]> git.ipfire.org Git - thirdparty/grsecurity-scrape.git/blob - test/grsecurity-2.2.2-2.6.32.46-201108300001.patch
Auto commit, 1 new patch{es}.
1 diff -urNp linux-2.6.32.46/arch/alpha/include/asm/elf.h linux-2.6.32.46/arch/alpha/include/asm/elf.h
2 --- linux-2.6.32.46/arch/alpha/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
3 +++ linux-2.6.32.46/arch/alpha/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
4 @@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
5
6 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
7
8 +#ifdef CONFIG_PAX_ASLR
9 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
10 +
11 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
12 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
13 +#endif
14 +
15 /* $0 is set by ld.so to a pointer to a function which might be
16 registered using atexit. This provides a mean for the dynamic
17 linker to call DT_FINI functions for shared libraries that have
18 diff -urNp linux-2.6.32.46/arch/alpha/include/asm/pgtable.h linux-2.6.32.46/arch/alpha/include/asm/pgtable.h
19 --- linux-2.6.32.46/arch/alpha/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
20 +++ linux-2.6.32.46/arch/alpha/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
21 @@ -101,6 +101,17 @@ struct vm_area_struct;
22 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
23 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
24 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
25 +
26 +#ifdef CONFIG_PAX_PAGEEXEC
27 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
28 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
29 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
30 +#else
31 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
32 +# define PAGE_COPY_NOEXEC PAGE_COPY
33 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
34 +#endif
35 +
36 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
37
38 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
39 diff -urNp linux-2.6.32.46/arch/alpha/kernel/module.c linux-2.6.32.46/arch/alpha/kernel/module.c
40 --- linux-2.6.32.46/arch/alpha/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
41 +++ linux-2.6.32.46/arch/alpha/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
42 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
43
44 /* The small sections were sorted to the end of the segment.
45 The following should definitely cover them. */
46 - gp = (u64)me->module_core + me->core_size - 0x8000;
47 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
48 got = sechdrs[me->arch.gotsecindex].sh_addr;
49
50 for (i = 0; i < n; i++) {
51 diff -urNp linux-2.6.32.46/arch/alpha/kernel/osf_sys.c linux-2.6.32.46/arch/alpha/kernel/osf_sys.c
52 --- linux-2.6.32.46/arch/alpha/kernel/osf_sys.c 2011-08-09 18:35:28.000000000 -0400
53 +++ linux-2.6.32.46/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:47.000000000 -0400
54 @@ -1172,7 +1172,7 @@ arch_get_unmapped_area_1(unsigned long a
55 /* At this point: (!vma || addr < vma->vm_end). */
56 if (limit - len < addr)
57 return -ENOMEM;
58 - if (!vma || addr + len <= vma->vm_start)
59 + if (check_heap_stack_gap(vma, addr, len))
60 return addr;
61 addr = vma->vm_end;
62 vma = vma->vm_next;
63 @@ -1208,6 +1208,10 @@ arch_get_unmapped_area(struct file *filp
64 merely specific addresses, but regions of memory -- perhaps
65 this feature should be incorporated into all ports? */
66
67 +#ifdef CONFIG_PAX_RANDMMAP
68 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
69 +#endif
70 +
71 if (addr) {
72 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
73 if (addr != (unsigned long) -ENOMEM)
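Review bot: The `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` added under `#ifdef CONFIG_PAX_RANDMMAP` has no braces and no body of its own, so it governs the following `if (addr) { … }` across the `#endif` and a blank line. A statement inserted between the two later would silently change what the RANDMMAP test guards, which here is whether a caller-supplied address hint is honoured for a randomised task. A comment on the guarded statement, for example `/* PaX: under RANDMMAP the address hint below is skipped */`, or braces in both configurations, would make the construct safe to edit. The same pattern is added in the `@@ -63,6 +63,10 @@` hunk of arch/arm/mm/mmap.c, and the guarded block closes outside this hunk.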
74 @@ -1215,8 +1219,8 @@ arch_get_unmapped_area(struct file *filp
75 }
76
77 /* Next, try allocating at TASK_UNMAPPED_BASE. */
78 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
79 - len, limit);
80 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
81 +
82 if (addr != (unsigned long) -ENOMEM)
83 return addr;
84
85 diff -urNp linux-2.6.32.46/arch/alpha/mm/fault.c linux-2.6.32.46/arch/alpha/mm/fault.c
86 --- linux-2.6.32.46/arch/alpha/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
87 +++ linux-2.6.32.46/arch/alpha/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
88 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
89 __reload_thread(pcb);
90 }
91
92 +#ifdef CONFIG_PAX_PAGEEXEC
93 +/*
94 + * PaX: decide what to do with offenders (regs->pc = fault address)
95 + *
96 + * returns 1 when task should be killed
97 + * 2 when patched PLT trampoline was detected
98 + * 3 when unpatched PLT trampoline was detected
99 + */
100 +static int pax_handle_fetch_fault(struct pt_regs *regs)
101 +{
102 +
103 +#ifdef CONFIG_PAX_EMUPLT
104 + int err;
105 +
106 + do { /* PaX: patched PLT emulation #1 */
107 + unsigned int ldah, ldq, jmp;
108 +
109 + err = get_user(ldah, (unsigned int *)regs->pc);
110 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
111 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
112 +
113 + if (err)
114 + break;
115 +
116 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
117 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
118 + jmp == 0x6BFB0000U)
119 + {
120 + unsigned long r27, addr;
121 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
122 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
123 +
124 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
125 + err = get_user(r27, (unsigned long *)addr);
126 + if (err)
127 + break;
128 +
129 + regs->r27 = r27;
130 + regs->pc = r27;
131 + return 2;
132 + }
133 + } while (0);
134 +
135 + do { /* PaX: patched PLT emulation #2 */
136 + unsigned int ldah, lda, br;
137 +
138 + err = get_user(ldah, (unsigned int *)regs->pc);
139 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
140 + err |= get_user(br, (unsigned int *)(regs->pc+8));
141 +
142 + if (err)
143 + break;
144 +
145 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
146 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
147 + (br & 0xFFE00000U) == 0xC3E00000U)
148 + {
149 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
150 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
151 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
152 +
153 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
154 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
155 + return 2;
156 + }
157 + } while (0);
158 +
159 + do { /* PaX: unpatched PLT emulation */
160 + unsigned int br;
161 +
162 + err = get_user(br, (unsigned int *)regs->pc);
163 +
164 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
165 + unsigned int br2, ldq, nop, jmp;
166 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
167 +
168 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
169 + err = get_user(br2, (unsigned int *)addr);
170 + err |= get_user(ldq, (unsigned int *)(addr+4));
171 + err |= get_user(nop, (unsigned int *)(addr+8));
172 + err |= get_user(jmp, (unsigned int *)(addr+12));
173 + err |= get_user(resolver, (unsigned long *)(addr+16));
174 +
175 + if (err)
176 + break;
177 +
178 + if (br2 == 0xC3600000U &&
179 + ldq == 0xA77B000CU &&
180 + nop == 0x47FF041FU &&
181 + jmp == 0x6B7B0000U)
182 + {
183 + regs->r28 = regs->pc+4;
184 + regs->r27 = addr+16;
185 + regs->pc = resolver;
186 + return 3;
187 + }
188 + }
189 + } while (0);
190 +#endif
191 +
192 + return 1;
193 +}
194 +
195 +void pax_report_insns(void *pc, void *sp)
196 +{
197 + unsigned long i;
198 +
199 + printk(KERN_ERR "PAX: bytes at PC: ");
200 + for (i = 0; i < 5; i++) {
201 + unsigned int c;
202 + if (get_user(c, (unsigned int *)pc+i))
203 + printk(KERN_CONT "???????? ");
204 + else
205 + printk(KERN_CONT "%08x ", c);
206 + }
207 + printk("\n");
208 +}
209 +#endif
210
211 /*
212 * This routine handles page faults. It determines the address,
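Review bot: In "patched PLT emulation #2" the word named `lda` is matched with `(lda & 0xFFFF0000U) == 0xA77B0000U`, the same constant that block #1 uses for `ldq`, although the block then emulates an address add (`regs->r27 += …`) rather than a load. By my reading of the Alpha opcode map an `lda $27, x($27)` would encode as `0x237B0000U`, so the constant should be confirmed against the PLT layout the linker actually emits. Since these matches decide whether a fetch from a non-executable page is allowed to continue instead of killing the task, each constant should carry a comment naming the instruction it encodes, e.g. `/* ldah $27, hi($27) */`. The `get_user()` casts here also lack the `__user` annotation that the ARM `pax_report_insns()` in this patch uses.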
213 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
214 good_area:
215 si_code = SEGV_ACCERR;
216 if (cause < 0) {
217 - if (!(vma->vm_flags & VM_EXEC))
218 + if (!(vma->vm_flags & VM_EXEC)) {
219 +
220 +#ifdef CONFIG_PAX_PAGEEXEC
221 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
222 + goto bad_area;
223 +
224 + up_read(&mm->mmap_sem);
225 + switch (pax_handle_fetch_fault(regs)) {
226 +
227 +#ifdef CONFIG_PAX_EMUPLT
228 + case 2:
229 + case 3:
230 + return;
231 +#endif
232 +
233 + }
234 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
235 + do_group_exit(SIGKILL);
236 +#else
237 goto bad_area;
238 +#endif
239 +
240 + }
241 } else if (!cause) {
242 /* Allow reads even for write-only mappings */
243 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
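Review bot: The `switch (pax_handle_fetch_fault(regs))` has no `default`, and with CONFIG_PAX_EMUPLT disabled its body is empty, so the kill path for return value 1 is reached only by falling out of the switch. That is correct as written but easy to misread in security-critical fault handling. I would add `default: break; /* 1: not a PLT trampoline, fall through to report and SIGKILL */` so the fail-closed behaviour is explicit in both configurations. It is also worth a one-line comment that `mmap_sem` is dropped by `up_read()` before the `return` on cases 2 and 3.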
244 diff -urNp linux-2.6.32.46/arch/arm/include/asm/elf.h linux-2.6.32.46/arch/arm/include/asm/elf.h
245 --- linux-2.6.32.46/arch/arm/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
246 +++ linux-2.6.32.46/arch/arm/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
247 @@ -109,7 +109,14 @@ int dump_task_regs(struct task_struct *t
248 the loader. We need to make sure that it is out of the way of the program
249 that it will "exec", and that there is sufficient room for the brk. */
250
251 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
252 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
253 +
254 +#ifdef CONFIG_PAX_ASLR
255 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
256 +
257 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
258 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
259 +#endif
260
261 /* When the program starts, a1 contains a pointer to a function to be
262 registered with atexit, as per the SVR4 ABI. A value of 0 means we
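Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` test `current->personality == PER_LINUX_32BIT`, which compares the whole personality word. A task with any additional personality flag bit set would then take the 10-bit branch and get less mmap and stack randomisation. If only the base personality is meant, `((personality(current->personality) == PER_LINUX_32BIT) ? 16 : 10)` avoids that; whether flag bits can be set at this point is not visible from the hunk. The reordering to `(TASK_SIZE / 3 * 2)` also deserves a short comment stating why the operand order matters, since the motivation is not given here.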
263 diff -urNp linux-2.6.32.46/arch/arm/include/asm/kmap_types.h linux-2.6.32.46/arch/arm/include/asm/kmap_types.h
264 --- linux-2.6.32.46/arch/arm/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
265 +++ linux-2.6.32.46/arch/arm/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
266 @@ -19,6 +19,7 @@ enum km_type {
267 KM_SOFTIRQ0,
268 KM_SOFTIRQ1,
269 KM_L2_CACHE,
270 + KM_CLEARPAGE,
271 KM_TYPE_NR
272 };
273
274 diff -urNp linux-2.6.32.46/arch/arm/include/asm/uaccess.h linux-2.6.32.46/arch/arm/include/asm/uaccess.h
275 --- linux-2.6.32.46/arch/arm/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
276 +++ linux-2.6.32.46/arch/arm/include/asm/uaccess.h 2011-06-29 21:02:24.000000000 -0400
277 @@ -22,6 +22,8 @@
278 #define VERIFY_READ 0
279 #define VERIFY_WRITE 1
280
281 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
282 +
283 /*
284 * The exception table consists of pairs of addresses: the first is the
285 * address of an instruction that is allowed to fault, and the second is
286 @@ -387,8 +389,23 @@ do { \
287
288
289 #ifdef CONFIG_MMU
290 -extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
291 -extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
292 +extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
293 +extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
294 +
295 +static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
296 +{
297 + if (!__builtin_constant_p(n))
298 + check_object_size(to, n, false);
299 + return ___copy_from_user(to, from, n);
300 +}
301 +
302 +static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
303 +{
304 + if (!__builtin_constant_p(n))
305 + check_object_size(from, n, true);
306 + return ___copy_to_user(to, from, n);
307 +}
308 +
309 extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
310 extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
311 extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
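Review bot: The new `__copy_from_user()` and `__copy_to_user()` wrappers skip `check_object_size()` whenever `__builtin_constant_p(n)` is true, and nothing in the hunk says why. A reader auditing these bounds checks needs to know what is assumed to cover constant-size copies, so I would add a comment above the test such as `/* only runtime-sized copies are checked; constant sizes are assumed to be validated at compile time - confirm */`. A one-line comment on the third argument (`false` = copy into the kernel object, `true` = copy out of it, as the two calls suggest) would also help, since the prototype names it only `to`.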
312 @@ -403,6 +420,9 @@ extern unsigned long __must_check __strn
313
314 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
315 {
316 + if ((long)n < 0)
317 + return n;
318 +
319 if (access_ok(VERIFY_READ, from, n))
320 n = __copy_from_user(to, from, n);
321 else /* security hole - plug it */
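Review bot: The added `if ((long)n < 0) return n;` has no comment, and its intent of treating a length with the top bit set as a caller arithmetic error and refusing the copy is not obvious from the cast. I would add `/* reject lengths that went negative in the caller; report all n bytes as uncopied */`. In `copy_from_user()` the early return also bypasses the existing `else /* security hole - plug it */` branch, whose body lies outside this hunk. It should be confirmed that leaving the destination untouched in that case is intended. The same undocumented check is added to `copy_to_user()` in the `@@ -412,6 +432,9 @@` hunk.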
322 @@ -412,6 +432,9 @@ static inline unsigned long __must_check
323
324 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
325 {
326 + if ((long)n < 0)
327 + return n;
328 +
329 if (access_ok(VERIFY_WRITE, to, n))
330 n = __copy_to_user(to, from, n);
331 return n;
332 diff -urNp linux-2.6.32.46/arch/arm/kernel/armksyms.c linux-2.6.32.46/arch/arm/kernel/armksyms.c
333 --- linux-2.6.32.46/arch/arm/kernel/armksyms.c 2011-03-27 14:31:47.000000000 -0400
334 +++ linux-2.6.32.46/arch/arm/kernel/armksyms.c 2011-07-06 19:51:50.000000000 -0400
335 @@ -118,8 +118,8 @@ EXPORT_SYMBOL(__strncpy_from_user);
336 #ifdef CONFIG_MMU
337 EXPORT_SYMBOL(copy_page);
338
339 -EXPORT_SYMBOL(__copy_from_user);
340 -EXPORT_SYMBOL(__copy_to_user);
341 +EXPORT_SYMBOL(___copy_from_user);
342 +EXPORT_SYMBOL(___copy_to_user);
343 EXPORT_SYMBOL(__clear_user);
344
345 EXPORT_SYMBOL(__get_user_1);
346 diff -urNp linux-2.6.32.46/arch/arm/kernel/kgdb.c linux-2.6.32.46/arch/arm/kernel/kgdb.c
347 --- linux-2.6.32.46/arch/arm/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
348 +++ linux-2.6.32.46/arch/arm/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
349 @@ -190,7 +190,7 @@ void kgdb_arch_exit(void)
350 * and we handle the normal undef case within the do_undefinstr
351 * handler.
352 */
353 -struct kgdb_arch arch_kgdb_ops = {
354 +const struct kgdb_arch arch_kgdb_ops = {
355 #ifndef __ARMEB__
356 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
357 #else /* ! __ARMEB__ */
358 diff -urNp linux-2.6.32.46/arch/arm/kernel/traps.c linux-2.6.32.46/arch/arm/kernel/traps.c
359 --- linux-2.6.32.46/arch/arm/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
360 +++ linux-2.6.32.46/arch/arm/kernel/traps.c 2011-06-13 21:31:18.000000000 -0400
361 @@ -247,6 +247,8 @@ static void __die(const char *str, int e
362
363 DEFINE_SPINLOCK(die_lock);
364
365 +extern void gr_handle_kernel_exploit(void);
366 +
367 /*
368 * This function is protected against re-entrancy.
369 */
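Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in traps.c instead of coming from a header shared with its definition. If the definition's signature later changes, the compiler cannot flag the mismatch at the call added to `die()` in the next hunk. Moving the prototype into a common header would close that gap. Failing that, a comment naming the file that defines the function would help.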
370 @@ -271,6 +273,8 @@ NORET_TYPE void die(const char *str, str
371 if (panic_on_oops)
372 panic("Fatal exception");
373
374 + gr_handle_kernel_exploit();
375 +
376 do_exit(SIGSEGV);
377 }
378
379 diff -urNp linux-2.6.32.46/arch/arm/lib/copy_from_user.S linux-2.6.32.46/arch/arm/lib/copy_from_user.S
380 --- linux-2.6.32.46/arch/arm/lib/copy_from_user.S 2011-03-27 14:31:47.000000000 -0400
381 +++ linux-2.6.32.46/arch/arm/lib/copy_from_user.S 2011-06-29 20:48:38.000000000 -0400
382 @@ -16,7 +16,7 @@
383 /*
384 * Prototype:
385 *
386 - * size_t __copy_from_user(void *to, const void *from, size_t n)
387 + * size_t ___copy_from_user(void *to, const void *from, size_t n)
388 *
389 * Purpose:
390 *
391 @@ -84,11 +84,11 @@
392
393 .text
394
395 -ENTRY(__copy_from_user)
396 +ENTRY(___copy_from_user)
397
398 #include "copy_template.S"
399
400 -ENDPROC(__copy_from_user)
401 +ENDPROC(___copy_from_user)
402
403 .section .fixup,"ax"
404 .align 0
405 diff -urNp linux-2.6.32.46/arch/arm/lib/copy_to_user.S linux-2.6.32.46/arch/arm/lib/copy_to_user.S
406 --- linux-2.6.32.46/arch/arm/lib/copy_to_user.S 2011-03-27 14:31:47.000000000 -0400
407 +++ linux-2.6.32.46/arch/arm/lib/copy_to_user.S 2011-06-29 20:46:49.000000000 -0400
408 @@ -16,7 +16,7 @@
409 /*
410 * Prototype:
411 *
412 - * size_t __copy_to_user(void *to, const void *from, size_t n)
413 + * size_t ___copy_to_user(void *to, const void *from, size_t n)
414 *
415 * Purpose:
416 *
417 @@ -88,11 +88,11 @@
418 .text
419
420 ENTRY(__copy_to_user_std)
421 -WEAK(__copy_to_user)
422 +WEAK(___copy_to_user)
423
424 #include "copy_template.S"
425
426 -ENDPROC(__copy_to_user)
427 +ENDPROC(___copy_to_user)
428
429 .section .fixup,"ax"
430 .align 0
431 diff -urNp linux-2.6.32.46/arch/arm/lib/uaccess.S linux-2.6.32.46/arch/arm/lib/uaccess.S
432 --- linux-2.6.32.46/arch/arm/lib/uaccess.S 2011-03-27 14:31:47.000000000 -0400
433 +++ linux-2.6.32.46/arch/arm/lib/uaccess.S 2011-06-29 20:48:53.000000000 -0400
434 @@ -19,7 +19,7 @@
435
436 #define PAGE_SHIFT 12
437
438 -/* Prototype: int __copy_to_user(void *to, const char *from, size_t n)
439 +/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n)
440 * Purpose : copy a block to user memory from kernel memory
441 * Params : to - user memory
442 * : from - kernel memory
443 @@ -39,7 +39,7 @@ USER( strgtbt r3, [r0], #1) @ May fau
444 sub r2, r2, ip
445 b .Lc2u_dest_aligned
446
447 -ENTRY(__copy_to_user)
448 +ENTRY(___copy_to_user)
449 stmfd sp!, {r2, r4 - r7, lr}
450 cmp r2, #4
451 blt .Lc2u_not_enough
452 @@ -277,14 +277,14 @@ USER( strgebt r3, [r0], #1) @ May fau
453 ldrgtb r3, [r1], #0
454 USER( strgtbt r3, [r0], #1) @ May fault
455 b .Lc2u_finished
456 -ENDPROC(__copy_to_user)
457 +ENDPROC(___copy_to_user)
458
459 .section .fixup,"ax"
460 .align 0
461 9001: ldmfd sp!, {r0, r4 - r7, pc}
462 .previous
463
464 -/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n);
465 +/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n);
466 * Purpose : copy a block from user memory to kernel memory
467 * Params : to - kernel memory
468 * : from - user memory
469 @@ -303,7 +303,7 @@ USER( ldrgtbt r3, [r1], #1) @ May fau
470 sub r2, r2, ip
471 b .Lcfu_dest_aligned
472
473 -ENTRY(__copy_from_user)
474 +ENTRY(___copy_from_user)
475 stmfd sp!, {r0, r2, r4 - r7, lr}
476 cmp r2, #4
477 blt .Lcfu_not_enough
478 @@ -543,7 +543,7 @@ USER( ldrgebt r3, [r1], #1) @ May fau
479 USER( ldrgtbt r3, [r1], #1) @ May fault
480 strgtb r3, [r0], #1
481 b .Lcfu_finished
482 -ENDPROC(__copy_from_user)
483 +ENDPROC(___copy_from_user)
484
485 .section .fixup,"ax"
486 .align 0
487 diff -urNp linux-2.6.32.46/arch/arm/lib/uaccess_with_memcpy.c linux-2.6.32.46/arch/arm/lib/uaccess_with_memcpy.c
488 --- linux-2.6.32.46/arch/arm/lib/uaccess_with_memcpy.c 2011-03-27 14:31:47.000000000 -0400
489 +++ linux-2.6.32.46/arch/arm/lib/uaccess_with_memcpy.c 2011-06-29 20:44:35.000000000 -0400
490 @@ -97,7 +97,7 @@ out:
491 }
492
493 unsigned long
494 -__copy_to_user(void __user *to, const void *from, unsigned long n)
495 +___copy_to_user(void __user *to, const void *from, unsigned long n)
496 {
497 /*
498 * This test is stubbed out of the main function above to keep
499 diff -urNp linux-2.6.32.46/arch/arm/mach-at91/pm.c linux-2.6.32.46/arch/arm/mach-at91/pm.c
500 --- linux-2.6.32.46/arch/arm/mach-at91/pm.c 2011-03-27 14:31:47.000000000 -0400
501 +++ linux-2.6.32.46/arch/arm/mach-at91/pm.c 2011-04-17 15:56:45.000000000 -0400
502 @@ -348,7 +348,7 @@ static void at91_pm_end(void)
503 }
504
505
506 -static struct platform_suspend_ops at91_pm_ops ={
507 +static const struct platform_suspend_ops at91_pm_ops ={
508 .valid = at91_pm_valid_state,
509 .begin = at91_pm_begin,
510 .enter = at91_pm_enter,
511 diff -urNp linux-2.6.32.46/arch/arm/mach-omap1/pm.c linux-2.6.32.46/arch/arm/mach-omap1/pm.c
512 --- linux-2.6.32.46/arch/arm/mach-omap1/pm.c 2011-03-27 14:31:47.000000000 -0400
513 +++ linux-2.6.32.46/arch/arm/mach-omap1/pm.c 2011-04-17 15:56:45.000000000 -0400
514 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
515
516
517
518 -static struct platform_suspend_ops omap_pm_ops ={
519 +static const struct platform_suspend_ops omap_pm_ops ={
520 .prepare = omap_pm_prepare,
521 .enter = omap_pm_enter,
522 .finish = omap_pm_finish,
523 diff -urNp linux-2.6.32.46/arch/arm/mach-omap2/pm24xx.c linux-2.6.32.46/arch/arm/mach-omap2/pm24xx.c
524 --- linux-2.6.32.46/arch/arm/mach-omap2/pm24xx.c 2011-03-27 14:31:47.000000000 -0400
525 +++ linux-2.6.32.46/arch/arm/mach-omap2/pm24xx.c 2011-04-17 15:56:45.000000000 -0400
526 @@ -326,7 +326,7 @@ static void omap2_pm_finish(void)
527 enable_hlt();
528 }
529
530 -static struct platform_suspend_ops omap_pm_ops = {
531 +static const struct platform_suspend_ops omap_pm_ops = {
532 .prepare = omap2_pm_prepare,
533 .enter = omap2_pm_enter,
534 .finish = omap2_pm_finish,
535 diff -urNp linux-2.6.32.46/arch/arm/mach-omap2/pm34xx.c linux-2.6.32.46/arch/arm/mach-omap2/pm34xx.c
536 --- linux-2.6.32.46/arch/arm/mach-omap2/pm34xx.c 2011-03-27 14:31:47.000000000 -0400
537 +++ linux-2.6.32.46/arch/arm/mach-omap2/pm34xx.c 2011-04-17 15:56:45.000000000 -0400
538 @@ -401,7 +401,7 @@ static void omap3_pm_end(void)
539 return;
540 }
541
542 -static struct platform_suspend_ops omap_pm_ops = {
543 +static const struct platform_suspend_ops omap_pm_ops = {
544 .begin = omap3_pm_begin,
545 .end = omap3_pm_end,
546 .prepare = omap3_pm_prepare,
547 diff -urNp linux-2.6.32.46/arch/arm/mach-pnx4008/pm.c linux-2.6.32.46/arch/arm/mach-pnx4008/pm.c
548 --- linux-2.6.32.46/arch/arm/mach-pnx4008/pm.c 2011-03-27 14:31:47.000000000 -0400
549 +++ linux-2.6.32.46/arch/arm/mach-pnx4008/pm.c 2011-04-17 15:56:45.000000000 -0400
550 @@ -116,7 +116,7 @@ static int pnx4008_pm_valid(suspend_stat
551 (state == PM_SUSPEND_MEM);
552 }
553
554 -static struct platform_suspend_ops pnx4008_pm_ops = {
555 +static const struct platform_suspend_ops pnx4008_pm_ops = {
556 .enter = pnx4008_pm_enter,
557 .valid = pnx4008_pm_valid,
558 };
559 diff -urNp linux-2.6.32.46/arch/arm/mach-pxa/pm.c linux-2.6.32.46/arch/arm/mach-pxa/pm.c
560 --- linux-2.6.32.46/arch/arm/mach-pxa/pm.c 2011-03-27 14:31:47.000000000 -0400
561 +++ linux-2.6.32.46/arch/arm/mach-pxa/pm.c 2011-04-17 15:56:45.000000000 -0400
562 @@ -95,7 +95,7 @@ void pxa_pm_finish(void)
563 pxa_cpu_pm_fns->finish();
564 }
565
566 -static struct platform_suspend_ops pxa_pm_ops = {
567 +static const struct platform_suspend_ops pxa_pm_ops = {
568 .valid = pxa_pm_valid,
569 .enter = pxa_pm_enter,
570 .prepare = pxa_pm_prepare,
571 diff -urNp linux-2.6.32.46/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.32.46/arch/arm/mach-pxa/sharpsl_pm.c
572 --- linux-2.6.32.46/arch/arm/mach-pxa/sharpsl_pm.c 2011-03-27 14:31:47.000000000 -0400
573 +++ linux-2.6.32.46/arch/arm/mach-pxa/sharpsl_pm.c 2011-04-17 15:56:45.000000000 -0400
574 @@ -891,7 +891,7 @@ static void sharpsl_apm_get_power_status
575 }
576
577 #ifdef CONFIG_PM
578 -static struct platform_suspend_ops sharpsl_pm_ops = {
579 +static const struct platform_suspend_ops sharpsl_pm_ops = {
580 .prepare = pxa_pm_prepare,
581 .finish = pxa_pm_finish,
582 .enter = corgi_pxa_pm_enter,
583 diff -urNp linux-2.6.32.46/arch/arm/mach-sa1100/pm.c linux-2.6.32.46/arch/arm/mach-sa1100/pm.c
584 --- linux-2.6.32.46/arch/arm/mach-sa1100/pm.c 2011-03-27 14:31:47.000000000 -0400
585 +++ linux-2.6.32.46/arch/arm/mach-sa1100/pm.c 2011-04-17 15:56:45.000000000 -0400
586 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
587 return virt_to_phys(sp);
588 }
589
590 -static struct platform_suspend_ops sa11x0_pm_ops = {
591 +static const struct platform_suspend_ops sa11x0_pm_ops = {
592 .enter = sa11x0_pm_enter,
593 .valid = suspend_valid_only_mem,
594 };
595 diff -urNp linux-2.6.32.46/arch/arm/mm/fault.c linux-2.6.32.46/arch/arm/mm/fault.c
596 --- linux-2.6.32.46/arch/arm/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
597 +++ linux-2.6.32.46/arch/arm/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
598 @@ -166,6 +166,13 @@ __do_user_fault(struct task_struct *tsk,
599 }
600 #endif
601
602 +#ifdef CONFIG_PAX_PAGEEXEC
603 + if (fsr & FSR_LNX_PF) {
604 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
605 + do_group_exit(SIGKILL);
606 + }
607 +#endif
608 +
609 tsk->thread.address = addr;
610 tsk->thread.error_code = fsr;
611 tsk->thread.trap_no = 14;
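Review bot: Unlike the alpha and avr32 fault handlers in this patch, which test `mm->pax_flags & MF_PAX_PAGEEXEC` before killing the task, this block acts on `fsr & FSR_LNX_PF` alone. With CONFIG_PAX_PAGEEXEC built in, every user prefetch fault that reaches `__do_user_fault()` therefore ends in `pax_report_fault()` and SIGKILL, even for a task that has the feature switched off. If that is not intended, the condition could read `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`. The per-task flag may be checked by a caller outside the hunk, in which case a comment saying so would settle it.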
612 @@ -357,6 +364,33 @@ do_page_fault(unsigned long addr, unsign
613 }
614 #endif /* CONFIG_MMU */
615
616 +#ifdef CONFIG_PAX_PAGEEXEC
617 +void pax_report_insns(void *pc, void *sp)
618 +{
619 + long i;
620 +
621 + printk(KERN_ERR "PAX: bytes at PC: ");
622 + for (i = 0; i < 20; i++) {
623 + unsigned char c;
624 + if (get_user(c, (__force unsigned char __user *)pc+i))
625 + printk(KERN_CONT "?? ");
626 + else
627 + printk(KERN_CONT "%02x ", c);
628 + }
629 + printk("\n");
630 +
631 + printk(KERN_ERR "PAX: bytes at SP-4: ");
632 + for (i = -1; i < 20; i++) {
633 + unsigned long c;
634 + if (get_user(c, (__force unsigned long __user *)sp+i))
635 + printk(KERN_CONT "???????? ");
636 + else
637 + printk(KERN_CONT "%08lx ", c);
638 + }
639 + printk("\n");
640 +}
641 +#endif
642 +
643 /*
644 * First Level Translation Fault Handler
645 *
646 diff -urNp linux-2.6.32.46/arch/arm/mm/mmap.c linux-2.6.32.46/arch/arm/mm/mmap.c
647 --- linux-2.6.32.46/arch/arm/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
648 +++ linux-2.6.32.46/arch/arm/mm/mmap.c 2011-04-17 15:56:45.000000000 -0400
649 @@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
650 if (len > TASK_SIZE)
651 return -ENOMEM;
652
653 +#ifdef CONFIG_PAX_RANDMMAP
654 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
655 +#endif
656 +
657 if (addr) {
658 if (do_align)
659 addr = COLOUR_ALIGN(addr, pgoff);
660 @@ -70,15 +74,14 @@ arch_get_unmapped_area(struct file *filp
661 addr = PAGE_ALIGN(addr);
662
663 vma = find_vma(mm, addr);
664 - if (TASK_SIZE - len >= addr &&
665 - (!vma || addr + len <= vma->vm_start))
666 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
667 return addr;
668 }
669 if (len > mm->cached_hole_size) {
670 - start_addr = addr = mm->free_area_cache;
671 + start_addr = addr = mm->free_area_cache;
672 } else {
673 - start_addr = addr = TASK_UNMAPPED_BASE;
674 - mm->cached_hole_size = 0;
675 + start_addr = addr = mm->mmap_base;
676 + mm->cached_hole_size = 0;
677 }
678
679 full_search:
680 @@ -94,14 +97,14 @@ full_search:
681 * Start a new search - just in case we missed
682 * some holes.
683 */
684 - if (start_addr != TASK_UNMAPPED_BASE) {
685 - start_addr = addr = TASK_UNMAPPED_BASE;
686 + if (start_addr != mm->mmap_base) {
687 + start_addr = addr = mm->mmap_base;
688 mm->cached_hole_size = 0;
689 goto full_search;
690 }
691 return -ENOMEM;
692 }
693 - if (!vma || addr + len <= vma->vm_start) {
694 + if (check_heap_stack_gap(vma, addr, len)) {
695 /*
696 * Remember the place where we stopped the search:
697 */
698 diff -urNp linux-2.6.32.46/arch/arm/plat-s3c/pm.c linux-2.6.32.46/arch/arm/plat-s3c/pm.c
699 --- linux-2.6.32.46/arch/arm/plat-s3c/pm.c 2011-03-27 14:31:47.000000000 -0400
700 +++ linux-2.6.32.46/arch/arm/plat-s3c/pm.c 2011-04-17 15:56:45.000000000 -0400
701 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
702 s3c_pm_check_cleanup();
703 }
704
705 -static struct platform_suspend_ops s3c_pm_ops = {
706 +static const struct platform_suspend_ops s3c_pm_ops = {
707 .enter = s3c_pm_enter,
708 .prepare = s3c_pm_prepare,
709 .finish = s3c_pm_finish,
710 diff -urNp linux-2.6.32.46/arch/avr32/include/asm/elf.h linux-2.6.32.46/arch/avr32/include/asm/elf.h
711 --- linux-2.6.32.46/arch/avr32/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
712 +++ linux-2.6.32.46/arch/avr32/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
713 @@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
714 the loader. We need to make sure that it is out of the way of the program
715 that it will "exec", and that there is sufficient room for the brk. */
716
717 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
718 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
719
720 +#ifdef CONFIG_PAX_ASLR
721 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
722 +
723 +#define PAX_DELTA_MMAP_LEN 15
724 +#define PAX_DELTA_STACK_LEN 15
725 +#endif
726
727 /* This yields a mask that user programs can use to figure out what
728 instruction set this CPU supports. This could be done in user space,
729 diff -urNp linux-2.6.32.46/arch/avr32/include/asm/kmap_types.h linux-2.6.32.46/arch/avr32/include/asm/kmap_types.h
730 --- linux-2.6.32.46/arch/avr32/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
731 +++ linux-2.6.32.46/arch/avr32/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
732 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
733 D(11) KM_IRQ1,
734 D(12) KM_SOFTIRQ0,
735 D(13) KM_SOFTIRQ1,
736 -D(14) KM_TYPE_NR
737 +D(14) KM_CLEARPAGE,
738 +D(15) KM_TYPE_NR
739 };
740
741 #undef D
742 diff -urNp linux-2.6.32.46/arch/avr32/mach-at32ap/pm.c linux-2.6.32.46/arch/avr32/mach-at32ap/pm.c
743 --- linux-2.6.32.46/arch/avr32/mach-at32ap/pm.c 2011-03-27 14:31:47.000000000 -0400
744 +++ linux-2.6.32.46/arch/avr32/mach-at32ap/pm.c 2011-04-17 15:56:45.000000000 -0400
745 @@ -176,7 +176,7 @@ out:
746 return 0;
747 }
748
749 -static struct platform_suspend_ops avr32_pm_ops = {
750 +static const struct platform_suspend_ops avr32_pm_ops = {
751 .valid = avr32_pm_valid_state,
752 .enter = avr32_pm_enter,
753 };
754 diff -urNp linux-2.6.32.46/arch/avr32/mm/fault.c linux-2.6.32.46/arch/avr32/mm/fault.c
755 --- linux-2.6.32.46/arch/avr32/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
756 +++ linux-2.6.32.46/arch/avr32/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
757 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
758
759 int exception_trace = 1;
760
761 +#ifdef CONFIG_PAX_PAGEEXEC
762 +void pax_report_insns(void *pc, void *sp)
763 +{
764 + unsigned long i;
765 +
766 + printk(KERN_ERR "PAX: bytes at PC: ");
767 + for (i = 0; i < 20; i++) {
768 + unsigned char c;
769 + if (get_user(c, (unsigned char *)pc+i))
770 + printk(KERN_CONT "???????? ");
771 + else
772 + printk(KERN_CONT "%02x ", c);
773 + }
774 + printk("\n");
775 +}
776 +#endif
777 +
778 /*
779 * This routine handles page faults. It determines the address and the
780 * problem, and then passes it off to one of the appropriate routines.
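Review bot: The failure placeholder in `pax_report_insns()` is `"???????? "`, eight characters wide, while a successful read prints one byte with `"%02x "`. An unreadable byte therefore shifts the columns of the "bytes at PC" line that an analyst reads from the log. The ARM version in this patch uses `printk(KERN_CONT "?? ");` for the same byte-wise loop, and this one should match. The `get_user()` cast is also missing the `__force … __user` annotation the ARM version carries, and the closing `printk("\n")` has no `KERN_CONT`.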
781 @@ -157,6 +174,16 @@ bad_area:
782 up_read(&mm->mmap_sem);
783
784 if (user_mode(regs)) {
785 +
786 +#ifdef CONFIG_PAX_PAGEEXEC
787 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
788 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
789 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
790 + do_group_exit(SIGKILL);
791 + }
792 + }
793 +#endif
794 +
795 if (exception_trace && printk_ratelimit())
796 printk("%s%s[%d]: segfault at %08lx pc %08lx "
797 "sp %08lx ecr %lu\n",
798 diff -urNp linux-2.6.32.46/arch/blackfin/kernel/kgdb.c linux-2.6.32.46/arch/blackfin/kernel/kgdb.c
799 --- linux-2.6.32.46/arch/blackfin/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
800 +++ linux-2.6.32.46/arch/blackfin/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
801 @@ -428,7 +428,7 @@ int kgdb_arch_handle_exception(int vecto
802 return -1; /* this means that we do not want to exit from the handler */
803 }
804
805 -struct kgdb_arch arch_kgdb_ops = {
806 +const struct kgdb_arch arch_kgdb_ops = {
807 .gdb_bpt_instr = {0xa1},
808 #ifdef CONFIG_SMP
809 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
810 diff -urNp linux-2.6.32.46/arch/blackfin/mach-common/pm.c linux-2.6.32.46/arch/blackfin/mach-common/pm.c
811 --- linux-2.6.32.46/arch/blackfin/mach-common/pm.c 2011-03-27 14:31:47.000000000 -0400
812 +++ linux-2.6.32.46/arch/blackfin/mach-common/pm.c 2011-04-17 15:56:45.000000000 -0400
813 @@ -255,7 +255,7 @@ static int bfin_pm_enter(suspend_state_t
814 return 0;
815 }
816
817 -struct platform_suspend_ops bfin_pm_ops = {
818 +const struct platform_suspend_ops bfin_pm_ops = {
819 .enter = bfin_pm_enter,
820 .valid = bfin_pm_valid,
821 };
822 diff -urNp linux-2.6.32.46/arch/frv/include/asm/kmap_types.h linux-2.6.32.46/arch/frv/include/asm/kmap_types.h
823 --- linux-2.6.32.46/arch/frv/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
824 +++ linux-2.6.32.46/arch/frv/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
825 @@ -23,6 +23,7 @@ enum km_type {
826 KM_IRQ1,
827 KM_SOFTIRQ0,
828 KM_SOFTIRQ1,
829 + KM_CLEARPAGE,
830 KM_TYPE_NR
831 };
832
833 diff -urNp linux-2.6.32.46/arch/frv/mm/elf-fdpic.c linux-2.6.32.46/arch/frv/mm/elf-fdpic.c
834 --- linux-2.6.32.46/arch/frv/mm/elf-fdpic.c 2011-03-27 14:31:47.000000000 -0400
835 +++ linux-2.6.32.46/arch/frv/mm/elf-fdpic.c 2011-04-17 15:56:45.000000000 -0400
836 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
837 if (addr) {
838 addr = PAGE_ALIGN(addr);
839 vma = find_vma(current->mm, addr);
840 - if (TASK_SIZE - len >= addr &&
841 - (!vma || addr + len <= vma->vm_start))
842 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
843 goto success;
844 }
845
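Review bot: The removed test on the `TASK_SIZE - len >= addr` line was `!vma || addr + len <= vma->vm_start`, so the replacement keeps its meaning only if `check_heap_stack_gap()` returns true for a NULL `vma`; the helper's definition is not in this hunk. The dependency is stronger in the ia64 `arch_get_unmapped_area` and `hugetlb_get_unmapped_area` hunks further down, where the loop goes on to read `vma->vm_next` or `vmm->vm_end` after a false result. I would document the contract where the helper is declared, e.g. `/* returns true when vma is NULL (no mapping above addr) */`, and confirm the helper behaves that way. The two later hunks in this file sit inside `for (; vma; ...)` loops that already test `vma`, so they are not affected.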
846 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
847 for (; vma; vma = vma->vm_next) {
848 if (addr > limit)
849 break;
850 - if (addr + len <= vma->vm_start)
851 + if (check_heap_stack_gap(vma, addr, len))
852 goto success;
853 addr = vma->vm_end;
854 }
855 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
856 for (; vma; vma = vma->vm_next) {
857 if (addr > limit)
858 break;
859 - if (addr + len <= vma->vm_start)
860 + if (check_heap_stack_gap(vma, addr, len))
861 goto success;
862 addr = vma->vm_end;
863 }
864 diff -urNp linux-2.6.32.46/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.32.46/arch/ia64/hp/common/hwsw_iommu.c
865 --- linux-2.6.32.46/arch/ia64/hp/common/hwsw_iommu.c 2011-03-27 14:31:47.000000000 -0400
866 +++ linux-2.6.32.46/arch/ia64/hp/common/hwsw_iommu.c 2011-04-17 15:56:45.000000000 -0400
867 @@ -17,7 +17,7 @@
868 #include <linux/swiotlb.h>
869 #include <asm/machvec.h>
870
871 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
872 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
873
874 /* swiotlb declarations & definitions: */
875 extern int swiotlb_late_init_with_default_size (size_t size);
876 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
877 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
878 }
879
880 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
881 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
882 {
883 if (use_swiotlb(dev))
884 return &swiotlb_dma_ops;
885 diff -urNp linux-2.6.32.46/arch/ia64/hp/common/sba_iommu.c linux-2.6.32.46/arch/ia64/hp/common/sba_iommu.c
886 --- linux-2.6.32.46/arch/ia64/hp/common/sba_iommu.c 2011-03-27 14:31:47.000000000 -0400
887 +++ linux-2.6.32.46/arch/ia64/hp/common/sba_iommu.c 2011-04-17 15:56:45.000000000 -0400
888 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
889 },
890 };
891
892 -extern struct dma_map_ops swiotlb_dma_ops;
893 +extern const struct dma_map_ops swiotlb_dma_ops;
894
895 static int __init
896 sba_init(void)
897 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
898
899 __setup("sbapagesize=",sba_page_override);
900
901 -struct dma_map_ops sba_dma_ops = {
902 +const struct dma_map_ops sba_dma_ops = {
903 .alloc_coherent = sba_alloc_coherent,
904 .free_coherent = sba_free_coherent,
905 .map_page = sba_map_page,
906 diff -urNp linux-2.6.32.46/arch/ia64/ia32/binfmt_elf32.c linux-2.6.32.46/arch/ia64/ia32/binfmt_elf32.c
907 --- linux-2.6.32.46/arch/ia64/ia32/binfmt_elf32.c 2011-03-27 14:31:47.000000000 -0400
908 +++ linux-2.6.32.46/arch/ia64/ia32/binfmt_elf32.c 2011-04-17 15:56:45.000000000 -0400
909 @@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
910
911 #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
912
913 +#ifdef CONFIG_PAX_ASLR
914 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
915 +
916 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
917 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
918 +#endif
919 +
920 /* Ugly but avoids duplication */
921 #include "../../../fs/binfmt_elf.c"
922
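Review bot: `current->personality == PER_LINUX32` in the three added macros compares the whole personality word, so a 32-bit task that also carries personality flag bits would presumably take the 64-bit arm and get `0x4000000000000000UL` as its base together with the 64-bit delta lengths. Masking first, as in `personality(current->personality) == PER_LINUX32`, avoids that if flag bits can be set on this path. The identical block is added again to arch/ia64/include/asm/elf.h later in the patch; keeping a single copy would stop the two from drifting apart.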
923 diff -urNp linux-2.6.32.46/arch/ia64/ia32/ia32priv.h linux-2.6.32.46/arch/ia64/ia32/ia32priv.h
924 --- linux-2.6.32.46/arch/ia64/ia32/ia32priv.h 2011-03-27 14:31:47.000000000 -0400
925 +++ linux-2.6.32.46/arch/ia64/ia32/ia32priv.h 2011-04-17 15:56:45.000000000 -0400
926 @@ -296,7 +296,14 @@ typedef struct compat_siginfo {
927 #define ELF_DATA ELFDATA2LSB
928 #define ELF_ARCH EM_386
929
930 -#define IA32_STACK_TOP IA32_PAGE_OFFSET
931 +#ifdef CONFIG_PAX_RANDUSTACK
932 +#define __IA32_DELTA_STACK (current->mm->delta_stack)
933 +#else
934 +#define __IA32_DELTA_STACK 0UL
935 +#endif
936 +
937 +#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
938 +
939 #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
940 #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
941
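Review bot: `IA32_STACK_TOP` stops being a compile-time constant here: with CONFIG_PAX_RANDUSTACK it expands to `IA32_PAGE_OFFSET - current->mm->delta_stack`, which dereferences `current->mm` at every use. A user of the macro running where `current->mm` is NULL or belongs to a different task would misbehave, and nothing at the definition warns about it. I would add `/* runtime value: reads current->mm->delta_stack, only valid in the context of the ia32 task itself */` above the `#define IA32_STACK_TOP` line. The users of the macro are outside this hunk, so whether any of them is affected cannot be judged from here.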
942 diff -urNp linux-2.6.32.46/arch/ia64/include/asm/dma-mapping.h linux-2.6.32.46/arch/ia64/include/asm/dma-mapping.h
943 --- linux-2.6.32.46/arch/ia64/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
944 +++ linux-2.6.32.46/arch/ia64/include/asm/dma-mapping.h 2011-04-17 15:56:45.000000000 -0400
945 @@ -12,7 +12,7 @@
946
947 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
948
949 -extern struct dma_map_ops *dma_ops;
950 +extern const struct dma_map_ops *dma_ops;
951 extern struct ia64_machine_vector ia64_mv;
952 extern void set_iommu_machvec(void);
953
954 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
955 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
956 dma_addr_t *daddr, gfp_t gfp)
957 {
958 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
959 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
960 void *caddr;
961
962 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
963 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
964 static inline void dma_free_coherent(struct device *dev, size_t size,
965 void *caddr, dma_addr_t daddr)
966 {
967 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
968 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
969 debug_dma_free_coherent(dev, size, caddr, daddr);
970 ops->free_coherent(dev, size, caddr, daddr);
971 }
972 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
973
974 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
975 {
976 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
977 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
978 return ops->mapping_error(dev, daddr);
979 }
980
981 static inline int dma_supported(struct device *dev, u64 mask)
982 {
983 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
984 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
985 return ops->dma_supported(dev, mask);
986 }
987
988 diff -urNp linux-2.6.32.46/arch/ia64/include/asm/elf.h linux-2.6.32.46/arch/ia64/include/asm/elf.h
989 --- linux-2.6.32.46/arch/ia64/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
990 +++ linux-2.6.32.46/arch/ia64/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
991 @@ -43,6 +43,13 @@
992 */
993 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
994
995 +#ifdef CONFIG_PAX_ASLR
996 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
997 +
998 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
999 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1000 +#endif
1001 +
1002 #define PT_IA_64_UNWIND 0x70000001
1003
1004 /* IA-64 relocations: */
1005 diff -urNp linux-2.6.32.46/arch/ia64/include/asm/machvec.h linux-2.6.32.46/arch/ia64/include/asm/machvec.h
1006 --- linux-2.6.32.46/arch/ia64/include/asm/machvec.h 2011-03-27 14:31:47.000000000 -0400
1007 +++ linux-2.6.32.46/arch/ia64/include/asm/machvec.h 2011-04-17 15:56:45.000000000 -0400
1008 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
1009 /* DMA-mapping interface: */
1010 typedef void ia64_mv_dma_init (void);
1011 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
1012 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1013 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1014
1015 /*
1016 * WARNING: The legacy I/O space is _architected_. Platforms are
1017 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
1018 # endif /* CONFIG_IA64_GENERIC */
1019
1020 extern void swiotlb_dma_init(void);
1021 -extern struct dma_map_ops *dma_get_ops(struct device *);
1022 +extern const struct dma_map_ops *dma_get_ops(struct device *);
1023
1024 /*
1025 * Define default versions so we can extend machvec for new platforms without having
1026 diff -urNp linux-2.6.32.46/arch/ia64/include/asm/pgtable.h linux-2.6.32.46/arch/ia64/include/asm/pgtable.h
1027 --- linux-2.6.32.46/arch/ia64/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
1028 +++ linux-2.6.32.46/arch/ia64/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
1029 @@ -12,7 +12,7 @@
1030 * David Mosberger-Tang <davidm@hpl.hp.com>
1031 */
1032
1033 -
1034 +#include <linux/const.h>
1035 #include <asm/mman.h>
1036 #include <asm/page.h>
1037 #include <asm/processor.h>
1038 @@ -143,6 +143,17 @@
1039 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1040 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1041 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
1042 +
1043 +#ifdef CONFIG_PAX_PAGEEXEC
1044 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
1045 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1046 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1047 +#else
1048 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1049 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1050 +# define PAGE_COPY_NOEXEC PAGE_COPY
1051 +#endif
1052 +
1053 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
1054 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
1055 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
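Review bot: Under CONFIG_PAX_PAGEEXEC the added `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` expand to exactly the same bits as `PAGE_READONLY` and `PAGE_COPY` just above (`__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R`), so for those two names the `#ifdef` and `#else` branches are equivalent. If that is intentional because these access-rights values already exclude execute, a comment such as `/* _PAGE_AR_R and _PAGE_AR_RW carry no execute right, so the NOEXEC variants equal the plain ones */` would keep a reader from looking for a missing bit. `PAGE_SHARED` is defined outside the hunk, so whether `PAGE_SHARED_NOEXEC` differs from it cannot be checked here.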
1056 diff -urNp linux-2.6.32.46/arch/ia64/include/asm/spinlock.h linux-2.6.32.46/arch/ia64/include/asm/spinlock.h
1057 --- linux-2.6.32.46/arch/ia64/include/asm/spinlock.h 2011-03-27 14:31:47.000000000 -0400
1058 +++ linux-2.6.32.46/arch/ia64/include/asm/spinlock.h 2011-04-17 15:56:45.000000000 -0400
1059 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
1060 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
1061
1062 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
1063 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
1064 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
1065 }
1066
1067 static __always_inline void __ticket_spin_unlock_wait(raw_spinlock_t *lock)
1068 diff -urNp linux-2.6.32.46/arch/ia64/include/asm/uaccess.h linux-2.6.32.46/arch/ia64/include/asm/uaccess.h
1069 --- linux-2.6.32.46/arch/ia64/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
1070 +++ linux-2.6.32.46/arch/ia64/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
1071 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
1072 const void *__cu_from = (from); \
1073 long __cu_len = (n); \
1074 \
1075 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
1076 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1077 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
1078 __cu_len; \
1079 })
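Review bot: The new `__cu_len > 0 && __cu_len <= INT_MAX` guard in this macro, and the same guard in the macro of the next hunk, has no comment, and its purpose is not obvious from the expression. It rejects lengths that became negative or huge through a signed/unsigned conversion before `__access_ok()` sees them, and on rejection the macro evaluates to the unchanged `__cu_len`, that is, it reports that nothing was copied. I would say so above the `if`, e.g. `/* refuse negative or >INT_MAX lengths (sign-conversion bugs in callers); result is then the full length, as for an access_ok failure */`. In the copy-from-user variant the destination is left as it was on that path, the same as for the existing `__access_ok()` failure, which matters for callers that ignore the return value. Both macro bodies start outside their hunks.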
1080 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1081 long __cu_len = (n); \
1082 \
1083 __chk_user_ptr(__cu_from); \
1084 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
1085 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1086 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
1087 __cu_len; \
1088 })
1089 diff -urNp linux-2.6.32.46/arch/ia64/kernel/dma-mapping.c linux-2.6.32.46/arch/ia64/kernel/dma-mapping.c
1090 --- linux-2.6.32.46/arch/ia64/kernel/dma-mapping.c 2011-03-27 14:31:47.000000000 -0400
1091 +++ linux-2.6.32.46/arch/ia64/kernel/dma-mapping.c 2011-04-17 15:56:45.000000000 -0400
1092 @@ -3,7 +3,7 @@
1093 /* Set this to 1 if there is a HW IOMMU in the system */
1094 int iommu_detected __read_mostly;
1095
1096 -struct dma_map_ops *dma_ops;
1097 +const struct dma_map_ops *dma_ops;
1098 EXPORT_SYMBOL(dma_ops);
1099
1100 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1101 @@ -16,7 +16,7 @@ static int __init dma_init(void)
1102 }
1103 fs_initcall(dma_init);
1104
1105 -struct dma_map_ops *dma_get_ops(struct device *dev)
1106 +const struct dma_map_ops *dma_get_ops(struct device *dev)
1107 {
1108 return dma_ops;
1109 }
1110 diff -urNp linux-2.6.32.46/arch/ia64/kernel/module.c linux-2.6.32.46/arch/ia64/kernel/module.c
1111 --- linux-2.6.32.46/arch/ia64/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
1112 +++ linux-2.6.32.46/arch/ia64/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
1113 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1114 void
1115 module_free (struct module *mod, void *module_region)
1116 {
1117 - if (mod && mod->arch.init_unw_table &&
1118 - module_region == mod->module_init) {
1119 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1120 unw_remove_unwind_table(mod->arch.init_unw_table);
1121 mod->arch.init_unw_table = NULL;
1122 }
1123 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1124 }
1125
1126 static inline int
1127 +in_init_rx (const struct module *mod, uint64_t addr)
1128 +{
1129 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1130 +}
1131 +
1132 +static inline int
1133 +in_init_rw (const struct module *mod, uint64_t addr)
1134 +{
1135 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1136 +}
1137 +
1138 +static inline int
1139 in_init (const struct module *mod, uint64_t addr)
1140 {
1141 - return addr - (uint64_t) mod->module_init < mod->init_size;
1142 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1143 +}
1144 +
1145 +static inline int
1146 +in_core_rx (const struct module *mod, uint64_t addr)
1147 +{
1148 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1149 +}
1150 +
1151 +static inline int
1152 +in_core_rw (const struct module *mod, uint64_t addr)
1153 +{
1154 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1155 }
1156
1157 static inline int
1158 in_core (const struct module *mod, uint64_t addr)
1159 {
1160 - return addr - (uint64_t) mod->module_core < mod->core_size;
1161 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1162 }
1163
1164 static inline int
1165 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1166 break;
1167
1168 case RV_BDREL:
1169 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1170 + if (in_init_rx(mod, val))
1171 + val -= (uint64_t) mod->module_init_rx;
1172 + else if (in_init_rw(mod, val))
1173 + val -= (uint64_t) mod->module_init_rw;
1174 + else if (in_core_rx(mod, val))
1175 + val -= (uint64_t) mod->module_core_rx;
1176 + else if (in_core_rw(mod, val))
1177 + val -= (uint64_t) mod->module_core_rw;
1178 break;
1179
1180 case RV_LTV:
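Review bot: The new `if`/`else if` chain under `case RV_BDREL:` has no final `else`, so a `val` that lies in none of the four regions is passed on unchanged, whereas the removed line always subtracted a base (`module_core` whenever `in_init()` was false). That is a silent behaviour change for an out-of-range relocation target. I would end the chain with an `else` that reports the bad target and returns the error `do_reloc` already uses for an unusable relocation. The rest of `do_reloc`, including its error convention, is outside the hunk.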
1181 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1182 * addresses have been selected...
1183 */
1184 uint64_t gp;
1185 - if (mod->core_size > MAX_LTOFF)
1186 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1187 /*
1188 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1189 * at the end of the module.
1190 */
1191 - gp = mod->core_size - MAX_LTOFF / 2;
1192 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1193 else
1194 - gp = mod->core_size / 2;
1195 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1196 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1197 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1198 mod->arch.gp = gp;
1199 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1200 }
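Review bot: `gp` is now computed as an offset into the combined size `core_size_rx + core_size_rw` but is added to `module_core_rx` alone, which stays in range only if the rw region is placed directly after the rx region in one contiguous span. Nothing in this hunk shows that layout, and the existing comment about SHF_ARCH_SMALL being allocated at the end of the module was written for a single core region. I would either state the assumption in the comment, `/* assumes module_core_rw immediately follows module_core_rx */`, or check it before the assignment. The function body starts outside the hunk.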
1201 diff -urNp linux-2.6.32.46/arch/ia64/kernel/pci-dma.c linux-2.6.32.46/arch/ia64/kernel/pci-dma.c
1202 --- linux-2.6.32.46/arch/ia64/kernel/pci-dma.c 2011-03-27 14:31:47.000000000 -0400
1203 +++ linux-2.6.32.46/arch/ia64/kernel/pci-dma.c 2011-04-17 15:56:45.000000000 -0400
1204 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1205 .dma_mask = &fallback_dev.coherent_dma_mask,
1206 };
1207
1208 -extern struct dma_map_ops intel_dma_ops;
1209 +extern const struct dma_map_ops intel_dma_ops;
1210
1211 static int __init pci_iommu_init(void)
1212 {
1213 @@ -96,15 +96,34 @@ int iommu_dma_supported(struct device *d
1214 }
1215 EXPORT_SYMBOL(iommu_dma_supported);
1216
1217 +extern void *intel_alloc_coherent(struct device *hwdev, size_t size, dma_addr_t *dma_handle, gfp_t flags);
1218 +extern void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr, dma_addr_t dma_handle);
1219 +extern int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, struct dma_attrs *attrs);
1220 +extern void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, struct dma_attrs *attrs);
1221 +extern dma_addr_t intel_map_page(struct device *dev, struct page *page, unsigned long offset, size_t size, enum dma_data_direction dir, struct dma_attrs *attrs);
1222 +extern void intel_unmap_page(struct device *dev, dma_addr_t dev_addr, size_t size, enum dma_data_direction dir, struct dma_attrs *attrs);
1223 +extern int intel_mapping_error(struct device *dev, dma_addr_t dma_addr);
1224 +
1225 +static const struct dma_map_ops intel_iommu_dma_ops = {
1226 + /* from drivers/pci/intel-iommu.c:intel_dma_ops */
1227 + .alloc_coherent = intel_alloc_coherent,
1228 + .free_coherent = intel_free_coherent,
1229 + .map_sg = intel_map_sg,
1230 + .unmap_sg = intel_unmap_sg,
1231 + .map_page = intel_map_page,
1232 + .unmap_page = intel_unmap_page,
1233 + .mapping_error = intel_mapping_error,
1234 +
1235 + .sync_single_for_cpu = machvec_dma_sync_single,
1236 + .sync_sg_for_cpu = machvec_dma_sync_sg,
1237 + .sync_single_for_device = machvec_dma_sync_single,
1238 + .sync_sg_for_device = machvec_dma_sync_sg,
1239 + .dma_supported = iommu_dma_supported,
1240 +};
1241 +
1242 void __init pci_iommu_alloc(void)
1243 {
1244 - dma_ops = &intel_dma_ops;
1245 -
1246 - dma_ops->sync_single_for_cpu = machvec_dma_sync_single;
1247 - dma_ops->sync_sg_for_cpu = machvec_dma_sync_sg;
1248 - dma_ops->sync_single_for_device = machvec_dma_sync_single;
1249 - dma_ops->sync_sg_for_device = machvec_dma_sync_sg;
1250 - dma_ops->dma_supported = iommu_dma_supported;
1251 + dma_ops = &intel_iommu_dma_ops;
1252
1253 /*
1254 * The order of these functions is important for
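Review bot: `intel_iommu_dma_ops` is a hand-made copy of `intel_dma_ops` from drivers/pci/intel-iommu.c, with the seven `intel_*` callbacks redeclared through `extern` prototypes in this .c file. A prototype that drifts from the real definition would not be diagnosed by the compiler, and a callback later added to `intel_dma_ops` would be missing here without any error. I would move the prototypes into a header that drivers/pci/intel-iommu.c also includes and extend the table comment to `/* keep in sync with drivers/pci/intel-iommu.c:intel_dma_ops; only the sync_* and dma_supported entries differ */`. The `extern const struct dma_map_ops intel_dma_ops;` declaration kept by the previous hunk looks unused in the lines shown and could go if nothing else in the file refers to it.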
1255 diff -urNp linux-2.6.32.46/arch/ia64/kernel/pci-swiotlb.c linux-2.6.32.46/arch/ia64/kernel/pci-swiotlb.c
1256 --- linux-2.6.32.46/arch/ia64/kernel/pci-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
1257 +++ linux-2.6.32.46/arch/ia64/kernel/pci-swiotlb.c 2011-04-17 15:56:45.000000000 -0400
1258 @@ -21,7 +21,7 @@ static void *ia64_swiotlb_alloc_coherent
1259 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1260 }
1261
1262 -struct dma_map_ops swiotlb_dma_ops = {
1263 +const struct dma_map_ops swiotlb_dma_ops = {
1264 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1265 .free_coherent = swiotlb_free_coherent,
1266 .map_page = swiotlb_map_page,
1267 diff -urNp linux-2.6.32.46/arch/ia64/kernel/sys_ia64.c linux-2.6.32.46/arch/ia64/kernel/sys_ia64.c
1268 --- linux-2.6.32.46/arch/ia64/kernel/sys_ia64.c 2011-03-27 14:31:47.000000000 -0400
1269 +++ linux-2.6.32.46/arch/ia64/kernel/sys_ia64.c 2011-04-17 15:56:45.000000000 -0400
1270 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1271 if (REGION_NUMBER(addr) == RGN_HPAGE)
1272 addr = 0;
1273 #endif
1274 +
1275 +#ifdef CONFIG_PAX_RANDMMAP
1276 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1277 + addr = mm->free_area_cache;
1278 + else
1279 +#endif
1280 +
1281 if (!addr)
1282 addr = mm->free_area_cache;
1283
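Review bot: The added block ends in a bare `else` just before `#endif`, so the following `if (!addr)` becomes its else-branch only when CONFIG_PAX_RANDMMAP is set, and the blank line in between hides that. Any statement later inserted between `#endif` and `if (!addr)` would change the meaning in one configuration only. The same result is reached without the dangling `else` by writing the body as `if (mm->pax_flags & MF_PAX_RANDMMAP) addr = 0;` and letting the existing `if (!addr) addr = mm->free_area_cache;` run in both configurations. The function starts and ends outside the hunk.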
1284 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1285 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1286 /* At this point: (!vma || addr < vma->vm_end). */
1287 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1288 - if (start_addr != TASK_UNMAPPED_BASE) {
1289 + if (start_addr != mm->mmap_base) {
1290 /* Start a new search --- just in case we missed some holes. */
1291 - addr = TASK_UNMAPPED_BASE;
1292 + addr = mm->mmap_base;
1293 goto full_search;
1294 }
1295 return -ENOMEM;
1296 }
1297 - if (!vma || addr + len <= vma->vm_start) {
1298 + if (check_heap_stack_gap(vma, addr, len)) {
1299 /* Remember the address where we stopped this search: */
1300 mm->free_area_cache = addr + len;
1301 return addr;
1302 diff -urNp linux-2.6.32.46/arch/ia64/kernel/topology.c linux-2.6.32.46/arch/ia64/kernel/topology.c
1303 --- linux-2.6.32.46/arch/ia64/kernel/topology.c 2011-03-27 14:31:47.000000000 -0400
1304 +++ linux-2.6.32.46/arch/ia64/kernel/topology.c 2011-04-17 15:56:45.000000000 -0400
1305 @@ -282,7 +282,7 @@ static ssize_t cache_show(struct kobject
1306 return ret;
1307 }
1308
1309 -static struct sysfs_ops cache_sysfs_ops = {
1310 +static const struct sysfs_ops cache_sysfs_ops = {
1311 .show = cache_show
1312 };
1313
1314 diff -urNp linux-2.6.32.46/arch/ia64/kernel/vmlinux.lds.S linux-2.6.32.46/arch/ia64/kernel/vmlinux.lds.S
1315 --- linux-2.6.32.46/arch/ia64/kernel/vmlinux.lds.S 2011-03-27 14:31:47.000000000 -0400
1316 +++ linux-2.6.32.46/arch/ia64/kernel/vmlinux.lds.S 2011-04-17 15:56:45.000000000 -0400
1317 @@ -190,7 +190,7 @@ SECTIONS
1318 /* Per-cpu data: */
1319 . = ALIGN(PERCPU_PAGE_SIZE);
1320 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1321 - __phys_per_cpu_start = __per_cpu_load;
1322 + __phys_per_cpu_start = per_cpu_load;
1323 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1324 * into percpu page size
1325 */
1326 diff -urNp linux-2.6.32.46/arch/ia64/mm/fault.c linux-2.6.32.46/arch/ia64/mm/fault.c
1327 --- linux-2.6.32.46/arch/ia64/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
1328 +++ linux-2.6.32.46/arch/ia64/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
1329 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1330 return pte_present(pte);
1331 }
1332
1333 +#ifdef CONFIG_PAX_PAGEEXEC
1334 +void pax_report_insns(void *pc, void *sp)
1335 +{
1336 + unsigned long i;
1337 +
1338 + printk(KERN_ERR "PAX: bytes at PC: ");
1339 + for (i = 0; i < 8; i++) {
1340 + unsigned int c;
1341 + if (get_user(c, (unsigned int *)pc+i))
1342 + printk(KERN_CONT "???????? ");
1343 + else
1344 + printk(KERN_CONT "%08x ", c);
1345 + }
1346 + printk("\n");
1347 +}
1348 +#endif
1349 +
1350 void __kprobes
1351 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1352 {
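Review bot: In `pax_report_insns()` the user pointer handed to `get_user()` is cast as `(unsigned int *)pc+i` without `__user`, the closing `printk("\n")` carries no `KERN_CONT` although it continues the line started above, and the `sp` parameter is never used. I would write `get_user(c, (unsigned int __user *)pc + i)` and `printk(KERN_CONT "\n")`, and add a one-line comment that `sp` is accepted only to match the reporting hook's signature, if that is the reason. A short header comment saying that the function prints eight 32-bit words read from the faulting PC, with `????????` where the read fails, would also help.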
1353 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1354 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1355 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1356
1357 - if ((vma->vm_flags & mask) != mask)
1358 + if ((vma->vm_flags & mask) != mask) {
1359 +
1360 +#ifdef CONFIG_PAX_PAGEEXEC
1361 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1362 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1363 + goto bad_area;
1364 +
1365 + up_read(&mm->mmap_sem);
1366 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1367 + do_group_exit(SIGKILL);
1368 + }
1369 +#endif
1370 +
1371 goto bad_area;
1372
1373 + }
1374 +
1375 survive:
1376 /*
1377 * If for any reason at all we couldn't handle the fault, make
1378 diff -urNp linux-2.6.32.46/arch/ia64/mm/hugetlbpage.c linux-2.6.32.46/arch/ia64/mm/hugetlbpage.c
1379 --- linux-2.6.32.46/arch/ia64/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
1380 +++ linux-2.6.32.46/arch/ia64/mm/hugetlbpage.c 2011-04-17 15:56:45.000000000 -0400
1381 @@ -172,7 +172,7 @@ unsigned long hugetlb_get_unmapped_area(
1382 /* At this point: (!vmm || addr < vmm->vm_end). */
1383 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1384 return -ENOMEM;
1385 - if (!vmm || (addr + len) <= vmm->vm_start)
1386 + if (check_heap_stack_gap(vmm, addr, len))
1387 return addr;
1388 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1389 }
1390 diff -urNp linux-2.6.32.46/arch/ia64/mm/init.c linux-2.6.32.46/arch/ia64/mm/init.c
1391 --- linux-2.6.32.46/arch/ia64/mm/init.c 2011-03-27 14:31:47.000000000 -0400
1392 +++ linux-2.6.32.46/arch/ia64/mm/init.c 2011-04-17 15:56:45.000000000 -0400
1393 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1394 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1395 vma->vm_end = vma->vm_start + PAGE_SIZE;
1396 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1397 +
1398 +#ifdef CONFIG_PAX_PAGEEXEC
1399 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1400 + vma->vm_flags &= ~VM_EXEC;
1401 +
1402 +#ifdef CONFIG_PAX_MPROTECT
1403 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1404 + vma->vm_flags &= ~VM_MAYEXEC;
1405 +#endif
1406 +
1407 + }
1408 +#endif
1409 +
1410 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1411 down_write(&current->mm->mmap_sem);
1412 if (insert_vm_struct(current->mm, vma)) {
1413 diff -urNp linux-2.6.32.46/arch/ia64/sn/pci/pci_dma.c linux-2.6.32.46/arch/ia64/sn/pci/pci_dma.c
1414 --- linux-2.6.32.46/arch/ia64/sn/pci/pci_dma.c 2011-03-27 14:31:47.000000000 -0400
1415 +++ linux-2.6.32.46/arch/ia64/sn/pci/pci_dma.c 2011-04-17 15:56:45.000000000 -0400
1416 @@ -464,7 +464,7 @@ int sn_pci_legacy_write(struct pci_bus *
1417 return ret;
1418 }
1419
1420 -static struct dma_map_ops sn_dma_ops = {
1421 +static const struct dma_map_ops sn_dma_ops = {
1422 .alloc_coherent = sn_dma_alloc_coherent,
1423 .free_coherent = sn_dma_free_coherent,
1424 .map_page = sn_dma_map_page,
1425 diff -urNp linux-2.6.32.46/arch/m32r/lib/usercopy.c linux-2.6.32.46/arch/m32r/lib/usercopy.c
1426 --- linux-2.6.32.46/arch/m32r/lib/usercopy.c 2011-03-27 14:31:47.000000000 -0400
1427 +++ linux-2.6.32.46/arch/m32r/lib/usercopy.c 2011-04-17 15:56:45.000000000 -0400
1428 @@ -14,6 +14,9 @@
1429 unsigned long
1430 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1431 {
1432 + if ((long)n < 0)
1433 + return n;
1434 +
1435 prefetch(from);
1436 if (access_ok(VERIFY_WRITE, to, n))
1437 __copy_user(to,from,n);
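Review bot: `if ((long)n < 0) return n;` in `__generic_copy_to_user`, and again in `__generic_copy_from_user` in the next hunk, uses a cast to detect an over-large length, which reads like a mistake without a comment. I would add `/* length has the sign bit set: almost certainly a negative value converted to unsigned long; refuse it and report nothing copied */` above each check. In the copy-from-user case the early return leaves the destination buffer untouched. The rest of that function is outside the hunk, so whether its normal failure path clears the buffer, and whether the two paths should agree, needs checking there.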
1438 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1439 unsigned long
1440 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1441 {
1442 + if ((long)n < 0)
1443 + return n;
1444 +
1445 prefetchw(to);
1446 if (access_ok(VERIFY_READ, from, n))
1447 __copy_user_zeroing(to,from,n);
1448 diff -urNp linux-2.6.32.46/arch/mips/alchemy/devboards/pm.c linux-2.6.32.46/arch/mips/alchemy/devboards/pm.c
1449 --- linux-2.6.32.46/arch/mips/alchemy/devboards/pm.c 2011-03-27 14:31:47.000000000 -0400
1450 +++ linux-2.6.32.46/arch/mips/alchemy/devboards/pm.c 2011-04-17 15:56:45.000000000 -0400
1451 @@ -78,7 +78,7 @@ static void db1x_pm_end(void)
1452
1453 }
1454
1455 -static struct platform_suspend_ops db1x_pm_ops = {
1456 +static const struct platform_suspend_ops db1x_pm_ops = {
1457 .valid = suspend_valid_only_mem,
1458 .begin = db1x_pm_begin,
1459 .enter = db1x_pm_enter,
1460 diff -urNp linux-2.6.32.46/arch/mips/include/asm/elf.h linux-2.6.32.46/arch/mips/include/asm/elf.h
1461 --- linux-2.6.32.46/arch/mips/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
1462 +++ linux-2.6.32.46/arch/mips/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
1463 @@ -368,4 +368,11 @@ extern int dump_task_fpu(struct task_str
1464 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1465 #endif
1466
1467 +#ifdef CONFIG_PAX_ASLR
1468 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1469 +
1470 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1471 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1472 +#endif
1473 +
1474 #endif /* _ASM_ELF_H */
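Review bot: `PAX_ELF_ET_DYN_BASE` is written as `test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL`, and both arms are the same value, so the thread-flag test has no effect. Either the 64-bit arm was meant to be a different base, or the macro can simply be `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`. The same line is repeated in the arch/mips/kernel/binfmt_elfn32.c and binfmt_elfo32.c hunks below. Those files `#undef ELF_ET_DYN_BASE` before redefining it but redefine the `PAX_*` macros without an `#undef`, which, if this header is also included there, works only while all three copies stay token-identical.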
1475 diff -urNp linux-2.6.32.46/arch/mips/include/asm/page.h linux-2.6.32.46/arch/mips/include/asm/page.h
1476 --- linux-2.6.32.46/arch/mips/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
1477 +++ linux-2.6.32.46/arch/mips/include/asm/page.h 2011-04-17 15:56:45.000000000 -0400
1478 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1479 #ifdef CONFIG_CPU_MIPS32
1480 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1481 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1482 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1483 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1484 #else
1485 typedef struct { unsigned long long pte; } pte_t;
1486 #define pte_val(x) ((x).pte)
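Review bot: Dropping the `(unsigned long long)` cast leaves `(x) >> 32` in `__pte()`, which is undefined when `x` has a 32-bit type, and this is the CONFIG_CPU_MIPS32 branch where both `pte_t` members are `unsigned long`. The macro is now correct only if every caller passes a 64-bit expression. I would keep the cast, `pte_t __pte = {(x), ((unsigned long long)(x)) >> 32};`, or state the requirement in a comment next to the definition if the cast was removed on purpose.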
1487 diff -urNp linux-2.6.32.46/arch/mips/include/asm/reboot.h linux-2.6.32.46/arch/mips/include/asm/reboot.h
1488 --- linux-2.6.32.46/arch/mips/include/asm/reboot.h 2011-03-27 14:31:47.000000000 -0400
1489 +++ linux-2.6.32.46/arch/mips/include/asm/reboot.h 2011-08-21 17:35:02.000000000 -0400
1490 @@ -9,7 +9,7 @@
1491 #ifndef _ASM_REBOOT_H
1492 #define _ASM_REBOOT_H
1493
1494 -extern void (*_machine_restart)(char *command);
1495 -extern void (*_machine_halt)(void);
1496 +extern void (*__noreturn _machine_restart)(char *command);
1497 +extern void (*__noreturn _machine_halt)(void);
1498
1499 #endif /* _ASM_REBOOT_H */
1500 diff -urNp linux-2.6.32.46/arch/mips/include/asm/system.h linux-2.6.32.46/arch/mips/include/asm/system.h
1501 --- linux-2.6.32.46/arch/mips/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
1502 +++ linux-2.6.32.46/arch/mips/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
1503 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1504 */
1505 #define __ARCH_WANT_UNLOCKED_CTXSW
1506
1507 -extern unsigned long arch_align_stack(unsigned long sp);
1508 +#define arch_align_stack(x) ((x) & ~0xfUL)
1509
1510 #endif /* _ASM_SYSTEM_H */
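Review bot: Replacing the `arch_align_stack()` function with `#define arch_align_stack(x) ((x) & ~0xfUL)` is not conditional on any PaX option, so the sub-page stack offset applied by the function removed from arch/mips/kernel/process.c (`sp -= get_random_int() & ~PAGE_MASK`) is gone in every configuration, including builds where this patch's own stack randomization is disabled. If that is intended, the macro deserves a comment such as `/* alignment only; no randomization is applied here */`. The alignment note deleted with the old function (8 bytes for the 32-bit ABI, 16 bytes for the 64-bit ABI) should move here as well, since the mask is now fixed at 16 bytes.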
1511 diff -urNp linux-2.6.32.46/arch/mips/kernel/binfmt_elfn32.c linux-2.6.32.46/arch/mips/kernel/binfmt_elfn32.c
1512 --- linux-2.6.32.46/arch/mips/kernel/binfmt_elfn32.c 2011-03-27 14:31:47.000000000 -0400
1513 +++ linux-2.6.32.46/arch/mips/kernel/binfmt_elfn32.c 2011-04-17 15:56:45.000000000 -0400
1514 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1515 #undef ELF_ET_DYN_BASE
1516 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1517
1518 +#ifdef CONFIG_PAX_ASLR
1519 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1520 +
1521 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1522 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1523 +#endif
1524 +
1525 #include <asm/processor.h>
1526 #include <linux/module.h>
1527 #include <linux/elfcore.h>
1528 diff -urNp linux-2.6.32.46/arch/mips/kernel/binfmt_elfo32.c linux-2.6.32.46/arch/mips/kernel/binfmt_elfo32.c
1529 --- linux-2.6.32.46/arch/mips/kernel/binfmt_elfo32.c 2011-03-27 14:31:47.000000000 -0400
1530 +++ linux-2.6.32.46/arch/mips/kernel/binfmt_elfo32.c 2011-04-17 15:56:45.000000000 -0400
1531 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1532 #undef ELF_ET_DYN_BASE
1533 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1534
1535 +#ifdef CONFIG_PAX_ASLR
1536 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1537 +
1538 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1539 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1540 +#endif
1541 +
1542 #include <asm/processor.h>
1543
1544 /*
1545 diff -urNp linux-2.6.32.46/arch/mips/kernel/kgdb.c linux-2.6.32.46/arch/mips/kernel/kgdb.c
1546 --- linux-2.6.32.46/arch/mips/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
1547 +++ linux-2.6.32.46/arch/mips/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
1548 @@ -245,6 +245,7 @@ int kgdb_arch_handle_exception(int vecto
1549 return -1;
1550 }
1551
1552 +/* cannot be const */
1553 struct kgdb_arch arch_kgdb_ops;
1554
1555 /*
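Review bot: The added `/* cannot be const */` states the constraint without the reason, and the reason is what the next person constifying ops structures needs. If the structure is filled in at run time (the writer is not visible in this hunk), name it in the comment: `/* cannot be const: written by <function> at init */`.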
1556 diff -urNp linux-2.6.32.46/arch/mips/kernel/process.c linux-2.6.32.46/arch/mips/kernel/process.c
1557 --- linux-2.6.32.46/arch/mips/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
1558 +++ linux-2.6.32.46/arch/mips/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
1559 @@ -470,15 +470,3 @@ unsigned long get_wchan(struct task_stru
1560 out:
1561 return pc;
1562 }
1563 -
1564 -/*
1565 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1566 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1567 - */
1568 -unsigned long arch_align_stack(unsigned long sp)
1569 -{
1570 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1571 - sp -= get_random_int() & ~PAGE_MASK;
1572 -
1573 - return sp & ALMASK;
1574 -}
1575 diff -urNp linux-2.6.32.46/arch/mips/kernel/reset.c linux-2.6.32.46/arch/mips/kernel/reset.c
1576 --- linux-2.6.32.46/arch/mips/kernel/reset.c 2011-03-27 14:31:47.000000000 -0400
1577 +++ linux-2.6.32.46/arch/mips/kernel/reset.c 2011-08-21 17:35:26.000000000 -0400
1578 @@ -19,8 +19,8 @@
1579 * So handle all using function pointers to machine specific
1580 * functions.
1581 */
1582 -void (*_machine_restart)(char *command);
1583 -void (*_machine_halt)(void);
1584 +void (*__noreturn _machine_restart)(char *command);
1585 +void (*__noreturn _machine_halt)(void);
1586 void (*pm_power_off)(void);
1587
1588 EXPORT_SYMBOL(pm_power_off);
1589 @@ -29,16 +29,19 @@ void machine_restart(char *command)
1590 {
1591 if (_machine_restart)
1592 _machine_restart(command);
1593 + BUG();
1594 }
1595
1596 void machine_halt(void)
1597 {
1598 if (_machine_halt)
1599 _machine_halt();
1600 + BUG();
1601 }
1602
1603 void machine_power_off(void)
1604 {
1605 if (pm_power_off)
1606 pm_power_off();
1607 + BUG();
1608 }
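Review bot: `machine_power_off()` now ends in `BUG()` as well, but `pm_power_off` is the one pointer the first hunk leaves without `__noreturn`. A platform handler that returns after a failed power-off request therefore ends in a kernel BUG instead of a return to the caller. All three functions also reach `BUG()` when their pointer is NULL, a state the existing `if` guards suggest is expected on some platforms. If trapping is intended, say so at each site, e.g. `BUG(); /* handler missing or returned: never fall back to the caller */`; otherwise leave `machine_power_off()` returning. machine_restart's signature lies outside the hunk.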
1609 diff -urNp linux-2.6.32.46/arch/mips/kernel/syscall.c linux-2.6.32.46/arch/mips/kernel/syscall.c
1610 --- linux-2.6.32.46/arch/mips/kernel/syscall.c 2011-03-27 14:31:47.000000000 -0400
1611 +++ linux-2.6.32.46/arch/mips/kernel/syscall.c 2011-04-17 15:56:45.000000000 -0400
1612 @@ -102,17 +102,21 @@ unsigned long arch_get_unmapped_area(str
1613 do_color_align = 0;
1614 if (filp || (flags & MAP_SHARED))
1615 do_color_align = 1;
1616 +
1617 +#ifdef CONFIG_PAX_RANDMMAP
1618 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1619 +#endif
1620 +
1621 if (addr) {
1622 if (do_color_align)
1623 addr = COLOUR_ALIGN(addr, pgoff);
1624 else
1625 addr = PAGE_ALIGN(addr);
1626 vmm = find_vma(current->mm, addr);
1627 - if (task_size - len >= addr &&
1628 - (!vmm || addr + len <= vmm->vm_start))
1629 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1630 return addr;
1631 }
1632 - addr = TASK_UNMAPPED_BASE;
1633 + addr = current->mm->mmap_base;
1634 if (do_color_align)
1635 addr = COLOUR_ALIGN(addr, pgoff);
1636 else
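Review bot: The brace-less `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` inside the `#ifdef` governs the `if (addr) {` block that follows across the `#endif` and a blank line. The dependency is easy to miss when reading either configuration on its own, and any statement later inserted between the two silently becomes the guarded one. A comment on the guard would make the intent explicit, e.g. `/* PaX: under RANDMMAP the caller's address hint below is skipped */`, and dropping the blank line added after `#endif` keeps the two statements visibly together. arch_get_unmapped_area starts above this hunk and continues past it.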
1637 @@ -122,7 +126,7 @@ unsigned long arch_get_unmapped_area(str
1638 /* At this point: (!vmm || addr < vmm->vm_end). */
1639 if (task_size - len < addr)
1640 return -ENOMEM;
1641 - if (!vmm || addr + len <= vmm->vm_start)
1642 + if (check_heap_stack_gap(vmm, addr, len))
1643 return addr;
1644 addr = vmm->vm_end;
1645 if (do_color_align)
1646 diff -urNp linux-2.6.32.46/arch/mips/Makefile linux-2.6.32.46/arch/mips/Makefile
1647 --- linux-2.6.32.46/arch/mips/Makefile 2011-03-27 14:31:47.000000000 -0400
1648 +++ linux-2.6.32.46/arch/mips/Makefile 2011-08-21 19:26:52.000000000 -0400
1649 @@ -51,6 +51,8 @@ endif
1650 cflags-y := -ffunction-sections
1651 cflags-y += $(call cc-option, -mno-check-zero-division)
1652
1653 +cflags-y += -Wno-sign-compare -Wno-extra
1654 +
1655 ifdef CONFIG_32BIT
1656 ld-emul = $(32bit-emul)
1657 vmlinux-32 = vmlinux
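Review bot: `-Wno-sign-compare -Wno-extra` is appended to `cflags-y` with no comment, so for everything built with these flags the signed/unsigned comparison warnings are silenced, a class that often points at faulty length and bounds checks. If the warnings come from a few objects, scoping the suppression per object with `CFLAGS_<file>.o += -Wno-sign-compare` keeps them visible elsewhere. At the least add a line above it recording the reason, e.g. `# <why these warnings are disabled for MIPS>`.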
1658 diff -urNp linux-2.6.32.46/arch/mips/mm/fault.c linux-2.6.32.46/arch/mips/mm/fault.c
1659 --- linux-2.6.32.46/arch/mips/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
1660 +++ linux-2.6.32.46/arch/mips/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
1661 @@ -26,6 +26,23 @@
1662 #include <asm/ptrace.h>
1663 #include <asm/highmem.h> /* For VMALLOC_END */
1664
1665 +#ifdef CONFIG_PAX_PAGEEXEC
1666 +void pax_report_insns(void *pc, void *sp)
1667 +{
1668 + unsigned long i;
1669 +
1670 + printk(KERN_ERR "PAX: bytes at PC: ");
1671 + for (i = 0; i < 5; i++) {
1672 + unsigned int c;
1673 + if (get_user(c, (unsigned int *)pc+i))
1674 + printk(KERN_CONT "???????? ");
1675 + else
1676 + printk(KERN_CONT "%08x ", c);
1677 + }
1678 + printk("\n");
1679 +}
1680 +#endif
1681 +
1682 /*
1683 * This routine handles page faults. It determines the address,
1684 * and the problem, and then passes it off to one of the appropriate
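Review bot: `pax_report_insns()` passes `(unsigned int *)pc+i` to `get_user()` without the `__user` address-space annotation, so sparse cannot confirm that the pointer is treated as a user address; `get_user(c, (unsigned int __user *)pc + i)` keeps that check. The `sp` parameter is never read and the word count `5` is a bare literal. A short header comment saying that the function logs five 32-bit words starting at the faulting PC and prints `????????` for words it cannot read would cover both. The copy of this function added to arch/parisc/mm/fault.c has the same form.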
1685 diff -urNp linux-2.6.32.46/arch/parisc/include/asm/elf.h linux-2.6.32.46/arch/parisc/include/asm/elf.h
1686 --- linux-2.6.32.46/arch/parisc/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
1687 +++ linux-2.6.32.46/arch/parisc/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
1688 @@ -343,6 +343,13 @@ struct pt_regs; /* forward declaration..
1689
1690 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1691
1692 +#ifdef CONFIG_PAX_ASLR
1693 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1694 +
1695 +#define PAX_DELTA_MMAP_LEN 16
1696 +#define PAX_DELTA_STACK_LEN 16
1697 +#endif
1698 +
1699 /* This yields a mask that user programs can use to figure out what
1700 instruction set this CPU supports. This could be done in user space,
1701 but it's not easy, and we've already done it here. */
1702 diff -urNp linux-2.6.32.46/arch/parisc/include/asm/pgtable.h linux-2.6.32.46/arch/parisc/include/asm/pgtable.h
1703 --- linux-2.6.32.46/arch/parisc/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
1704 +++ linux-2.6.32.46/arch/parisc/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
1705 @@ -207,6 +207,17 @@
1706 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1707 #define PAGE_COPY PAGE_EXECREAD
1708 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1709 +
1710 +#ifdef CONFIG_PAX_PAGEEXEC
1711 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1712 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1713 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1714 +#else
1715 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1716 +# define PAGE_COPY_NOEXEC PAGE_COPY
1717 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1718 +#endif
1719 +
1720 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1721 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1722 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1723 diff -urNp linux-2.6.32.46/arch/parisc/kernel/module.c linux-2.6.32.46/arch/parisc/kernel/module.c
1724 --- linux-2.6.32.46/arch/parisc/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
1725 +++ linux-2.6.32.46/arch/parisc/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
1726 @@ -95,16 +95,38 @@
1727
1728 /* three functions to determine where in the module core
1729 * or init pieces the location is */
1730 +static inline int in_init_rx(struct module *me, void *loc)
1731 +{
1732 + return (loc >= me->module_init_rx &&
1733 + loc < (me->module_init_rx + me->init_size_rx));
1734 +}
1735 +
1736 +static inline int in_init_rw(struct module *me, void *loc)
1737 +{
1738 + return (loc >= me->module_init_rw &&
1739 + loc < (me->module_init_rw + me->init_size_rw));
1740 +}
1741 +
1742 static inline int in_init(struct module *me, void *loc)
1743 {
1744 - return (loc >= me->module_init &&
1745 - loc <= (me->module_init + me->init_size));
1746 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1747 +}
1748 +
1749 +static inline int in_core_rx(struct module *me, void *loc)
1750 +{
1751 + return (loc >= me->module_core_rx &&
1752 + loc < (me->module_core_rx + me->core_size_rx));
1753 +}
1754 +
1755 +static inline int in_core_rw(struct module *me, void *loc)
1756 +{
1757 + return (loc >= me->module_core_rw &&
1758 + loc < (me->module_core_rw + me->core_size_rw));
1759 }
1760
1761 static inline int in_core(struct module *me, void *loc)
1762 {
1763 - return (loc >= me->module_core &&
1764 - loc <= (me->module_core + me->core_size));
1765 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1766 }
1767
1768 static inline int in_local(struct module *me, void *loc)
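Review bot: The context comment still reads `three functions to determine where in the module core or init pieces the location is`, but after this hunk it heads seven helpers, four of them new. The new range tests also use an exclusive upper bound (`<`) where the removed ones used `<=`; that looks like the correct half-open interval, but it changes the answer for a location exactly at the end of a region and deserves a mention. Suggested replacement: `/* helpers to determine which module region (init/core, rx/rw) holds loc; each range is [base, base + size) */`. in_local's body lies outside the hunk.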
1769 @@ -364,13 +386,13 @@ int module_frob_arch_sections(CONST Elf_
1770 }
1771
1772 /* align things a bit */
1773 - me->core_size = ALIGN(me->core_size, 16);
1774 - me->arch.got_offset = me->core_size;
1775 - me->core_size += gots * sizeof(struct got_entry);
1776 -
1777 - me->core_size = ALIGN(me->core_size, 16);
1778 - me->arch.fdesc_offset = me->core_size;
1779 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1780 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1781 + me->arch.got_offset = me->core_size_rw;
1782 + me->core_size_rw += gots * sizeof(struct got_entry);
1783 +
1784 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1785 + me->arch.fdesc_offset = me->core_size_rw;
1786 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1787
1788 me->arch.got_max = gots;
1789 me->arch.fdesc_max = fdescs;
1790 @@ -388,7 +410,7 @@ static Elf64_Word get_got(struct module
1791
1792 BUG_ON(value == 0);
1793
1794 - got = me->module_core + me->arch.got_offset;
1795 + got = me->module_core_rw + me->arch.got_offset;
1796 for (i = 0; got[i].addr; i++)
1797 if (got[i].addr == value)
1798 goto out;
1799 @@ -406,7 +428,7 @@ static Elf64_Word get_got(struct module
1800 #ifdef CONFIG_64BIT
1801 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1802 {
1803 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1804 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1805
1806 if (!value) {
1807 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1808 @@ -424,7 +446,7 @@ static Elf_Addr get_fdesc(struct module
1809
1810 /* Create new one */
1811 fdesc->addr = value;
1812 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1813 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1814 return (Elf_Addr)fdesc;
1815 }
1816 #endif /* CONFIG_64BIT */
1817 @@ -848,7 +870,7 @@ register_unwind_table(struct module *me,
1818
1819 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1820 end = table + sechdrs[me->arch.unwind_section].sh_size;
1821 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1822 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1823
1824 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1825 me->arch.unwind_section, table, end, gp);
1826 diff -urNp linux-2.6.32.46/arch/parisc/kernel/sys_parisc.c linux-2.6.32.46/arch/parisc/kernel/sys_parisc.c
1827 --- linux-2.6.32.46/arch/parisc/kernel/sys_parisc.c 2011-03-27 14:31:47.000000000 -0400
1828 +++ linux-2.6.32.46/arch/parisc/kernel/sys_parisc.c 2011-04-17 15:56:45.000000000 -0400
1829 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1830 /* At this point: (!vma || addr < vma->vm_end). */
1831 if (TASK_SIZE - len < addr)
1832 return -ENOMEM;
1833 - if (!vma || addr + len <= vma->vm_start)
1834 + if (check_heap_stack_gap(vma, addr, len))
1835 return addr;
1836 addr = vma->vm_end;
1837 }
1838 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1839 /* At this point: (!vma || addr < vma->vm_end). */
1840 if (TASK_SIZE - len < addr)
1841 return -ENOMEM;
1842 - if (!vma || addr + len <= vma->vm_start)
1843 + if (check_heap_stack_gap(vma, addr, len))
1844 return addr;
1845 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1846 if (addr < vma->vm_end) /* handle wraparound */
1847 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1848 if (flags & MAP_FIXED)
1849 return addr;
1850 if (!addr)
1851 - addr = TASK_UNMAPPED_BASE;
1852 + addr = current->mm->mmap_base;
1853
1854 if (filp) {
1855 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1856 diff -urNp linux-2.6.32.46/arch/parisc/kernel/traps.c linux-2.6.32.46/arch/parisc/kernel/traps.c
1857 --- linux-2.6.32.46/arch/parisc/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
1858 +++ linux-2.6.32.46/arch/parisc/kernel/traps.c 2011-04-17 15:56:45.000000000 -0400
1859 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1860
1861 down_read(&current->mm->mmap_sem);
1862 vma = find_vma(current->mm,regs->iaoq[0]);
1863 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1864 - && (vma->vm_flags & VM_EXEC)) {
1865 -
1866 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1867 fault_address = regs->iaoq[0];
1868 fault_space = regs->iasq[0];
1869
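Review bot: The `VM_EXEC` test is dropped from this condition unconditionally rather than under `CONFIG_PAX_PAGEEXEC`, so an instruction-address fault in any mapped vma takes this branch on every build. Presumably this is what lets the fetch-fault handling added in arch/parisc/mm/fault.c see faults on non-executable mappings, but nothing here records that. A comment such as `/* no VM_EXEC test: non-executable fetches are judged in the page fault path */` would state the intent. The body of the `if` lies outside the hunk, so whether the non-PaX path still needs the old test cannot be judged from here.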
1870 diff -urNp linux-2.6.32.46/arch/parisc/mm/fault.c linux-2.6.32.46/arch/parisc/mm/fault.c
1871 --- linux-2.6.32.46/arch/parisc/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
1872 +++ linux-2.6.32.46/arch/parisc/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
1873 @@ -15,6 +15,7 @@
1874 #include <linux/sched.h>
1875 #include <linux/interrupt.h>
1876 #include <linux/module.h>
1877 +#include <linux/unistd.h>
1878
1879 #include <asm/uaccess.h>
1880 #include <asm/traps.h>
1881 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1882 static unsigned long
1883 parisc_acctyp(unsigned long code, unsigned int inst)
1884 {
1885 - if (code == 6 || code == 16)
1886 + if (code == 6 || code == 7 || code == 16)
1887 return VM_EXEC;
1888
1889 switch (inst & 0xf0000000) {
1890 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1891 }
1892 #endif
1893
1894 +#ifdef CONFIG_PAX_PAGEEXEC
1895 +/*
1896 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1897 + *
1898 + * returns 1 when task should be killed
1899 + * 2 when rt_sigreturn trampoline was detected
1900 + * 3 when unpatched PLT trampoline was detected
1901 + */
1902 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1903 +{
1904 +
1905 +#ifdef CONFIG_PAX_EMUPLT
1906 + int err;
1907 +
1908 + do { /* PaX: unpatched PLT emulation */
1909 + unsigned int bl, depwi;
1910 +
1911 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1912 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1913 +
1914 + if (err)
1915 + break;
1916 +
1917 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1918 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1919 +
1920 + err = get_user(ldw, (unsigned int *)addr);
1921 + err |= get_user(bv, (unsigned int *)(addr+4));
1922 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1923 +
1924 + if (err)
1925 + break;
1926 +
1927 + if (ldw == 0x0E801096U &&
1928 + bv == 0xEAC0C000U &&
1929 + ldw2 == 0x0E881095U)
1930 + {
1931 + unsigned int resolver, map;
1932 +
1933 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1934 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1935 + if (err)
1936 + break;
1937 +
1938 + regs->gr[20] = instruction_pointer(regs)+8;
1939 + regs->gr[21] = map;
1940 + regs->gr[22] = resolver;
1941 + regs->iaoq[0] = resolver | 3UL;
1942 + regs->iaoq[1] = regs->iaoq[0] + 4;
1943 + return 3;
1944 + }
1945 + }
1946 + } while (0);
1947 +#endif
1948 +
1949 +#ifdef CONFIG_PAX_EMUTRAMP
1950 +
1951 +#ifndef CONFIG_PAX_EMUSIGRT
1952 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1953 + return 1;
1954 +#endif
1955 +
1956 + do { /* PaX: rt_sigreturn emulation */
1957 + unsigned int ldi1, ldi2, bel, nop;
1958 +
1959 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1960 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1961 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1962 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1963 +
1964 + if (err)
1965 + break;
1966 +
1967 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1968 + ldi2 == 0x3414015AU &&
1969 + bel == 0xE4008200U &&
1970 + nop == 0x08000240U)
1971 + {
1972 + regs->gr[25] = (ldi1 & 2) >> 1;
1973 + regs->gr[20] = __NR_rt_sigreturn;
1974 + regs->gr[31] = regs->iaoq[1] + 16;
1975 + regs->sr[0] = regs->iasq[1];
1976 + regs->iaoq[0] = 0x100UL;
1977 + regs->iaoq[1] = regs->iaoq[0] + 4;
1978 + regs->iasq[0] = regs->sr[2];
1979 + regs->iasq[1] = regs->sr[2];
1980 + return 2;
1981 + }
1982 + } while (0);
1983 +#endif
1984 +
1985 + return 1;
1986 +}
1987 +
1988 +void pax_report_insns(void *pc, void *sp)
1989 +{
1990 + unsigned long i;
1991 +
1992 + printk(KERN_ERR "PAX: bytes at PC: ");
1993 + for (i = 0; i < 5; i++) {
1994 + unsigned int c;
1995 + if (get_user(c, (unsigned int *)pc+i))
1996 + printk(KERN_CONT "???????? ");
1997 + else
1998 + printk(KERN_CONT "%08x ", c);
1999 + }
2000 + printk("\n");
2001 +}
2002 +#endif
2003 +
2004 int fixup_exception(struct pt_regs *regs)
2005 {
2006 const struct exception_table_entry *fix;
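Review bot: `int err;` is declared inside `#ifdef CONFIG_PAX_EMUPLT`, yet the `CONFIG_PAX_EMUTRAMP` block further down assigns and tests `err` as well, so a configuration with EMUTRAMP but without EMUPLT would not compile unless Kconfig (not visible here) ties the two together. Guarding the declaration with `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)` removes that dependency. In the PLT branch `addr` is an `unsigned int` holding `instruction_pointer(regs)-12` and is then cast to a pointer, which would truncate on a 64-bit kernel if instruction_pointer() yields an `unsigned long`; declaring it `unsigned long addr` avoids that. The instruction-word constants in both branches would also benefit from a comment naming the instruction sequence each group is meant to match, since an over-broad match here decides whether a fetch from a non-executable page is emulated rather than killed.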
2007 @@ -192,8 +303,33 @@ good_area:
2008
2009 acc_type = parisc_acctyp(code,regs->iir);
2010
2011 - if ((vma->vm_flags & acc_type) != acc_type)
2012 + if ((vma->vm_flags & acc_type) != acc_type) {
2013 +
2014 +#ifdef CONFIG_PAX_PAGEEXEC
2015 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
2016 + (address & ~3UL) == instruction_pointer(regs))
2017 + {
2018 + up_read(&mm->mmap_sem);
2019 + switch (pax_handle_fetch_fault(regs)) {
2020 +
2021 +#ifdef CONFIG_PAX_EMUPLT
2022 + case 3:
2023 + return;
2024 +#endif
2025 +
2026 +#ifdef CONFIG_PAX_EMUTRAMP
2027 + case 2:
2028 + return;
2029 +#endif
2030 +
2031 + }
2032 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
2033 + do_group_exit(SIGKILL);
2034 + }
2035 +#endif
2036 +
2037 goto bad_area;
2038 + }
2039
2040 /*
2041 * If for any reason at all we couldn't handle the fault, make
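Review bot: The `switch (pax_handle_fetch_fault(regs))` has no `case 1:` or `default:` label, so the kill path is reached only by falling out of the switch, and with both `CONFIG_PAX_EMUPLT` and `CONFIG_PAX_EMUTRAMP` disabled the switch body is empty. The values 1, 2 and 3 are bare literals shared between pax_handle_fetch_fault() and this switch; named constants, or at least `default: break; /* 1: kill the task */`, would make the security decision readable at the call site. The enclosing function starts and ends outside the hunk.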
2042 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/device.h linux-2.6.32.46/arch/powerpc/include/asm/device.h
2043 --- linux-2.6.32.46/arch/powerpc/include/asm/device.h 2011-03-27 14:31:47.000000000 -0400
2044 +++ linux-2.6.32.46/arch/powerpc/include/asm/device.h 2011-04-17 15:56:45.000000000 -0400
2045 @@ -14,7 +14,7 @@ struct dev_archdata {
2046 struct device_node *of_node;
2047
2048 /* DMA operations on that device */
2049 - struct dma_map_ops *dma_ops;
2050 + const struct dma_map_ops *dma_ops;
2051
2052 /*
2053 * When an iommu is in use, dma_data is used as a ptr to the base of the
2054 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/dma-mapping.h linux-2.6.32.46/arch/powerpc/include/asm/dma-mapping.h
2055 --- linux-2.6.32.46/arch/powerpc/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
2056 +++ linux-2.6.32.46/arch/powerpc/include/asm/dma-mapping.h 2011-04-17 15:56:45.000000000 -0400
2057 @@ -69,9 +69,9 @@ static inline unsigned long device_to_ma
2058 #ifdef CONFIG_PPC64
2059 extern struct dma_map_ops dma_iommu_ops;
2060 #endif
2061 -extern struct dma_map_ops dma_direct_ops;
2062 +extern const struct dma_map_ops dma_direct_ops;
2063
2064 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2065 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2066 {
2067 /* We don't handle the NULL dev case for ISA for now. We could
2068 * do it via an out of line call but it is not needed for now. The
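Review bot: `dma_direct_ops` becomes `const` here while the `dma_iommu_ops` declaration just above it, under `CONFIG_PPC64`, stays `extern struct dma_map_ops`, so that ops table presumably remains writable. If that is deliberate (for example because the table is modified at run time, which is not visible here), a comment on the declaration should say so, in the style of the `/* cannot be const */` note this patch adds in arch/mips/kernel/kgdb.c. Otherwise the line should read `extern const struct dma_map_ops dma_iommu_ops;` and match its definition. get_dma_ops()'s body continues outside the hunk.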
2069 @@ -84,7 +84,7 @@ static inline struct dma_map_ops *get_dm
2070 return dev->archdata.dma_ops;
2071 }
2072
2073 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2074 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2075 {
2076 dev->archdata.dma_ops = ops;
2077 }
2078 @@ -118,7 +118,7 @@ static inline void set_dma_offset(struct
2079
2080 static inline int dma_supported(struct device *dev, u64 mask)
2081 {
2082 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2083 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2084
2085 if (unlikely(dma_ops == NULL))
2086 return 0;
2087 @@ -132,7 +132,7 @@ static inline int dma_supported(struct d
2088
2089 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
2090 {
2091 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2092 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2093
2094 if (unlikely(dma_ops == NULL))
2095 return -EIO;
2096 @@ -147,7 +147,7 @@ static inline int dma_set_mask(struct de
2097 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2098 dma_addr_t *dma_handle, gfp_t flag)
2099 {
2100 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2101 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2102 void *cpu_addr;
2103
2104 BUG_ON(!dma_ops);
2105 @@ -162,7 +162,7 @@ static inline void *dma_alloc_coherent(s
2106 static inline void dma_free_coherent(struct device *dev, size_t size,
2107 void *cpu_addr, dma_addr_t dma_handle)
2108 {
2109 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2110 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2111
2112 BUG_ON(!dma_ops);
2113
2114 @@ -173,7 +173,7 @@ static inline void dma_free_coherent(str
2115
2116 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2117 {
2118 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2119 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2120
2121 if (dma_ops->mapping_error)
2122 return dma_ops->mapping_error(dev, dma_addr);
2123 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/elf.h linux-2.6.32.46/arch/powerpc/include/asm/elf.h
2124 --- linux-2.6.32.46/arch/powerpc/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
2125 +++ linux-2.6.32.46/arch/powerpc/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
2126 @@ -179,8 +179,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2127 the loader. We need to make sure that it is out of the way of the program
2128 that it will "exec", and that there is sufficient room for the brk. */
2129
2130 -extern unsigned long randomize_et_dyn(unsigned long base);
2131 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2132 +#define ELF_ET_DYN_BASE (0x20000000)
2133 +
2134 +#ifdef CONFIG_PAX_ASLR
2135 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2136 +
2137 +#ifdef __powerpc64__
2138 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2139 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2140 +#else
2141 +#define PAX_DELTA_MMAP_LEN 15
2142 +#define PAX_DELTA_STACK_LEN 15
2143 +#endif
2144 +#endif
2145
2146 /*
2147 * Our registers are always unsigned longs, whether we're a 32 bit
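Review bot: `ELF_ET_DYN_BASE` changes from `randomize_et_dyn(0x20000000)` to the constant `(0x20000000)` outside the `#ifdef CONFIG_PAX_ASLR` block, so a kernel built from this tree without `CONFIG_PAX_ASLR` gets a fixed ET_DYN base where the unpatched header asked for a randomised one. The second hunk of this file removes the `arch_randomize_brk` hook in the same unconditional way. If PaX's own randomisation is meant to replace both, a comment should say so, e.g. `/* randomisation is applied via PAX_ELF_ET_DYN_BASE / PAX_DELTA_* when CONFIG_PAX_ASLR is set */`, and the non-PaX configuration should be checked for the regression. Whether the removed functions survive elsewhere in the patch is not visible here.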
2148 @@ -275,9 +286,6 @@ extern int arch_setup_additional_pages(s
2149 (0x7ff >> (PAGE_SHIFT - 12)) : \
2150 (0x3ffff >> (PAGE_SHIFT - 12)))
2151
2152 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2153 -#define arch_randomize_brk arch_randomize_brk
2154 -
2155 #endif /* __KERNEL__ */
2156
2157 /*
2158 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/iommu.h linux-2.6.32.46/arch/powerpc/include/asm/iommu.h
2159 --- linux-2.6.32.46/arch/powerpc/include/asm/iommu.h 2011-03-27 14:31:47.000000000 -0400
2160 +++ linux-2.6.32.46/arch/powerpc/include/asm/iommu.h 2011-04-17 15:56:45.000000000 -0400
2161 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2162 extern void iommu_init_early_dart(void);
2163 extern void iommu_init_early_pasemi(void);
2164
2165 +/* dma-iommu.c */
2166 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2167 +
2168 #ifdef CONFIG_PCI
2169 extern void pci_iommu_init(void);
2170 extern void pci_direct_iommu_init(void);
2171 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/kmap_types.h linux-2.6.32.46/arch/powerpc/include/asm/kmap_types.h
2172 --- linux-2.6.32.46/arch/powerpc/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
2173 +++ linux-2.6.32.46/arch/powerpc/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
2174 @@ -26,6 +26,7 @@ enum km_type {
2175 KM_SOFTIRQ1,
2176 KM_PPC_SYNC_PAGE,
2177 KM_PPC_SYNC_ICACHE,
2178 + KM_CLEARPAGE,
2179 KM_TYPE_NR
2180 };
2181
2182 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/page_64.h linux-2.6.32.46/arch/powerpc/include/asm/page_64.h
2183 --- linux-2.6.32.46/arch/powerpc/include/asm/page_64.h 2011-03-27 14:31:47.000000000 -0400
2184 +++ linux-2.6.32.46/arch/powerpc/include/asm/page_64.h 2011-04-17 15:56:45.000000000 -0400
2185 @@ -180,15 +180,18 @@ do { \
2186 * stack by default, so in the absense of a PT_GNU_STACK program header
2187 * we turn execute permission off.
2188 */
2189 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2190 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2191 +#define VM_STACK_DEFAULT_FLAGS32 \
2192 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2193 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2194
2195 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2196 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2197
2198 +#ifndef CONFIG_PAX_PAGEEXEC
2199 #define VM_STACK_DEFAULT_FLAGS \
2200 (test_thread_flag(TIF_32BIT) ? \
2201 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2202 +#endif
2203
2204 #include <asm-generic/getorder.h>
2205
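Review bot: With `CONFIG_PAX_PAGEEXEC` set, `VM_STACK_DEFAULT_FLAGS` is no longer defined by this header, and the hunk gives no pointer to where the replacement comes from. A one-line comment at the `#ifndef`, such as `/* PAGEEXEC: VM_STACK_DEFAULT_FLAGS is provided by <location> */`, would save the next reader a search. `VM_STACK_DEFAULT_FLAGS32` is also no longer a constant expression, since it reads `current->personality`, so it can only be used where `current` is declared and valid; that is worth a sentence in the comment block above it.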
2206 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/page.h linux-2.6.32.46/arch/powerpc/include/asm/page.h
2207 --- linux-2.6.32.46/arch/powerpc/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
2208 +++ linux-2.6.32.46/arch/powerpc/include/asm/page.h 2011-08-21 16:07:39.000000000 -0400
2209 @@ -116,8 +116,9 @@ extern phys_addr_t kernstart_addr;
2210 * and needs to be executable. This means the whole heap ends
2211 * up being executable.
2212 */
2213 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2214 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2215 +#define VM_DATA_DEFAULT_FLAGS32 \
2216 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2217 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2218
2219 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2220 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
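Review bot: The comment kept above `VM_DATA_DEFAULT_FLAGS32` ends with `This means the whole heap ends up being executable`, which the new definition no longer matches: `VM_EXEC` is now set only when `current->personality` has `READ_IMPLIES_EXEC`. The comment should gain a sentence such as `With this change data mappings are executable only for READ_IMPLIES_EXEC personalities.` The same comment says something `needs to be executable`; tasks without that personality would presumably now fault on it, so the note should also say how such binaries are expected to be handled. The start of the comment lies outside the hunk.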
2221 @@ -145,6 +146,9 @@ extern phys_addr_t kernstart_addr;
2222 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2223 #endif
2224
2225 +#define ktla_ktva(addr) (addr)
2226 +#define ktva_ktla(addr) (addr)
2227 +
2228 #ifndef __ASSEMBLY__
2229
2230 #undef STRICT_MM_TYPECHECKS
2231 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/pci.h linux-2.6.32.46/arch/powerpc/include/asm/pci.h
2232 --- linux-2.6.32.46/arch/powerpc/include/asm/pci.h 2011-03-27 14:31:47.000000000 -0400
2233 +++ linux-2.6.32.46/arch/powerpc/include/asm/pci.h 2011-04-17 15:56:45.000000000 -0400
2234 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2235 }
2236
2237 #ifdef CONFIG_PCI
2238 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2239 -extern struct dma_map_ops *get_pci_dma_ops(void);
2240 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2241 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2242 #else /* CONFIG_PCI */
2243 #define set_pci_dma_ops(d)
2244 #define get_pci_dma_ops() NULL
2245 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/pgtable.h linux-2.6.32.46/arch/powerpc/include/asm/pgtable.h
2246 --- linux-2.6.32.46/arch/powerpc/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
2247 +++ linux-2.6.32.46/arch/powerpc/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
2248 @@ -2,6 +2,7 @@
2249 #define _ASM_POWERPC_PGTABLE_H
2250 #ifdef __KERNEL__
2251
2252 +#include <linux/const.h>
2253 #ifndef __ASSEMBLY__
2254 #include <asm/processor.h> /* For TASK_SIZE */
2255 #include <asm/mmu.h>
2256 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/pte-hash32.h linux-2.6.32.46/arch/powerpc/include/asm/pte-hash32.h
2257 --- linux-2.6.32.46/arch/powerpc/include/asm/pte-hash32.h 2011-03-27 14:31:47.000000000 -0400
2258 +++ linux-2.6.32.46/arch/powerpc/include/asm/pte-hash32.h 2011-04-17 15:56:45.000000000 -0400
2259 @@ -21,6 +21,7 @@
2260 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2261 #define _PAGE_USER 0x004 /* usermode access allowed */
2262 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2263 +#define _PAGE_EXEC _PAGE_GUARDED
2264 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2265 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2266 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
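Review bot: `_PAGE_EXEC` is the only definition in this block without a trailing comment, and aliasing it to `_PAGE_GUARDED` couples execute permission to the G bit, which the line above documents as `prohibit speculative access`. The polarity is not obvious from the name: the reg.h hunk in this patch describes `DSISR_GUARDED` as `fetch from guarded storage`, which suggests that a set G bit marks a page that must not be executed. Please state on the line which way round the bit is used, e.g. `/* PaX: shares the G bit; set means <executable | no-execute> */`. Whether this header already defines `_PAGE_EXEC` elsewhere is not visible in the hunk and should be checked.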
2267 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/ptrace.h linux-2.6.32.46/arch/powerpc/include/asm/ptrace.h
2268 --- linux-2.6.32.46/arch/powerpc/include/asm/ptrace.h 2011-03-27 14:31:47.000000000 -0400
2269 +++ linux-2.6.32.46/arch/powerpc/include/asm/ptrace.h 2011-08-21 15:53:58.000000000 -0400
2270 @@ -103,7 +103,7 @@ extern unsigned long profile_pc(struct p
2271 } while(0)
2272
2273 struct task_struct;
2274 -extern unsigned long ptrace_get_reg(struct task_struct *task, int regno);
2275 +extern unsigned long ptrace_get_reg(struct task_struct *task, unsigned int regno);
2276 extern int ptrace_put_reg(struct task_struct *task, int regno,
2277 unsigned long data);
2278
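Review bot: `ptrace_get_reg()` now takes `unsigned int regno`, but `ptrace_put_reg()` on the next line still takes `int regno`, so the two accessors disagree on the index type and a negative register number remains representable on the write side. If the change is meant to keep negative indices away from the bounds check in the definition (not visible here), the write accessor needs the same treatment: `extern int ptrace_put_reg(struct task_struct *task, unsigned int regno,`.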
2279 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/reg.h linux-2.6.32.46/arch/powerpc/include/asm/reg.h
2280 --- linux-2.6.32.46/arch/powerpc/include/asm/reg.h 2011-03-27 14:31:47.000000000 -0400
2281 +++ linux-2.6.32.46/arch/powerpc/include/asm/reg.h 2011-04-17 15:56:45.000000000 -0400
2282 @@ -191,6 +191,7 @@
2283 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2284 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2285 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2286 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2287 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2288 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2289 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2290 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/swiotlb.h linux-2.6.32.46/arch/powerpc/include/asm/swiotlb.h
2291 --- linux-2.6.32.46/arch/powerpc/include/asm/swiotlb.h 2011-03-27 14:31:47.000000000 -0400
2292 +++ linux-2.6.32.46/arch/powerpc/include/asm/swiotlb.h 2011-04-17 15:56:45.000000000 -0400
2293 @@ -13,7 +13,7 @@
2294
2295 #include <linux/swiotlb.h>
2296
2297 -extern struct dma_map_ops swiotlb_dma_ops;
2298 +extern const struct dma_map_ops swiotlb_dma_ops;
2299
2300 static inline void dma_mark_clean(void *addr, size_t size) {}
2301
2302 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/system.h linux-2.6.32.46/arch/powerpc/include/asm/system.h
2303 --- linux-2.6.32.46/arch/powerpc/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
2304 +++ linux-2.6.32.46/arch/powerpc/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
2305 @@ -531,7 +531,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2306 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2307 #endif
2308
2309 -extern unsigned long arch_align_stack(unsigned long sp);
2310 +#define arch_align_stack(x) ((x) & ~0xfUL)
2311
2312 /* Used in very early kernel initialization. */
2313 extern unsigned long reloc_offset(void);
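Review bot: `arch_align_stack` turns from an out-of-line function into a macro that only clears the low four bits, for every configuration rather than under a PaX option, so whatever the removed function did beyond 16-byte alignment (its body is not in this hunk) is dropped on all builds. As a macro it also loses the `unsigned long` parameter check; `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ~0xfUL; }` keeps the prototype. A comment naming the mechanism that is now responsible for randomising the initial stack pointer would make the intent reviewable.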
2314 diff -urNp linux-2.6.32.46/arch/powerpc/include/asm/uaccess.h linux-2.6.32.46/arch/powerpc/include/asm/uaccess.h
2315 --- linux-2.6.32.46/arch/powerpc/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
2316 +++ linux-2.6.32.46/arch/powerpc/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
2317 @@ -13,6 +13,8 @@
2318 #define VERIFY_READ 0
2319 #define VERIFY_WRITE 1
2320
2321 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2322 +
2323 /*
2324 * The fs value determines whether argument validity checking should be
2325 * performed or not. If get_fs() == USER_DS, checking is performed, with
2326 @@ -327,52 +329,6 @@ do { \
2327 extern unsigned long __copy_tofrom_user(void __user *to,
2328 const void __user *from, unsigned long size);
2329
2330 -#ifndef __powerpc64__
2331 -
2332 -static inline unsigned long copy_from_user(void *to,
2333 - const void __user *from, unsigned long n)
2334 -{
2335 - unsigned long over;
2336 -
2337 - if (access_ok(VERIFY_READ, from, n))
2338 - return __copy_tofrom_user((__force void __user *)to, from, n);
2339 - if ((unsigned long)from < TASK_SIZE) {
2340 - over = (unsigned long)from + n - TASK_SIZE;
2341 - return __copy_tofrom_user((__force void __user *)to, from,
2342 - n - over) + over;
2343 - }
2344 - return n;
2345 -}
2346 -
2347 -static inline unsigned long copy_to_user(void __user *to,
2348 - const void *from, unsigned long n)
2349 -{
2350 - unsigned long over;
2351 -
2352 - if (access_ok(VERIFY_WRITE, to, n))
2353 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2354 - if ((unsigned long)to < TASK_SIZE) {
2355 - over = (unsigned long)to + n - TASK_SIZE;
2356 - return __copy_tofrom_user(to, (__force void __user *)from,
2357 - n - over) + over;
2358 - }
2359 - return n;
2360 -}
2361 -
2362 -#else /* __powerpc64__ */
2363 -
2364 -#define __copy_in_user(to, from, size) \
2365 - __copy_tofrom_user((to), (from), (size))
2366 -
2367 -extern unsigned long copy_from_user(void *to, const void __user *from,
2368 - unsigned long n);
2369 -extern unsigned long copy_to_user(void __user *to, const void *from,
2370 - unsigned long n);
2371 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2372 - unsigned long n);
2373 -
2374 -#endif /* __powerpc64__ */
2375 -
2376 static inline unsigned long __copy_from_user_inatomic(void *to,
2377 const void __user *from, unsigned long n)
2378 {
2379 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2380 if (ret == 0)
2381 return 0;
2382 }
2383 +
2384 + if (!__builtin_constant_p(n))
2385 + check_object_size(to, n, false);
2386 +
2387 return __copy_tofrom_user((__force void __user *)to, from, n);
2388 }
2389
2390 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2391 if (ret == 0)
2392 return 0;
2393 }
2394 +
2395 + if (!__builtin_constant_p(n))
2396 + check_object_size(from, n, true);
2397 +
2398 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2399 }
2400
2401 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2402 return __copy_to_user_inatomic(to, from, size);
2403 }
2404
2405 +#ifndef __powerpc64__
2406 +
2407 +static inline unsigned long __must_check copy_from_user(void *to,
2408 + const void __user *from, unsigned long n)
2409 +{
2410 + unsigned long over;
2411 +
2412 + if ((long)n < 0)
2413 + return n;
2414 +
2415 + if (access_ok(VERIFY_READ, from, n)) {
2416 + if (!__builtin_constant_p(n))
2417 + check_object_size(to, n, false);
2418 + return __copy_tofrom_user((__force void __user *)to, from, n);
2419 + }
2420 + if ((unsigned long)from < TASK_SIZE) {
2421 + over = (unsigned long)from + n - TASK_SIZE;
2422 + if (!__builtin_constant_p(n - over))
2423 + check_object_size(to, n - over, false);
2424 + return __copy_tofrom_user((__force void __user *)to, from,
2425 + n - over) + over;
2426 + }
2427 + return n;
2428 +}
2429 +
2430 +static inline unsigned long __must_check copy_to_user(void __user *to,
2431 + const void *from, unsigned long n)
2432 +{
2433 + unsigned long over;
2434 +
2435 + if ((long)n < 0)
2436 + return n;
2437 +
2438 + if (access_ok(VERIFY_WRITE, to, n)) {
2439 + if (!__builtin_constant_p(n))
2440 + check_object_size(from, n, true);
2441 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2442 + }
2443 + if ((unsigned long)to < TASK_SIZE) {
2444 + over = (unsigned long)to + n - TASK_SIZE;
2445 + if (!__builtin_constant_p(n))
2446 + check_object_size(from, n - over, true);
2447 + return __copy_tofrom_user(to, (__force void __user *)from,
2448 + n - over) + over;
2449 + }
2450 + return n;
2451 +}
2452 +
2453 +#else /* __powerpc64__ */
2454 +
2455 +#define __copy_in_user(to, from, size) \
2456 + __copy_tofrom_user((to), (from), (size))
2457 +
2458 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2459 +{
2460 + if ((long)n < 0 || n > INT_MAX)
2461 + return n;
2462 +
2463 + if (!__builtin_constant_p(n))
2464 + check_object_size(to, n, false);
2465 +
2466 + if (likely(access_ok(VERIFY_READ, from, n)))
2467 + n = __copy_from_user(to, from, n);
2468 + else
2469 + memset(to, 0, n);
2470 + return n;
2471 +}
2472 +
2473 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2474 +{
2475 + if ((long)n < 0 || n > INT_MAX)
2476 + return n;
2477 +
2478 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2479 + if (!__builtin_constant_p(n))
2480 + check_object_size(from, n, true);
2481 + n = __copy_to_user(to, from, n);
2482 + }
2483 + return n;
2484 +}
2485 +
2486 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2487 + unsigned long n);
2488 +
2489 +#endif /* __powerpc64__ */
2490 +
2491 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2492
2493 static inline unsigned long clear_user(void __user *addr, unsigned long size)
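Review bot: In the 32-bit `copy_to_user`, the partial-copy branch guards the check with `__builtin_constant_p(n)`, although the size it checks and copies is `n - over`. The matching branch of `copy_from_user` tests `__builtin_constant_p(n - over)`. `over` is computed at run time, so the two should agree on `if (!__builtin_constant_p(n - over))`. The four functions also differ in what they leave in `to` on failure: the ppc64 `copy_from_user` zeroes it when `access_ok` fails, while the 32-bit one returns `n` with the buffer untouched, as do the new `(long)n < 0` rejects. A short comment above each variant stating that contract, and why sizes with the top bit set are refused, would help callers that now have to honour `__must_check`.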
2494 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/cacheinfo.c linux-2.6.32.46/arch/powerpc/kernel/cacheinfo.c
2495 --- linux-2.6.32.46/arch/powerpc/kernel/cacheinfo.c 2011-03-27 14:31:47.000000000 -0400
2496 +++ linux-2.6.32.46/arch/powerpc/kernel/cacheinfo.c 2011-04-17 15:56:45.000000000 -0400
2497 @@ -642,7 +642,7 @@ static struct kobj_attribute *cache_inde
2498 &cache_assoc_attr,
2499 };
2500
2501 -static struct sysfs_ops cache_index_ops = {
2502 +static const struct sysfs_ops cache_index_ops = {
2503 .show = cache_index_show,
2504 };
2505
2506 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/dma.c linux-2.6.32.46/arch/powerpc/kernel/dma.c
2507 --- linux-2.6.32.46/arch/powerpc/kernel/dma.c 2011-03-27 14:31:47.000000000 -0400
2508 +++ linux-2.6.32.46/arch/powerpc/kernel/dma.c 2011-04-17 15:56:45.000000000 -0400
2509 @@ -134,7 +134,7 @@ static inline void dma_direct_sync_singl
2510 }
2511 #endif
2512
2513 -struct dma_map_ops dma_direct_ops = {
2514 +const struct dma_map_ops dma_direct_ops = {
2515 .alloc_coherent = dma_direct_alloc_coherent,
2516 .free_coherent = dma_direct_free_coherent,
2517 .map_sg = dma_direct_map_sg,
2518 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/dma-iommu.c linux-2.6.32.46/arch/powerpc/kernel/dma-iommu.c
2519 --- linux-2.6.32.46/arch/powerpc/kernel/dma-iommu.c 2011-03-27 14:31:47.000000000 -0400
2520 +++ linux-2.6.32.46/arch/powerpc/kernel/dma-iommu.c 2011-04-17 15:56:45.000000000 -0400
2521 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2522 }
2523
2524 /* We support DMA to/from any memory page via the iommu */
2525 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2526 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2527 {
2528 struct iommu_table *tbl = get_iommu_table_base(dev);
2529
2530 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.32.46/arch/powerpc/kernel/dma-swiotlb.c
2531 --- linux-2.6.32.46/arch/powerpc/kernel/dma-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
2532 +++ linux-2.6.32.46/arch/powerpc/kernel/dma-swiotlb.c 2011-04-17 15:56:45.000000000 -0400
2533 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2534 * map_page, and unmap_page on highmem, use normal dma_ops
2535 * for everything else.
2536 */
2537 -struct dma_map_ops swiotlb_dma_ops = {
2538 +const struct dma_map_ops swiotlb_dma_ops = {
2539 .alloc_coherent = dma_direct_alloc_coherent,
2540 .free_coherent = dma_direct_free_coherent,
2541 .map_sg = swiotlb_map_sg_attrs,
2542 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/exceptions-64e.S linux-2.6.32.46/arch/powerpc/kernel/exceptions-64e.S
2543 --- linux-2.6.32.46/arch/powerpc/kernel/exceptions-64e.S 2011-03-27 14:31:47.000000000 -0400
2544 +++ linux-2.6.32.46/arch/powerpc/kernel/exceptions-64e.S 2011-04-17 15:56:45.000000000 -0400
2545 @@ -455,6 +455,7 @@ storage_fault_common:
2546 std r14,_DAR(r1)
2547 std r15,_DSISR(r1)
2548 addi r3,r1,STACK_FRAME_OVERHEAD
2549 + bl .save_nvgprs
2550 mr r4,r14
2551 mr r5,r15
2552 ld r14,PACA_EXGEN+EX_R14(r13)
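Review bot: In `storage_fault_common` the added `bl .save_nvgprs` runs while r14 and r15 still hold the DAR and DSISR values stored just above it. The context line after the call is what reloads r14 from `PACA_EXGEN+EX_R14(r13)`. If `.save_nvgprs` writes r14 and upwards into the frame, as its name suggests, the frame would record those temporaries instead of the interrupted context's registers. Moving the call to after the PACA_EXGEN reloads, which continue past the end of this hunk, would avoid that, provided the call leaves r3-r5 intact. A one-line comment on why the save now happens before the fault handler rather than only on the error path at `1:` would also help.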
2553 @@ -464,8 +465,7 @@ storage_fault_common:
2554 cmpdi r3,0
2555 bne- 1f
2556 b .ret_from_except_lite
2557 -1: bl .save_nvgprs
2558 - mr r5,r3
2559 +1: mr r5,r3
2560 addi r3,r1,STACK_FRAME_OVERHEAD
2561 ld r4,_DAR(r1)
2562 bl .bad_page_fault
2563 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/exceptions-64s.S linux-2.6.32.46/arch/powerpc/kernel/exceptions-64s.S
2564 --- linux-2.6.32.46/arch/powerpc/kernel/exceptions-64s.S 2011-03-27 14:31:47.000000000 -0400
2565 +++ linux-2.6.32.46/arch/powerpc/kernel/exceptions-64s.S 2011-04-17 15:56:45.000000000 -0400
2566 @@ -818,10 +818,10 @@ handle_page_fault:
2567 11: ld r4,_DAR(r1)
2568 ld r5,_DSISR(r1)
2569 addi r3,r1,STACK_FRAME_OVERHEAD
2570 + bl .save_nvgprs
2571 bl .do_page_fault
2572 cmpdi r3,0
2573 beq+ 13f
2574 - bl .save_nvgprs
2575 mr r5,r3
2576 addi r3,r1,STACK_FRAME_OVERHEAD
2577 lwz r4,_DAR(r1)
2578 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/ibmebus.c linux-2.6.32.46/arch/powerpc/kernel/ibmebus.c
2579 --- linux-2.6.32.46/arch/powerpc/kernel/ibmebus.c 2011-03-27 14:31:47.000000000 -0400
2580 +++ linux-2.6.32.46/arch/powerpc/kernel/ibmebus.c 2011-04-17 15:56:45.000000000 -0400
2581 @@ -127,7 +127,7 @@ static int ibmebus_dma_supported(struct
2582 return 1;
2583 }
2584
2585 -static struct dma_map_ops ibmebus_dma_ops = {
2586 +static const struct dma_map_ops ibmebus_dma_ops = {
2587 .alloc_coherent = ibmebus_alloc_coherent,
2588 .free_coherent = ibmebus_free_coherent,
2589 .map_sg = ibmebus_map_sg,
2590 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/kgdb.c linux-2.6.32.46/arch/powerpc/kernel/kgdb.c
2591 --- linux-2.6.32.46/arch/powerpc/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
2592 +++ linux-2.6.32.46/arch/powerpc/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
2593 @@ -126,7 +126,7 @@ static int kgdb_handle_breakpoint(struct
2594 if (kgdb_handle_exception(0, SIGTRAP, 0, regs) != 0)
2595 return 0;
2596
2597 - if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2598 + if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2599 regs->nip += 4;
2600
2601 return 1;
2602 @@ -353,7 +353,7 @@ int kgdb_arch_handle_exception(int vecto
2603 /*
2604 * Global data
2605 */
2606 -struct kgdb_arch arch_kgdb_ops = {
2607 +const struct kgdb_arch arch_kgdb_ops = {
2608 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2609 };
2610
2611 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/module_32.c linux-2.6.32.46/arch/powerpc/kernel/module_32.c
2612 --- linux-2.6.32.46/arch/powerpc/kernel/module_32.c 2011-03-27 14:31:47.000000000 -0400
2613 +++ linux-2.6.32.46/arch/powerpc/kernel/module_32.c 2011-04-17 15:56:45.000000000 -0400
2614 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2615 me->arch.core_plt_section = i;
2616 }
2617 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2618 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2619 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2620 return -ENOEXEC;
2621 }
2622
2623 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2624
2625 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2626 /* Init, or core PLT? */
2627 - if (location >= mod->module_core
2628 - && location < mod->module_core + mod->core_size)
2629 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2630 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2631 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2632 - else
2633 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2634 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2635 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2636 + else {
2637 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2638 + return ~0UL;
2639 + }
2640
2641 /* Find this entry, or if that fails, the next avail. entry */
2642 while (entry->jump[0]) {
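Review bot: The new `else` branch returns `~0UL` from a function declared `uint32_t`, so the failure is signalled in-band as an all-ones value. Nothing in this hunk shows a caller of `do_plt_call` testing for it before the result is used. The callers lie outside the hunk; if they are unchanged, the relocation would be applied with the marker value instead of the module load being refused. The four range tests are also written out by hand, and a small helper taking `(location, base, size)` would make the core/init and rx/rw pairing easier to audit.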
2643 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/module.c linux-2.6.32.46/arch/powerpc/kernel/module.c
2644 --- linux-2.6.32.46/arch/powerpc/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
2645 +++ linux-2.6.32.46/arch/powerpc/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
2646 @@ -31,11 +31,24 @@
2647
2648 LIST_HEAD(module_bug_list);
2649
2650 +#ifdef CONFIG_PAX_KERNEXEC
2651 void *module_alloc(unsigned long size)
2652 {
2653 if (size == 0)
2654 return NULL;
2655
2656 + return vmalloc(size);
2657 +}
2658 +
2659 +void *module_alloc_exec(unsigned long size)
2660 +#else
2661 +void *module_alloc(unsigned long size)
2662 +#endif
2663 +
2664 +{
2665 + if (size == 0)
2666 + return NULL;
2667 +
2668 return vmalloc_exec(size);
2669 }
2670
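Review bot: The function header of the `vmalloc_exec` allocator is split across `#ifdef CONFIG_PAX_KERNEXEC` / `#else`, so one body serves as `module_alloc_exec` in one configuration and `module_alloc` in the other. That saves a few lines but makes it easy to misread which allocator returns executable memory. Two complete definitions under the `#ifdef`, or a static helper wrapped by both names, would read more clearly. Each entry point should also say what mapping it returns, e.g. `/* KERNEXEC: module data, writable and not executable */` above `module_alloc` and `/* module code, executable */` above `module_alloc_exec`. The stray blank line between `#endif` and the opening brace can go.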
2671 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2672 vfree(module_region);
2673 }
2674
2675 +#ifdef CONFIG_PAX_KERNEXEC
2676 +void module_free_exec(struct module *mod, void *module_region)
2677 +{
2678 + module_free(mod, module_region);
2679 +}
2680 +#endif
2681 +
2682 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2683 const Elf_Shdr *sechdrs,
2684 const char *name)
2685 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/pci-common.c linux-2.6.32.46/arch/powerpc/kernel/pci-common.c
2686 --- linux-2.6.32.46/arch/powerpc/kernel/pci-common.c 2011-03-27 14:31:47.000000000 -0400
2687 +++ linux-2.6.32.46/arch/powerpc/kernel/pci-common.c 2011-04-17 15:56:45.000000000 -0400
2688 @@ -50,14 +50,14 @@ resource_size_t isa_mem_base;
2689 unsigned int ppc_pci_flags = 0;
2690
2691
2692 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2693 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2694
2695 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2696 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2697 {
2698 pci_dma_ops = dma_ops;
2699 }
2700
2701 -struct dma_map_ops *get_pci_dma_ops(void)
2702 +const struct dma_map_ops *get_pci_dma_ops(void)
2703 {
2704 return pci_dma_ops;
2705 }
2706 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/process.c linux-2.6.32.46/arch/powerpc/kernel/process.c
2707 --- linux-2.6.32.46/arch/powerpc/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
2708 +++ linux-2.6.32.46/arch/powerpc/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
2709 @@ -539,8 +539,8 @@ void show_regs(struct pt_regs * regs)
2710 * Lookup NIP late so we have the best change of getting the
2711 * above info out without failing
2712 */
2713 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2714 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2715 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2716 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2717 #endif
2718 show_stack(current, (unsigned long *) regs->gpr[1]);
2719 if (!user_mode(regs))
2720 @@ -1034,10 +1034,10 @@ void show_stack(struct task_struct *tsk,
2721 newsp = stack[0];
2722 ip = stack[STACK_FRAME_LR_SAVE];
2723 if (!firstframe || ip != lr) {
2724 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2725 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2726 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2727 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2728 - printk(" (%pS)",
2729 + printk(" (%pA)",
2730 (void *)current->ret_stack[curr_frame].ret);
2731 curr_frame--;
2732 }
2733 @@ -1057,7 +1057,7 @@ void show_stack(struct task_struct *tsk,
2734 struct pt_regs *regs = (struct pt_regs *)
2735 (sp + STACK_FRAME_OVERHEAD);
2736 lr = regs->link;
2737 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
2738 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
2739 regs->trap, (void *)regs->nip, (void *)lr);
2740 firstframe = 1;
2741 }
2742 @@ -1134,58 +1134,3 @@ void thread_info_cache_init(void)
2743 }
2744
2745 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2746 -
2747 -unsigned long arch_align_stack(unsigned long sp)
2748 -{
2749 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2750 - sp -= get_random_int() & ~PAGE_MASK;
2751 - return sp & ~0xf;
2752 -}
2753 -
2754 -static inline unsigned long brk_rnd(void)
2755 -{
2756 - unsigned long rnd = 0;
2757 -
2758 - /* 8MB for 32bit, 1GB for 64bit */
2759 - if (is_32bit_task())
2760 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2761 - else
2762 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2763 -
2764 - return rnd << PAGE_SHIFT;
2765 -}
2766 -
2767 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2768 -{
2769 - unsigned long base = mm->brk;
2770 - unsigned long ret;
2771 -
2772 -#ifdef CONFIG_PPC_STD_MMU_64
2773 - /*
2774 - * If we are using 1TB segments and we are allowed to randomise
2775 - * the heap, we can put it above 1TB so it is backed by a 1TB
2776 - * segment. Otherwise the heap will be in the bottom 1TB
2777 - * which always uses 256MB segments and this may result in a
2778 - * performance penalty.
2779 - */
2780 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2781 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2782 -#endif
2783 -
2784 - ret = PAGE_ALIGN(base + brk_rnd());
2785 -
2786 - if (ret < mm->brk)
2787 - return mm->brk;
2788 -
2789 - return ret;
2790 -}
2791 -
2792 -unsigned long randomize_et_dyn(unsigned long base)
2793 -{
2794 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2795 -
2796 - if (ret < base)
2797 - return base;
2798 -
2799 - return ret;
2800 -}
2801 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/ptrace.c linux-2.6.32.46/arch/powerpc/kernel/ptrace.c
2802 --- linux-2.6.32.46/arch/powerpc/kernel/ptrace.c 2011-03-27 14:31:47.000000000 -0400
2803 +++ linux-2.6.32.46/arch/powerpc/kernel/ptrace.c 2011-08-21 15:53:39.000000000 -0400
2804 @@ -86,7 +86,7 @@ static int set_user_trap(struct task_str
2805 /*
2806 * Get contents of register REGNO in task TASK.
2807 */
2808 -unsigned long ptrace_get_reg(struct task_struct *task, int regno)
2809 +unsigned long ptrace_get_reg(struct task_struct *task, unsigned int regno)
2810 {
2811 if (task->thread.regs == NULL)
2812 return -EIO;
2813 @@ -894,7 +894,7 @@ long arch_ptrace(struct task_struct *chi
2814
2815 CHECK_FULL_REGS(child->thread.regs);
2816 if (index < PT_FPR0) {
2817 - tmp = ptrace_get_reg(child, (int) index);
2818 + tmp = ptrace_get_reg(child, index);
2819 } else {
2820 flush_fp_to_thread(child);
2821 tmp = ((unsigned long *)child->thread.fpr)
2822 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/signal_32.c linux-2.6.32.46/arch/powerpc/kernel/signal_32.c
2823 --- linux-2.6.32.46/arch/powerpc/kernel/signal_32.c 2011-03-27 14:31:47.000000000 -0400
2824 +++ linux-2.6.32.46/arch/powerpc/kernel/signal_32.c 2011-04-17 15:56:45.000000000 -0400
2825 @@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2826 /* Save user registers on the stack */
2827 frame = &rt_sf->uc.uc_mcontext;
2828 addr = frame;
2829 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2830 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2831 if (save_user_regs(regs, frame, 0, 1))
2832 goto badframe;
2833 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
2834 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/signal_64.c linux-2.6.32.46/arch/powerpc/kernel/signal_64.c
2835 --- linux-2.6.32.46/arch/powerpc/kernel/signal_64.c 2011-03-27 14:31:47.000000000 -0400
2836 +++ linux-2.6.32.46/arch/powerpc/kernel/signal_64.c 2011-04-17 15:56:45.000000000 -0400
2837 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2838 current->thread.fpscr.val = 0;
2839
2840 /* Set up to return from userspace. */
2841 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2842 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2843 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2844 } else {
2845 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2846 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/sys_ppc32.c linux-2.6.32.46/arch/powerpc/kernel/sys_ppc32.c
2847 --- linux-2.6.32.46/arch/powerpc/kernel/sys_ppc32.c 2011-03-27 14:31:47.000000000 -0400
2848 +++ linux-2.6.32.46/arch/powerpc/kernel/sys_ppc32.c 2011-04-17 15:56:45.000000000 -0400
2849 @@ -563,10 +563,10 @@ asmlinkage long compat_sys_sysctl(struct
2850 if (oldlenp) {
2851 if (!error) {
2852 if (get_user(oldlen, oldlenp) ||
2853 - put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)))
2854 + put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)) ||
2855 + copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused)))
2856 error = -EFAULT;
2857 }
2858 - copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused));
2859 }
2860 return error;
2861 }
2862 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/traps.c linux-2.6.32.46/arch/powerpc/kernel/traps.c
2863 --- linux-2.6.32.46/arch/powerpc/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
2864 +++ linux-2.6.32.46/arch/powerpc/kernel/traps.c 2011-06-13 21:33:37.000000000 -0400
2865 @@ -99,6 +99,8 @@ static void pmac_backlight_unblank(void)
2866 static inline void pmac_backlight_unblank(void) { }
2867 #endif
2868
2869 +extern void gr_handle_kernel_exploit(void);
2870 +
2871 int die(const char *str, struct pt_regs *regs, long err)
2872 {
2873 static struct {
2874 @@ -168,6 +170,8 @@ int die(const char *str, struct pt_regs
2875 if (panic_on_oops)
2876 panic("Fatal exception");
2877
2878 + gr_handle_kernel_exploit();
2879 +
2880 oops_exit();
2881 do_exit(err);
2882
2883 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/vdso.c linux-2.6.32.46/arch/powerpc/kernel/vdso.c
2884 --- linux-2.6.32.46/arch/powerpc/kernel/vdso.c 2011-03-27 14:31:47.000000000 -0400
2885 +++ linux-2.6.32.46/arch/powerpc/kernel/vdso.c 2011-04-17 15:56:45.000000000 -0400
2886 @@ -36,6 +36,7 @@
2887 #include <asm/firmware.h>
2888 #include <asm/vdso.h>
2889 #include <asm/vdso_datapage.h>
2890 +#include <asm/mman.h>
2891
2892 #include "setup.h"
2893
2894 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2895 vdso_base = VDSO32_MBASE;
2896 #endif
2897
2898 - current->mm->context.vdso_base = 0;
2899 + current->mm->context.vdso_base = ~0UL;
2900
2901 /* vDSO has a problem and was disabled, just don't "enable" it for the
2902 * process
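Review bot: The "no vDSO mapped" marker changes from 0 to the bare literal `~0UL` here and in the matching tests in signal_32.c and signal_64.c, with no shared name or explanation. A named constant in the vDSO header, with a one-line comment on why 0 can no longer serve as the marker, would keep the three sites in sync. The name is the author's choice; something like `#define VDSO_UNMAPPED (~0UL)` would do. It would also make any remaining truthiness test of `context.vdso_base` easier to find; whether such tests remain elsewhere is not visible in this part of the patch.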
2903 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2904 vdso_base = get_unmapped_area(NULL, vdso_base,
2905 (vdso_pages << PAGE_SHIFT) +
2906 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2907 - 0, 0);
2908 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2909 if (IS_ERR_VALUE(vdso_base)) {
2910 rc = vdso_base;
2911 goto fail_mmapsem;
2912 diff -urNp linux-2.6.32.46/arch/powerpc/kernel/vio.c linux-2.6.32.46/arch/powerpc/kernel/vio.c
2913 --- linux-2.6.32.46/arch/powerpc/kernel/vio.c 2011-03-27 14:31:47.000000000 -0400
2914 +++ linux-2.6.32.46/arch/powerpc/kernel/vio.c 2011-04-17 15:56:45.000000000 -0400
2915 @@ -601,11 +601,12 @@ static void vio_dma_iommu_unmap_sg(struc
2916 vio_cmo_dealloc(viodev, alloc_size);
2917 }
2918
2919 -struct dma_map_ops vio_dma_mapping_ops = {
2920 +static const struct dma_map_ops vio_dma_mapping_ops = {
2921 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2922 .free_coherent = vio_dma_iommu_free_coherent,
2923 .map_sg = vio_dma_iommu_map_sg,
2924 .unmap_sg = vio_dma_iommu_unmap_sg,
2925 + .dma_supported = dma_iommu_dma_supported,
2926 .map_page = vio_dma_iommu_map_page,
2927 .unmap_page = vio_dma_iommu_unmap_page,
2928
2929 @@ -857,7 +858,6 @@ static void vio_cmo_bus_remove(struct vi
2930
2931 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2932 {
2933 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2934 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2935 }
2936
2937 diff -urNp linux-2.6.32.46/arch/powerpc/lib/usercopy_64.c linux-2.6.32.46/arch/powerpc/lib/usercopy_64.c
2938 --- linux-2.6.32.46/arch/powerpc/lib/usercopy_64.c 2011-03-27 14:31:47.000000000 -0400
2939 +++ linux-2.6.32.46/arch/powerpc/lib/usercopy_64.c 2011-04-17 15:56:45.000000000 -0400
2940 @@ -9,22 +9,6 @@
2941 #include <linux/module.h>
2942 #include <asm/uaccess.h>
2943
2944 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2945 -{
2946 - if (likely(access_ok(VERIFY_READ, from, n)))
2947 - n = __copy_from_user(to, from, n);
2948 - else
2949 - memset(to, 0, n);
2950 - return n;
2951 -}
2952 -
2953 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2954 -{
2955 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2956 - n = __copy_to_user(to, from, n);
2957 - return n;
2958 -}
2959 -
2960 unsigned long copy_in_user(void __user *to, const void __user *from,
2961 unsigned long n)
2962 {
2963 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2964 return n;
2965 }
2966
2967 -EXPORT_SYMBOL(copy_from_user);
2968 -EXPORT_SYMBOL(copy_to_user);
2969 EXPORT_SYMBOL(copy_in_user);
2970
2971 diff -urNp linux-2.6.32.46/arch/powerpc/Makefile linux-2.6.32.46/arch/powerpc/Makefile
2972 --- linux-2.6.32.46/arch/powerpc/Makefile 2011-03-27 14:31:47.000000000 -0400
2973 +++ linux-2.6.32.46/arch/powerpc/Makefile 2011-08-21 19:27:08.000000000 -0400
2974 @@ -74,6 +74,8 @@ KBUILD_AFLAGS += -Iarch/$(ARCH)
2975 KBUILD_CFLAGS += -msoft-float -pipe -Iarch/$(ARCH) $(CFLAGS-y)
2976 CPP = $(CC) -E $(KBUILD_CFLAGS)
2977
2978 +cflags-y += -Wno-sign-compare -Wno-extra
2979 +
2980 CHECKFLAGS += -m$(CONFIG_WORD_SIZE) -D__powerpc__ -D__powerpc$(CONFIG_WORD_SIZE)__
2981
2982 ifeq ($(CONFIG_PPC64),y)
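Review bot: The added line appends to `cflags-y`, but the only consumer visible in this hunk is `$(CFLAGS-y)` on the `KBUILD_CFLAGS` line, and Make variable names are case-sensitive. The append also comes after that line, so even with matching case it would be missed if `KBUILD_CFLAGS` is expanded immediately. Unless `cflags-y` is used elsewhere in this Makefile, the two `-Wno-` options may never reach the compiler. If they are meant to apply, `KBUILD_CFLAGS += -Wno-sign-compare -Wno-extra` states that directly. A comment on why these warnings are silenced for the whole architecture would be welcome, since sign-compare findings are often the ones relevant to length checks.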
2983 diff -urNp linux-2.6.32.46/arch/powerpc/mm/fault.c linux-2.6.32.46/arch/powerpc/mm/fault.c
2984 --- linux-2.6.32.46/arch/powerpc/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
2985 +++ linux-2.6.32.46/arch/powerpc/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
2986 @@ -30,6 +30,10 @@
2987 #include <linux/kprobes.h>
2988 #include <linux/kdebug.h>
2989 #include <linux/perf_event.h>
2990 +#include <linux/slab.h>
2991 +#include <linux/pagemap.h>
2992 +#include <linux/compiler.h>
2993 +#include <linux/unistd.h>
2994
2995 #include <asm/firmware.h>
2996 #include <asm/page.h>
2997 @@ -40,6 +44,7 @@
2998 #include <asm/uaccess.h>
2999 #include <asm/tlbflush.h>
3000 #include <asm/siginfo.h>
3001 +#include <asm/ptrace.h>
3002
3003
3004 #ifdef CONFIG_KPROBES
3005 @@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
3006 }
3007 #endif
3008
3009 +#ifdef CONFIG_PAX_PAGEEXEC
3010 +/*
3011 + * PaX: decide what to do with offenders (regs->nip = fault address)
3012 + *
3013 + * returns 1 when task should be killed
3014 + */
3015 +static int pax_handle_fetch_fault(struct pt_regs *regs)
3016 +{
3017 + return 1;
3018 +}
3019 +
3020 +void pax_report_insns(void *pc, void *sp)
3021 +{
3022 + unsigned long i;
3023 +
3024 + printk(KERN_ERR "PAX: bytes at PC: ");
3025 + for (i = 0; i < 5; i++) {
3026 + unsigned int c;
3027 + if (get_user(c, (unsigned int __user *)pc+i))
3028 + printk(KERN_CONT "???????? ");
3029 + else
3030 + printk(KERN_CONT "%08x ", c);
3031 + }
3032 + printk("\n");
3033 +}
3034 +#endif
3035 +
3036 /*
3037 * Check whether the instruction at regs->nip is a store using
3038 * an update addressing form which will update r1.
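Review bot: `pax_report_insns` takes `sp` but never uses it, and its closing `printk("\n")` lacks the `KERN_CONT` that the other continuation lines carry, so the newline may be emitted as a separate record. It would be clearer as `printk(KERN_CONT "\n");`. The function also has no comment, unlike `pax_handle_fetch_fault` above it. One line would do, saying that it dumps five 32-bit words at `pc` via `get_user` and prints `????????` for unreadable ones. In `(unsigned int __user *)pc+i` the cast binds before the addition, which is the intended word stride; writing it as `((unsigned int __user *)pc) + i` makes that explicit.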
3039 @@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
3040 * indicate errors in DSISR but can validly be set in SRR1.
3041 */
3042 if (trap == 0x400)
3043 - error_code &= 0x48200000;
3044 + error_code &= 0x58200000;
3045 else
3046 is_write = error_code & DSISR_ISSTORE;
3047 #else
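Review bot: The mask stays a bare literal, although the only change is to add bit 0x10000000, which the next hunk of this file replaces with `DSISR_GUARDED`. Writing it as `error_code &= 0x48200000 | DSISR_GUARDED;` would show what was added and tie it to the later `DSISR_PROTFAULT | DSISR_GUARDED` tests. The comment above this line, which begins outside the hunk, should also say that the guarded bit is now kept for instruction faults and why.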
3048 @@ -250,7 +282,7 @@ good_area:
3049 * "undefined". Of those that can be set, this is the only
3050 * one which seems bad.
3051 */
3052 - if (error_code & 0x10000000)
3053 + if (error_code & DSISR_GUARDED)
3054 /* Guarded storage error. */
3055 goto bad_area;
3056 #endif /* CONFIG_8xx */
3057 @@ -265,7 +297,7 @@ good_area:
3058 * processors use the same I/D cache coherency mechanism
3059 * as embedded.
3060 */
3061 - if (error_code & DSISR_PROTFAULT)
3062 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
3063 goto bad_area;
3064 #endif /* CONFIG_PPC_STD_MMU */
3065
3066 @@ -335,6 +367,23 @@ bad_area:
3067 bad_area_nosemaphore:
3068 /* User mode accesses cause a SIGSEGV */
3069 if (user_mode(regs)) {
3070 +
3071 +#ifdef CONFIG_PAX_PAGEEXEC
3072 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
3073 +#ifdef CONFIG_PPC_STD_MMU
3074 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
3075 +#else
3076 + if (is_exec && regs->nip == address) {
3077 +#endif
3078 + switch (pax_handle_fetch_fault(regs)) {
3079 + }
3080 +
3081 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
3082 + do_group_exit(SIGKILL);
3083 + }
3084 + }
3085 +#endif
3086 +
3087 _exception(SIGSEGV, regs, code, address);
3088 return 0;
3089 }
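Review bot: The `switch (pax_handle_fetch_fault(regs)) { }` has no cases, so the return value is discarded. Every fault matching the condition therefore reaches `do_group_exit(SIGKILL)`, whatever the "returns 1 when task should be killed" contract says. If that is intended because no emulation cases exist on this architecture, say so inside the switch, e.g. `/* no emulation cases on powerpc: always report and kill */`, or drop the switch and keep the call for documentation only. The `if (` line selected by `#ifdef CONFIG_PPC_STD_MMU` / `#else` shares one closing brace across both preprocessor branches. Computing the condition into a local `int` under the `#ifdef` and testing that would be easier to read.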
3090 diff -urNp linux-2.6.32.46/arch/powerpc/mm/mem.c linux-2.6.32.46/arch/powerpc/mm/mem.c
3091 --- linux-2.6.32.46/arch/powerpc/mm/mem.c 2011-03-27 14:31:47.000000000 -0400
3092 +++ linux-2.6.32.46/arch/powerpc/mm/mem.c 2011-08-21 15:50:39.000000000 -0400
3093 @@ -250,7 +250,7 @@ static int __init mark_nonram_nosave(voi
3094 {
3095 unsigned long lmb_next_region_start_pfn,
3096 lmb_region_max_pfn;
3097 - int i;
3098 + unsigned int i;
3099
3100 for (i = 0; i < lmb.memory.cnt - 1; i++) {
3101 lmb_region_max_pfn =
3102 diff -urNp linux-2.6.32.46/arch/powerpc/mm/mmap_64.c linux-2.6.32.46/arch/powerpc/mm/mmap_64.c
3103 --- linux-2.6.32.46/arch/powerpc/mm/mmap_64.c 2011-03-27 14:31:47.000000000 -0400
3104 +++ linux-2.6.32.46/arch/powerpc/mm/mmap_64.c 2011-04-17 15:56:45.000000000 -0400
3105 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
3106 */
3107 if (mmap_is_legacy()) {
3108 mm->mmap_base = TASK_UNMAPPED_BASE;
3109 +
3110 +#ifdef CONFIG_PAX_RANDMMAP
3111 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3112 + mm->mmap_base += mm->delta_mmap;
3113 +#endif
3114 +
3115 mm->get_unmapped_area = arch_get_unmapped_area;
3116 mm->unmap_area = arch_unmap_area;
3117 } else {
3118 mm->mmap_base = mmap_base();
3119 +
3120 +#ifdef CONFIG_PAX_RANDMMAP
3121 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3122 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3123 +#endif
3124 +
3125 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3126 mm->unmap_area = arch_unmap_area_topdown;
3127 }
3128 diff -urNp linux-2.6.32.46/arch/powerpc/mm/slice.c linux-2.6.32.46/arch/powerpc/mm/slice.c
3129 --- linux-2.6.32.46/arch/powerpc/mm/slice.c 2011-03-27 14:31:47.000000000 -0400
3130 +++ linux-2.6.32.46/arch/powerpc/mm/slice.c 2011-04-17 15:56:45.000000000 -0400
3131 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
3132 if ((mm->task_size - len) < addr)
3133 return 0;
3134 vma = find_vma(mm, addr);
3135 - return (!vma || (addr + len) <= vma->vm_start);
3136 + return check_heap_stack_gap(vma, addr, len);
3137 }
3138
3139 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
3140 @@ -256,7 +256,7 @@ full_search:
3141 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
3142 continue;
3143 }
3144 - if (!vma || addr + len <= vma->vm_start) {
3145 + if (check_heap_stack_gap(vma, addr, len)) {
3146 /*
3147 * Remember the place where we stopped the search:
3148 */
3149 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
3150 }
3151 }
3152
3153 - addr = mm->mmap_base;
3154 - while (addr > len) {
3155 + if (mm->mmap_base < len)
3156 + addr = -ENOMEM;
3157 + else
3158 + addr = mm->mmap_base - len;
3159 +
3160 + while (!IS_ERR_VALUE(addr)) {
3161 /* Go down by chunk size */
3162 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
3163 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
3164
3165 /* Check for hit with different page size */
3166 mask = slice_range_to_mask(addr, len);
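Review bot: The loop body now starts with `addr = _ALIGN_DOWN(addr, 1ul << pshift)` instead of `_ALIGN_DOWN(addr - len, ...)`, so an iteration no longer lowers `addr` by itself once the value is aligned. Progress depends on every path back to the loop head changing `addr`, as the later `skip_heap_stack_gap(vma, len)` assignment does. If the slice-fit check just after this hunk still uses a bare `continue` on mismatch (that code is outside the hunk), the loop would repeat at the same address. Such a path needs its own step with an underflow guard, e.g. `if (addr < len) break; addr -= len;` before continuing. A comment on the `-ENOMEM` / `IS_ERR_VALUE` convention for `addr` would also help, since the old `addr > len` test made the termination condition obvious.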
3167 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
3168 * return with success:
3169 */
3170 vma = find_vma(mm, addr);
3171 - if (!vma || (addr + len) <= vma->vm_start) {
3172 + if (check_heap_stack_gap(vma, addr, len)) {
3173 /* remember the address as a hint for next time */
3174 if (use_cache)
3175 mm->free_area_cache = addr;
3176 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
3177 mm->cached_hole_size = vma->vm_start - addr;
3178
3179 /* try just below the current vma->vm_start */
3180 - addr = vma->vm_start;
3181 + addr = skip_heap_stack_gap(vma, len);
3182 }
3183
3184 /*
3185 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
3186 if (fixed && addr > (mm->task_size - len))
3187 return -EINVAL;
3188
3189 +#ifdef CONFIG_PAX_RANDMMAP
3190 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
3191 + addr = 0;
3192 +#endif
3193 +
3194 /* If hint, make sure it matches our alignment restrictions */
3195 if (!fixed && addr) {
3196 addr = _ALIGN_UP(addr, 1ul << pshift);
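Review bot: The new `addr = 0` under CONFIG_PAX_RANDMMAP in slice_get_unmapped_area() silently drops the caller's address hint, and nothing at the site says so. A one-line comment would help the next reader, for example `/* RANDMMAP: ignore non-fixed hints so the caller cannot choose the mapping address */`. That rationale is inferred from the flag name, so the author should confirm the wording. The function body starts and ends outside this hunk.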
3197 diff -urNp linux-2.6.32.46/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.32.46/arch/powerpc/platforms/52xx/lite5200_pm.c
3198 --- linux-2.6.32.46/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-03-27 14:31:47.000000000 -0400
3199 +++ linux-2.6.32.46/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-04-17 15:56:45.000000000 -0400
3200 @@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
3201 lite5200_pm_target_state = PM_SUSPEND_ON;
3202 }
3203
3204 -static struct platform_suspend_ops lite5200_pm_ops = {
3205 +static const struct platform_suspend_ops lite5200_pm_ops = {
3206 .valid = lite5200_pm_valid,
3207 .begin = lite5200_pm_begin,
3208 .prepare = lite5200_pm_prepare,
3209 diff -urNp linux-2.6.32.46/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.32.46/arch/powerpc/platforms/52xx/mpc52xx_pm.c
3210 --- linux-2.6.32.46/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-03-27 14:31:47.000000000 -0400
3211 +++ linux-2.6.32.46/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-04-17 15:56:45.000000000 -0400
3212 @@ -180,7 +180,7 @@ void mpc52xx_pm_finish(void)
3213 iounmap(mbar);
3214 }
3215
3216 -static struct platform_suspend_ops mpc52xx_pm_ops = {
3217 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
3218 .valid = mpc52xx_pm_valid,
3219 .prepare = mpc52xx_pm_prepare,
3220 .enter = mpc52xx_pm_enter,
3221 diff -urNp linux-2.6.32.46/arch/powerpc/platforms/83xx/suspend.c linux-2.6.32.46/arch/powerpc/platforms/83xx/suspend.c
3222 --- linux-2.6.32.46/arch/powerpc/platforms/83xx/suspend.c 2011-03-27 14:31:47.000000000 -0400
3223 +++ linux-2.6.32.46/arch/powerpc/platforms/83xx/suspend.c 2011-04-17 15:56:45.000000000 -0400
3224 @@ -273,7 +273,7 @@ static int mpc83xx_is_pci_agent(void)
3225 return ret;
3226 }
3227
3228 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
3229 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
3230 .valid = mpc83xx_suspend_valid,
3231 .begin = mpc83xx_suspend_begin,
3232 .enter = mpc83xx_suspend_enter,
3233 diff -urNp linux-2.6.32.46/arch/powerpc/platforms/cell/iommu.c linux-2.6.32.46/arch/powerpc/platforms/cell/iommu.c
3234 --- linux-2.6.32.46/arch/powerpc/platforms/cell/iommu.c 2011-03-27 14:31:47.000000000 -0400
3235 +++ linux-2.6.32.46/arch/powerpc/platforms/cell/iommu.c 2011-04-17 15:56:45.000000000 -0400
3236 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3237
3238 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3239
3240 -struct dma_map_ops dma_iommu_fixed_ops = {
3241 +const struct dma_map_ops dma_iommu_fixed_ops = {
3242 .alloc_coherent = dma_fixed_alloc_coherent,
3243 .free_coherent = dma_fixed_free_coherent,
3244 .map_sg = dma_fixed_map_sg,
3245 diff -urNp linux-2.6.32.46/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.32.46/arch/powerpc/platforms/ps3/system-bus.c
3246 --- linux-2.6.32.46/arch/powerpc/platforms/ps3/system-bus.c 2011-03-27 14:31:47.000000000 -0400
3247 +++ linux-2.6.32.46/arch/powerpc/platforms/ps3/system-bus.c 2011-04-17 15:56:45.000000000 -0400
3248 @@ -694,7 +694,7 @@ static int ps3_dma_supported(struct devi
3249 return mask >= DMA_BIT_MASK(32);
3250 }
3251
3252 -static struct dma_map_ops ps3_sb_dma_ops = {
3253 +static const struct dma_map_ops ps3_sb_dma_ops = {
3254 .alloc_coherent = ps3_alloc_coherent,
3255 .free_coherent = ps3_free_coherent,
3256 .map_sg = ps3_sb_map_sg,
3257 @@ -704,7 +704,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3258 .unmap_page = ps3_unmap_page,
3259 };
3260
3261 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3262 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3263 .alloc_coherent = ps3_alloc_coherent,
3264 .free_coherent = ps3_free_coherent,
3265 .map_sg = ps3_ioc0_map_sg,
3266 diff -urNp linux-2.6.32.46/arch/powerpc/platforms/pseries/Kconfig linux-2.6.32.46/arch/powerpc/platforms/pseries/Kconfig
3267 --- linux-2.6.32.46/arch/powerpc/platforms/pseries/Kconfig 2011-03-27 14:31:47.000000000 -0400
3268 +++ linux-2.6.32.46/arch/powerpc/platforms/pseries/Kconfig 2011-04-17 15:56:45.000000000 -0400
3269 @@ -2,6 +2,8 @@ config PPC_PSERIES
3270 depends on PPC64 && PPC_BOOK3S
3271 bool "IBM pSeries & new (POWER5-based) iSeries"
3272 select MPIC
3273 + select PCI_MSI
3274 + select XICS
3275 select PPC_I8259
3276 select PPC_RTAS
3277 select RTAS_ERROR_LOGGING
3278 diff -urNp linux-2.6.32.46/arch/s390/include/asm/elf.h linux-2.6.32.46/arch/s390/include/asm/elf.h
3279 --- linux-2.6.32.46/arch/s390/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
3280 +++ linux-2.6.32.46/arch/s390/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
3281 @@ -164,6 +164,13 @@ extern unsigned int vdso_enabled;
3282 that it will "exec", and that there is sufficient room for the brk. */
3283 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3284
3285 +#ifdef CONFIG_PAX_ASLR
3286 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3287 +
3288 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3289 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3290 +#endif
3291 +
3292 /* This yields a mask that user programs can use to figure out what
3293 instruction set this CPU supports. */
3294
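Review bot: The PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN values (15 for 31-bit tasks, 26 otherwise) are bare numbers with no unit or rationale. A comment along the lines of `/* randomisation width in bits (presumably of the page-shifted offset); 31-bit tasks have less address space to spare */` would let a reviewer judge whether the amount of entropy is intended. The unit is an assumption to confirm against the code that consumes these macros. The sparc elf_32.h and elf_64.h hunks later in the patch add the same macros with the same gap, and the stray space in `26 )` could be dropped.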
3295 diff -urNp linux-2.6.32.46/arch/s390/include/asm/setup.h linux-2.6.32.46/arch/s390/include/asm/setup.h
3296 --- linux-2.6.32.46/arch/s390/include/asm/setup.h 2011-03-27 14:31:47.000000000 -0400
3297 +++ linux-2.6.32.46/arch/s390/include/asm/setup.h 2011-04-17 15:56:45.000000000 -0400
3298 @@ -50,13 +50,13 @@ extern unsigned long memory_end;
3299 void detect_memory_layout(struct mem_chunk chunk[]);
3300
3301 #ifdef CONFIG_S390_SWITCH_AMODE
3302 -extern unsigned int switch_amode;
3303 +#define switch_amode (1)
3304 #else
3305 #define switch_amode (0)
3306 #endif
3307
3308 #ifdef CONFIG_S390_EXEC_PROTECT
3309 -extern unsigned int s390_noexec;
3310 +#define s390_noexec (1)
3311 #else
3312 #define s390_noexec (0)
3313 #endif
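Review bot: After this change `switch_amode` and `s390_noexec` are constants chosen at build time, and the header gives no hint that the boot-time switches are gone. A comment above the two blocks, e.g. `/* fixed by Kconfig; the switch_amode and noexec early_param handlers are removed in setup.c */`, would save readers from looking for a runtime toggle. Any remaining code that assigns to either name will no longer build, and a module that imported the symbols dropped with `EXPORT_SYMBOL_GPL` will no longer load. A tree-wide grep for both names is worth doing.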
3314 diff -urNp linux-2.6.32.46/arch/s390/include/asm/uaccess.h linux-2.6.32.46/arch/s390/include/asm/uaccess.h
3315 --- linux-2.6.32.46/arch/s390/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
3316 +++ linux-2.6.32.46/arch/s390/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
3317 @@ -232,6 +232,10 @@ static inline unsigned long __must_check
3318 copy_to_user(void __user *to, const void *from, unsigned long n)
3319 {
3320 might_fault();
3321 +
3322 + if ((long)n < 0)
3323 + return n;
3324 +
3325 if (access_ok(VERIFY_WRITE, to, n))
3326 n = __copy_to_user(to, from, n);
3327 return n;
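Review bot: The added `(long)n < 0` guard covers copy_to_user(), __copy_from_user() and copy_from_user() in this file's hunks, but no visible hunk adds it to __copy_to_user(), which copy_to_user() calls after access_ok(). If __copy_to_user() is also callable directly (its definition is outside the hunks), it would want the same `if ((long)n < 0) return n;` so that both directions behave alike. The check also deserves a comment such as `/* a length with the sign bit set is treated as an underflowed size and refused */`, because returning `n` as "bytes not copied" is not obvious at first read.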
3328 @@ -257,6 +261,9 @@ copy_to_user(void __user *to, const void
3329 static inline unsigned long __must_check
3330 __copy_from_user(void *to, const void __user *from, unsigned long n)
3331 {
3332 + if ((long)n < 0)
3333 + return n;
3334 +
3335 if (__builtin_constant_p(n) && (n <= 256))
3336 return uaccess.copy_from_user_small(n, from, to);
3337 else
3338 @@ -283,6 +290,10 @@ static inline unsigned long __must_check
3339 copy_from_user(void *to, const void __user *from, unsigned long n)
3340 {
3341 might_fault();
3342 +
3343 + if ((long)n < 0)
3344 + return n;
3345 +
3346 if (access_ok(VERIFY_READ, from, n))
3347 n = __copy_from_user(to, from, n);
3348 else
3349 diff -urNp linux-2.6.32.46/arch/s390/Kconfig linux-2.6.32.46/arch/s390/Kconfig
3350 --- linux-2.6.32.46/arch/s390/Kconfig 2011-03-27 14:31:47.000000000 -0400
3351 +++ linux-2.6.32.46/arch/s390/Kconfig 2011-04-17 15:56:45.000000000 -0400
3352 @@ -194,28 +194,26 @@ config AUDIT_ARCH
3353
3354 config S390_SWITCH_AMODE
3355 bool "Switch kernel/user addressing modes"
3356 + default y
3357 help
3358 This option allows to switch the addressing modes of kernel and user
3359 - space. The kernel parameter switch_amode=on will enable this feature,
3360 - default is disabled. Enabling this (via kernel parameter) on machines
3361 - earlier than IBM System z9-109 EC/BC will reduce system performance.
3362 + space. Enabling this on machines earlier than IBM System z9-109 EC/BC
3363 + will reduce system performance.
3364
3365 Note that this option will also be selected by selecting the execute
3366 - protection option below. Enabling the execute protection via the
3367 - noexec kernel parameter will also switch the addressing modes,
3368 - independent of the switch_amode kernel parameter.
3369 + protection option below. Enabling the execute protection will also
3370 + switch the addressing modes, independent of this option.
3371
3372
3373 config S390_EXEC_PROTECT
3374 bool "Data execute protection"
3375 + default y
3376 select S390_SWITCH_AMODE
3377 help
3378 This option allows to enable a buffer overflow protection for user
3379 space programs and it also selects the addressing mode option above.
3380 - The kernel parameter noexec=on will enable this feature and also
3381 - switch the addressing modes, default is disabled. Enabling this (via
3382 - kernel parameter) on machines earlier than IBM System z9-109 EC/BC
3383 - will reduce system performance.
3384 + Enabling this on machines earlier than IBM System z9-109 EC/BC will
3385 + reduce system performance.
3386
3387 comment "Code generation options"
3388
3389 diff -urNp linux-2.6.32.46/arch/s390/kernel/module.c linux-2.6.32.46/arch/s390/kernel/module.c
3390 --- linux-2.6.32.46/arch/s390/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
3391 +++ linux-2.6.32.46/arch/s390/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
3392 @@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3393
3394 /* Increase core size by size of got & plt and set start
3395 offsets for got and plt. */
3396 - me->core_size = ALIGN(me->core_size, 4);
3397 - me->arch.got_offset = me->core_size;
3398 - me->core_size += me->arch.got_size;
3399 - me->arch.plt_offset = me->core_size;
3400 - me->core_size += me->arch.plt_size;
3401 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3402 + me->arch.got_offset = me->core_size_rw;
3403 + me->core_size_rw += me->arch.got_size;
3404 + me->arch.plt_offset = me->core_size_rx;
3405 + me->core_size_rx += me->arch.plt_size;
3406 return 0;
3407 }
3408
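Review bot: `plt_offset` is now taken from `core_size_rx` without the `ALIGN(..., 4)` that the rw side still gets on the first added line. In the old code the PLT followed a 4-byte-aligned GOT, and the stubs are later written through an `unsigned int *ip` in apply_rela(). Unless `core_size_rx` is already aligned by layout code outside this hunk, adding `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the `plt_offset` assignment keeps that guarantee. The existing comment ("Increase core size by size of got & plt") could also say that the GOT now goes to the rw area and the PLT to the rx area. module_frob_arch_sections() starts outside the hunk.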
3409 @@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3410 if (info->got_initialized == 0) {
3411 Elf_Addr *gotent;
3412
3413 - gotent = me->module_core + me->arch.got_offset +
3414 + gotent = me->module_core_rw + me->arch.got_offset +
3415 info->got_offset;
3416 *gotent = val;
3417 info->got_initialized = 1;
3418 @@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3419 else if (r_type == R_390_GOTENT ||
3420 r_type == R_390_GOTPLTENT)
3421 *(unsigned int *) loc =
3422 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3423 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3424 else if (r_type == R_390_GOT64 ||
3425 r_type == R_390_GOTPLT64)
3426 *(unsigned long *) loc = val;
3427 @@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3428 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3429 if (info->plt_initialized == 0) {
3430 unsigned int *ip;
3431 - ip = me->module_core + me->arch.plt_offset +
3432 + ip = me->module_core_rx + me->arch.plt_offset +
3433 info->plt_offset;
3434 #ifndef CONFIG_64BIT
3435 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3436 @@ -319,7 +319,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3437 val - loc + 0xffffUL < 0x1ffffeUL) ||
3438 (r_type == R_390_PLT32DBL &&
3439 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3440 - val = (Elf_Addr) me->module_core +
3441 + val = (Elf_Addr) me->module_core_rx +
3442 me->arch.plt_offset +
3443 info->plt_offset;
3444 val += rela->r_addend - loc;
3445 @@ -341,7 +341,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3446 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3447 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3448 val = val + rela->r_addend -
3449 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3450 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3451 if (r_type == R_390_GOTOFF16)
3452 *(unsigned short *) loc = val;
3453 else if (r_type == R_390_GOTOFF32)
3454 @@ -351,7 +351,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3455 break;
3456 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3457 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3458 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3459 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3460 rela->r_addend - loc;
3461 if (r_type == R_390_GOTPC)
3462 *(unsigned int *) loc = val;
3463 diff -urNp linux-2.6.32.46/arch/s390/kernel/setup.c linux-2.6.32.46/arch/s390/kernel/setup.c
3464 --- linux-2.6.32.46/arch/s390/kernel/setup.c 2011-03-27 14:31:47.000000000 -0400
3465 +++ linux-2.6.32.46/arch/s390/kernel/setup.c 2011-04-17 15:56:45.000000000 -0400
3466 @@ -306,9 +306,6 @@ static int __init early_parse_mem(char *
3467 early_param("mem", early_parse_mem);
3468
3469 #ifdef CONFIG_S390_SWITCH_AMODE
3470 -unsigned int switch_amode = 0;
3471 -EXPORT_SYMBOL_GPL(switch_amode);
3472 -
3473 static int set_amode_and_uaccess(unsigned long user_amode,
3474 unsigned long user32_amode)
3475 {
3476 @@ -334,17 +331,6 @@ static int set_amode_and_uaccess(unsigne
3477 return 0;
3478 }
3479 }
3480 -
3481 -/*
3482 - * Switch kernel/user addressing modes?
3483 - */
3484 -static int __init early_parse_switch_amode(char *p)
3485 -{
3486 - switch_amode = 1;
3487 - return 0;
3488 -}
3489 -early_param("switch_amode", early_parse_switch_amode);
3490 -
3491 #else /* CONFIG_S390_SWITCH_AMODE */
3492 static inline int set_amode_and_uaccess(unsigned long user_amode,
3493 unsigned long user32_amode)
3494 @@ -353,24 +339,6 @@ static inline int set_amode_and_uaccess(
3495 }
3496 #endif /* CONFIG_S390_SWITCH_AMODE */
3497
3498 -#ifdef CONFIG_S390_EXEC_PROTECT
3499 -unsigned int s390_noexec = 0;
3500 -EXPORT_SYMBOL_GPL(s390_noexec);
3501 -
3502 -/*
3503 - * Enable execute protection?
3504 - */
3505 -static int __init early_parse_noexec(char *p)
3506 -{
3507 - if (!strncmp(p, "off", 3))
3508 - return 0;
3509 - switch_amode = 1;
3510 - s390_noexec = 1;
3511 - return 0;
3512 -}
3513 -early_param("noexec", early_parse_noexec);
3514 -#endif /* CONFIG_S390_EXEC_PROTECT */
3515 -
3516 static void setup_addressing_mode(void)
3517 {
3518 if (s390_noexec) {
3519 diff -urNp linux-2.6.32.46/arch/s390/mm/mmap.c linux-2.6.32.46/arch/s390/mm/mmap.c
3520 --- linux-2.6.32.46/arch/s390/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
3521 +++ linux-2.6.32.46/arch/s390/mm/mmap.c 2011-04-17 15:56:45.000000000 -0400
3522 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3523 */
3524 if (mmap_is_legacy()) {
3525 mm->mmap_base = TASK_UNMAPPED_BASE;
3526 +
3527 +#ifdef CONFIG_PAX_RANDMMAP
3528 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3529 + mm->mmap_base += mm->delta_mmap;
3530 +#endif
3531 +
3532 mm->get_unmapped_area = arch_get_unmapped_area;
3533 mm->unmap_area = arch_unmap_area;
3534 } else {
3535 mm->mmap_base = mmap_base();
3536 +
3537 +#ifdef CONFIG_PAX_RANDMMAP
3538 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3539 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3540 +#endif
3541 +
3542 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3543 mm->unmap_area = arch_unmap_area_topdown;
3544 }
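Review bot: The subtraction `mm->mmap_base -= mm->delta_mmap + mm->delta_stack;` in the top-down branch has no lower-bound check, and no comment explains why both deltas are applied while the legacy branch adds only `delta_mmap`. Whether the result can approach or wrap below the bottom of the address space depends on mmap_base() and the delta ranges, neither of which is visible here. Either a comment stating the bound or an explicit check would help. The same block is repeated in the second arch_pick_mmap_layout() hunk below, and both functions start outside their hunks.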
3545 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3546 */
3547 if (mmap_is_legacy()) {
3548 mm->mmap_base = TASK_UNMAPPED_BASE;
3549 +
3550 +#ifdef CONFIG_PAX_RANDMMAP
3551 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3552 + mm->mmap_base += mm->delta_mmap;
3553 +#endif
3554 +
3555 mm->get_unmapped_area = s390_get_unmapped_area;
3556 mm->unmap_area = arch_unmap_area;
3557 } else {
3558 mm->mmap_base = mmap_base();
3559 +
3560 +#ifdef CONFIG_PAX_RANDMMAP
3561 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3562 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3563 +#endif
3564 +
3565 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3566 mm->unmap_area = arch_unmap_area_topdown;
3567 }
3568 diff -urNp linux-2.6.32.46/arch/score/include/asm/system.h linux-2.6.32.46/arch/score/include/asm/system.h
3569 --- linux-2.6.32.46/arch/score/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
3570 +++ linux-2.6.32.46/arch/score/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
3571 @@ -17,7 +17,7 @@ do { \
3572 #define finish_arch_switch(prev) do {} while (0)
3573
3574 typedef void (*vi_handler_t)(void);
3575 -extern unsigned long arch_align_stack(unsigned long sp);
3576 +#define arch_align_stack(x) (x)
3577
3578 #define mb() barrier()
3579 #define rmb() barrier()
3580 diff -urNp linux-2.6.32.46/arch/score/kernel/process.c linux-2.6.32.46/arch/score/kernel/process.c
3581 --- linux-2.6.32.46/arch/score/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
3582 +++ linux-2.6.32.46/arch/score/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
3583 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3584
3585 return task_pt_regs(task)->cp0_epc;
3586 }
3587 -
3588 -unsigned long arch_align_stack(unsigned long sp)
3589 -{
3590 - return sp;
3591 -}
3592 diff -urNp linux-2.6.32.46/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.32.46/arch/sh/boards/mach-hp6xx/pm.c
3593 --- linux-2.6.32.46/arch/sh/boards/mach-hp6xx/pm.c 2011-03-27 14:31:47.000000000 -0400
3594 +++ linux-2.6.32.46/arch/sh/boards/mach-hp6xx/pm.c 2011-04-17 15:56:45.000000000 -0400
3595 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3596 return 0;
3597 }
3598
3599 -static struct platform_suspend_ops hp6x0_pm_ops = {
3600 +static const struct platform_suspend_ops hp6x0_pm_ops = {
3601 .enter = hp6x0_pm_enter,
3602 .valid = suspend_valid_only_mem,
3603 };
3604 diff -urNp linux-2.6.32.46/arch/sh/kernel/cpu/sh4/sq.c linux-2.6.32.46/arch/sh/kernel/cpu/sh4/sq.c
3605 --- linux-2.6.32.46/arch/sh/kernel/cpu/sh4/sq.c 2011-03-27 14:31:47.000000000 -0400
3606 +++ linux-2.6.32.46/arch/sh/kernel/cpu/sh4/sq.c 2011-04-17 15:56:46.000000000 -0400
3607 @@ -327,7 +327,7 @@ static struct attribute *sq_sysfs_attrs[
3608 NULL,
3609 };
3610
3611 -static struct sysfs_ops sq_sysfs_ops = {
3612 +static const struct sysfs_ops sq_sysfs_ops = {
3613 .show = sq_sysfs_show,
3614 .store = sq_sysfs_store,
3615 };
3616 diff -urNp linux-2.6.32.46/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.32.46/arch/sh/kernel/cpu/shmobile/pm.c
3617 --- linux-2.6.32.46/arch/sh/kernel/cpu/shmobile/pm.c 2011-03-27 14:31:47.000000000 -0400
3618 +++ linux-2.6.32.46/arch/sh/kernel/cpu/shmobile/pm.c 2011-04-17 15:56:46.000000000 -0400
3619 @@ -58,7 +58,7 @@ static int sh_pm_enter(suspend_state_t s
3620 return 0;
3621 }
3622
3623 -static struct platform_suspend_ops sh_pm_ops = {
3624 +static const struct platform_suspend_ops sh_pm_ops = {
3625 .enter = sh_pm_enter,
3626 .valid = suspend_valid_only_mem,
3627 };
3628 diff -urNp linux-2.6.32.46/arch/sh/kernel/kgdb.c linux-2.6.32.46/arch/sh/kernel/kgdb.c
3629 --- linux-2.6.32.46/arch/sh/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
3630 +++ linux-2.6.32.46/arch/sh/kernel/kgdb.c 2011-04-17 15:56:46.000000000 -0400
3631 @@ -271,7 +271,7 @@ void kgdb_arch_exit(void)
3632 {
3633 }
3634
3635 -struct kgdb_arch arch_kgdb_ops = {
3636 +const struct kgdb_arch arch_kgdb_ops = {
3637 /* Breakpoint instruction: trapa #0x3c */
3638 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3639 .gdb_bpt_instr = { 0x3c, 0xc3 },
3640 diff -urNp linux-2.6.32.46/arch/sh/mm/mmap.c linux-2.6.32.46/arch/sh/mm/mmap.c
3641 --- linux-2.6.32.46/arch/sh/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
3642 +++ linux-2.6.32.46/arch/sh/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
3643 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3644 addr = PAGE_ALIGN(addr);
3645
3646 vma = find_vma(mm, addr);
3647 - if (TASK_SIZE - len >= addr &&
3648 - (!vma || addr + len <= vma->vm_start))
3649 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3650 return addr;
3651 }
3652
3653 @@ -106,7 +105,7 @@ full_search:
3654 }
3655 return -ENOMEM;
3656 }
3657 - if (likely(!vma || addr + len <= vma->vm_start)) {
3658 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3659 /*
3660 * Remember the place where we stopped the search:
3661 */
3662 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3663 addr = PAGE_ALIGN(addr);
3664
3665 vma = find_vma(mm, addr);
3666 - if (TASK_SIZE - len >= addr &&
3667 - (!vma || addr + len <= vma->vm_start))
3668 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3669 return addr;
3670 }
3671
3672 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3673 /* make sure it can fit in the remaining address space */
3674 if (likely(addr > len)) {
3675 vma = find_vma(mm, addr-len);
3676 - if (!vma || addr <= vma->vm_start) {
3677 + if (check_heap_stack_gap(vma, addr - len, len)) {
3678 /* remember the address as a hint for next time */
3679 return (mm->free_area_cache = addr-len);
3680 }
3681 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
3682 if (unlikely(mm->mmap_base < len))
3683 goto bottomup;
3684
3685 - addr = mm->mmap_base-len;
3686 - if (do_colour_align)
3687 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3688 + addr = mm->mmap_base - len;
3689
3690 do {
3691 + if (do_colour_align)
3692 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3693 /*
3694 * Lookup failure means no vma is above this address,
3695 * else if new region fits below vma->vm_start,
3696 * return with success:
3697 */
3698 vma = find_vma(mm, addr);
3699 - if (likely(!vma || addr+len <= vma->vm_start)) {
3700 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3701 /* remember the address as a hint for next time */
3702 return (mm->free_area_cache = addr);
3703 }
3704 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
3705 mm->cached_hole_size = vma->vm_start - addr;
3706
3707 /* try just below the current vma->vm_start */
3708 - addr = vma->vm_start-len;
3709 - if (do_colour_align)
3710 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3711 - } while (likely(len < vma->vm_start));
3712 + addr = skip_heap_stack_gap(vma, len);
3713 + } while (!IS_ERR_VALUE(addr));
3714
3715 bottomup:
3716 /*
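Review bot: Dropping the `len < vma->vm_start` loop condition moves the underflow check for the step below the VMA into skip_heap_stack_gap(), whose definition is not in this file. The loop in arch_get_unmapped_area_topdown() now ends only when that helper returns an error value, so a comment at the call would document the dependency: `/* returns an error value when len does not fit below vma->vm_start; that ends the loop */`. This assumes the helper behaves that way, which should be checked against its definition. The do-loop starts in the previous hunk.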
3717 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/atomic_64.h linux-2.6.32.46/arch/sparc/include/asm/atomic_64.h
3718 --- linux-2.6.32.46/arch/sparc/include/asm/atomic_64.h 2011-03-27 14:31:47.000000000 -0400
3719 +++ linux-2.6.32.46/arch/sparc/include/asm/atomic_64.h 2011-08-18 23:11:34.000000000 -0400
3720 @@ -14,18 +14,40 @@
3721 #define ATOMIC64_INIT(i) { (i) }
3722
3723 #define atomic_read(v) ((v)->counter)
3724 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3725 +{
3726 + return v->counter;
3727 +}
3728 #define atomic64_read(v) ((v)->counter)
3729 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3730 +{
3731 + return v->counter;
3732 +}
3733
3734 #define atomic_set(v, i) (((v)->counter) = i)
3735 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3736 +{
3737 + v->counter = i;
3738 +}
3739 #define atomic64_set(v, i) (((v)->counter) = i)
3740 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3741 +{
3742 + v->counter = i;
3743 +}
3744
3745 extern void atomic_add(int, atomic_t *);
3746 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3747 extern void atomic64_add(long, atomic64_t *);
3748 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3749 extern void atomic_sub(int, atomic_t *);
3750 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3751 extern void atomic64_sub(long, atomic64_t *);
3752 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3753
3754 extern int atomic_add_ret(int, atomic_t *);
3755 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3756 extern long atomic64_add_ret(long, atomic64_t *);
3757 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3758 extern int atomic_sub_ret(int, atomic_t *);
3759 extern long atomic64_sub_ret(long, atomic64_t *);
3760
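Review bot: Nothing in the header says when the new `*_unchecked` accessors and the `atomic_unchecked_t` / `atomic64_unchecked_t` types may be used. A block comment above `atomic_read_unchecked()` should state that these variants bypass the overflow trap and are meant only for counters where wrap-around is harmless, never for reference counts. That reading is inferred from the naming and from the CONFIG_PAX_REFCOUNT trap added to atomic_add_unless() further down, so the author should confirm it. Without such a note, a later caller can pick the unchecked form for convenience and quietly lose the protection.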
3761 @@ -33,13 +55,29 @@ extern long atomic64_sub_ret(long, atomi
3762 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3763
3764 #define atomic_inc_return(v) atomic_add_ret(1, v)
3765 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3766 +{
3767 + return atomic_add_ret_unchecked(1, v);
3768 +}
3769 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3770 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3771 +{
3772 + return atomic64_add_ret_unchecked(1, v);
3773 +}
3774
3775 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3776 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3777
3778 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3779 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3780 +{
3781 + return atomic_add_ret_unchecked(i, v);
3782 +}
3783 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3784 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
3785 +{
3786 + return atomic64_add_ret_unchecked(i, v);
3787 +}
3788
3789 /*
3790 * atomic_inc_and_test - increment and test
3791 @@ -50,6 +88,10 @@ extern long atomic64_sub_ret(long, atomi
3792 * other cases.
3793 */
3794 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
3795 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
3796 +{
3797 + return atomic_inc_return_unchecked(v) == 0;
3798 +}
3799 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
3800
3801 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
3802 @@ -59,30 +101,65 @@ extern long atomic64_sub_ret(long, atomi
3803 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3804
3805 #define atomic_inc(v) atomic_add(1, v)
3806 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3807 +{
3808 + atomic_add_unchecked(1, v);
3809 +}
3810 #define atomic64_inc(v) atomic64_add(1, v)
3811 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3812 +{
3813 + atomic64_add_unchecked(1, v);
3814 +}
3815
3816 #define atomic_dec(v) atomic_sub(1, v)
3817 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3818 +{
3819 + atomic_sub_unchecked(1, v);
3820 +}
3821 #define atomic64_dec(v) atomic64_sub(1, v)
3822 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3823 +{
3824 + atomic64_sub_unchecked(1, v);
3825 +}
3826
3827 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3828 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3829
3830 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
3831 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
3832 +{
3833 + return cmpxchg(&v->counter, old, new);
3834 +}
3835 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
3836 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
3837 +{
3838 + return xchg(&v->counter, new);
3839 +}
3840
3841 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3842 {
3843 - int c, old;
3844 + int c, old, new;
3845 c = atomic_read(v);
3846 for (;;) {
3847 - if (unlikely(c == (u)))
3848 + if (unlikely(c == u))
3849 break;
3850 - old = atomic_cmpxchg((v), c, c + (a));
3851 +
3852 + asm volatile("addcc %2, %0, %0\n"
3853 +
3854 +#ifdef CONFIG_PAX_REFCOUNT
3855 + "tvs %%icc, 6\n"
3856 +#endif
3857 +
3858 + : "=r" (new)
3859 + : "0" (c), "ir" (a)
3860 + : "cc");
3861 +
3862 + old = atomic_cmpxchg(v, c, new);
3863 if (likely(old == c))
3864 break;
3865 c = old;
3866 }
3867 - return c != (u);
3868 + return c != u;
3869 }
3870
3871 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
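Review bot: The trap number in `tvs %%icc, 6` is a bare constant with no comment, and its handler is not part of this file. A line such as `/* trap on signed overflow of the add; software trap 6 is handled elsewhere in this patch */` above the `#ifdef` would tell readers what happens when the counter would wrap (the handler location is an assumption to confirm). Note also that the `asm volatile` add replaces the plain `c + a` even when CONFIG_PAX_REFCOUNT is off. Keeping the C expression in the `#else` case would leave the non-hardened build unchanged. The atomic64_add_unless() hunk below has the same pattern with `%%xcc`.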
3872 @@ -90,20 +167,35 @@ static inline int atomic_add_unless(atom
3873 #define atomic64_cmpxchg(v, o, n) \
3874 ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
3875 #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
3876 +static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
3877 +{
3878 + return xchg(&v->counter, new);
3879 +}
3880
3881 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3882 {
3883 - long c, old;
3884 + long c, old, new;
3885 c = atomic64_read(v);
3886 for (;;) {
3887 - if (unlikely(c == (u)))
3888 + if (unlikely(c == u))
3889 break;
3890 - old = atomic64_cmpxchg((v), c, c + (a));
3891 +
3892 + asm volatile("addcc %2, %0, %0\n"
3893 +
3894 +#ifdef CONFIG_PAX_REFCOUNT
3895 + "tvs %%xcc, 6\n"
3896 +#endif
3897 +
3898 + : "=r" (new)
3899 + : "0" (c), "ir" (a)
3900 + : "cc");
3901 +
3902 + old = atomic64_cmpxchg(v, c, new);
3903 if (likely(old == c))
3904 break;
3905 c = old;
3906 }
3907 - return c != (u);
3908 + return c != u;
3909 }
3910
3911 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3912 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/cache.h linux-2.6.32.46/arch/sparc/include/asm/cache.h
3913 --- linux-2.6.32.46/arch/sparc/include/asm/cache.h 2011-03-27 14:31:47.000000000 -0400
3914 +++ linux-2.6.32.46/arch/sparc/include/asm/cache.h 2011-07-06 19:53:33.000000000 -0400
3915 @@ -8,7 +8,7 @@
3916 #define _SPARC_CACHE_H
3917
3918 #define L1_CACHE_SHIFT 5
3919 -#define L1_CACHE_BYTES 32
3920 +#define L1_CACHE_BYTES 32UL
3921 #define L1_CACHE_ALIGN(x) ((((x)+(L1_CACHE_BYTES-1))&~(L1_CACHE_BYTES-1)))
3922
3923 #ifdef CONFIG_SPARC32
3924 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/dma-mapping.h linux-2.6.32.46/arch/sparc/include/asm/dma-mapping.h
3925 --- linux-2.6.32.46/arch/sparc/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
3926 +++ linux-2.6.32.46/arch/sparc/include/asm/dma-mapping.h 2011-04-17 15:56:46.000000000 -0400
3927 @@ -14,10 +14,10 @@ extern int dma_set_mask(struct device *d
3928 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3929 #define dma_is_consistent(d, h) (1)
3930
3931 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3932 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3933 extern struct bus_type pci_bus_type;
3934
3935 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3936 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3937 {
3938 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3939 if (dev->bus == &pci_bus_type)
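Review bot: `extern const struct dma_map_ops *dma_ops, pci32_dma_ops;` declares two different things in one statement, a non-const pointer to a const table and a const table object. That is easy to misread now that `const` leads the line. Splitting it into `extern const struct dma_map_ops *dma_ops;` and `extern const struct dma_map_ops pci32_dma_ops;` makes it plain that the tables are read-only while the `dma_ops` pointer itself stays assignable. get_dma_ops() continues past the end of this hunk.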
3940 @@ -31,7 +31,7 @@ static inline struct dma_map_ops *get_dm
3941 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3942 dma_addr_t *dma_handle, gfp_t flag)
3943 {
3944 - struct dma_map_ops *ops = get_dma_ops(dev);
3945 + const struct dma_map_ops *ops = get_dma_ops(dev);
3946 void *cpu_addr;
3947
3948 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3949 @@ -42,7 +42,7 @@ static inline void *dma_alloc_coherent(s
3950 static inline void dma_free_coherent(struct device *dev, size_t size,
3951 void *cpu_addr, dma_addr_t dma_handle)
3952 {
3953 - struct dma_map_ops *ops = get_dma_ops(dev);
3954 + const struct dma_map_ops *ops = get_dma_ops(dev);
3955
3956 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3957 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3958 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/elf_32.h linux-2.6.32.46/arch/sparc/include/asm/elf_32.h
3959 --- linux-2.6.32.46/arch/sparc/include/asm/elf_32.h 2011-03-27 14:31:47.000000000 -0400
3960 +++ linux-2.6.32.46/arch/sparc/include/asm/elf_32.h 2011-04-17 15:56:46.000000000 -0400
3961 @@ -116,6 +116,13 @@ typedef struct {
3962
3963 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3964
3965 +#ifdef CONFIG_PAX_ASLR
3966 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3967 +
3968 +#define PAX_DELTA_MMAP_LEN 16
3969 +#define PAX_DELTA_STACK_LEN 16
3970 +#endif
3971 +
3972 /* This yields a mask that user programs can use to figure out what
3973 instruction set this cpu supports. This can NOT be done in userspace
3974 on Sparc. */
3975 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/elf_64.h linux-2.6.32.46/arch/sparc/include/asm/elf_64.h
3976 --- linux-2.6.32.46/arch/sparc/include/asm/elf_64.h 2011-03-27 14:31:47.000000000 -0400
3977 +++ linux-2.6.32.46/arch/sparc/include/asm/elf_64.h 2011-04-17 15:56:46.000000000 -0400
3978 @@ -163,6 +163,12 @@ typedef struct {
3979 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3980 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3981
3982 +#ifdef CONFIG_PAX_ASLR
3983 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3984 +
3985 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3986 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3987 +#endif
3988
3989 /* This yields a mask that user programs can use to figure out what
3990 instruction set this cpu supports. */
3991 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/pgtable_32.h linux-2.6.32.46/arch/sparc/include/asm/pgtable_32.h
3992 --- linux-2.6.32.46/arch/sparc/include/asm/pgtable_32.h 2011-03-27 14:31:47.000000000 -0400
3993 +++ linux-2.6.32.46/arch/sparc/include/asm/pgtable_32.h 2011-04-17 15:56:46.000000000 -0400
3994 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3995 BTFIXUPDEF_INT(page_none)
3996 BTFIXUPDEF_INT(page_copy)
3997 BTFIXUPDEF_INT(page_readonly)
3998 +
3999 +#ifdef CONFIG_PAX_PAGEEXEC
4000 +BTFIXUPDEF_INT(page_shared_noexec)
4001 +BTFIXUPDEF_INT(page_copy_noexec)
4002 +BTFIXUPDEF_INT(page_readonly_noexec)
4003 +#endif
4004 +
4005 BTFIXUPDEF_INT(page_kernel)
4006
4007 #define PMD_SHIFT SUN4C_PMD_SHIFT
4008 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
4009 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
4010 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
4011
4012 +#ifdef CONFIG_PAX_PAGEEXEC
4013 +extern pgprot_t PAGE_SHARED_NOEXEC;
4014 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
4015 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
4016 +#else
4017 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
4018 +# define PAGE_COPY_NOEXEC PAGE_COPY
4019 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
4020 +#endif
4021 +
4022 extern unsigned long page_kernel;
4023
4024 #ifdef MODULE
4025 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.32.46/arch/sparc/include/asm/pgtsrmmu.h
4026 --- linux-2.6.32.46/arch/sparc/include/asm/pgtsrmmu.h 2011-03-27 14:31:47.000000000 -0400
4027 +++ linux-2.6.32.46/arch/sparc/include/asm/pgtsrmmu.h 2011-04-17 15:56:46.000000000 -0400
4028 @@ -115,6 +115,13 @@
4029 SRMMU_EXEC | SRMMU_REF)
4030 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
4031 SRMMU_EXEC | SRMMU_REF)
4032 +
4033 +#ifdef CONFIG_PAX_PAGEEXEC
4034 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
4035 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
4036 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
4037 +#endif
4038 +
4039 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
4040 SRMMU_DIRTY | SRMMU_REF)
4041
4042 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/spinlock_64.h linux-2.6.32.46/arch/sparc/include/asm/spinlock_64.h
4043 --- linux-2.6.32.46/arch/sparc/include/asm/spinlock_64.h 2011-03-27 14:31:47.000000000 -0400
4044 +++ linux-2.6.32.46/arch/sparc/include/asm/spinlock_64.h 2011-08-18 23:19:30.000000000 -0400
4045 @@ -92,14 +92,19 @@ static inline void __raw_spin_lock_flags
4046
4047 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
4048
4049 -static void inline arch_read_lock(raw_rwlock_t *lock)
4050 +static inline void arch_read_lock(raw_rwlock_t *lock)
4051 {
4052 unsigned long tmp1, tmp2;
4053
4054 __asm__ __volatile__ (
4055 "1: ldsw [%2], %0\n"
4056 " brlz,pn %0, 2f\n"
4057 -"4: add %0, 1, %1\n"
4058 +"4: addcc %0, 1, %1\n"
4059 +
4060 +#ifdef CONFIG_PAX_REFCOUNT
4061 +" tvs %%icc, 6\n"
4062 +#endif
4063 +
4064 " cas [%2], %0, %1\n"
4065 " cmp %0, %1\n"
4066 " bne,pn %%icc, 1b\n"
4067 @@ -112,10 +117,10 @@ static void inline arch_read_lock(raw_rw
4068 " .previous"
4069 : "=&r" (tmp1), "=&r" (tmp2)
4070 : "r" (lock)
4071 - : "memory");
4072 + : "memory", "cc");
4073 }
4074
4075 -static int inline arch_read_trylock(raw_rwlock_t *lock)
4076 +static inline int arch_read_trylock(raw_rwlock_t *lock)
4077 {
4078 int tmp1, tmp2;
4079
4080 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(raw_
4081 "1: ldsw [%2], %0\n"
4082 " brlz,a,pn %0, 2f\n"
4083 " mov 0, %0\n"
4084 -" add %0, 1, %1\n"
4085 +" addcc %0, 1, %1\n"
4086 +
4087 +#ifdef CONFIG_PAX_REFCOUNT
4088 +" tvs %%icc, 6\n"
4089 +#endif
4090 +
4091 " cas [%2], %0, %1\n"
4092 " cmp %0, %1\n"
4093 " bne,pn %%icc, 1b\n"
4094 @@ -136,13 +146,18 @@ static int inline arch_read_trylock(raw_
4095 return tmp1;
4096 }
4097
4098 -static void inline arch_read_unlock(raw_rwlock_t *lock)
4099 +static inline void arch_read_unlock(raw_rwlock_t *lock)
4100 {
4101 unsigned long tmp1, tmp2;
4102
4103 __asm__ __volatile__(
4104 "1: lduw [%2], %0\n"
4105 -" sub %0, 1, %1\n"
4106 +" subcc %0, 1, %1\n"
4107 +
4108 +#ifdef CONFIG_PAX_REFCOUNT
4109 +" tvs %%icc, 6\n"
4110 +#endif
4111 +
4112 " cas [%2], %0, %1\n"
4113 " cmp %0, %1\n"
4114 " bne,pn %%xcc, 1b\n"
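Review bot: The asm in arch_read_unlock now sets the condition codes with `subcc`, but its clobber list, visible as unchanged context at the top of the next hunk, still reads `: "memory");`. arch_read_lock was changed to `: "memory", "cc");` earlier in this file, so I would make the same change here. The existing `cmp` already wrote the condition codes, so this may have no practical effect on this target, but the reader paths should agree. The clobber list of arch_read_trylock lies outside the hunks shown and deserves the same check.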
4115 @@ -152,7 +167,7 @@ static void inline arch_read_unlock(raw_
4116 : "memory");
4117 }
4118
4119 -static void inline arch_write_lock(raw_rwlock_t *lock)
4120 +static inline void arch_write_lock(raw_rwlock_t *lock)
4121 {
4122 unsigned long mask, tmp1, tmp2;
4123
4124 @@ -177,7 +192,7 @@ static void inline arch_write_lock(raw_r
4125 : "memory");
4126 }
4127
4128 -static void inline arch_write_unlock(raw_rwlock_t *lock)
4129 +static inline void arch_write_unlock(raw_rwlock_t *lock)
4130 {
4131 __asm__ __volatile__(
4132 " stw %%g0, [%0]"
4133 @@ -186,7 +201,7 @@ static void inline arch_write_unlock(raw
4134 : "memory");
4135 }
4136
4137 -static int inline arch_write_trylock(raw_rwlock_t *lock)
4138 +static inline int arch_write_trylock(raw_rwlock_t *lock)
4139 {
4140 unsigned long mask, tmp1, tmp2, result;
4141
4142 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/thread_info_32.h linux-2.6.32.46/arch/sparc/include/asm/thread_info_32.h
4143 --- linux-2.6.32.46/arch/sparc/include/asm/thread_info_32.h 2011-03-27 14:31:47.000000000 -0400
4144 +++ linux-2.6.32.46/arch/sparc/include/asm/thread_info_32.h 2011-06-04 20:46:01.000000000 -0400
4145 @@ -50,6 +50,8 @@ struct thread_info {
4146 unsigned long w_saved;
4147
4148 struct restart_block restart_block;
4149 +
4150 + unsigned long lowest_stack;
4151 };
4152
4153 /*
4154 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/thread_info_64.h linux-2.6.32.46/arch/sparc/include/asm/thread_info_64.h
4155 --- linux-2.6.32.46/arch/sparc/include/asm/thread_info_64.h 2011-03-27 14:31:47.000000000 -0400
4156 +++ linux-2.6.32.46/arch/sparc/include/asm/thread_info_64.h 2011-06-04 20:46:21.000000000 -0400
4157 @@ -68,6 +68,8 @@ struct thread_info {
4158 struct pt_regs *kern_una_regs;
4159 unsigned int kern_una_insn;
4160
4161 + unsigned long lowest_stack;
4162 +
4163 unsigned long fpregs[0] __attribute__ ((aligned(64)));
4164 };
4165
4166 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/uaccess_32.h linux-2.6.32.46/arch/sparc/include/asm/uaccess_32.h
4167 --- linux-2.6.32.46/arch/sparc/include/asm/uaccess_32.h 2011-03-27 14:31:47.000000000 -0400
4168 +++ linux-2.6.32.46/arch/sparc/include/asm/uaccess_32.h 2011-04-17 15:56:46.000000000 -0400
4169 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
4170
4171 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
4172 {
4173 - if (n && __access_ok((unsigned long) to, n))
4174 + if ((long)n < 0)
4175 + return n;
4176 +
4177 + if (n && __access_ok((unsigned long) to, n)) {
4178 + if (!__builtin_constant_p(n))
4179 + check_object_size(from, n, true);
4180 return __copy_user(to, (__force void __user *) from, n);
4181 - else
4182 + } else
4183 return n;
4184 }
4185
4186 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
4187 {
4188 + if ((long)n < 0)
4189 + return n;
4190 +
4191 + if (!__builtin_constant_p(n))
4192 + check_object_size(from, n, true);
4193 +
4194 return __copy_user(to, (__force void __user *) from, n);
4195 }
4196
4197 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
4198 {
4199 - if (n && __access_ok((unsigned long) from, n))
4200 + if ((long)n < 0)
4201 + return n;
4202 +
4203 + if (n && __access_ok((unsigned long) from, n)) {
4204 + if (!__builtin_constant_p(n))
4205 + check_object_size(to, n, false);
4206 return __copy_user((__force void __user *) to, from, n);
4207 - else
4208 + } else
4209 return n;
4210 }
4211
4212 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
4213 {
4214 + if ((long)n < 0)
4215 + return n;
4216 +
4217 return __copy_user((__force void __user *) to, from, n);
4218 }
4219
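Review bot: `__copy_from_user` gets the `(long)n < 0` guard but not the `check_object_size(to, n, false)` call that `copy_from_user` receives in the same hunk, so this variant writes into the kernel destination without the object-size check. `__copy_to_user` does get its check, which suggests the omission is an oversight rather than a deliberate exemption. I would add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the `__copy_user` call, or a comment stating why this path is exempt.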
4220 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/uaccess_64.h linux-2.6.32.46/arch/sparc/include/asm/uaccess_64.h
4221 --- linux-2.6.32.46/arch/sparc/include/asm/uaccess_64.h 2011-03-27 14:31:47.000000000 -0400
4222 +++ linux-2.6.32.46/arch/sparc/include/asm/uaccess_64.h 2011-04-17 15:56:46.000000000 -0400
4223 @@ -9,6 +9,7 @@
4224 #include <linux/compiler.h>
4225 #include <linux/string.h>
4226 #include <linux/thread_info.h>
4227 +#include <linux/kernel.h>
4228 #include <asm/asi.h>
4229 #include <asm/system.h>
4230 #include <asm/spitfire.h>
4231 @@ -212,8 +213,15 @@ extern unsigned long copy_from_user_fixu
4232 static inline unsigned long __must_check
4233 copy_from_user(void *to, const void __user *from, unsigned long size)
4234 {
4235 - unsigned long ret = ___copy_from_user(to, from, size);
4236 + unsigned long ret;
4237
4238 + if ((long)size < 0 || size > INT_MAX)
4239 + return size;
4240 +
4241 + if (!__builtin_constant_p(size))
4242 + check_object_size(to, size, false);
4243 +
4244 + ret = ___copy_from_user(to, from, size);
4245 if (unlikely(ret))
4246 ret = copy_from_user_fixup(to, from, size);
4247 return ret;
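Review bot: The new early `return size;` leaves the destination buffer untouched when the length is rejected, so a caller that does not act on the return value would continue with whatever `to` held before. The function is `__must_check`, which limits this, but the contract should be stated at the check, e.g. `/* oversized length: nothing is copied and 'to' is left unmodified */`. Separately, `(long)size < 0` is already implied by `size > INT_MAX` for an unsigned long, so the test can be reduced to `if (size > INT_MAX)`. The copy_to_user hunk that follows has the same redundant test, and the body of copy_from_user continues past this hunk.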
4248 @@ -228,8 +236,15 @@ extern unsigned long copy_to_user_fixup(
4249 static inline unsigned long __must_check
4250 copy_to_user(void __user *to, const void *from, unsigned long size)
4251 {
4252 - unsigned long ret = ___copy_to_user(to, from, size);
4253 + unsigned long ret;
4254 +
4255 + if ((long)size < 0 || size > INT_MAX)
4256 + return size;
4257 +
4258 + if (!__builtin_constant_p(size))
4259 + check_object_size(from, size, true);
4260
4261 + ret = ___copy_to_user(to, from, size);
4262 if (unlikely(ret))
4263 ret = copy_to_user_fixup(to, from, size);
4264 return ret;
4265 diff -urNp linux-2.6.32.46/arch/sparc/include/asm/uaccess.h linux-2.6.32.46/arch/sparc/include/asm/uaccess.h
4266 --- linux-2.6.32.46/arch/sparc/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
4267 +++ linux-2.6.32.46/arch/sparc/include/asm/uaccess.h 2011-04-17 15:56:46.000000000 -0400
4268 @@ -1,5 +1,13 @@
4269 #ifndef ___ASM_SPARC_UACCESS_H
4270 #define ___ASM_SPARC_UACCESS_H
4271 +
4272 +#ifdef __KERNEL__
4273 +#ifndef __ASSEMBLY__
4274 +#include <linux/types.h>
4275 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
4276 +#endif
4277 +#endif
4278 +
4279 #if defined(__sparc__) && defined(__arch64__)
4280 #include <asm/uaccess_64.h>
4281 #else
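Review bot: The new `check_object_size` prototype carries no comment, and the meaning of its `bool to` argument can only be worked out from the callers. uaccess_32.h and uaccess_64.h pass `true` from the copy_to_user paths and `false` from the copy_from_user paths. I would add `/* to: true when the kernel object at ptr is the source of a copy to userland, false when it is the destination */` above the declaration.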
4282 diff -urNp linux-2.6.32.46/arch/sparc/kernel/iommu.c linux-2.6.32.46/arch/sparc/kernel/iommu.c
4283 --- linux-2.6.32.46/arch/sparc/kernel/iommu.c 2011-03-27 14:31:47.000000000 -0400
4284 +++ linux-2.6.32.46/arch/sparc/kernel/iommu.c 2011-04-17 15:56:46.000000000 -0400
4285 @@ -826,7 +826,7 @@ static void dma_4u_sync_sg_for_cpu(struc
4286 spin_unlock_irqrestore(&iommu->lock, flags);
4287 }
4288
4289 -static struct dma_map_ops sun4u_dma_ops = {
4290 +static const struct dma_map_ops sun4u_dma_ops = {
4291 .alloc_coherent = dma_4u_alloc_coherent,
4292 .free_coherent = dma_4u_free_coherent,
4293 .map_page = dma_4u_map_page,
4294 @@ -837,7 +837,7 @@ static struct dma_map_ops sun4u_dma_ops
4295 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
4296 };
4297
4298 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4299 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4300 EXPORT_SYMBOL(dma_ops);
4301
4302 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
4303 diff -urNp linux-2.6.32.46/arch/sparc/kernel/ioport.c linux-2.6.32.46/arch/sparc/kernel/ioport.c
4304 --- linux-2.6.32.46/arch/sparc/kernel/ioport.c 2011-03-27 14:31:47.000000000 -0400
4305 +++ linux-2.6.32.46/arch/sparc/kernel/ioport.c 2011-04-17 15:56:46.000000000 -0400
4306 @@ -392,7 +392,7 @@ static void sbus_sync_sg_for_device(stru
4307 BUG();
4308 }
4309
4310 -struct dma_map_ops sbus_dma_ops = {
4311 +const struct dma_map_ops sbus_dma_ops = {
4312 .alloc_coherent = sbus_alloc_coherent,
4313 .free_coherent = sbus_free_coherent,
4314 .map_page = sbus_map_page,
4315 @@ -403,7 +403,7 @@ struct dma_map_ops sbus_dma_ops = {
4316 .sync_sg_for_device = sbus_sync_sg_for_device,
4317 };
4318
4319 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
4320 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4321 EXPORT_SYMBOL(dma_ops);
4322
4323 static int __init sparc_register_ioport(void)
4324 @@ -640,7 +640,7 @@ static void pci32_sync_sg_for_device(str
4325 }
4326 }
4327
4328 -struct dma_map_ops pci32_dma_ops = {
4329 +const struct dma_map_ops pci32_dma_ops = {
4330 .alloc_coherent = pci32_alloc_coherent,
4331 .free_coherent = pci32_free_coherent,
4332 .map_page = pci32_map_page,
4333 diff -urNp linux-2.6.32.46/arch/sparc/kernel/kgdb_32.c linux-2.6.32.46/arch/sparc/kernel/kgdb_32.c
4334 --- linux-2.6.32.46/arch/sparc/kernel/kgdb_32.c 2011-03-27 14:31:47.000000000 -0400
4335 +++ linux-2.6.32.46/arch/sparc/kernel/kgdb_32.c 2011-04-17 15:56:46.000000000 -0400
4336 @@ -158,7 +158,7 @@ void kgdb_arch_exit(void)
4337 {
4338 }
4339
4340 -struct kgdb_arch arch_kgdb_ops = {
4341 +const struct kgdb_arch arch_kgdb_ops = {
4342 /* Breakpoint instruction: ta 0x7d */
4343 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4344 };
4345 diff -urNp linux-2.6.32.46/arch/sparc/kernel/kgdb_64.c linux-2.6.32.46/arch/sparc/kernel/kgdb_64.c
4346 --- linux-2.6.32.46/arch/sparc/kernel/kgdb_64.c 2011-03-27 14:31:47.000000000 -0400
4347 +++ linux-2.6.32.46/arch/sparc/kernel/kgdb_64.c 2011-04-17 15:56:46.000000000 -0400
4348 @@ -180,7 +180,7 @@ void kgdb_arch_exit(void)
4349 {
4350 }
4351
4352 -struct kgdb_arch arch_kgdb_ops = {
4353 +const struct kgdb_arch arch_kgdb_ops = {
4354 /* Breakpoint instruction: ta 0x72 */
4355 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4356 };
4357 diff -urNp linux-2.6.32.46/arch/sparc/kernel/Makefile linux-2.6.32.46/arch/sparc/kernel/Makefile
4358 --- linux-2.6.32.46/arch/sparc/kernel/Makefile 2011-03-27 14:31:47.000000000 -0400
4359 +++ linux-2.6.32.46/arch/sparc/kernel/Makefile 2011-04-17 15:56:46.000000000 -0400
4360 @@ -3,7 +3,7 @@
4361 #
4362
4363 asflags-y := -ansi
4364 -ccflags-y := -Werror
4365 +#ccflags-y := -Werror
4366
4367 extra-y := head_$(BITS).o
4368 extra-y += init_task.o
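Review bot: `-Werror` is switched off by commenting the line out, with no note on which warnings the patched code triggers. Every object built from arch/sparc/kernel loses the warning gate, not only the files that need the exemption. If the warnings cannot be fixed, I would record the reason in place, e.g. `# -Werror disabled: <reason>`, or relax the flag only for the affected objects.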
4369 diff -urNp linux-2.6.32.46/arch/sparc/kernel/pci_sun4v.c linux-2.6.32.46/arch/sparc/kernel/pci_sun4v.c
4370 --- linux-2.6.32.46/arch/sparc/kernel/pci_sun4v.c 2011-03-27 14:31:47.000000000 -0400
4371 +++ linux-2.6.32.46/arch/sparc/kernel/pci_sun4v.c 2011-04-17 15:56:46.000000000 -0400
4372 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4373 spin_unlock_irqrestore(&iommu->lock, flags);
4374 }
4375
4376 -static struct dma_map_ops sun4v_dma_ops = {
4377 +static const struct dma_map_ops sun4v_dma_ops = {
4378 .alloc_coherent = dma_4v_alloc_coherent,
4379 .free_coherent = dma_4v_free_coherent,
4380 .map_page = dma_4v_map_page,
4381 diff -urNp linux-2.6.32.46/arch/sparc/kernel/process_32.c linux-2.6.32.46/arch/sparc/kernel/process_32.c
4382 --- linux-2.6.32.46/arch/sparc/kernel/process_32.c 2011-03-27 14:31:47.000000000 -0400
4383 +++ linux-2.6.32.46/arch/sparc/kernel/process_32.c 2011-04-17 15:56:46.000000000 -0400
4384 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4385 rw->ins[4], rw->ins[5],
4386 rw->ins[6],
4387 rw->ins[7]);
4388 - printk("%pS\n", (void *) rw->ins[7]);
4389 + printk("%pA\n", (void *) rw->ins[7]);
4390 rw = (struct reg_window32 *) rw->ins[6];
4391 }
4392 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
4393 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4394
4395 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4396 r->psr, r->pc, r->npc, r->y, print_tainted());
4397 - printk("PC: <%pS>\n", (void *) r->pc);
4398 + printk("PC: <%pA>\n", (void *) r->pc);
4399 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4400 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4401 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4402 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4403 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4404 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4405 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4406 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4407
4408 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4409 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4410 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4411 rw = (struct reg_window32 *) fp;
4412 pc = rw->ins[7];
4413 printk("[%08lx : ", pc);
4414 - printk("%pS ] ", (void *) pc);
4415 + printk("%pA ] ", (void *) pc);
4416 fp = rw->ins[6];
4417 } while (++count < 16);
4418 printk("\n");
4419 diff -urNp linux-2.6.32.46/arch/sparc/kernel/process_64.c linux-2.6.32.46/arch/sparc/kernel/process_64.c
4420 --- linux-2.6.32.46/arch/sparc/kernel/process_64.c 2011-03-27 14:31:47.000000000 -0400
4421 +++ linux-2.6.32.46/arch/sparc/kernel/process_64.c 2011-04-17 15:56:46.000000000 -0400
4422 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4423 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4424 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4425 if (regs->tstate & TSTATE_PRIV)
4426 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4427 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4428 }
4429
4430 void show_regs(struct pt_regs *regs)
4431 {
4432 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4433 regs->tpc, regs->tnpc, regs->y, print_tainted());
4434 - printk("TPC: <%pS>\n", (void *) regs->tpc);
4435 + printk("TPC: <%pA>\n", (void *) regs->tpc);
4436 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4437 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4438 regs->u_regs[3]);
4439 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4440 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4441 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4442 regs->u_regs[15]);
4443 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4444 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4445 show_regwindow(regs);
4446 }
4447
4448 @@ -284,7 +284,7 @@ void arch_trigger_all_cpu_backtrace(void
4449 ((tp && tp->task) ? tp->task->pid : -1));
4450
4451 if (gp->tstate & TSTATE_PRIV) {
4452 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4453 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4454 (void *) gp->tpc,
4455 (void *) gp->o7,
4456 (void *) gp->i7,
4457 diff -urNp linux-2.6.32.46/arch/sparc/kernel/sys_sparc_32.c linux-2.6.32.46/arch/sparc/kernel/sys_sparc_32.c
4458 --- linux-2.6.32.46/arch/sparc/kernel/sys_sparc_32.c 2011-03-27 14:31:47.000000000 -0400
4459 +++ linux-2.6.32.46/arch/sparc/kernel/sys_sparc_32.c 2011-04-17 15:56:46.000000000 -0400
4460 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
4461 if (ARCH_SUN4C && len > 0x20000000)
4462 return -ENOMEM;
4463 if (!addr)
4464 - addr = TASK_UNMAPPED_BASE;
4465 + addr = current->mm->mmap_base;
4466
4467 if (flags & MAP_SHARED)
4468 addr = COLOUR_ALIGN(addr);
4469 @@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
4470 }
4471 if (TASK_SIZE - PAGE_SIZE - len < addr)
4472 return -ENOMEM;
4473 - if (!vmm || addr + len <= vmm->vm_start)
4474 + if (check_heap_stack_gap(vmm, addr, len))
4475 return addr;
4476 addr = vmm->vm_end;
4477 if (flags & MAP_SHARED)
4478 diff -urNp linux-2.6.32.46/arch/sparc/kernel/sys_sparc_64.c linux-2.6.32.46/arch/sparc/kernel/sys_sparc_64.c
4479 --- linux-2.6.32.46/arch/sparc/kernel/sys_sparc_64.c 2011-03-27 14:31:47.000000000 -0400
4480 +++ linux-2.6.32.46/arch/sparc/kernel/sys_sparc_64.c 2011-04-17 15:56:46.000000000 -0400
4481 @@ -125,7 +125,7 @@ unsigned long arch_get_unmapped_area(str
4482 /* We do not accept a shared mapping if it would violate
4483 * cache aliasing constraints.
4484 */
4485 - if ((flags & MAP_SHARED) &&
4486 + if ((filp || (flags & MAP_SHARED)) &&
4487 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4488 return -EINVAL;
4489 return addr;
4490 @@ -140,6 +140,10 @@ unsigned long arch_get_unmapped_area(str
4491 if (filp || (flags & MAP_SHARED))
4492 do_color_align = 1;
4493
4494 +#ifdef CONFIG_PAX_RANDMMAP
4495 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4496 +#endif
4497 +
4498 if (addr) {
4499 if (do_color_align)
4500 addr = COLOUR_ALIGN(addr, pgoff);
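Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own and takes the following `if (addr) {` block as its statement, across an `#endif` and a blank line. A statement inserted between the two later would silently become the guarded one. I would keep the guard directly adjacent to the block it controls and add a comment such as `/* under RANDMMAP the caller's address hint is not honoured here */`. The rest of arch_get_unmapped_area lies outside this hunk.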
4501 @@ -147,15 +151,14 @@ unsigned long arch_get_unmapped_area(str
4502 addr = PAGE_ALIGN(addr);
4503
4504 vma = find_vma(mm, addr);
4505 - if (task_size - len >= addr &&
4506 - (!vma || addr + len <= vma->vm_start))
4507 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4508 return addr;
4509 }
4510
4511 if (len > mm->cached_hole_size) {
4512 - start_addr = addr = mm->free_area_cache;
4513 + start_addr = addr = mm->free_area_cache;
4514 } else {
4515 - start_addr = addr = TASK_UNMAPPED_BASE;
4516 + start_addr = addr = mm->mmap_base;
4517 mm->cached_hole_size = 0;
4518 }
4519
4520 @@ -175,14 +178,14 @@ full_search:
4521 vma = find_vma(mm, VA_EXCLUDE_END);
4522 }
4523 if (unlikely(task_size < addr)) {
4524 - if (start_addr != TASK_UNMAPPED_BASE) {
4525 - start_addr = addr = TASK_UNMAPPED_BASE;
4526 + if (start_addr != mm->mmap_base) {
4527 + start_addr = addr = mm->mmap_base;
4528 mm->cached_hole_size = 0;
4529 goto full_search;
4530 }
4531 return -ENOMEM;
4532 }
4533 - if (likely(!vma || addr + len <= vma->vm_start)) {
4534 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4535 /*
4536 * Remember the place where we stopped the search:
4537 */
4538 @@ -216,7 +219,7 @@ arch_get_unmapped_area_topdown(struct fi
4539 /* We do not accept a shared mapping if it would violate
4540 * cache aliasing constraints.
4541 */
4542 - if ((flags & MAP_SHARED) &&
4543 + if ((filp || (flags & MAP_SHARED)) &&
4544 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4545 return -EINVAL;
4546 return addr;
4547 @@ -237,8 +240,7 @@ arch_get_unmapped_area_topdown(struct fi
4548 addr = PAGE_ALIGN(addr);
4549
4550 vma = find_vma(mm, addr);
4551 - if (task_size - len >= addr &&
4552 - (!vma || addr + len <= vma->vm_start))
4553 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4554 return addr;
4555 }
4556
4557 @@ -259,7 +261,7 @@ arch_get_unmapped_area_topdown(struct fi
4558 /* make sure it can fit in the remaining address space */
4559 if (likely(addr > len)) {
4560 vma = find_vma(mm, addr-len);
4561 - if (!vma || addr <= vma->vm_start) {
4562 + if (check_heap_stack_gap(vma, addr - len, len)) {
4563 /* remember the address as a hint for next time */
4564 return (mm->free_area_cache = addr-len);
4565 }
4566 @@ -268,18 +270,18 @@ arch_get_unmapped_area_topdown(struct fi
4567 if (unlikely(mm->mmap_base < len))
4568 goto bottomup;
4569
4570 - addr = mm->mmap_base-len;
4571 - if (do_color_align)
4572 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4573 + addr = mm->mmap_base - len;
4574
4575 do {
4576 + if (do_color_align)
4577 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4578 /*
4579 * Lookup failure means no vma is above this address,
4580 * else if new region fits below vma->vm_start,
4581 * return with success:
4582 */
4583 vma = find_vma(mm, addr);
4584 - if (likely(!vma || addr+len <= vma->vm_start)) {
4585 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4586 /* remember the address as a hint for next time */
4587 return (mm->free_area_cache = addr);
4588 }
4589 @@ -289,10 +291,8 @@ arch_get_unmapped_area_topdown(struct fi
4590 mm->cached_hole_size = vma->vm_start - addr;
4591
4592 /* try just below the current vma->vm_start */
4593 - addr = vma->vm_start-len;
4594 - if (do_color_align)
4595 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4596 - } while (likely(len < vma->vm_start));
4597 + addr = skip_heap_stack_gap(vma, len);
4598 + } while (!IS_ERR_VALUE(addr));
4599
4600 bottomup:
4601 /*
4602 @@ -384,6 +384,12 @@ void arch_pick_mmap_layout(struct mm_str
4603 current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
4604 sysctl_legacy_va_layout) {
4605 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4606 +
4607 +#ifdef CONFIG_PAX_RANDMMAP
4608 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4609 + mm->mmap_base += mm->delta_mmap;
4610 +#endif
4611 +
4612 mm->get_unmapped_area = arch_get_unmapped_area;
4613 mm->unmap_area = arch_unmap_area;
4614 } else {
4615 @@ -398,6 +404,12 @@ void arch_pick_mmap_layout(struct mm_str
4616 gap = (task_size / 6 * 5);
4617
4618 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4619 +
4620 +#ifdef CONFIG_PAX_RANDMMAP
4621 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4622 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4623 +#endif
4624 +
4625 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4626 mm->unmap_area = arch_unmap_area_topdown;
4627 }
4628 diff -urNp linux-2.6.32.46/arch/sparc/kernel/traps_32.c linux-2.6.32.46/arch/sparc/kernel/traps_32.c
4629 --- linux-2.6.32.46/arch/sparc/kernel/traps_32.c 2011-03-27 14:31:47.000000000 -0400
4630 +++ linux-2.6.32.46/arch/sparc/kernel/traps_32.c 2011-06-13 21:25:39.000000000 -0400
4631 @@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
4632 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
4633 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
4634
4635 +extern void gr_handle_kernel_exploit(void);
4636 +
4637 void die_if_kernel(char *str, struct pt_regs *regs)
4638 {
4639 static int die_counter;
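Review bot: `extern void gr_handle_kernel_exploit(void);` is declared inside the .c file, so the compiler cannot check the prototype against the definition. traps_64.c repeats the same local declaration in a later hunk. I would move the prototype into a header that the callers and the defining file both include. Where the function is defined is not visible here.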
4640 @@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
4641 count++ < 30 &&
4642 (((unsigned long) rw) >= PAGE_OFFSET) &&
4643 !(((unsigned long) rw) & 0x7)) {
4644 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
4645 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
4646 (void *) rw->ins[7]);
4647 rw = (struct reg_window32 *)rw->ins[6];
4648 }
4649 }
4650 printk("Instruction DUMP:");
4651 instruction_dump ((unsigned long *) regs->pc);
4652 - if(regs->psr & PSR_PS)
4653 + if(regs->psr & PSR_PS) {
4654 + gr_handle_kernel_exploit();
4655 do_exit(SIGKILL);
4656 + }
4657 do_exit(SIGSEGV);
4658 }
4659
4660 diff -urNp linux-2.6.32.46/arch/sparc/kernel/traps_64.c linux-2.6.32.46/arch/sparc/kernel/traps_64.c
4661 --- linux-2.6.32.46/arch/sparc/kernel/traps_64.c 2011-03-27 14:31:47.000000000 -0400
4662 +++ linux-2.6.32.46/arch/sparc/kernel/traps_64.c 2011-06-13 21:24:11.000000000 -0400
4663 @@ -73,7 +73,7 @@ static void dump_tl1_traplog(struct tl1_
4664 i + 1,
4665 p->trapstack[i].tstate, p->trapstack[i].tpc,
4666 p->trapstack[i].tnpc, p->trapstack[i].tt);
4667 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4668 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4669 }
4670 }
4671
4672 @@ -93,6 +93,12 @@ void bad_trap(struct pt_regs *regs, long
4673
4674 lvl -= 0x100;
4675 if (regs->tstate & TSTATE_PRIV) {
4676 +
4677 +#ifdef CONFIG_PAX_REFCOUNT
4678 + if (lvl == 6)
4679 + pax_report_refcount_overflow(regs);
4680 +#endif
4681 +
4682 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4683 die_if_kernel(buffer, regs);
4684 }
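Review bot: The literal `6` in `if (lvl == 6)` has to match the `tvs %icc, 6` instructions added in spinlock_64.h and atomic_64.S, and nothing ties these places together. A shared named constant, or at least a comment here such as `/* software trap 6: raised by the PAX_REFCOUNT overflow checks */`, would keep them from drifting apart. bad_trap starts and ends outside this hunk.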
4685 @@ -111,11 +117,16 @@ void bad_trap(struct pt_regs *regs, long
4686 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4687 {
4688 char buffer[32];
4689 -
4690 +
4691 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4692 0, lvl, SIGTRAP) == NOTIFY_STOP)
4693 return;
4694
4695 +#ifdef CONFIG_PAX_REFCOUNT
4696 + if (lvl == 6)
4697 + pax_report_refcount_overflow(regs);
4698 +#endif
4699 +
4700 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4701
4702 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
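Review bot: In bad_trap_tl1 the test `lvl == 6` is applied to the value as passed in, whereas bad_trap makes the same comparison only after `lvl -= 0x100;`. Unless the tl>0 entry path already passes a software-trap number, the two checks do not refer to the same trap. That path is not visible here, so the numbering should be confirmed and stated in a comment next to the check. The function continues past the end of this hunk.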
4703 @@ -1139,7 +1150,7 @@ static void cheetah_log_errors(struct pt
4704 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4705 printk("%s" "ERROR(%d): ",
4706 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4707 - printk("TPC<%pS>\n", (void *) regs->tpc);
4708 + printk("TPC<%pA>\n", (void *) regs->tpc);
4709 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4710 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4711 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4712 @@ -1746,7 +1757,7 @@ void cheetah_plus_parity_error(int type,
4713 smp_processor_id(),
4714 (type & 0x1) ? 'I' : 'D',
4715 regs->tpc);
4716 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4717 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4718 panic("Irrecoverable Cheetah+ parity error.");
4719 }
4720
4721 @@ -1754,7 +1765,7 @@ void cheetah_plus_parity_error(int type,
4722 smp_processor_id(),
4723 (type & 0x1) ? 'I' : 'D',
4724 regs->tpc);
4725 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4726 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4727 }
4728
4729 struct sun4v_error_entry {
4730 @@ -1961,9 +1972,9 @@ void sun4v_itlb_error_report(struct pt_r
4731
4732 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4733 regs->tpc, tl);
4734 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4735 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4736 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4737 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4738 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4739 (void *) regs->u_regs[UREG_I7]);
4740 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4741 "pte[%lx] error[%lx]\n",
4742 @@ -1985,9 +1996,9 @@ void sun4v_dtlb_error_report(struct pt_r
4743
4744 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4745 regs->tpc, tl);
4746 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4747 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4748 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4749 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4750 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4751 (void *) regs->u_regs[UREG_I7]);
4752 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4753 "pte[%lx] error[%lx]\n",
4754 @@ -2191,7 +2202,7 @@ void show_stack(struct task_struct *tsk,
4755 fp = (unsigned long)sf->fp + STACK_BIAS;
4756 }
4757
4758 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4759 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4760 } while (++count < 16);
4761 }
4762
4763 @@ -2233,6 +2244,8 @@ static inline struct reg_window *kernel_
4764 return (struct reg_window *) (fp + STACK_BIAS);
4765 }
4766
4767 +extern void gr_handle_kernel_exploit(void);
4768 +
4769 void die_if_kernel(char *str, struct pt_regs *regs)
4770 {
4771 static int die_counter;
4772 @@ -2260,7 +2273,7 @@ void die_if_kernel(char *str, struct pt_
4773 while (rw &&
4774 count++ < 30&&
4775 is_kernel_stack(current, rw)) {
4776 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
4777 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
4778 (void *) rw->ins[7]);
4779
4780 rw = kernel_stack_up(rw);
4781 @@ -2273,8 +2286,11 @@ void die_if_kernel(char *str, struct pt_
4782 }
4783 user_instruction_dump ((unsigned int __user *) regs->tpc);
4784 }
4785 - if (regs->tstate & TSTATE_PRIV)
4786 + if (regs->tstate & TSTATE_PRIV) {
4787 + gr_handle_kernel_exploit();
4788 do_exit(SIGKILL);
4789 + }
4790 +
4791 do_exit(SIGSEGV);
4792 }
4793 EXPORT_SYMBOL(die_if_kernel);
4794 diff -urNp linux-2.6.32.46/arch/sparc/kernel/una_asm_64.S linux-2.6.32.46/arch/sparc/kernel/una_asm_64.S
4795 --- linux-2.6.32.46/arch/sparc/kernel/una_asm_64.S 2011-03-27 14:31:47.000000000 -0400
4796 +++ linux-2.6.32.46/arch/sparc/kernel/una_asm_64.S 2011-07-13 22:20:05.000000000 -0400
4797 @@ -127,7 +127,7 @@ do_int_load:
4798 wr %o5, 0x0, %asi
4799 retl
4800 mov 0, %o0
4801 - .size __do_int_load, .-__do_int_load
4802 + .size do_int_load, .-do_int_load
4803
4804 .section __ex_table,"a"
4805 .word 4b, __retl_efault
4806 diff -urNp linux-2.6.32.46/arch/sparc/kernel/unaligned_64.c linux-2.6.32.46/arch/sparc/kernel/unaligned_64.c
4807 --- linux-2.6.32.46/arch/sparc/kernel/unaligned_64.c 2011-03-27 14:31:47.000000000 -0400
4808 +++ linux-2.6.32.46/arch/sparc/kernel/unaligned_64.c 2011-04-17 15:56:46.000000000 -0400
4809 @@ -288,7 +288,7 @@ static void log_unaligned(struct pt_regs
4810 if (count < 5) {
4811 last_time = jiffies;
4812 count++;
4813 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
4814 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
4815 regs->tpc, (void *) regs->tpc);
4816 }
4817 }
4818 diff -urNp linux-2.6.32.46/arch/sparc/lib/atomic_64.S linux-2.6.32.46/arch/sparc/lib/atomic_64.S
4819 --- linux-2.6.32.46/arch/sparc/lib/atomic_64.S 2011-03-27 14:31:47.000000000 -0400
4820 +++ linux-2.6.32.46/arch/sparc/lib/atomic_64.S 2011-04-17 15:56:46.000000000 -0400
4821 @@ -18,7 +18,12 @@
4822 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4823 BACKOFF_SETUP(%o2)
4824 1: lduw [%o1], %g1
4825 - add %g1, %o0, %g7
4826 + addcc %g1, %o0, %g7
4827 +
4828 +#ifdef CONFIG_PAX_REFCOUNT
4829 + tvs %icc, 6
4830 +#endif
4831 +
4832 cas [%o1], %g1, %g7
4833 cmp %g1, %g7
4834 bne,pn %icc, 2f
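Review bot: The `tvs %icc, 6` added after `addcc` has no comment, and the trap number 6 is a bare literal. `tvs` traps when the overflow flag from the preceding `addcc` is set, so the wrapped sum in %g7 never reaches the `cas`. A one-line comment such as `/* PAX_REFCOUNT: trap on signed overflow before cas stores the wrapped value */` would make that ordering explicit. The handler for software trap 6 is not in this hunk, so the comment should also say where it is installed. The same applies to the other checked routines below (atomic_sub, atomic_add_ret, atomic_sub_ret, and the atomic64_* routines using `%xcc`) and to the rwsem_64.S hunks.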
4835 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4836 2: BACKOFF_SPIN(%o2, %o3, 1b)
4837 .size atomic_add, .-atomic_add
4838
4839 + .globl atomic_add_unchecked
4840 + .type atomic_add_unchecked,#function
4841 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4842 + BACKOFF_SETUP(%o2)
4843 +1: lduw [%o1], %g1
4844 + add %g1, %o0, %g7
4845 + cas [%o1], %g1, %g7
4846 + cmp %g1, %g7
4847 + bne,pn %icc, 2f
4848 + nop
4849 + retl
4850 + nop
4851 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4852 + .size atomic_add_unchecked, .-atomic_add_unchecked
4853 +
4854 .globl atomic_sub
4855 .type atomic_sub,#function
4856 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4857 BACKOFF_SETUP(%o2)
4858 1: lduw [%o1], %g1
4859 - sub %g1, %o0, %g7
4860 + subcc %g1, %o0, %g7
4861 +
4862 +#ifdef CONFIG_PAX_REFCOUNT
4863 + tvs %icc, 6
4864 +#endif
4865 +
4866 cas [%o1], %g1, %g7
4867 cmp %g1, %g7
4868 bne,pn %icc, 2f
4869 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4870 2: BACKOFF_SPIN(%o2, %o3, 1b)
4871 .size atomic_sub, .-atomic_sub
4872
4873 + .globl atomic_sub_unchecked
4874 + .type atomic_sub_unchecked,#function
4875 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4876 + BACKOFF_SETUP(%o2)
4877 +1: lduw [%o1], %g1
4878 + sub %g1, %o0, %g7
4879 + cas [%o1], %g1, %g7
4880 + cmp %g1, %g7
4881 + bne,pn %icc, 2f
4882 + nop
4883 + retl
4884 + nop
4885 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4886 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4887 +
4888 .globl atomic_add_ret
4889 .type atomic_add_ret,#function
4890 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4891 BACKOFF_SETUP(%o2)
4892 1: lduw [%o1], %g1
4893 - add %g1, %o0, %g7
4894 + addcc %g1, %o0, %g7
4895 +
4896 +#ifdef CONFIG_PAX_REFCOUNT
4897 + tvs %icc, 6
4898 +#endif
4899 +
4900 cas [%o1], %g1, %g7
4901 cmp %g1, %g7
4902 bne,pn %icc, 2f
4903 @@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4904 2: BACKOFF_SPIN(%o2, %o3, 1b)
4905 .size atomic_add_ret, .-atomic_add_ret
4906
4907 + .globl atomic_add_ret_unchecked
4908 + .type atomic_add_ret_unchecked,#function
4909 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4910 + BACKOFF_SETUP(%o2)
4911 +1: lduw [%o1], %g1
4912 + addcc %g1, %o0, %g7
4913 + cas [%o1], %g1, %g7
4914 + cmp %g1, %g7
4915 + bne,pn %icc, 2f
4916 + add %g7, %o0, %g7
4917 + sra %g7, 0, %o0
4918 + retl
4919 + nop
4920 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4921 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4922 +
4923 .globl atomic_sub_ret
4924 .type atomic_sub_ret,#function
4925 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4926 BACKOFF_SETUP(%o2)
4927 1: lduw [%o1], %g1
4928 - sub %g1, %o0, %g7
4929 + subcc %g1, %o0, %g7
4930 +
4931 +#ifdef CONFIG_PAX_REFCOUNT
4932 + tvs %icc, 6
4933 +#endif
4934 +
4935 cas [%o1], %g1, %g7
4936 cmp %g1, %g7
4937 bne,pn %icc, 2f
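Review bot: atomic_add_ret_unchecked computes the sum with `addcc %g1, %o0, %g7`, while atomic_add_unchecked and atomic_sub_unchecked in the earlier hunks use plain `add`/`sub`. No `tvs` follows and the next `cmp` overwrites the condition codes, so behaviour looks unaffected, but the flag-setting form reads as if an overflow check had been intended. Using `add %g1, %o0, %g7` would match the other unchecked 32-bit routines. atomic64_add_unchecked, atomic64_sub_unchecked and atomic64_add_ret_unchecked in the later hunks use `addcc`/`subcc` in the same way.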
4938 @@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4939 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4940 BACKOFF_SETUP(%o2)
4941 1: ldx [%o1], %g1
4942 - add %g1, %o0, %g7
4943 + addcc %g1, %o0, %g7
4944 +
4945 +#ifdef CONFIG_PAX_REFCOUNT
4946 + tvs %xcc, 6
4947 +#endif
4948 +
4949 casx [%o1], %g1, %g7
4950 cmp %g1, %g7
4951 bne,pn %xcc, 2f
4952 @@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4953 2: BACKOFF_SPIN(%o2, %o3, 1b)
4954 .size atomic64_add, .-atomic64_add
4955
4956 + .globl atomic64_add_unchecked
4957 + .type atomic64_add_unchecked,#function
4958 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4959 + BACKOFF_SETUP(%o2)
4960 +1: ldx [%o1], %g1
4961 + addcc %g1, %o0, %g7
4962 + casx [%o1], %g1, %g7
4963 + cmp %g1, %g7
4964 + bne,pn %xcc, 2f
4965 + nop
4966 + retl
4967 + nop
4968 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4969 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4970 +
4971 .globl atomic64_sub
4972 .type atomic64_sub,#function
4973 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4974 BACKOFF_SETUP(%o2)
4975 1: ldx [%o1], %g1
4976 - sub %g1, %o0, %g7
4977 + subcc %g1, %o0, %g7
4978 +
4979 +#ifdef CONFIG_PAX_REFCOUNT
4980 + tvs %xcc, 6
4981 +#endif
4982 +
4983 casx [%o1], %g1, %g7
4984 cmp %g1, %g7
4985 bne,pn %xcc, 2f
4986 @@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4987 2: BACKOFF_SPIN(%o2, %o3, 1b)
4988 .size atomic64_sub, .-atomic64_sub
4989
4990 + .globl atomic64_sub_unchecked
4991 + .type atomic64_sub_unchecked,#function
4992 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4993 + BACKOFF_SETUP(%o2)
4994 +1: ldx [%o1], %g1
4995 + subcc %g1, %o0, %g7
4996 + casx [%o1], %g1, %g7
4997 + cmp %g1, %g7
4998 + bne,pn %xcc, 2f
4999 + nop
5000 + retl
5001 + nop
5002 +2: BACKOFF_SPIN(%o2, %o3, 1b)
5003 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
5004 +
5005 .globl atomic64_add_ret
5006 .type atomic64_add_ret,#function
5007 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
5008 BACKOFF_SETUP(%o2)
5009 1: ldx [%o1], %g1
5010 - add %g1, %o0, %g7
5011 + addcc %g1, %o0, %g7
5012 +
5013 +#ifdef CONFIG_PAX_REFCOUNT
5014 + tvs %xcc, 6
5015 +#endif
5016 +
5017 casx [%o1], %g1, %g7
5018 cmp %g1, %g7
5019 bne,pn %xcc, 2f
5020 @@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o
5021 2: BACKOFF_SPIN(%o2, %o3, 1b)
5022 .size atomic64_add_ret, .-atomic64_add_ret
5023
5024 + .globl atomic64_add_ret_unchecked
5025 + .type atomic64_add_ret_unchecked,#function
5026 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
5027 + BACKOFF_SETUP(%o2)
5028 +1: ldx [%o1], %g1
5029 + addcc %g1, %o0, %g7
5030 + casx [%o1], %g1, %g7
5031 + cmp %g1, %g7
5032 + bne,pn %xcc, 2f
5033 + add %g7, %o0, %g7
5034 + mov %g7, %o0
5035 + retl
5036 + nop
5037 +2: BACKOFF_SPIN(%o2, %o3, 1b)
5038 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
5039 +
5040 .globl atomic64_sub_ret
5041 .type atomic64_sub_ret,#function
5042 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
5043 BACKOFF_SETUP(%o2)
5044 1: ldx [%o1], %g1
5045 - sub %g1, %o0, %g7
5046 + subcc %g1, %o0, %g7
5047 +
5048 +#ifdef CONFIG_PAX_REFCOUNT
5049 + tvs %xcc, 6
5050 +#endif
5051 +
5052 casx [%o1], %g1, %g7
5053 cmp %g1, %g7
5054 bne,pn %xcc, 2f
5055 diff -urNp linux-2.6.32.46/arch/sparc/lib/ksyms.c linux-2.6.32.46/arch/sparc/lib/ksyms.c
5056 --- linux-2.6.32.46/arch/sparc/lib/ksyms.c 2011-03-27 14:31:47.000000000 -0400
5057 +++ linux-2.6.32.46/arch/sparc/lib/ksyms.c 2011-08-19 23:05:14.000000000 -0400
5058 @@ -144,12 +144,18 @@ EXPORT_SYMBOL(__downgrade_write);
5059
5060 /* Atomic counter implementation. */
5061 EXPORT_SYMBOL(atomic_add);
5062 +EXPORT_SYMBOL(atomic_add_unchecked);
5063 EXPORT_SYMBOL(atomic_add_ret);
5064 +EXPORT_SYMBOL(atomic_add_ret_unchecked);
5065 EXPORT_SYMBOL(atomic_sub);
5066 +EXPORT_SYMBOL(atomic_sub_unchecked);
5067 EXPORT_SYMBOL(atomic_sub_ret);
5068 EXPORT_SYMBOL(atomic64_add);
5069 +EXPORT_SYMBOL(atomic64_add_unchecked);
5070 EXPORT_SYMBOL(atomic64_add_ret);
5071 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
5072 EXPORT_SYMBOL(atomic64_sub);
5073 +EXPORT_SYMBOL(atomic64_sub_unchecked);
5074 EXPORT_SYMBOL(atomic64_sub_ret);
5075
5076 /* Atomic bit operations. */
5077 diff -urNp linux-2.6.32.46/arch/sparc/lib/Makefile linux-2.6.32.46/arch/sparc/lib/Makefile
5078 --- linux-2.6.32.46/arch/sparc/lib/Makefile 2011-03-27 14:31:47.000000000 -0400
5079 +++ linux-2.6.32.46/arch/sparc/lib/Makefile 2011-05-17 19:26:34.000000000 -0400
5080 @@ -2,7 +2,7 @@
5081 #
5082
5083 asflags-y := -ansi -DST_DIV0=0x02
5084 -ccflags-y := -Werror
5085 +#ccflags-y := -Werror
5086
5087 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
5088 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
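Review bot: `-Werror` is switched off by commenting out `ccflags-y := -Werror`, with nothing recording which warning in the patched sources made this necessary. With the flag gone, new warnings in arch/sparc/lib no longer fail the build, including ones that could point at a real defect in the added code. If the flag has to stay off, a comment beside it such as `# -Werror disabled: <warning and file that trigger it>` would let a later maintainer re-enable it once that warning is fixed.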
5089 diff -urNp linux-2.6.32.46/arch/sparc/lib/rwsem_64.S linux-2.6.32.46/arch/sparc/lib/rwsem_64.S
5090 --- linux-2.6.32.46/arch/sparc/lib/rwsem_64.S 2011-03-27 14:31:47.000000000 -0400
5091 +++ linux-2.6.32.46/arch/sparc/lib/rwsem_64.S 2011-04-17 15:56:46.000000000 -0400
5092 @@ -11,7 +11,12 @@
5093 .globl __down_read
5094 __down_read:
5095 1: lduw [%o0], %g1
5096 - add %g1, 1, %g7
5097 + addcc %g1, 1, %g7
5098 +
5099 +#ifdef CONFIG_PAX_REFCOUNT
5100 + tvs %icc, 6
5101 +#endif
5102 +
5103 cas [%o0], %g1, %g7
5104 cmp %g1, %g7
5105 bne,pn %icc, 1b
5106 @@ -33,7 +38,12 @@ __down_read:
5107 .globl __down_read_trylock
5108 __down_read_trylock:
5109 1: lduw [%o0], %g1
5110 - add %g1, 1, %g7
5111 + addcc %g1, 1, %g7
5112 +
5113 +#ifdef CONFIG_PAX_REFCOUNT
5114 + tvs %icc, 6
5115 +#endif
5116 +
5117 cmp %g7, 0
5118 bl,pn %icc, 2f
5119 mov 0, %o1
5120 @@ -51,7 +61,12 @@ __down_write:
5121 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
5122 1:
5123 lduw [%o0], %g3
5124 - add %g3, %g1, %g7
5125 + addcc %g3, %g1, %g7
5126 +
5127 +#ifdef CONFIG_PAX_REFCOUNT
5128 + tvs %icc, 6
5129 +#endif
5130 +
5131 cas [%o0], %g3, %g7
5132 cmp %g3, %g7
5133 bne,pn %icc, 1b
5134 @@ -77,7 +92,12 @@ __down_write_trylock:
5135 cmp %g3, 0
5136 bne,pn %icc, 2f
5137 mov 0, %o1
5138 - add %g3, %g1, %g7
5139 + addcc %g3, %g1, %g7
5140 +
5141 +#ifdef CONFIG_PAX_REFCOUNT
5142 + tvs %icc, 6
5143 +#endif
5144 +
5145 cas [%o0], %g3, %g7
5146 cmp %g3, %g7
5147 bne,pn %icc, 1b
5148 @@ -90,7 +110,12 @@ __down_write_trylock:
5149 __up_read:
5150 1:
5151 lduw [%o0], %g1
5152 - sub %g1, 1, %g7
5153 + subcc %g1, 1, %g7
5154 +
5155 +#ifdef CONFIG_PAX_REFCOUNT
5156 + tvs %icc, 6
5157 +#endif
5158 +
5159 cas [%o0], %g1, %g7
5160 cmp %g1, %g7
5161 bne,pn %icc, 1b
5162 @@ -118,7 +143,12 @@ __up_write:
5163 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
5164 1:
5165 lduw [%o0], %g3
5166 - sub %g3, %g1, %g7
5167 + subcc %g3, %g1, %g7
5168 +
5169 +#ifdef CONFIG_PAX_REFCOUNT
5170 + tvs %icc, 6
5171 +#endif
5172 +
5173 cas [%o0], %g3, %g7
5174 cmp %g3, %g7
5175 bne,pn %icc, 1b
5176 @@ -143,7 +173,12 @@ __downgrade_write:
5177 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
5178 1:
5179 lduw [%o0], %g3
5180 - sub %g3, %g1, %g7
5181 + subcc %g3, %g1, %g7
5182 +
5183 +#ifdef CONFIG_PAX_REFCOUNT
5184 + tvs %icc, 6
5185 +#endif
5186 +
5187 cas [%o0], %g3, %g7
5188 cmp %g3, %g7
5189 bne,pn %icc, 1b
5190 diff -urNp linux-2.6.32.46/arch/sparc/Makefile linux-2.6.32.46/arch/sparc/Makefile
5191 --- linux-2.6.32.46/arch/sparc/Makefile 2011-03-27 14:31:47.000000000 -0400
5192 +++ linux-2.6.32.46/arch/sparc/Makefile 2011-04-17 15:56:46.000000000 -0400
5193 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
5194 # Export what is needed by arch/sparc/boot/Makefile
5195 export VMLINUX_INIT VMLINUX_MAIN
5196 VMLINUX_INIT := $(head-y) $(init-y)
5197 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
5198 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
5199 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
5200 VMLINUX_MAIN += $(drivers-y) $(net-y)
5201
5202 diff -urNp linux-2.6.32.46/arch/sparc/mm/fault_32.c linux-2.6.32.46/arch/sparc/mm/fault_32.c
5203 --- linux-2.6.32.46/arch/sparc/mm/fault_32.c 2011-03-27 14:31:47.000000000 -0400
5204 +++ linux-2.6.32.46/arch/sparc/mm/fault_32.c 2011-04-17 15:56:46.000000000 -0400
5205 @@ -21,6 +21,9 @@
5206 #include <linux/interrupt.h>
5207 #include <linux/module.h>
5208 #include <linux/kdebug.h>
5209 +#include <linux/slab.h>
5210 +#include <linux/pagemap.h>
5211 +#include <linux/compiler.h>
5212
5213 #include <asm/system.h>
5214 #include <asm/page.h>
5215 @@ -167,6 +170,267 @@ static unsigned long compute_si_addr(str
5216 return safe_compute_effective_address(regs, insn);
5217 }
5218
5219 +#ifdef CONFIG_PAX_PAGEEXEC
5220 +#ifdef CONFIG_PAX_DLRESOLVE
5221 +static void pax_emuplt_close(struct vm_area_struct *vma)
5222 +{
5223 + vma->vm_mm->call_dl_resolve = 0UL;
5224 +}
5225 +
5226 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5227 +{
5228 + unsigned int *kaddr;
5229 +
5230 + vmf->page = alloc_page(GFP_HIGHUSER);
5231 + if (!vmf->page)
5232 + return VM_FAULT_OOM;
5233 +
5234 + kaddr = kmap(vmf->page);
5235 + memset(kaddr, 0, PAGE_SIZE);
5236 + kaddr[0] = 0x9DE3BFA8U; /* save */
5237 + flush_dcache_page(vmf->page);
5238 + kunmap(vmf->page);
5239 + return VM_FAULT_MAJOR;
5240 +}
5241 +
5242 +static const struct vm_operations_struct pax_vm_ops = {
5243 + .close = pax_emuplt_close,
5244 + .fault = pax_emuplt_fault
5245 +};
5246 +
5247 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5248 +{
5249 + int ret;
5250 +
5251 + vma->vm_mm = current->mm;
5252 + vma->vm_start = addr;
5253 + vma->vm_end = addr + PAGE_SIZE;
5254 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5255 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5256 + vma->vm_ops = &pax_vm_ops;
5257 +
5258 + ret = insert_vm_struct(current->mm, vma);
5259 + if (ret)
5260 + return ret;
5261 +
5262 + ++current->mm->total_vm;
5263 + return 0;
5264 +}
5265 +#endif
5266 +
5267 +/*
5268 + * PaX: decide what to do with offenders (regs->pc = fault address)
5269 + *
5270 + * returns 1 when task should be killed
5271 + * 2 when patched PLT trampoline was detected
5272 + * 3 when unpatched PLT trampoline was detected
5273 + */
5274 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5275 +{
5276 +
5277 +#ifdef CONFIG_PAX_EMUPLT
5278 + int err;
5279 +
5280 + do { /* PaX: patched PLT emulation #1 */
5281 + unsigned int sethi1, sethi2, jmpl;
5282 +
5283 + err = get_user(sethi1, (unsigned int *)regs->pc);
5284 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
5285 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
5286 +
5287 + if (err)
5288 + break;
5289 +
5290 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5291 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5292 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5293 + {
5294 + unsigned int addr;
5295 +
5296 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5297 + addr = regs->u_regs[UREG_G1];
5298 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5299 + regs->pc = addr;
5300 + regs->npc = addr+4;
5301 + return 2;
5302 + }
5303 + } while (0);
5304 +
5305 + { /* PaX: patched PLT emulation #2 */
5306 + unsigned int ba;
5307 +
5308 + err = get_user(ba, (unsigned int *)regs->pc);
5309 +
5310 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5311 + unsigned int addr;
5312 +
5313 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5314 + regs->pc = addr;
5315 + regs->npc = addr+4;
5316 + return 2;
5317 + }
5318 + }
5319 +
5320 + do { /* PaX: patched PLT emulation #3 */
5321 + unsigned int sethi, jmpl, nop;
5322 +
5323 + err = get_user(sethi, (unsigned int *)regs->pc);
5324 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
5325 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5326 +
5327 + if (err)
5328 + break;
5329 +
5330 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5331 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5332 + nop == 0x01000000U)
5333 + {
5334 + unsigned int addr;
5335 +
5336 + addr = (sethi & 0x003FFFFFU) << 10;
5337 + regs->u_regs[UREG_G1] = addr;
5338 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5339 + regs->pc = addr;
5340 + regs->npc = addr+4;
5341 + return 2;
5342 + }
5343 + } while (0);
5344 +
5345 + do { /* PaX: unpatched PLT emulation step 1 */
5346 + unsigned int sethi, ba, nop;
5347 +
5348 + err = get_user(sethi, (unsigned int *)regs->pc);
5349 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
5350 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5351 +
5352 + if (err)
5353 + break;
5354 +
5355 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5356 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5357 + nop == 0x01000000U)
5358 + {
5359 + unsigned int addr, save, call;
5360 +
5361 + if ((ba & 0xFFC00000U) == 0x30800000U)
5362 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5363 + else
5364 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
5365 +
5366 + err = get_user(save, (unsigned int *)addr);
5367 + err |= get_user(call, (unsigned int *)(addr+4));
5368 + err |= get_user(nop, (unsigned int *)(addr+8));
5369 + if (err)
5370 + break;
5371 +
5372 +#ifdef CONFIG_PAX_DLRESOLVE
5373 + if (save == 0x9DE3BFA8U &&
5374 + (call & 0xC0000000U) == 0x40000000U &&
5375 + nop == 0x01000000U)
5376 + {
5377 + struct vm_area_struct *vma;
5378 + unsigned long call_dl_resolve;
5379 +
5380 + down_read(&current->mm->mmap_sem);
5381 + call_dl_resolve = current->mm->call_dl_resolve;
5382 + up_read(&current->mm->mmap_sem);
5383 + if (likely(call_dl_resolve))
5384 + goto emulate;
5385 +
5386 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5387 +
5388 + down_write(&current->mm->mmap_sem);
5389 + if (current->mm->call_dl_resolve) {
5390 + call_dl_resolve = current->mm->call_dl_resolve;
5391 + up_write(&current->mm->mmap_sem);
5392 + if (vma)
5393 + kmem_cache_free(vm_area_cachep, vma);
5394 + goto emulate;
5395 + }
5396 +
5397 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5398 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5399 + up_write(&current->mm->mmap_sem);
5400 + if (vma)
5401 + kmem_cache_free(vm_area_cachep, vma);
5402 + return 1;
5403 + }
5404 +
5405 + if (pax_insert_vma(vma, call_dl_resolve)) {
5406 + up_write(&current->mm->mmap_sem);
5407 + kmem_cache_free(vm_area_cachep, vma);
5408 + return 1;
5409 + }
5410 +
5411 + current->mm->call_dl_resolve = call_dl_resolve;
5412 + up_write(&current->mm->mmap_sem);
5413 +
5414 +emulate:
5415 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5416 + regs->pc = call_dl_resolve;
5417 + regs->npc = addr+4;
5418 + return 3;
5419 + }
5420 +#endif
5421 +
5422 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5423 + if ((save & 0xFFC00000U) == 0x05000000U &&
5424 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5425 + nop == 0x01000000U)
5426 + {
5427 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5428 + regs->u_regs[UREG_G2] = addr + 4;
5429 + addr = (save & 0x003FFFFFU) << 10;
5430 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5431 + regs->pc = addr;
5432 + regs->npc = addr+4;
5433 + return 3;
5434 + }
5435 + }
5436 + } while (0);
5437 +
5438 + do { /* PaX: unpatched PLT emulation step 2 */
5439 + unsigned int save, call, nop;
5440 +
5441 + err = get_user(save, (unsigned int *)(regs->pc-4));
5442 + err |= get_user(call, (unsigned int *)regs->pc);
5443 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
5444 + if (err)
5445 + break;
5446 +
5447 + if (save == 0x9DE3BFA8U &&
5448 + (call & 0xC0000000U) == 0x40000000U &&
5449 + nop == 0x01000000U)
5450 + {
5451 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5452 +
5453 + regs->u_regs[UREG_RETPC] = regs->pc;
5454 + regs->pc = dl_resolve;
5455 + regs->npc = dl_resolve+4;
5456 + return 3;
5457 + }
5458 + } while (0);
5459 +#endif
5460 +
5461 + return 1;
5462 +}
5463 +
5464 +void pax_report_insns(void *pc, void *sp)
5465 +{
5466 + unsigned long i;
5467 +
5468 + printk(KERN_ERR "PAX: bytes at PC: ");
5469 + for (i = 0; i < 8; i++) {
5470 + unsigned int c;
5471 + if (get_user(c, (unsigned int *)pc+i))
5472 + printk(KERN_CONT "???????? ");
5473 + else
5474 + printk(KERN_CONT "%08x ", c);
5475 + }
5476 + printk("\n");
5477 +}
5478 +#endif
5479 +
5480 asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
5481 unsigned long address)
5482 {
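Review bot: Every `get_user()` in pax_handle_fetch_fault and pax_report_insns casts the user address without the `__user` annotation, for example `get_user(sethi1, (unsigned int *)regs->pc)`. Writing `(unsigned int __user *)regs->pc` lets sparse check that these pointers stay in the user address space; the traps code earlier in this patch already uses `(unsigned int __user *) regs->tpc`. The cast in pax_report_insns would become `(unsigned int __user *)pc+i`. The added functions are complete in this hunk, but do_sparc_fault at its end continues outside it.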
5483 @@ -231,6 +495,24 @@ good_area:
5484 if(!(vma->vm_flags & VM_WRITE))
5485 goto bad_area;
5486 } else {
5487 +
5488 +#ifdef CONFIG_PAX_PAGEEXEC
5489 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5490 + up_read(&mm->mmap_sem);
5491 + switch (pax_handle_fetch_fault(regs)) {
5492 +
5493 +#ifdef CONFIG_PAX_EMUPLT
5494 + case 2:
5495 + case 3:
5496 + return;
5497 +#endif
5498 +
5499 + }
5500 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
5501 + do_group_exit(SIGKILL);
5502 + }
5503 +#endif
5504 +
5505 /* Allow reads even for write-only mappings */
5506 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5507 goto bad_area;
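Review bot: The added block releases `mm->mmap_sem` before calling pax_handle_fetch_fault() without saying why, and the `switch` has no case for the return value 1. The helper added earlier in this patch takes `current->mm->mmap_sem` itself on the DLRESOLVE path, so the early `up_read` looks required rather than incidental. A comment such as `/* pax_handle_fetch_fault() may take mmap_sem itself */` would stop a later refactor from moving it. A second comment after the switch, `/* 1: no PLT trampoline recognised, report and kill */`, would document the path that falls out of it. do_sparc_fault begins and ends outside this hunk.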
5508 diff -urNp linux-2.6.32.46/arch/sparc/mm/fault_64.c linux-2.6.32.46/arch/sparc/mm/fault_64.c
5509 --- linux-2.6.32.46/arch/sparc/mm/fault_64.c 2011-03-27 14:31:47.000000000 -0400
5510 +++ linux-2.6.32.46/arch/sparc/mm/fault_64.c 2011-04-17 15:56:46.000000000 -0400
5511 @@ -20,6 +20,9 @@
5512 #include <linux/kprobes.h>
5513 #include <linux/kdebug.h>
5514 #include <linux/percpu.h>
5515 +#include <linux/slab.h>
5516 +#include <linux/pagemap.h>
5517 +#include <linux/compiler.h>
5518
5519 #include <asm/page.h>
5520 #include <asm/pgtable.h>
5521 @@ -78,7 +81,7 @@ static void bad_kernel_pc(struct pt_regs
5522 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5523 regs->tpc);
5524 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5525 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5526 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5527 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5528 dump_stack();
5529 unhandled_fault(regs->tpc, current, regs);
5530 @@ -249,6 +252,456 @@ static void noinline bogus_32bit_fault_a
5531 show_regs(regs);
5532 }
5533
5534 +#ifdef CONFIG_PAX_PAGEEXEC
5535 +#ifdef CONFIG_PAX_DLRESOLVE
5536 +static void pax_emuplt_close(struct vm_area_struct *vma)
5537 +{
5538 + vma->vm_mm->call_dl_resolve = 0UL;
5539 +}
5540 +
5541 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5542 +{
5543 + unsigned int *kaddr;
5544 +
5545 + vmf->page = alloc_page(GFP_HIGHUSER);
5546 + if (!vmf->page)
5547 + return VM_FAULT_OOM;
5548 +
5549 + kaddr = kmap(vmf->page);
5550 + memset(kaddr, 0, PAGE_SIZE);
5551 + kaddr[0] = 0x9DE3BFA8U; /* save */
5552 + flush_dcache_page(vmf->page);
5553 + kunmap(vmf->page);
5554 + return VM_FAULT_MAJOR;
5555 +}
5556 +
5557 +static const struct vm_operations_struct pax_vm_ops = {
5558 + .close = pax_emuplt_close,
5559 + .fault = pax_emuplt_fault
5560 +};
5561 +
5562 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5563 +{
5564 + int ret;
5565 +
5566 + vma->vm_mm = current->mm;
5567 + vma->vm_start = addr;
5568 + vma->vm_end = addr + PAGE_SIZE;
5569 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5570 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5571 + vma->vm_ops = &pax_vm_ops;
5572 +
5573 + ret = insert_vm_struct(current->mm, vma);
5574 + if (ret)
5575 + return ret;
5576 +
5577 + ++current->mm->total_vm;
5578 + return 0;
5579 +}
5580 +#endif
5581 +
5582 +/*
5583 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5584 + *
5585 + * returns 1 when task should be killed
5586 + * 2 when patched PLT trampoline was detected
5587 + * 3 when unpatched PLT trampoline was detected
5588 + */
5589 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5590 +{
5591 +
5592 +#ifdef CONFIG_PAX_EMUPLT
5593 + int err;
5594 +
5595 + do { /* PaX: patched PLT emulation #1 */
5596 + unsigned int sethi1, sethi2, jmpl;
5597 +
5598 + err = get_user(sethi1, (unsigned int *)regs->tpc);
5599 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5600 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5601 +
5602 + if (err)
5603 + break;
5604 +
5605 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5606 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5607 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5608 + {
5609 + unsigned long addr;
5610 +
5611 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5612 + addr = regs->u_regs[UREG_G1];
5613 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5614 +
5615 + if (test_thread_flag(TIF_32BIT))
5616 + addr &= 0xFFFFFFFFUL;
5617 +
5618 + regs->tpc = addr;
5619 + regs->tnpc = addr+4;
5620 + return 2;
5621 + }
5622 + } while (0);
5623 +
5624 + { /* PaX: patched PLT emulation #2 */
5625 + unsigned int ba;
5626 +
5627 + err = get_user(ba, (unsigned int *)regs->tpc);
5628 +
5629 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5630 + unsigned long addr;
5631 +
5632 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5633 +
5634 + if (test_thread_flag(TIF_32BIT))
5635 + addr &= 0xFFFFFFFFUL;
5636 +
5637 + regs->tpc = addr;
5638 + regs->tnpc = addr+4;
5639 + return 2;
5640 + }
5641 + }
5642 +
5643 + do { /* PaX: patched PLT emulation #3 */
5644 + unsigned int sethi, jmpl, nop;
5645 +
5646 + err = get_user(sethi, (unsigned int *)regs->tpc);
5647 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5648 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5649 +
5650 + if (err)
5651 + break;
5652 +
5653 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5654 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5655 + nop == 0x01000000U)
5656 + {
5657 + unsigned long addr;
5658 +
5659 + addr = (sethi & 0x003FFFFFU) << 10;
5660 + regs->u_regs[UREG_G1] = addr;
5661 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5662 +
5663 + if (test_thread_flag(TIF_32BIT))
5664 + addr &= 0xFFFFFFFFUL;
5665 +
5666 + regs->tpc = addr;
5667 + regs->tnpc = addr+4;
5668 + return 2;
5669 + }
5670 + } while (0);
5671 +
5672 + do { /* PaX: patched PLT emulation #4 */
5673 + unsigned int sethi, mov1, call, mov2;
5674 +
5675 + err = get_user(sethi, (unsigned int *)regs->tpc);
5676 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5677 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5678 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5679 +
5680 + if (err)
5681 + break;
5682 +
5683 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5684 + mov1 == 0x8210000FU &&
5685 + (call & 0xC0000000U) == 0x40000000U &&
5686 + mov2 == 0x9E100001U)
5687 + {
5688 + unsigned long addr;
5689 +
5690 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5691 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5692 +
5693 + if (test_thread_flag(TIF_32BIT))
5694 + addr &= 0xFFFFFFFFUL;
5695 +
5696 + regs->tpc = addr;
5697 + regs->tnpc = addr+4;
5698 + return 2;
5699 + }
5700 + } while (0);
5701 +
5702 + do { /* PaX: patched PLT emulation #5 */
5703 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5704 +
5705 + err = get_user(sethi, (unsigned int *)regs->tpc);
5706 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5707 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5708 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5709 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5710 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5711 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5712 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5713 +
5714 + if (err)
5715 + break;
5716 +
5717 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5718 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5719 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5720 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5721 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5722 + sllx == 0x83287020U &&
5723 + jmpl == 0x81C04005U &&
5724 + nop == 0x01000000U)
5725 + {
5726 + unsigned long addr;
5727 +
5728 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5729 + regs->u_regs[UREG_G1] <<= 32;
5730 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5731 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5732 + regs->tpc = addr;
5733 + regs->tnpc = addr+4;
5734 + return 2;
5735 + }
5736 + } while (0);
5737 +
5738 + do { /* PaX: patched PLT emulation #6 */
5739 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5740 +
5741 + err = get_user(sethi, (unsigned int *)regs->tpc);
5742 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5743 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5744 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5745 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5746 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5747 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5748 +
5749 + if (err)
5750 + break;
5751 +
5752 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5753 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5754 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5755 + sllx == 0x83287020U &&
5756 + (or & 0xFFFFE000U) == 0x8A116000U &&
5757 + jmpl == 0x81C04005U &&
5758 + nop == 0x01000000U)
5759 + {
5760 + unsigned long addr;
5761 +
5762 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5763 + regs->u_regs[UREG_G1] <<= 32;
5764 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5765 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5766 + regs->tpc = addr;
5767 + regs->tnpc = addr+4;
5768 + return 2;
5769 + }
5770 + } while (0);
5771 +
5772 + do { /* PaX: unpatched PLT emulation step 1 */
5773 + unsigned int sethi, ba, nop;
5774 +
5775 + err = get_user(sethi, (unsigned int *)regs->tpc);
5776 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5777 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5778 +
5779 + if (err)
5780 + break;
5781 +
5782 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5783 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5784 + nop == 0x01000000U)
5785 + {
5786 + unsigned long addr;
5787 + unsigned int save, call;
5788 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5789 +
5790 + if ((ba & 0xFFC00000U) == 0x30800000U)
5791 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5792 + else
5793 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5794 +
5795 + if (test_thread_flag(TIF_32BIT))
5796 + addr &= 0xFFFFFFFFUL;
5797 +
5798 + err = get_user(save, (unsigned int *)addr);
5799 + err |= get_user(call, (unsigned int *)(addr+4));
5800 + err |= get_user(nop, (unsigned int *)(addr+8));
5801 + if (err)
5802 + break;
5803 +
5804 +#ifdef CONFIG_PAX_DLRESOLVE
5805 + if (save == 0x9DE3BFA8U &&
5806 + (call & 0xC0000000U) == 0x40000000U &&
5807 + nop == 0x01000000U)
5808 + {
5809 + struct vm_area_struct *vma;
5810 + unsigned long call_dl_resolve;
5811 +
5812 + down_read(&current->mm->mmap_sem);
5813 + call_dl_resolve = current->mm->call_dl_resolve;
5814 + up_read(&current->mm->mmap_sem);
5815 + if (likely(call_dl_resolve))
5816 + goto emulate;
5817 +
5818 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5819 +
5820 + down_write(&current->mm->mmap_sem);
5821 + if (current->mm->call_dl_resolve) {
5822 + call_dl_resolve = current->mm->call_dl_resolve;
5823 + up_write(&current->mm->mmap_sem);
5824 + if (vma)
5825 + kmem_cache_free(vm_area_cachep, vma);
5826 + goto emulate;
5827 + }
5828 +
5829 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5830 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5831 + up_write(&current->mm->mmap_sem);
5832 + if (vma)
5833 + kmem_cache_free(vm_area_cachep, vma);
5834 + return 1;
5835 + }
5836 +
5837 + if (pax_insert_vma(vma, call_dl_resolve)) {
5838 + up_write(&current->mm->mmap_sem);
5839 + kmem_cache_free(vm_area_cachep, vma);
5840 + return 1;
5841 + }
5842 +
5843 + current->mm->call_dl_resolve = call_dl_resolve;
5844 + up_write(&current->mm->mmap_sem);
5845 +
5846 +emulate:
5847 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5848 + regs->tpc = call_dl_resolve;
5849 + regs->tnpc = addr+4;
5850 + return 3;
5851 + }
5852 +#endif
5853 +
5854 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5855 + if ((save & 0xFFC00000U) == 0x05000000U &&
5856 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5857 + nop == 0x01000000U)
5858 + {
5859 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5860 + regs->u_regs[UREG_G2] = addr + 4;
5861 + addr = (save & 0x003FFFFFU) << 10;
5862 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5863 +
5864 + if (test_thread_flag(TIF_32BIT))
5865 + addr &= 0xFFFFFFFFUL;
5866 +
5867 + regs->tpc = addr;
5868 + regs->tnpc = addr+4;
5869 + return 3;
5870 + }
5871 +
5872 + /* PaX: 64-bit PLT stub */
5873 + err = get_user(sethi1, (unsigned int *)addr);
5874 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5875 + err |= get_user(or1, (unsigned int *)(addr+8));
5876 + err |= get_user(or2, (unsigned int *)(addr+12));
5877 + err |= get_user(sllx, (unsigned int *)(addr+16));
5878 + err |= get_user(add, (unsigned int *)(addr+20));
5879 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5880 + err |= get_user(nop, (unsigned int *)(addr+28));
5881 + if (err)
5882 + break;
5883 +
5884 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5885 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5886 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5887 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5888 + sllx == 0x89293020U &&
5889 + add == 0x8A010005U &&
5890 + jmpl == 0x89C14000U &&
5891 + nop == 0x01000000U)
5892 + {
5893 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5894 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5895 + regs->u_regs[UREG_G4] <<= 32;
5896 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5897 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5898 + regs->u_regs[UREG_G4] = addr + 24;
5899 + addr = regs->u_regs[UREG_G5];
5900 + regs->tpc = addr;
5901 + regs->tnpc = addr+4;
5902 + return 3;
5903 + }
5904 + }
5905 + } while (0);
5906 +
5907 +#ifdef CONFIG_PAX_DLRESOLVE
5908 + do { /* PaX: unpatched PLT emulation step 2 */
5909 + unsigned int save, call, nop;
5910 +
5911 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5912 + err |= get_user(call, (unsigned int *)regs->tpc);
5913 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5914 + if (err)
5915 + break;
5916 +
5917 + if (save == 0x9DE3BFA8U &&
5918 + (call & 0xC0000000U) == 0x40000000U &&
5919 + nop == 0x01000000U)
5920 + {
5921 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5922 +
5923 + if (test_thread_flag(TIF_32BIT))
5924 + dl_resolve &= 0xFFFFFFFFUL;
5925 +
5926 + regs->u_regs[UREG_RETPC] = regs->tpc;
5927 + regs->tpc = dl_resolve;
5928 + regs->tnpc = dl_resolve+4;
5929 + return 3;
5930 + }
5931 + } while (0);
5932 +#endif
5933 +
5934 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5935 + unsigned int sethi, ba, nop;
5936 +
5937 + err = get_user(sethi, (unsigned int *)regs->tpc);
5938 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5939 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5940 +
5941 + if (err)
5942 + break;
5943 +
5944 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5945 + (ba & 0xFFF00000U) == 0x30600000U &&
5946 + nop == 0x01000000U)
5947 + {
5948 + unsigned long addr;
5949 +
5950 + addr = (sethi & 0x003FFFFFU) << 10;
5951 + regs->u_regs[UREG_G1] = addr;
5952 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5953 +
5954 + if (test_thread_flag(TIF_32BIT))
5955 + addr &= 0xFFFFFFFFUL;
5956 +
5957 + regs->tpc = addr;
5958 + regs->tnpc = addr+4;
5959 + return 2;
5960 + }
5961 + } while (0);
5962 +
5963 +#endif
5964 +
5965 + return 1;
5966 +}
5967 +
5968 +void pax_report_insns(void *pc, void *sp)
5969 +{
5970 + unsigned long i;
5971 +
5972 + printk(KERN_ERR "PAX: bytes at PC: ");
5973 + for (i = 0; i < 8; i++) {
5974 + unsigned int c;
5975 + if (get_user(c, (unsigned int *)pc+i))
5976 + printk(KERN_CONT "???????? ");
5977 + else
5978 + printk(KERN_CONT "%08x ", c);
5979 + }
5980 + printk("\n");
5981 +}
5982 +#endif
5983 +
5984 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5985 {
5986 struct mm_struct *mm = current->mm;
5987 @@ -315,6 +768,29 @@ asmlinkage void __kprobes do_sparc64_fau
5988 if (!vma)
5989 goto bad_area;
5990
5991 +#ifdef CONFIG_PAX_PAGEEXEC
5992 + /* PaX: detect ITLB misses on non-exec pages */
5993 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5994 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5995 + {
5996 + if (address != regs->tpc)
5997 + goto good_area;
5998 +
5999 + up_read(&mm->mmap_sem);
6000 + switch (pax_handle_fetch_fault(regs)) {
6001 +
6002 +#ifdef CONFIG_PAX_EMUPLT
6003 + case 2:
6004 + case 3:
6005 + return;
6006 +#endif
6007 +
6008 + }
6009 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
6010 + do_group_exit(SIGKILL);
6011 + }
6012 +#endif
6013 +
6014 /* Pure DTLB misses do not tell us whether the fault causing
6015 * load/store/atomic was a write or not, it only says that there
6016 * was no match. So in such a case we (carefully) read the
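Review bot: The `switch (pax_handle_fetch_fault(regs))` matches bare `2` and `3`, and nothing in the hunk says what those codes mean or that falling out of the switch is the kill path. Earlier in this file's patch the handler returns 2 or 3 only after rewriting `regs->tpc`/`regs->tnpc` for an emulated PLT stub, and 1 otherwise, so a comment such as `/* 2, 3: PLT stub emulated, tpc/tnpc already updated; anything else is a real fetch from a non-exec page */` above the switch would record that. It is also worth noting next to `up_read(&mm->mmap_sem)` that the semaphore is dropped because the handler does `get_user()` and takes `mmap_sem` itself. do_sparc64_fault() starts and ends outside the hunk.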
6017 diff -urNp linux-2.6.32.46/arch/sparc/mm/hugetlbpage.c linux-2.6.32.46/arch/sparc/mm/hugetlbpage.c
6018 --- linux-2.6.32.46/arch/sparc/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
6019 +++ linux-2.6.32.46/arch/sparc/mm/hugetlbpage.c 2011-04-17 15:56:46.000000000 -0400
6020 @@ -69,7 +69,7 @@ full_search:
6021 }
6022 return -ENOMEM;
6023 }
6024 - if (likely(!vma || addr + len <= vma->vm_start)) {
6025 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6026 /*
6027 * Remember the place where we stopped the search:
6028 */
6029 @@ -108,7 +108,7 @@ hugetlb_get_unmapped_area_topdown(struct
6030 /* make sure it can fit in the remaining address space */
6031 if (likely(addr > len)) {
6032 vma = find_vma(mm, addr-len);
6033 - if (!vma || addr <= vma->vm_start) {
6034 + if (check_heap_stack_gap(vma, addr - len, len)) {
6035 /* remember the address as a hint for next time */
6036 return (mm->free_area_cache = addr-len);
6037 }
6038 @@ -117,16 +117,17 @@ hugetlb_get_unmapped_area_topdown(struct
6039 if (unlikely(mm->mmap_base < len))
6040 goto bottomup;
6041
6042 - addr = (mm->mmap_base-len) & HPAGE_MASK;
6043 + addr = mm->mmap_base - len;
6044
6045 do {
6046 + addr &= HPAGE_MASK;
6047 /*
6048 * Lookup failure means no vma is above this address,
6049 * else if new region fits below vma->vm_start,
6050 * return with success:
6051 */
6052 vma = find_vma(mm, addr);
6053 - if (likely(!vma || addr+len <= vma->vm_start)) {
6054 + if (likely(check_heap_stack_gap(vma, addr, len))) {
6055 /* remember the address as a hint for next time */
6056 return (mm->free_area_cache = addr);
6057 }
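Review bot: Moving `addr &= HPAGE_MASK` to the top of the `do` loop is unexplained, and it only makes sense when read with the next hunk, where `skip_heap_stack_gap(vma, len)` replaces the masked `(vma->vm_start-len) & HPAGE_MASK`. Presumably the helper returns an address that is not huge-page aligned, so every pass has to realign before `find_vma()`. A comment such as `/* skip_heap_stack_gap() does not align; round down to a huge page on every pass */` above the mask would keep a later cleanup from hoisting it back out. The loop body continues into the following hunk, and the helper's definition is not visible here.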
6058 @@ -136,8 +137,8 @@ hugetlb_get_unmapped_area_topdown(struct
6059 mm->cached_hole_size = vma->vm_start - addr;
6060
6061 /* try just below the current vma->vm_start */
6062 - addr = (vma->vm_start-len) & HPAGE_MASK;
6063 - } while (likely(len < vma->vm_start));
6064 + addr = skip_heap_stack_gap(vma, len);
6065 + } while (!IS_ERR_VALUE(addr));
6066
6067 bottomup:
6068 /*
6069 @@ -183,8 +184,7 @@ hugetlb_get_unmapped_area(struct file *f
6070 if (addr) {
6071 addr = ALIGN(addr, HPAGE_SIZE);
6072 vma = find_vma(mm, addr);
6073 - if (task_size - len >= addr &&
6074 - (!vma || addr + len <= vma->vm_start))
6075 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
6076 return addr;
6077 }
6078 if (mm->get_unmapped_area == arch_get_unmapped_area)
6079 diff -urNp linux-2.6.32.46/arch/sparc/mm/init_32.c linux-2.6.32.46/arch/sparc/mm/init_32.c
6080 --- linux-2.6.32.46/arch/sparc/mm/init_32.c 2011-03-27 14:31:47.000000000 -0400
6081 +++ linux-2.6.32.46/arch/sparc/mm/init_32.c 2011-04-17 15:56:46.000000000 -0400
6082 @@ -317,6 +317,9 @@ extern void device_scan(void);
6083 pgprot_t PAGE_SHARED __read_mostly;
6084 EXPORT_SYMBOL(PAGE_SHARED);
6085
6086 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
6087 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
6088 +
6089 void __init paging_init(void)
6090 {
6091 switch(sparc_cpu_model) {
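Review bot: `PAGE_SHARED_NOEXEC` is defined and exported here unconditionally, but the only assignment visible in this patch (in ld_mmu_srmmu(), srmmu.c) sits inside `#ifdef CONFIG_PAX_PAGEEXEC`. The next hunk also uses the `_NOEXEC` names in `protection_map[]` without a guard, so with the option off the result depends on fallback definitions in a header that is not part of these hunks. If there is no fallback, the shared entries would be filled from a zero-initialised variable. Wrapping the two added lines in `#ifdef CONFIG_PAX_PAGEEXEC` … `#endif` would keep the definition and its initialisation in step.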
6092 @@ -345,17 +348,17 @@ void __init paging_init(void)
6093
6094 /* Initialize the protection map with non-constant, MMU dependent values. */
6095 protection_map[0] = PAGE_NONE;
6096 - protection_map[1] = PAGE_READONLY;
6097 - protection_map[2] = PAGE_COPY;
6098 - protection_map[3] = PAGE_COPY;
6099 + protection_map[1] = PAGE_READONLY_NOEXEC;
6100 + protection_map[2] = PAGE_COPY_NOEXEC;
6101 + protection_map[3] = PAGE_COPY_NOEXEC;
6102 protection_map[4] = PAGE_READONLY;
6103 protection_map[5] = PAGE_READONLY;
6104 protection_map[6] = PAGE_COPY;
6105 protection_map[7] = PAGE_COPY;
6106 protection_map[8] = PAGE_NONE;
6107 - protection_map[9] = PAGE_READONLY;
6108 - protection_map[10] = PAGE_SHARED;
6109 - protection_map[11] = PAGE_SHARED;
6110 + protection_map[9] = PAGE_READONLY_NOEXEC;
6111 + protection_map[10] = PAGE_SHARED_NOEXEC;
6112 + protection_map[11] = PAGE_SHARED_NOEXEC;
6113 protection_map[12] = PAGE_READONLY;
6114 protection_map[13] = PAGE_READONLY;
6115 protection_map[14] = PAGE_SHARED;
6116 diff -urNp linux-2.6.32.46/arch/sparc/mm/Makefile linux-2.6.32.46/arch/sparc/mm/Makefile
6117 --- linux-2.6.32.46/arch/sparc/mm/Makefile 2011-03-27 14:31:47.000000000 -0400
6118 +++ linux-2.6.32.46/arch/sparc/mm/Makefile 2011-04-17 15:56:46.000000000 -0400
6119 @@ -2,7 +2,7 @@
6120 #
6121
6122 asflags-y := -ansi
6123 -ccflags-y := -Werror
6124 +#ccflags-y := -Werror
6125
6126 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
6127 obj-y += fault_$(BITS).o
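Review bot: Commenting out `ccflags-y := -Werror` drops warnings-as-errors for every object in arch/sparc/mm, including the fault-handler code this patch adds, and the hunk gives no reason. If one warning in the new code forces this, a comment naming it (for example `# -Werror off: <warning text> in fault_$(BITS).c`, with the placeholder filled in) would let a maintainer re-enable the flag once it is fixed. Limiting the change to the affected object would keep the check for the rest of the directory.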
6128 diff -urNp linux-2.6.32.46/arch/sparc/mm/srmmu.c linux-2.6.32.46/arch/sparc/mm/srmmu.c
6129 --- linux-2.6.32.46/arch/sparc/mm/srmmu.c 2011-03-27 14:31:47.000000000 -0400
6130 +++ linux-2.6.32.46/arch/sparc/mm/srmmu.c 2011-04-17 15:56:46.000000000 -0400
6131 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
6132 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
6133 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
6134 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
6135 +
6136 +#ifdef CONFIG_PAX_PAGEEXEC
6137 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
6138 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
6139 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
6140 +#endif
6141 +
6142 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
6143 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
6144
6145 diff -urNp linux-2.6.32.46/arch/um/include/asm/kmap_types.h linux-2.6.32.46/arch/um/include/asm/kmap_types.h
6146 --- linux-2.6.32.46/arch/um/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
6147 +++ linux-2.6.32.46/arch/um/include/asm/kmap_types.h 2011-04-17 15:56:46.000000000 -0400
6148 @@ -23,6 +23,7 @@ enum km_type {
6149 KM_IRQ1,
6150 KM_SOFTIRQ0,
6151 KM_SOFTIRQ1,
6152 + KM_CLEARPAGE,
6153 KM_TYPE_NR
6154 };
6155
6156 diff -urNp linux-2.6.32.46/arch/um/include/asm/page.h linux-2.6.32.46/arch/um/include/asm/page.h
6157 --- linux-2.6.32.46/arch/um/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
6158 +++ linux-2.6.32.46/arch/um/include/asm/page.h 2011-04-17 15:56:46.000000000 -0400
6159 @@ -14,6 +14,9 @@
6160 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
6161 #define PAGE_MASK (~(PAGE_SIZE-1))
6162
6163 +#define ktla_ktva(addr) (addr)
6164 +#define ktva_ktla(addr) (addr)
6165 +
6166 #ifndef __ASSEMBLY__
6167
6168 struct page;
6169 diff -urNp linux-2.6.32.46/arch/um/kernel/process.c linux-2.6.32.46/arch/um/kernel/process.c
6170 --- linux-2.6.32.46/arch/um/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
6171 +++ linux-2.6.32.46/arch/um/kernel/process.c 2011-04-17 15:56:46.000000000 -0400
6172 @@ -393,22 +393,6 @@ int singlestepping(void * t)
6173 return 2;
6174 }
6175
6176 -/*
6177 - * Only x86 and x86_64 have an arch_align_stack().
6178 - * All other arches have "#define arch_align_stack(x) (x)"
6179 - * in their asm/system.h
6180 - * As this is included in UML from asm-um/system-generic.h,
6181 - * we can use it to behave as the subarch does.
6182 - */
6183 -#ifndef arch_align_stack
6184 -unsigned long arch_align_stack(unsigned long sp)
6185 -{
6186 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
6187 - sp -= get_random_int() % 8192;
6188 - return sp & ~0xf;
6189 -}
6190 -#endif
6191 -
6192 unsigned long get_wchan(struct task_struct *p)
6193 {
6194 unsigned long stack_page, sp, ip;
6195 diff -urNp linux-2.6.32.46/arch/um/sys-i386/syscalls.c linux-2.6.32.46/arch/um/sys-i386/syscalls.c
6196 --- linux-2.6.32.46/arch/um/sys-i386/syscalls.c 2011-03-27 14:31:47.000000000 -0400
6197 +++ linux-2.6.32.46/arch/um/sys-i386/syscalls.c 2011-04-17 15:56:46.000000000 -0400
6198 @@ -11,6 +11,21 @@
6199 #include "asm/uaccess.h"
6200 #include "asm/unistd.h"
6201
6202 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
6203 +{
6204 + unsigned long pax_task_size = TASK_SIZE;
6205 +
6206 +#ifdef CONFIG_PAX_SEGMEXEC
6207 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
6208 + pax_task_size = SEGMEXEC_TASK_SIZE;
6209 +#endif
6210 +
6211 + if (len > pax_task_size || addr > pax_task_size - len)
6212 + return -EINVAL;
6213 +
6214 + return 0;
6215 +}
6216 +
6217 /*
6218 * Perform the select(nd, in, out, ex, tv) and mmap() system
6219 * calls. Linux/i386 didn't use to be able to handle more than
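Review bot: `i386_mmap_check()` accepts `flags` but never reads it, and the function has no comment explaining the order of its two comparisons. Testing `len > pax_task_size` first is what keeps `pax_task_size - len` from wrapping, so a line such as `/* len is checked first so pax_task_size - len cannot underflow; addr + len is never formed */` would stop a later rewrite from reintroducing the overflow. Under CONFIG_PAX_SEGMEXEC the function dereferences `current->mm` without a NULL check, which is safe only if every caller runs with an mm; the callers are outside this hunk.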
6220 diff -urNp linux-2.6.32.46/arch/x86/boot/bitops.h linux-2.6.32.46/arch/x86/boot/bitops.h
6221 --- linux-2.6.32.46/arch/x86/boot/bitops.h 2011-03-27 14:31:47.000000000 -0400
6222 +++ linux-2.6.32.46/arch/x86/boot/bitops.h 2011-04-17 15:56:46.000000000 -0400
6223 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
6224 u8 v;
6225 const u32 *p = (const u32 *)addr;
6226
6227 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
6228 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
6229 return v;
6230 }
6231
6232 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
6233
6234 static inline void set_bit(int nr, void *addr)
6235 {
6236 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
6237 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
6238 }
6239
6240 #endif /* BOOT_BITOPS_H */
6241 diff -urNp linux-2.6.32.46/arch/x86/boot/boot.h linux-2.6.32.46/arch/x86/boot/boot.h
6242 --- linux-2.6.32.46/arch/x86/boot/boot.h 2011-03-27 14:31:47.000000000 -0400
6243 +++ linux-2.6.32.46/arch/x86/boot/boot.h 2011-04-17 15:56:46.000000000 -0400
6244 @@ -82,7 +82,7 @@ static inline void io_delay(void)
6245 static inline u16 ds(void)
6246 {
6247 u16 seg;
6248 - asm("movw %%ds,%0" : "=rm" (seg));
6249 + asm volatile("movw %%ds,%0" : "=rm" (seg));
6250 return seg;
6251 }
6252
6253 @@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
6254 static inline int memcmp(const void *s1, const void *s2, size_t len)
6255 {
6256 u8 diff;
6257 - asm("repe; cmpsb; setnz %0"
6258 + asm volatile("repe; cmpsb; setnz %0"
6259 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
6260 return diff;
6261 }
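Review bot: Adding `volatile` to the `repe; cmpsb` statement in memcmp() stops the compiler from dropping or merging it, but the asm still does not declare that it reads the two buffers: there is no memory input operand and no `"memory"` clobber. The compiler is therefore free to keep earlier stores to `*s1` or `*s2` pending across the asm. Ending the operand list with `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");` would state the dependency. Separately, with `len == 0` no compare executes and `setnz` reports whatever flags were left by earlier code, which deserves a comment for callers.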
6262 diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/head_32.S linux-2.6.32.46/arch/x86/boot/compressed/head_32.S
6263 --- linux-2.6.32.46/arch/x86/boot/compressed/head_32.S 2011-03-27 14:31:47.000000000 -0400
6264 +++ linux-2.6.32.46/arch/x86/boot/compressed/head_32.S 2011-04-17 15:56:46.000000000 -0400
6265 @@ -76,7 +76,7 @@ ENTRY(startup_32)
6266 notl %eax
6267 andl %eax, %ebx
6268 #else
6269 - movl $LOAD_PHYSICAL_ADDR, %ebx
6270 + movl $____LOAD_PHYSICAL_ADDR, %ebx
6271 #endif
6272
6273 /* Target address to relocate to for decompression */
6274 @@ -149,7 +149,7 @@ relocated:
6275 * and where it was actually loaded.
6276 */
6277 movl %ebp, %ebx
6278 - subl $LOAD_PHYSICAL_ADDR, %ebx
6279 + subl $____LOAD_PHYSICAL_ADDR, %ebx
6280 jz 2f /* Nothing to be done if loaded at compiled addr. */
6281 /*
6282 * Process relocations.
6283 @@ -157,8 +157,7 @@ relocated:
6284
6285 1: subl $4, %edi
6286 movl (%edi), %ecx
6287 - testl %ecx, %ecx
6288 - jz 2f
6289 + jecxz 2f
6290 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
6291 jmp 1b
6292 2:
6293 diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/head_64.S linux-2.6.32.46/arch/x86/boot/compressed/head_64.S
6294 --- linux-2.6.32.46/arch/x86/boot/compressed/head_64.S 2011-03-27 14:31:47.000000000 -0400
6295 +++ linux-2.6.32.46/arch/x86/boot/compressed/head_64.S 2011-07-01 18:53:00.000000000 -0400
6296 @@ -91,7 +91,7 @@ ENTRY(startup_32)
6297 notl %eax
6298 andl %eax, %ebx
6299 #else
6300 - movl $LOAD_PHYSICAL_ADDR, %ebx
6301 + movl $____LOAD_PHYSICAL_ADDR, %ebx
6302 #endif
6303
6304 /* Target address to relocate to for decompression */
6305 @@ -183,7 +183,7 @@ no_longmode:
6306 hlt
6307 jmp 1b
6308
6309 -#include "../../kernel/verify_cpu_64.S"
6310 +#include "../../kernel/verify_cpu.S"
6311
6312 /*
6313 * Be careful here startup_64 needs to be at a predictable
6314 @@ -234,7 +234,7 @@ ENTRY(startup_64)
6315 notq %rax
6316 andq %rax, %rbp
6317 #else
6318 - movq $LOAD_PHYSICAL_ADDR, %rbp
6319 + movq $____LOAD_PHYSICAL_ADDR, %rbp
6320 #endif
6321
6322 /* Target address to relocate to for decompression */
6323 diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/Makefile linux-2.6.32.46/arch/x86/boot/compressed/Makefile
6324 --- linux-2.6.32.46/arch/x86/boot/compressed/Makefile 2011-03-27 14:31:47.000000000 -0400
6325 +++ linux-2.6.32.46/arch/x86/boot/compressed/Makefile 2011-08-07 14:38:34.000000000 -0400
6326 @@ -13,6 +13,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=smal
6327 KBUILD_CFLAGS += $(cflags-y)
6328 KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
6329 KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
6330 +ifdef CONSTIFY_PLUGIN
6331 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
6332 +endif
6333
6334 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
6335 GCOV_PROFILE := n
6336 diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/misc.c linux-2.6.32.46/arch/x86/boot/compressed/misc.c
6337 --- linux-2.6.32.46/arch/x86/boot/compressed/misc.c 2011-03-27 14:31:47.000000000 -0400
6338 +++ linux-2.6.32.46/arch/x86/boot/compressed/misc.c 2011-04-17 15:56:46.000000000 -0400
6339 @@ -288,7 +288,7 @@ static void parse_elf(void *output)
6340 case PT_LOAD:
6341 #ifdef CONFIG_RELOCATABLE
6342 dest = output;
6343 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
6344 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
6345 #else
6346 dest = (void *)(phdr->p_paddr);
6347 #endif
6348 @@ -335,7 +335,7 @@ asmlinkage void decompress_kernel(void *
6349 error("Destination address too large");
6350 #endif
6351 #ifndef CONFIG_RELOCATABLE
6352 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
6353 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
6354 error("Wrong destination address");
6355 #endif
6356
6357 diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/mkpiggy.c linux-2.6.32.46/arch/x86/boot/compressed/mkpiggy.c
6358 --- linux-2.6.32.46/arch/x86/boot/compressed/mkpiggy.c 2011-03-27 14:31:47.000000000 -0400
6359 +++ linux-2.6.32.46/arch/x86/boot/compressed/mkpiggy.c 2011-04-17 15:56:46.000000000 -0400
6360 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
6361
6362 offs = (olen > ilen) ? olen - ilen : 0;
6363 offs += olen >> 12; /* Add 8 bytes for each 32K block */
6364 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
6365 + offs += 64*1024; /* Add 64K bytes slack */
6366 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
6367
6368 printf(".section \".rodata.compressed\",\"a\",@progbits\n");
6369 diff -urNp linux-2.6.32.46/arch/x86/boot/compressed/relocs.c linux-2.6.32.46/arch/x86/boot/compressed/relocs.c
6370 --- linux-2.6.32.46/arch/x86/boot/compressed/relocs.c 2011-03-27 14:31:47.000000000 -0400
6371 +++ linux-2.6.32.46/arch/x86/boot/compressed/relocs.c 2011-04-17 15:56:46.000000000 -0400
6372 @@ -10,8 +10,11 @@
6373 #define USE_BSD
6374 #include <endian.h>
6375
6376 +#include "../../../../include/linux/autoconf.h"
6377 +
6378 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
6379 static Elf32_Ehdr ehdr;
6380 +static Elf32_Phdr *phdr;
6381 static unsigned long reloc_count, reloc_idx;
6382 static unsigned long *relocs;
6383
6384 @@ -37,7 +40,7 @@ static const char* safe_abs_relocs[] = {
6385
6386 static int is_safe_abs_reloc(const char* sym_name)
6387 {
6388 - int i;
6389 + unsigned int i;
6390
6391 for (i = 0; i < ARRAY_SIZE(safe_abs_relocs); i++) {
6392 if (!strcmp(sym_name, safe_abs_relocs[i]))
6393 @@ -245,9 +248,39 @@ static void read_ehdr(FILE *fp)
6394 }
6395 }
6396
6397 +static void read_phdrs(FILE *fp)
6398 +{
6399 + unsigned int i;
6400 +
6401 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
6402 + if (!phdr) {
6403 + die("Unable to allocate %d program headers\n",
6404 + ehdr.e_phnum);
6405 + }
6406 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
6407 + die("Seek to %d failed: %s\n",
6408 + ehdr.e_phoff, strerror(errno));
6409 + }
6410 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
6411 + die("Cannot read ELF program headers: %s\n",
6412 + strerror(errno));
6413 + }
6414 + for(i = 0; i < ehdr.e_phnum; i++) {
6415 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
6416 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
6417 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
6418 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
6419 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
6420 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
6421 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
6422 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
6423 + }
6424 +
6425 +}
6426 +
6427 static void read_shdrs(FILE *fp)
6428 {
6429 - int i;
6430 + unsigned int i;
6431 Elf32_Shdr shdr;
6432
6433 secs = calloc(ehdr.e_shnum, sizeof(struct section));
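Review bot: In read_phdrs() the short-read path prints `strerror(errno)`, but `fread()` returning fewer items because the file is truncated does not set `errno`, so the message can end in an unrelated or "Success" string. Distinguishing the two cases, e.g. `die("Cannot read ELF program headers: %s\n", ferror(fp) ? strerror(errno) : "unexpected end of file");`, would make a malformed input easier to diagnose. The `"%d"` conversions are also handed the unsigned `e_phoff`, where `"%u"` would match. read_shdrs() continues past the end of the hunk.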
6434 @@ -282,7 +315,7 @@ static void read_shdrs(FILE *fp)
6435
6436 static void read_strtabs(FILE *fp)
6437 {
6438 - int i;
6439 + unsigned int i;
6440 for (i = 0; i < ehdr.e_shnum; i++) {
6441 struct section *sec = &secs[i];
6442 if (sec->shdr.sh_type != SHT_STRTAB) {
6443 @@ -307,7 +340,7 @@ static void read_strtabs(FILE *fp)
6444
6445 static void read_symtabs(FILE *fp)
6446 {
6447 - int i,j;
6448 + unsigned int i,j;
6449 for (i = 0; i < ehdr.e_shnum; i++) {
6450 struct section *sec = &secs[i];
6451 if (sec->shdr.sh_type != SHT_SYMTAB) {
6452 @@ -340,7 +373,9 @@ static void read_symtabs(FILE *fp)
6453
6454 static void read_relocs(FILE *fp)
6455 {
6456 - int i,j;
6457 + unsigned int i,j;
6458 + uint32_t base;
6459 +
6460 for (i = 0; i < ehdr.e_shnum; i++) {
6461 struct section *sec = &secs[i];
6462 if (sec->shdr.sh_type != SHT_REL) {
6463 @@ -360,9 +395,18 @@ static void read_relocs(FILE *fp)
6464 die("Cannot read symbol table: %s\n",
6465 strerror(errno));
6466 }
6467 + base = 0;
6468 + for (j = 0; j < ehdr.e_phnum; j++) {
6469 + if (phdr[j].p_type != PT_LOAD )
6470 + continue;
6471 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
6472 + continue;
6473 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
6474 + break;
6475 + }
6476 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
6477 Elf32_Rel *rel = &sec->reltab[j];
6478 - rel->r_offset = elf32_to_cpu(rel->r_offset);
6479 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
6480 rel->r_info = elf32_to_cpu(rel->r_info);
6481 }
6482 }
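Review bot: The new segment lookup indexes `secs[sec->shdr.sh_info]` with a value read from the ELF file without comparing it to `ehdr.e_shnum`, and repeats that expression twice on one very long line. The range test `sh_offset >= p_offset + p_filesz` can also wrap in 32-bit arithmetic. Hoisting the target header into a local, bounds-checking `sh_info` first and comparing by subtraction would address all three. A comment should say that `base` deliberately stays 0 when no PT_LOAD segment contains the section. read_relocs() starts and ends outside the hunk; `target` would be declared next to `base`.
```c
	/* … unchanged: fread of the relocation table … */
	if (sec->shdr.sh_info >= ehdr.e_shnum)
		die("Relocation section %u refers to bad section %u\n",
		    i, sec->shdr.sh_info);
	target = &secs[sec->shdr.sh_info].shdr;

	/* base stays 0 when no PT_LOAD segment contains the target section */
	base = 0;
	for (j = 0; j < ehdr.e_phnum; j++) {
		if (phdr[j].p_type != PT_LOAD)
			continue;
		if (target->sh_offset < phdr[j].p_offset ||
		    target->sh_offset - phdr[j].p_offset >= phdr[j].p_filesz)
			continue;
		base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
		break;
	}
	/* … unchanged: per-entry byte-swap loop adding base to r_offset … */
```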
6483 @@ -371,14 +415,14 @@ static void read_relocs(FILE *fp)
6484
6485 static void print_absolute_symbols(void)
6486 {
6487 - int i;
6488 + unsigned int i;
6489 printf("Absolute symbols\n");
6490 printf(" Num: Value Size Type Bind Visibility Name\n");
6491 for (i = 0; i < ehdr.e_shnum; i++) {
6492 struct section *sec = &secs[i];
6493 char *sym_strtab;
6494 Elf32_Sym *sh_symtab;
6495 - int j;
6496 + unsigned int j;
6497
6498 if (sec->shdr.sh_type != SHT_SYMTAB) {
6499 continue;
6500 @@ -406,14 +450,14 @@ static void print_absolute_symbols(void)
6501
6502 static void print_absolute_relocs(void)
6503 {
6504 - int i, printed = 0;
6505 + unsigned int i, printed = 0;
6506
6507 for (i = 0; i < ehdr.e_shnum; i++) {
6508 struct section *sec = &secs[i];
6509 struct section *sec_applies, *sec_symtab;
6510 char *sym_strtab;
6511 Elf32_Sym *sh_symtab;
6512 - int j;
6513 + unsigned int j;
6514 if (sec->shdr.sh_type != SHT_REL) {
6515 continue;
6516 }
6517 @@ -474,13 +518,13 @@ static void print_absolute_relocs(void)
6518
6519 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
6520 {
6521 - int i;
6522 + unsigned int i;
6523 /* Walk through the relocations */
6524 for (i = 0; i < ehdr.e_shnum; i++) {
6525 char *sym_strtab;
6526 Elf32_Sym *sh_symtab;
6527 struct section *sec_applies, *sec_symtab;
6528 - int j;
6529 + unsigned int j;
6530 struct section *sec = &secs[i];
6531
6532 if (sec->shdr.sh_type != SHT_REL) {
6533 @@ -504,6 +548,21 @@ static void walk_relocs(void (*visit)(El
6534 if (sym->st_shndx == SHN_ABS) {
6535 continue;
6536 }
6537 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
6538 + if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
6539 + continue;
6540 +
6541 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
6542 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
6543 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
6544 + continue;
6545 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
6546 + continue;
6547 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
6548 + continue;
6549 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
6550 + continue;
6551 +#endif
6552 if (r_type == R_386_NONE || r_type == R_386_PC32) {
6553 /*
6554 * NONE can be ignored and and PC relative
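Review bot: The `.text` exemption compares the symbol name with `__LOAD_PHYSICAL_ADDR` (two underscores), while other hunks of this patch switch the boot code to `____LOAD_PHYSICAL_ADDR` (four). If both symbols exist and the two-underscore one is meant here, a short comment saying so would stop a reader treating it as a typo. The added tests also call `sec_name(sym->st_shndx)` up to five times per relocation with the same argument; caching it once, `const char *secname = sec_name(sym->st_shndx);`, would shorten the lines and make the skip list easier to audit. walk_relocs() starts and ends outside the hunk.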
6555 @@ -541,7 +600,7 @@ static int cmp_relocs(const void *va, co
6556
6557 static void emit_relocs(int as_text)
6558 {
6559 - int i;
6560 + unsigned int i;
6561 /* Count how many relocations I have and allocate space for them. */
6562 reloc_count = 0;
6563 walk_relocs(count_reloc);
6564 @@ -634,6 +693,7 @@ int main(int argc, char **argv)
6565 fname, strerror(errno));
6566 }
6567 read_ehdr(fp);
6568 + read_phdrs(fp);
6569 read_shdrs(fp);
6570 read_strtabs(fp);
6571 read_symtabs(fp);
6572 diff -urNp linux-2.6.32.46/arch/x86/boot/cpucheck.c linux-2.6.32.46/arch/x86/boot/cpucheck.c
6573 --- linux-2.6.32.46/arch/x86/boot/cpucheck.c 2011-03-27 14:31:47.000000000 -0400
6574 +++ linux-2.6.32.46/arch/x86/boot/cpucheck.c 2011-04-17 15:56:46.000000000 -0400
6575 @@ -74,7 +74,7 @@ static int has_fpu(void)
6576 u16 fcw = -1, fsw = -1;
6577 u32 cr0;
6578
6579 - asm("movl %%cr0,%0" : "=r" (cr0));
6580 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
6581 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
6582 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6583 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6584 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6585 {
6586 u32 f0, f1;
6587
6588 - asm("pushfl ; "
6589 + asm volatile("pushfl ; "
6590 "pushfl ; "
6591 "popl %0 ; "
6592 "movl %0,%1 ; "
6593 @@ -115,7 +115,7 @@ static void get_flags(void)
6594 set_bit(X86_FEATURE_FPU, cpu.flags);
6595
6596 if (has_eflag(X86_EFLAGS_ID)) {
6597 - asm("cpuid"
6598 + asm volatile("cpuid"
6599 : "=a" (max_intel_level),
6600 "=b" (cpu_vendor[0]),
6601 "=d" (cpu_vendor[1]),
6602 @@ -124,7 +124,7 @@ static void get_flags(void)
6603
6604 if (max_intel_level >= 0x00000001 &&
6605 max_intel_level <= 0x0000ffff) {
6606 - asm("cpuid"
6607 + asm volatile("cpuid"
6608 : "=a" (tfms),
6609 "=c" (cpu.flags[4]),
6610 "=d" (cpu.flags[0])
6611 @@ -136,7 +136,7 @@ static void get_flags(void)
6612 cpu.model += ((tfms >> 16) & 0xf) << 4;
6613 }
6614
6615 - asm("cpuid"
6616 + asm volatile("cpuid"
6617 : "=a" (max_amd_level)
6618 : "a" (0x80000000)
6619 : "ebx", "ecx", "edx");
6620 @@ -144,7 +144,7 @@ static void get_flags(void)
6621 if (max_amd_level >= 0x80000001 &&
6622 max_amd_level <= 0x8000ffff) {
6623 u32 eax = 0x80000001;
6624 - asm("cpuid"
6625 + asm volatile("cpuid"
6626 : "+a" (eax),
6627 "=c" (cpu.flags[6]),
6628 "=d" (cpu.flags[1])
6629 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6630 u32 ecx = MSR_K7_HWCR;
6631 u32 eax, edx;
6632
6633 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6634 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6635 eax &= ~(1 << 15);
6636 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6637 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6638
6639 get_flags(); /* Make sure it really did something */
6640 err = check_flags();
6641 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6642 u32 ecx = MSR_VIA_FCR;
6643 u32 eax, edx;
6644
6645 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6646 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6647 eax |= (1<<1)|(1<<7);
6648 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6649 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6650
6651 set_bit(X86_FEATURE_CX8, cpu.flags);
6652 err = check_flags();
6653 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6654 u32 eax, edx;
6655 u32 level = 1;
6656
6657 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6658 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6659 - asm("cpuid"
6660 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6661 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6662 + asm volatile("cpuid"
6663 : "+a" (level), "=d" (cpu.flags[0])
6664 : : "ecx", "ebx");
6665 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6666 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6667
6668 err = check_flags();
6669 }
6670 diff -urNp linux-2.6.32.46/arch/x86/boot/header.S linux-2.6.32.46/arch/x86/boot/header.S
6671 --- linux-2.6.32.46/arch/x86/boot/header.S 2011-03-27 14:31:47.000000000 -0400
6672 +++ linux-2.6.32.46/arch/x86/boot/header.S 2011-04-17 15:56:46.000000000 -0400
6673 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6674 # single linked list of
6675 # struct setup_data
6676
6677 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6678 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6679
6680 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6681 #define VO_INIT_SIZE (VO__end - VO__text)
6682 diff -urNp linux-2.6.32.46/arch/x86/boot/Makefile linux-2.6.32.46/arch/x86/boot/Makefile
6683 --- linux-2.6.32.46/arch/x86/boot/Makefile 2011-03-27 14:31:47.000000000 -0400
6684 +++ linux-2.6.32.46/arch/x86/boot/Makefile 2011-08-07 14:38:13.000000000 -0400
6685 @@ -69,6 +69,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
6686 $(call cc-option, -fno-stack-protector) \
6687 $(call cc-option, -mpreferred-stack-boundary=2)
6688 KBUILD_CFLAGS += $(call cc-option, -m32)
6689 +ifdef CONSTIFY_PLUGIN
6690 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
6691 +endif
6692 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
6693 GCOV_PROFILE := n
6694
6695 diff -urNp linux-2.6.32.46/arch/x86/boot/memory.c linux-2.6.32.46/arch/x86/boot/memory.c
6696 --- linux-2.6.32.46/arch/x86/boot/memory.c 2011-03-27 14:31:47.000000000 -0400
6697 +++ linux-2.6.32.46/arch/x86/boot/memory.c 2011-04-17 15:56:46.000000000 -0400
6698 @@ -19,7 +19,7 @@
6699
6700 static int detect_memory_e820(void)
6701 {
6702 - int count = 0;
6703 + unsigned int count = 0;
6704 struct biosregs ireg, oreg;
6705 struct e820entry *desc = boot_params.e820_map;
6706 static struct e820entry buf; /* static so it is zeroed */
6707 diff -urNp linux-2.6.32.46/arch/x86/boot/video.c linux-2.6.32.46/arch/x86/boot/video.c
6708 --- linux-2.6.32.46/arch/x86/boot/video.c 2011-03-27 14:31:47.000000000 -0400
6709 +++ linux-2.6.32.46/arch/x86/boot/video.c 2011-04-17 15:56:46.000000000 -0400
6710 @@ -90,7 +90,7 @@ static void store_mode_params(void)
6711 static unsigned int get_entry(void)
6712 {
6713 char entry_buf[4];
6714 - int i, len = 0;
6715 + unsigned int i, len = 0;
6716 int key;
6717 unsigned int v;
6718
6719 diff -urNp linux-2.6.32.46/arch/x86/boot/video-vesa.c linux-2.6.32.46/arch/x86/boot/video-vesa.c
6720 --- linux-2.6.32.46/arch/x86/boot/video-vesa.c 2011-03-27 14:31:47.000000000 -0400
6721 +++ linux-2.6.32.46/arch/x86/boot/video-vesa.c 2011-04-17 15:56:46.000000000 -0400
6722 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6723
6724 boot_params.screen_info.vesapm_seg = oreg.es;
6725 boot_params.screen_info.vesapm_off = oreg.di;
6726 + boot_params.screen_info.vesapm_size = oreg.cx;
6727 }
6728
6729 /*
6730 diff -urNp linux-2.6.32.46/arch/x86/ia32/ia32_aout.c linux-2.6.32.46/arch/x86/ia32/ia32_aout.c
6731 --- linux-2.6.32.46/arch/x86/ia32/ia32_aout.c 2011-03-27 14:31:47.000000000 -0400
6732 +++ linux-2.6.32.46/arch/x86/ia32/ia32_aout.c 2011-04-17 15:56:46.000000000 -0400
6733 @@ -169,6 +169,8 @@ static int aout_core_dump(long signr, st
6734 unsigned long dump_start, dump_size;
6735 struct user32 dump;
6736
6737 + memset(&dump, 0, sizeof(dump));
6738 +
6739 fs = get_fs();
6740 set_fs(KERNEL_DS);
6741 has_dumped = 1;
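Review bot: The new `memset(&dump, 0, sizeof(dump));` has no comment explaining that it keeps uninitialised kernel stack bytes (struct padding and any field the fill code leaves unset) out of the core file. Suggest `/* clear padding and unset fields: this struct is copied out to the core file */` directly above it, so the call is not later removed as redundant initialisation. The code that fills and writes `dump` is outside this hunk, so which fields were previously left unset cannot be confirmed from here.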
6742 @@ -218,12 +220,6 @@ static int aout_core_dump(long signr, st
6743 dump_size = dump.u_ssize << PAGE_SHIFT;
6744 DUMP_WRITE(dump_start, dump_size);
6745 }
6746 - /*
6747 - * Finally dump the task struct. Not be used by gdb, but
6748 - * could be useful
6749 - */
6750 - set_fs(KERNEL_DS);
6751 - DUMP_WRITE(current, sizeof(*current));
6752 end_coredump:
6753 set_fs(fs);
6754 return has_dumped;
6755 diff -urNp linux-2.6.32.46/arch/x86/ia32/ia32entry.S linux-2.6.32.46/arch/x86/ia32/ia32entry.S
6756 --- linux-2.6.32.46/arch/x86/ia32/ia32entry.S 2011-03-27 14:31:47.000000000 -0400
6757 +++ linux-2.6.32.46/arch/x86/ia32/ia32entry.S 2011-08-25 17:42:18.000000000 -0400
6758 @@ -13,6 +13,7 @@
6759 #include <asm/thread_info.h>
6760 #include <asm/segment.h>
6761 #include <asm/irqflags.h>
6762 +#include <asm/pgtable.h>
6763 #include <linux/linkage.h>
6764
6765 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6766 @@ -93,6 +94,29 @@ ENTRY(native_irq_enable_sysexit)
6767 ENDPROC(native_irq_enable_sysexit)
6768 #endif
6769
6770 + .macro pax_enter_kernel_user
6771 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6772 + call pax_enter_kernel_user
6773 +#endif
6774 + .endm
6775 +
6776 + .macro pax_exit_kernel_user
6777 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6778 + call pax_exit_kernel_user
6779 +#endif
6780 +#ifdef CONFIG_PAX_RANDKSTACK
6781 + pushq %rax
6782 + call pax_randomize_kstack
6783 + popq %rax
6784 +#endif
6785 + .endm
6786 +
6787 +.macro pax_erase_kstack
6788 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
6789 + call pax_erase_kstack
6790 +#endif
6791 +.endm
6792 +
6793 /*
6794 * 32bit SYSENTER instruction entry.
6795 *
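Review bot: The three macros expand to bare `call`s without stating which registers the helpers preserve, yet later call sites depend on it. At `sysexit_from_sys_call` and `sysretl_from_sys_call` the next instruction is `andl $~TS_COMPAT,TI_status(%r10)`, so %r10 must survive both `pax_exit_kernel_user` and `pax_erase_kstack`. Only %rax is saved, and only around `pax_randomize_kstack`. A header comment on each macro such as `/* helper preserves all registers; requires a valid kernel %rsp */` would record the contract, to be confirmed against the helpers, which are defined outside this view. Separately, `.macro pax_erase_kstack` starts at column 0 while the other two macros are indented.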
6796 @@ -119,7 +143,7 @@ ENTRY(ia32_sysenter_target)
6797 CFI_REGISTER rsp,rbp
6798 SWAPGS_UNSAFE_STACK
6799 movq PER_CPU_VAR(kernel_stack), %rsp
6800 - addq $(KERNEL_STACK_OFFSET),%rsp
6801 + pax_enter_kernel_user
6802 /*
6803 * No need to follow this irqs on/off section: the syscall
6804 * disabled irqs, here we enable it straight after entry:
6805 @@ -135,7 +159,8 @@ ENTRY(ia32_sysenter_target)
6806 pushfq
6807 CFI_ADJUST_CFA_OFFSET 8
6808 /*CFI_REL_OFFSET rflags,0*/
6809 - movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
6810 + GET_THREAD_INFO(%r10)
6811 + movl TI_sysenter_return(%r10), %r10d
6812 CFI_REGISTER rip,r10
6813 pushq $__USER32_CS
6814 CFI_ADJUST_CFA_OFFSET 8
6815 @@ -150,6 +175,12 @@ ENTRY(ia32_sysenter_target)
6816 SAVE_ARGS 0,0,1
6817 /* no need to do an access_ok check here because rbp has been
6818 32bit zero extended */
6819 +
6820 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6821 + mov $PAX_USER_SHADOW_BASE,%r10
6822 + add %r10,%rbp
6823 +#endif
6824 +
6825 1: movl (%rbp),%ebp
6826 .section __ex_table,"a"
6827 .quad 1b,ia32_badarg
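Review bot: The retained comment just above the added block still justifies skipping access_ok by rbp being zero-extended, but under CONFIG_PAX_MEMORY_UDEREF the load at `1:` now dereferences `%rbp + PAX_USER_SHADOW_BASE`. Nothing explains that, or says that %r10 is free as scratch at this point. A comment on the block such as `/* UDEREF: access userland through the shadow base; %r10 is dead here */` would cover both, assuming %r10 has been consumed by the earlier push, which is outside this hunk. The same applies to the `add %r10,%r8` block in ia32_cstar_target. There %r8 also keeps the adjusted address after `movl (%r8),%r9d`, so any later use of %r8 as the user stack pointer should be checked.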
6828 @@ -172,6 +203,8 @@ sysenter_dispatch:
6829 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6830 jnz sysexit_audit
6831 sysexit_from_sys_call:
6832 + pax_exit_kernel_user
6833 + pax_erase_kstack
6834 andl $~TS_COMPAT,TI_status(%r10)
6835 /* clear IF, that popfq doesn't enable interrupts early */
6836 andl $~0x200,EFLAGS-R11(%rsp)
6837 @@ -200,6 +233,9 @@ sysexit_from_sys_call:
6838 movl %eax,%esi /* 2nd arg: syscall number */
6839 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
6840 call audit_syscall_entry
6841 +
6842 + pax_erase_kstack
6843 +
6844 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
6845 cmpq $(IA32_NR_syscalls-1),%rax
6846 ja ia32_badsys
6847 @@ -252,6 +288,9 @@ sysenter_tracesys:
6848 movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
6849 movq %rsp,%rdi /* &pt_regs -> arg1 */
6850 call syscall_trace_enter
6851 +
6852 + pax_erase_kstack
6853 +
6854 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6855 RESTORE_REST
6856 cmpq $(IA32_NR_syscalls-1),%rax
6857 @@ -283,19 +322,24 @@ ENDPROC(ia32_sysenter_target)
6858 ENTRY(ia32_cstar_target)
6859 CFI_STARTPROC32 simple
6860 CFI_SIGNAL_FRAME
6861 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
6862 + CFI_DEF_CFA rsp,0
6863 CFI_REGISTER rip,rcx
6864 /*CFI_REGISTER rflags,r11*/
6865 SWAPGS_UNSAFE_STACK
6866 movl %esp,%r8d
6867 CFI_REGISTER rsp,r8
6868 movq PER_CPU_VAR(kernel_stack),%rsp
6869 +
6870 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6871 + pax_enter_kernel_user
6872 +#endif
6873 +
6874 /*
6875 * No need to follow this irqs on/off section: the syscall
6876 * disabled irqs and here we enable it straight after entry:
6877 */
6878 ENABLE_INTERRUPTS(CLBR_NONE)
6879 - SAVE_ARGS 8,1,1
6880 + SAVE_ARGS 8*6,1,1
6881 movl %eax,%eax /* zero extension */
6882 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
6883 movq %rcx,RIP-ARGOFFSET(%rsp)
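Review bot: The `#ifdef CONFIG_PAX_MEMORY_UDEREF` wrapped around `pax_enter_kernel_user` here is redundant, because the macro body is already guarded by the same symbol and the sysenter and int80 entry paths invoke it bare. Reducing it to the single line `pax_enter_kernel_user` keeps the three entry points consistent. The changes from `CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET` to `rsp,0` and from `SAVE_ARGS 8,1,1` to `8*6,1,1` would also benefit from a comment stating what the per-CPU `kernel_stack` value now points at, since that definition is outside this hunk.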
6884 @@ -311,6 +355,12 @@ ENTRY(ia32_cstar_target)
6885 /* no need to do an access_ok check here because r8 has been
6886 32bit zero extended */
6887 /* hardware stack frame is complete now */
6888 +
6889 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6890 + mov $PAX_USER_SHADOW_BASE,%r10
6891 + add %r10,%r8
6892 +#endif
6893 +
6894 1: movl (%r8),%r9d
6895 .section __ex_table,"a"
6896 .quad 1b,ia32_badarg
6897 @@ -333,6 +383,8 @@ cstar_dispatch:
6898 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6899 jnz sysretl_audit
6900 sysretl_from_sys_call:
6901 + pax_exit_kernel_user
6902 + pax_erase_kstack
6903 andl $~TS_COMPAT,TI_status(%r10)
6904 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6905 movl RIP-ARGOFFSET(%rsp),%ecx
6906 @@ -370,6 +422,9 @@ cstar_tracesys:
6907 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
6908 movq %rsp,%rdi /* &pt_regs -> arg1 */
6909 call syscall_trace_enter
6910 +
6911 + pax_erase_kstack
6912 +
6913 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
6914 RESTORE_REST
6915 xchgl %ebp,%r9d
6916 @@ -415,6 +470,7 @@ ENTRY(ia32_syscall)
6917 CFI_REL_OFFSET rip,RIP-RIP
6918 PARAVIRT_ADJUST_EXCEPTION_FRAME
6919 SWAPGS
6920 + pax_enter_kernel_user
6921 /*
6922 * No need to follow this irqs on/off section: the syscall
6923 * disabled irqs and here we enable it straight after entry:
6924 @@ -448,6 +504,9 @@ ia32_tracesys:
6925 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
6926 movq %rsp,%rdi /* &pt_regs -> arg1 */
6927 call syscall_trace_enter
6928 +
6929 + pax_erase_kstack
6930 +
6931 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6932 RESTORE_REST
6933 cmpq $(IA32_NR_syscalls-1),%rax
6934 diff -urNp linux-2.6.32.46/arch/x86/ia32/ia32_signal.c linux-2.6.32.46/arch/x86/ia32/ia32_signal.c
6935 --- linux-2.6.32.46/arch/x86/ia32/ia32_signal.c 2011-03-27 14:31:47.000000000 -0400
6936 +++ linux-2.6.32.46/arch/x86/ia32/ia32_signal.c 2011-04-17 15:56:46.000000000 -0400
6937 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6938 sp -= frame_size;
6939 /* Align the stack pointer according to the i386 ABI,
6940 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6941 - sp = ((sp + 4) & -16ul) - 4;
6942 + sp = ((sp - 12) & -16ul) - 4;
6943 return (void __user *) sp;
6944 }
6945
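Review bot: `((sp - 12) & -16ul) - 4` always yields the previous result minus 16, so the documented invariant `((sp + 4) & 15) == 0` still holds, but the comment above does not say why the frame is now placed 16 bytes lower. Without that, the expression reads like an arithmetic slip and is likely to be changed back. Extend the existing comment with one line giving the reason for the extra 16 bytes, which this page does not state. get_sigframe() begins outside this hunk.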
6946 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
6947 * These are actually not used anymore, but left because some
6948 * gdb versions depend on them as a marker.
6949 */
6950 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6951 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6952 } put_user_catch(err);
6953
6954 if (err)
6955 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6956 0xb8,
6957 __NR_ia32_rt_sigreturn,
6958 0x80cd,
6959 - 0,
6960 + 0
6961 };
6962
6963 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6964 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
6965
6966 if (ka->sa.sa_flags & SA_RESTORER)
6967 restorer = ka->sa.sa_restorer;
6968 + else if (current->mm->context.vdso)
6969 + /* Return stub is in 32bit vsyscall page */
6970 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
6971 else
6972 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
6973 - rt_sigreturn);
6974 + restorer = &frame->retcode;
6975 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
6976
6977 /*
6978 * Not actually used anymore, but left because some gdb
6979 * versions need it.
6980 */
6981 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6982 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6983 } put_user_catch(err);
6984
6985 if (err)
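Review bot: The new `else restorer = &frame->retcode;` branch makes the on-stack stub the real signal return path whenever `current->mm->context.vdso` is zero, which contradicts the comment a few lines below that retcode is "Not actually used anymore". Update that comment, e.g. `/* Return stub when no vDSO is mapped; some gdb versions also need it as a marker. */`. It is also worth stating next to the branch that this path relies on the stub being runnable from the user stack, or on trampoline emulation when the stack is non-executable. Nothing in this hunk shows which applies. ia32_setup_rt_frame() starts and ends outside the hunk.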
6986 diff -urNp linux-2.6.32.46/arch/x86/include/asm/alternative.h linux-2.6.32.46/arch/x86/include/asm/alternative.h
6987 --- linux-2.6.32.46/arch/x86/include/asm/alternative.h 2011-03-27 14:31:47.000000000 -0400
6988 +++ linux-2.6.32.46/arch/x86/include/asm/alternative.h 2011-04-17 15:56:46.000000000 -0400
6989 @@ -85,7 +85,7 @@ static inline void alternatives_smp_swit
6990 " .byte 662b-661b\n" /* sourcelen */ \
6991 " .byte 664f-663f\n" /* replacementlen */ \
6992 ".previous\n" \
6993 - ".section .altinstr_replacement, \"ax\"\n" \
6994 + ".section .altinstr_replacement, \"a\"\n" \
6995 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
6996 ".previous"
6997
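Review bot: The `.altinstr_replacement` section flags change from "ax" to "a" without a comment. Dropping the executable flag is only safe if the replacement bytes are always copied over the original site and never run from where they are stored. A line above the macro such as `/* .altinstr_replacement is not executable: its contents are only ever copied by the patching code */` would record that assumption. The patching code is outside this hunk, so confirm it there.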
6998 diff -urNp linux-2.6.32.46/arch/x86/include/asm/apic.h linux-2.6.32.46/arch/x86/include/asm/apic.h
6999 --- linux-2.6.32.46/arch/x86/include/asm/apic.h 2011-03-27 14:31:47.000000000 -0400
7000 +++ linux-2.6.32.46/arch/x86/include/asm/apic.h 2011-08-17 20:01:15.000000000 -0400
7001 @@ -46,7 +46,7 @@ static inline void generic_apic_probe(vo
7002
7003 #ifdef CONFIG_X86_LOCAL_APIC
7004
7005 -extern unsigned int apic_verbosity;
7006 +extern int apic_verbosity;
7007 extern int local_apic_timer_c2_ok;
7008
7009 extern int disable_apic;
7010 diff -urNp linux-2.6.32.46/arch/x86/include/asm/apm.h linux-2.6.32.46/arch/x86/include/asm/apm.h
7011 --- linux-2.6.32.46/arch/x86/include/asm/apm.h 2011-03-27 14:31:47.000000000 -0400
7012 +++ linux-2.6.32.46/arch/x86/include/asm/apm.h 2011-04-17 15:56:46.000000000 -0400
7013 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
7014 __asm__ __volatile__(APM_DO_ZERO_SEGS
7015 "pushl %%edi\n\t"
7016 "pushl %%ebp\n\t"
7017 - "lcall *%%cs:apm_bios_entry\n\t"
7018 + "lcall *%%ss:apm_bios_entry\n\t"
7019 "setc %%al\n\t"
7020 "popl %%ebp\n\t"
7021 "popl %%edi\n\t"
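Review bot: The switch from a `%%cs:` to a `%%ss:` override on the `lcall` through `apm_bios_entry` is unexplained. Its correctness rests on SS having a base and limit that cover `apm_bios_entry` at this point, after `APM_DO_ZERO_SEGS`. A comment such as `/* read the far pointer through %ss: it is data and may not be reachable through %cs */` (wording for the author to confirm) would document the intent. The identical change in apm_bios_call_simple_asm() in the next hunk needs the same comment.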
7022 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
7023 __asm__ __volatile__(APM_DO_ZERO_SEGS
7024 "pushl %%edi\n\t"
7025 "pushl %%ebp\n\t"
7026 - "lcall *%%cs:apm_bios_entry\n\t"
7027 + "lcall *%%ss:apm_bios_entry\n\t"
7028 "setc %%bl\n\t"
7029 "popl %%ebp\n\t"
7030 "popl %%edi\n\t"
7031 diff -urNp linux-2.6.32.46/arch/x86/include/asm/atomic_32.h linux-2.6.32.46/arch/x86/include/asm/atomic_32.h
7032 --- linux-2.6.32.46/arch/x86/include/asm/atomic_32.h 2011-03-27 14:31:47.000000000 -0400
7033 +++ linux-2.6.32.46/arch/x86/include/asm/atomic_32.h 2011-05-04 17:56:20.000000000 -0400
7034 @@ -25,6 +25,17 @@ static inline int atomic_read(const atom
7035 }
7036
7037 /**
7038 + * atomic_read_unchecked - read atomic variable
7039 + * @v: pointer of type atomic_unchecked_t
7040 + *
7041 + * Atomically reads the value of @v.
7042 + */
7043 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
7044 +{
7045 + return v->counter;
7046 +}
7047 +
7048 +/**
7049 * atomic_set - set atomic variable
7050 * @v: pointer of type atomic_t
7051 * @i: required value
7052 @@ -37,6 +48,18 @@ static inline void atomic_set(atomic_t *
7053 }
7054
7055 /**
7056 + * atomic_set_unchecked - set atomic variable
7057 + * @v: pointer of type atomic_unchecked_t
7058 + * @i: required value
7059 + *
7060 + * Atomically sets the value of @v to @i.
7061 + */
7062 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7063 +{
7064 + v->counter = i;
7065 +}
7066 +
7067 +/**
7068 * atomic_add - add integer to atomic variable
7069 * @i: integer value to add
7070 * @v: pointer of type atomic_t
7071 @@ -45,7 +68,29 @@ static inline void atomic_set(atomic_t *
7072 */
7073 static inline void atomic_add(int i, atomic_t *v)
7074 {
7075 - asm volatile(LOCK_PREFIX "addl %1,%0"
7076 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7077 +
7078 +#ifdef CONFIG_PAX_REFCOUNT
7079 + "jno 0f\n"
7080 + LOCK_PREFIX "subl %1,%0\n"
7081 + "int $4\n0:\n"
7082 + _ASM_EXTABLE(0b, 0b)
7083 +#endif
7084 +
7085 + : "+m" (v->counter)
7086 + : "ir" (i));
7087 +}
7088 +
7089 +/**
7090 + * atomic_add_unchecked - add integer to atomic variable
7091 + * @i: integer value to add
7092 + * @v: pointer of type atomic_unchecked_t
7093 + *
7094 + * Atomically adds @i to @v.
7095 + */
7096 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
7097 +{
7098 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7099 : "+m" (v->counter)
7100 : "ir" (i));
7101 }
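Review bot: The kernel-doc above atomic_add() still says only that it atomically adds @i to @v, but with CONFIG_PAX_REFCOUNT the function now detects signed overflow, undoes the addition and raises `int $4`. Add a line such as ` * With CONFIG_PAX_REFCOUNT a signed overflow is rolled back and traps via int $4.` to the checked functions. Add to each new `_unchecked` variant a line such as ` * No overflow detection; only for counters that may legitimately wrap.` The same gap applies to atomic_sub, atomic_sub_and_test, atomic_inc, atomic_dec, atomic_dec_and_test, atomic_inc_and_test, atomic_add_negative and atomic_add_return in the later hunks, and to their counterparts in atomic_64.h.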
7102 @@ -59,7 +104,29 @@ static inline void atomic_add(int i, ato
7103 */
7104 static inline void atomic_sub(int i, atomic_t *v)
7105 {
7106 - asm volatile(LOCK_PREFIX "subl %1,%0"
7107 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7108 +
7109 +#ifdef CONFIG_PAX_REFCOUNT
7110 + "jno 0f\n"
7111 + LOCK_PREFIX "addl %1,%0\n"
7112 + "int $4\n0:\n"
7113 + _ASM_EXTABLE(0b, 0b)
7114 +#endif
7115 +
7116 + : "+m" (v->counter)
7117 + : "ir" (i));
7118 +}
7119 +
7120 +/**
7121 + * atomic_sub_unchecked - subtract integer from atomic variable
7122 + * @i: integer value to subtract
7123 + * @v: pointer of type atomic_unchecked_t
7124 + *
7125 + * Atomically subtracts @i from @v.
7126 + */
7127 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
7128 +{
7129 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7130 : "+m" (v->counter)
7131 : "ir" (i));
7132 }
7133 @@ -77,7 +144,16 @@ static inline int atomic_sub_and_test(in
7134 {
7135 unsigned char c;
7136
7137 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
7138 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
7139 +
7140 +#ifdef CONFIG_PAX_REFCOUNT
7141 + "jno 0f\n"
7142 + LOCK_PREFIX "addl %2,%0\n"
7143 + "int $4\n0:\n"
7144 + _ASM_EXTABLE(0b, 0b)
7145 +#endif
7146 +
7147 + "sete %1\n"
7148 : "+m" (v->counter), "=qm" (c)
7149 : "ir" (i) : "memory");
7150 return c;
7151 @@ -91,7 +167,27 @@ static inline int atomic_sub_and_test(in
7152 */
7153 static inline void atomic_inc(atomic_t *v)
7154 {
7155 - asm volatile(LOCK_PREFIX "incl %0"
7156 + asm volatile(LOCK_PREFIX "incl %0\n"
7157 +
7158 +#ifdef CONFIG_PAX_REFCOUNT
7159 + "jno 0f\n"
7160 + LOCK_PREFIX "decl %0\n"
7161 + "int $4\n0:\n"
7162 + _ASM_EXTABLE(0b, 0b)
7163 +#endif
7164 +
7165 + : "+m" (v->counter));
7166 +}
7167 +
7168 +/**
7169 + * atomic_inc_unchecked - increment atomic variable
7170 + * @v: pointer of type atomic_unchecked_t
7171 + *
7172 + * Atomically increments @v by 1.
7173 + */
7174 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7175 +{
7176 + asm volatile(LOCK_PREFIX "incl %0\n"
7177 : "+m" (v->counter));
7178 }
7179
7180 @@ -103,7 +199,27 @@ static inline void atomic_inc(atomic_t *
7181 */
7182 static inline void atomic_dec(atomic_t *v)
7183 {
7184 - asm volatile(LOCK_PREFIX "decl %0"
7185 + asm volatile(LOCK_PREFIX "decl %0\n"
7186 +
7187 +#ifdef CONFIG_PAX_REFCOUNT
7188 + "jno 0f\n"
7189 + LOCK_PREFIX "incl %0\n"
7190 + "int $4\n0:\n"
7191 + _ASM_EXTABLE(0b, 0b)
7192 +#endif
7193 +
7194 + : "+m" (v->counter));
7195 +}
7196 +
7197 +/**
7198 + * atomic_dec_unchecked - decrement atomic variable
7199 + * @v: pointer of type atomic_unchecked_t
7200 + *
7201 + * Atomically decrements @v by 1.
7202 + */
7203 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7204 +{
7205 + asm volatile(LOCK_PREFIX "decl %0\n"
7206 : "+m" (v->counter));
7207 }
7208
7209 @@ -119,7 +235,16 @@ static inline int atomic_dec_and_test(at
7210 {
7211 unsigned char c;
7212
7213 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
7214 + asm volatile(LOCK_PREFIX "decl %0\n"
7215 +
7216 +#ifdef CONFIG_PAX_REFCOUNT
7217 + "jno 0f\n"
7218 + LOCK_PREFIX "incl %0\n"
7219 + "int $4\n0:\n"
7220 + _ASM_EXTABLE(0b, 0b)
7221 +#endif
7222 +
7223 + "sete %1\n"
7224 : "+m" (v->counter), "=qm" (c)
7225 : : "memory");
7226 return c != 0;
7227 @@ -137,7 +262,35 @@ static inline int atomic_inc_and_test(at
7228 {
7229 unsigned char c;
7230
7231 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7232 + asm volatile(LOCK_PREFIX "incl %0\n"
7233 +
7234 +#ifdef CONFIG_PAX_REFCOUNT
7235 + "jno 0f\n"
7236 + LOCK_PREFIX "decl %0\n"
7237 + "into\n0:\n"
7238 + _ASM_EXTABLE(0b, 0b)
7239 +#endif
7240 +
7241 + "sete %1\n"
7242 + : "+m" (v->counter), "=qm" (c)
7243 + : : "memory");
7244 + return c != 0;
7245 +}
7246 +
7247 +/**
7248 + * atomic_inc_and_test_unchecked - increment and test
7249 + * @v: pointer of type atomic_unchecked_t
7250 + *
7251 + * Atomically increments @v by 1
7252 + * and returns true if the result is zero, or false for all
7253 + * other cases.
7254 + */
7255 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
7256 +{
7257 + unsigned char c;
7258 +
7259 + asm volatile(LOCK_PREFIX "incl %0\n"
7260 + "sete %1\n"
7261 : "+m" (v->counter), "=qm" (c)
7262 : : "memory");
7263 return c != 0;
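Review bot: atomic_inc_and_test() reports the overflow with `into`, while every other checked operation in this file uses `int $4`. `into` traps only if OF is still set after the `lock decl` rollback, which depends on the counter value that decrement happens to see. If another CPU modified the counter between the two locked instructions, the overflow can go unreported. Using `"int $4\n0:\n"` here, as the atomic_64.h version of this function does, makes the trap unconditional and consistent.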
7264 @@ -156,7 +309,16 @@ static inline int atomic_add_negative(in
7265 {
7266 unsigned char c;
7267
7268 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7269 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7270 +
7271 +#ifdef CONFIG_PAX_REFCOUNT
7272 + "jno 0f\n"
7273 + LOCK_PREFIX "subl %2,%0\n"
7274 + "int $4\n0:\n"
7275 + _ASM_EXTABLE(0b, 0b)
7276 +#endif
7277 +
7278 + "sets %1\n"
7279 : "+m" (v->counter), "=qm" (c)
7280 : "ir" (i) : "memory");
7281 return c;
7282 @@ -179,6 +341,46 @@ static inline int atomic_add_return(int
7283 #endif
7284 /* Modern 486+ processor */
7285 __i = i;
7286 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7287 +
7288 +#ifdef CONFIG_PAX_REFCOUNT
7289 + "jno 0f\n"
7290 + "movl %0, %1\n"
7291 + "int $4\n0:\n"
7292 + _ASM_EXTABLE(0b, 0b)
7293 +#endif
7294 +
7295 + : "+r" (i), "+m" (v->counter)
7296 + : : "memory");
7297 + return i + __i;
7298 +
7299 +#ifdef CONFIG_M386
7300 +no_xadd: /* Legacy 386 processor */
7301 + local_irq_save(flags);
7302 + __i = atomic_read(v);
7303 + atomic_set(v, i + __i);
7304 + local_irq_restore(flags);
7305 + return i + __i;
7306 +#endif
7307 +}
7308 +
7309 +/**
7310 + * atomic_add_return_unchecked - add integer and return
7311 + * @v: pointer of type atomic_unchecked_t
7312 + * @i: integer value to add
7313 + *
7314 + * Atomically adds @i to @v and returns @i + @v
7315 + */
7316 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7317 +{
7318 + int __i;
7319 +#ifdef CONFIG_M386
7320 + unsigned long flags;
7321 + if (unlikely(boot_cpu_data.x86 <= 3))
7322 + goto no_xadd;
7323 +#endif
7324 + /* Modern 486+ processor */
7325 + __i = i;
7326 asm volatile(LOCK_PREFIX "xaddl %0, %1"
7327 : "+r" (i), "+m" (v->counter)
7328 : : "memory");
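Review bot: The overflow rollback in atomic_add_return() is a plain `movl %0, %1` rather than a locked inverse operation like the `lock subl`/`lock addl` used by the other checked functions. It therefore overwrites anything other CPUs added or subtracted between the `xaddl` and the store. Either document why a non-atomic store is acceptable on this path, or pass the delta as an extra operand and undo with a locked `subl`. The CONFIG_M386 `no_xadd` path also does `atomic_set(v, i + __i)` with no overflow check, so the checked function is unchecked on a 386, and a comment should at least say so. The start of atomic_add_return() is outside this hunk.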
7329 @@ -211,11 +413,21 @@ static inline int atomic_cmpxchg(atomic_
7330 return cmpxchg(&v->counter, old, new);
7331 }
7332
7333 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
7334 +{
7335 + return cmpxchg(&v->counter, old, new);
7336 +}
7337 +
7338 static inline int atomic_xchg(atomic_t *v, int new)
7339 {
7340 return xchg(&v->counter, new);
7341 }
7342
7343 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
7344 +{
7345 + return xchg(&v->counter, new);
7346 +}
7347 +
7348 /**
7349 * atomic_add_unless - add unless the number is already a given value
7350 * @v: pointer of type atomic_t
7351 @@ -227,22 +439,39 @@ static inline int atomic_xchg(atomic_t *
7352 */
7353 static inline int atomic_add_unless(atomic_t *v, int a, int u)
7354 {
7355 - int c, old;
7356 + int c, old, new;
7357 c = atomic_read(v);
7358 for (;;) {
7359 - if (unlikely(c == (u)))
7360 + if (unlikely(c == u))
7361 break;
7362 - old = atomic_cmpxchg((v), c, c + (a));
7363 +
7364 + asm volatile("addl %2,%0\n"
7365 +
7366 +#ifdef CONFIG_PAX_REFCOUNT
7367 + "jno 0f\n"
7368 + "subl %2,%0\n"
7369 + "int $4\n0:\n"
7370 + _ASM_EXTABLE(0b, 0b)
7371 +#endif
7372 +
7373 + : "=r" (new)
7374 + : "0" (c), "ir" (a));
7375 +
7376 + old = atomic_cmpxchg(v, c, new);
7377 if (likely(old == c))
7378 break;
7379 c = old;
7380 }
7381 - return c != (u);
7382 + return c != u;
7383 }
7384
7385 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
7386
7387 #define atomic_inc_return(v) (atomic_add_return(1, v))
7388 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7389 +{
7390 + return atomic_add_return_unchecked(1, v);
7391 +}
7392 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7393
7394 /* These are x86-specific, used by some header files */
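Review bot: On the overflow path in atomic_add_unless() the `subl %2,%0` rollback leaves `new` equal to `c`. Once execution resumes at label `0:`, `atomic_cmpxchg(v, c, new)` then succeeds without changing the counter and the function returns `c != u`, i.e. success. Callers going through `atomic_inc_not_zero` would then treat a reference as taken although it was never counted, if the `int $4` handler lets the task continue. The handler is outside this view. A comment above the asm such as `/* on overflow the counter is left unchanged (saturated) and the trap handler takes over */` would state the contract, or the loop could exit early if that is not the intent.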
7395 @@ -266,9 +495,18 @@ typedef struct {
7396 u64 __aligned(8) counter;
7397 } atomic64_t;
7398
7399 +#ifdef CONFIG_PAX_REFCOUNT
7400 +typedef struct {
7401 + u64 __aligned(8) counter;
7402 +} atomic64_unchecked_t;
7403 +#else
7404 +typedef atomic64_t atomic64_unchecked_t;
7405 +#endif
7406 +
7407 #define ATOMIC64_INIT(val) { (val) }
7408
7409 extern u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old_val, u64 new_val);
7410 +extern u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old_val, u64 new_val);
7411
7412 /**
7413 * atomic64_xchg - xchg atomic64 variable
7414 @@ -279,6 +517,7 @@ extern u64 atomic64_cmpxchg(atomic64_t *
7415 * the old value.
7416 */
7417 extern u64 atomic64_xchg(atomic64_t *ptr, u64 new_val);
7418 +extern u64 atomic64_xchg_unchecked(atomic64_unchecked_t *ptr, u64 new_val);
7419
7420 /**
7421 * atomic64_set - set atomic64 variable
7422 @@ -290,6 +529,15 @@ extern u64 atomic64_xchg(atomic64_t *ptr
7423 extern void atomic64_set(atomic64_t *ptr, u64 new_val);
7424
7425 /**
7426 + * atomic64_unchecked_set - set atomic64 variable
7427 + * @ptr: pointer to type atomic64_unchecked_t
7428 + * @new_val: value to assign
7429 + *
7430 + * Atomically sets the value of @ptr to @new_val.
7431 + */
7432 +extern void atomic64_set_unchecked(atomic64_unchecked_t *ptr, u64 new_val);
7433 +
7434 +/**
7435 * atomic64_read - read atomic64 variable
7436 * @ptr: pointer to type atomic64_t
7437 *
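Review bot: The kernel-doc header names the function `atomic64_unchecked_set`, but the declaration below it is `atomic64_set_unchecked`, so generated documentation and greps will not match. The first doc line should read ` * atomic64_set_unchecked - set atomic64 variable`.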
7438 @@ -317,7 +565,33 @@ static inline u64 atomic64_read(atomic64
7439 return res;
7440 }
7441
7442 -extern u64 atomic64_read(atomic64_t *ptr);
7443 +/**
7444 + * atomic64_read_unchecked - read atomic64 variable
7445 + * @ptr: pointer to type atomic64_unchecked_t
7446 + *
7447 + * Atomically reads the value of @ptr and returns it.
7448 + */
7449 +static inline u64 atomic64_read_unchecked(atomic64_unchecked_t *ptr)
7450 +{
7451 + u64 res;
7452 +
7453 + /*
7454 + * Note, we inline this atomic64_unchecked_t primitive because
7455 + * it only clobbers EAX/EDX and leaves the others
7456 + * untouched. We also (somewhat subtly) rely on the
7457 + * fact that cmpxchg8b returns the current 64-bit value
7458 + * of the memory location we are touching:
7459 + */
7460 + asm volatile(
7461 + "mov %%ebx, %%eax\n\t"
7462 + "mov %%ecx, %%edx\n\t"
7463 + LOCK_PREFIX "cmpxchg8b %1\n"
7464 + : "=&A" (res)
7465 + : "m" (*ptr)
7466 + );
7467 +
7468 + return res;
7469 +}
7470
7471 /**
7472 * atomic64_add_return - add and return
7473 @@ -332,8 +606,11 @@ extern u64 atomic64_add_return(u64 delta
7474 * Other variants with different arithmetic operators:
7475 */
7476 extern u64 atomic64_sub_return(u64 delta, atomic64_t *ptr);
7477 +extern u64 atomic64_sub_return_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7478 extern u64 atomic64_inc_return(atomic64_t *ptr);
7479 +extern u64 atomic64_inc_return_unchecked(atomic64_unchecked_t *ptr);
7480 extern u64 atomic64_dec_return(atomic64_t *ptr);
7481 +extern u64 atomic64_dec_return_unchecked(atomic64_unchecked_t *ptr);
7482
7483 /**
7484 * atomic64_add - add integer to atomic64 variable
7485 @@ -345,6 +622,15 @@ extern u64 atomic64_dec_return(atomic64_
7486 extern void atomic64_add(u64 delta, atomic64_t *ptr);
7487
7488 /**
7489 + * atomic64_add_unchecked - add integer to atomic64 variable
7490 + * @delta: integer value to add
7491 + * @ptr: pointer to type atomic64_unchecked_t
7492 + *
7493 + * Atomically adds @delta to @ptr.
7494 + */
7495 +extern void atomic64_add_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7496 +
7497 +/**
7498 * atomic64_sub - subtract the atomic64 variable
7499 * @delta: integer value to subtract
7500 * @ptr: pointer to type atomic64_t
7501 @@ -354,6 +640,15 @@ extern void atomic64_add(u64 delta, atom
7502 extern void atomic64_sub(u64 delta, atomic64_t *ptr);
7503
7504 /**
7505 + * atomic64_sub_unchecked - subtract the atomic64 variable
7506 + * @delta: integer value to subtract
7507 + * @ptr: pointer to type atomic64_unchecked_t
7508 + *
7509 + * Atomically subtracts @delta from @ptr.
7510 + */
7511 +extern void atomic64_sub_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7512 +
7513 +/**
7514 * atomic64_sub_and_test - subtract value from variable and test result
7515 * @delta: integer value to subtract
7516 * @ptr: pointer to type atomic64_t
7517 @@ -373,6 +668,14 @@ extern int atomic64_sub_and_test(u64 del
7518 extern void atomic64_inc(atomic64_t *ptr);
7519
7520 /**
7521 + * atomic64_inc_unchecked - increment atomic64 variable
7522 + * @ptr: pointer to type atomic64_unchecked_t
7523 + *
7524 + * Atomically increments @ptr by 1.
7525 + */
7526 +extern void atomic64_inc_unchecked(atomic64_unchecked_t *ptr);
7527 +
7528 +/**
7529 * atomic64_dec - decrement atomic64 variable
7530 * @ptr: pointer to type atomic64_t
7531 *
7532 @@ -381,6 +684,14 @@ extern void atomic64_inc(atomic64_t *ptr
7533 extern void atomic64_dec(atomic64_t *ptr);
7534
7535 /**
7536 + * atomic64_dec_unchecked - decrement atomic64 variable
7537 + * @ptr: pointer to type atomic64_unchecked_t
7538 + *
7539 + * Atomically decrements @ptr by 1.
7540 + */
7541 +extern void atomic64_dec_unchecked(atomic64_unchecked_t *ptr);
7542 +
7543 +/**
7544 * atomic64_dec_and_test - decrement and test
7545 * @ptr: pointer to type atomic64_t
7546 *
7547 diff -urNp linux-2.6.32.46/arch/x86/include/asm/atomic_64.h linux-2.6.32.46/arch/x86/include/asm/atomic_64.h
7548 --- linux-2.6.32.46/arch/x86/include/asm/atomic_64.h 2011-03-27 14:31:47.000000000 -0400
7549 +++ linux-2.6.32.46/arch/x86/include/asm/atomic_64.h 2011-05-04 18:35:31.000000000 -0400
7550 @@ -24,6 +24,17 @@ static inline int atomic_read(const atom
7551 }
7552
7553 /**
7554 + * atomic_read_unchecked - read atomic variable
7555 + * @v: pointer of type atomic_unchecked_t
7556 + *
7557 + * Atomically reads the value of @v.
7558 + */
7559 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
7560 +{
7561 + return v->counter;
7562 +}
7563 +
7564 +/**
7565 * atomic_set - set atomic variable
7566 * @v: pointer of type atomic_t
7567 * @i: required value
7568 @@ -36,6 +47,18 @@ static inline void atomic_set(atomic_t *
7569 }
7570
7571 /**
7572 + * atomic_set_unchecked - set atomic variable
7573 + * @v: pointer of type atomic_unchecked_t
7574 + * @i: required value
7575 + *
7576 + * Atomically sets the value of @v to @i.
7577 + */
7578 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7579 +{
7580 + v->counter = i;
7581 +}
7582 +
7583 +/**
7584 * atomic_add - add integer to atomic variable
7585 * @i: integer value to add
7586 * @v: pointer of type atomic_t
7587 @@ -44,7 +67,29 @@ static inline void atomic_set(atomic_t *
7588 */
7589 static inline void atomic_add(int i, atomic_t *v)
7590 {
7591 - asm volatile(LOCK_PREFIX "addl %1,%0"
7592 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7593 +
7594 +#ifdef CONFIG_PAX_REFCOUNT
7595 + "jno 0f\n"
7596 + LOCK_PREFIX "subl %1,%0\n"
7597 + "int $4\n0:\n"
7598 + _ASM_EXTABLE(0b, 0b)
7599 +#endif
7600 +
7601 + : "=m" (v->counter)
7602 + : "ir" (i), "m" (v->counter));
7603 +}
7604 +
7605 +/**
7606 + * atomic_add_unchecked - add integer to atomic variable
7607 + * @i: integer value to add
7608 + * @v: pointer of type atomic_unchecked_t
7609 + *
7610 + * Atomically adds @i to @v.
7611 + */
7612 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
7613 +{
7614 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7615 : "=m" (v->counter)
7616 : "ir" (i), "m" (v->counter));
7617 }
7618 @@ -58,7 +103,29 @@ static inline void atomic_add(int i, ato
7619 */
7620 static inline void atomic_sub(int i, atomic_t *v)
7621 {
7622 - asm volatile(LOCK_PREFIX "subl %1,%0"
7623 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7624 +
7625 +#ifdef CONFIG_PAX_REFCOUNT
7626 + "jno 0f\n"
7627 + LOCK_PREFIX "addl %1,%0\n"
7628 + "int $4\n0:\n"
7629 + _ASM_EXTABLE(0b, 0b)
7630 +#endif
7631 +
7632 + : "=m" (v->counter)
7633 + : "ir" (i), "m" (v->counter));
7634 +}
7635 +
7636 +/**
7637 + * atomic_sub_unchecked - subtract the atomic variable
7638 + * @i: integer value to subtract
7639 + * @v: pointer of type atomic_unchecked_t
7640 + *
7641 + * Atomically subtracts @i from @v.
7642 + */
7643 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
7644 +{
7645 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7646 : "=m" (v->counter)
7647 : "ir" (i), "m" (v->counter));
7648 }
7649 @@ -76,7 +143,16 @@ static inline int atomic_sub_and_test(in
7650 {
7651 unsigned char c;
7652
7653 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
7654 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
7655 +
7656 +#ifdef CONFIG_PAX_REFCOUNT
7657 + "jno 0f\n"
7658 + LOCK_PREFIX "addl %2,%0\n"
7659 + "int $4\n0:\n"
7660 + _ASM_EXTABLE(0b, 0b)
7661 +#endif
7662 +
7663 + "sete %1\n"
7664 : "=m" (v->counter), "=qm" (c)
7665 : "ir" (i), "m" (v->counter) : "memory");
7666 return c;
7667 @@ -90,7 +166,28 @@ static inline int atomic_sub_and_test(in
7668 */
7669 static inline void atomic_inc(atomic_t *v)
7670 {
7671 - asm volatile(LOCK_PREFIX "incl %0"
7672 + asm volatile(LOCK_PREFIX "incl %0\n"
7673 +
7674 +#ifdef CONFIG_PAX_REFCOUNT
7675 + "jno 0f\n"
7676 + LOCK_PREFIX "decl %0\n"
7677 + "int $4\n0:\n"
7678 + _ASM_EXTABLE(0b, 0b)
7679 +#endif
7680 +
7681 + : "=m" (v->counter)
7682 + : "m" (v->counter));
7683 +}
7684 +
7685 +/**
7686 + * atomic_inc_unchecked - increment atomic variable
7687 + * @v: pointer of type atomic_unchecked_t
7688 + *
7689 + * Atomically increments @v by 1.
7690 + */
7691 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7692 +{
7693 + asm volatile(LOCK_PREFIX "incl %0\n"
7694 : "=m" (v->counter)
7695 : "m" (v->counter));
7696 }
7697 @@ -103,7 +200,28 @@ static inline void atomic_inc(atomic_t *
7698 */
7699 static inline void atomic_dec(atomic_t *v)
7700 {
7701 - asm volatile(LOCK_PREFIX "decl %0"
7702 + asm volatile(LOCK_PREFIX "decl %0\n"
7703 +
7704 +#ifdef CONFIG_PAX_REFCOUNT
7705 + "jno 0f\n"
7706 + LOCK_PREFIX "incl %0\n"
7707 + "int $4\n0:\n"
7708 + _ASM_EXTABLE(0b, 0b)
7709 +#endif
7710 +
7711 + : "=m" (v->counter)
7712 + : "m" (v->counter));
7713 +}
7714 +
7715 +/**
7716 + * atomic_dec_unchecked - decrement atomic variable
7717 + * @v: pointer of type atomic_unchecked_t
7718 + *
7719 + * Atomically decrements @v by 1.
7720 + */
7721 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7722 +{
7723 + asm volatile(LOCK_PREFIX "decl %0\n"
7724 : "=m" (v->counter)
7725 : "m" (v->counter));
7726 }
7727 @@ -120,7 +238,16 @@ static inline int atomic_dec_and_test(at
7728 {
7729 unsigned char c;
7730
7731 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
7732 + asm volatile(LOCK_PREFIX "decl %0\n"
7733 +
7734 +#ifdef CONFIG_PAX_REFCOUNT
7735 + "jno 0f\n"
7736 + LOCK_PREFIX "incl %0\n"
7737 + "int $4\n0:\n"
7738 + _ASM_EXTABLE(0b, 0b)
7739 +#endif
7740 +
7741 + "sete %1\n"
7742 : "=m" (v->counter), "=qm" (c)
7743 : "m" (v->counter) : "memory");
7744 return c != 0;
7745 @@ -138,7 +265,35 @@ static inline int atomic_inc_and_test(at
7746 {
7747 unsigned char c;
7748
7749 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7750 + asm volatile(LOCK_PREFIX "incl %0\n"
7751 +
7752 +#ifdef CONFIG_PAX_REFCOUNT
7753 + "jno 0f\n"
7754 + LOCK_PREFIX "decl %0\n"
7755 + "int $4\n0:\n"
7756 + _ASM_EXTABLE(0b, 0b)
7757 +#endif
7758 +
7759 + "sete %1\n"
7760 + : "=m" (v->counter), "=qm" (c)
7761 + : "m" (v->counter) : "memory");
7762 + return c != 0;
7763 +}
7764 +
7765 +/**
7766 + * atomic_inc_and_test_unchecked - increment and test
7767 + * @v: pointer of type atomic_unchecked_t
7768 + *
7769 + * Atomically increments @v by 1
7770 + * and returns true if the result is zero, or false for all
7771 + * other cases.
7772 + */
7773 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
7774 +{
7775 + unsigned char c;
7776 +
7777 + asm volatile(LOCK_PREFIX "incl %0\n"
7778 + "sete %1\n"
7779 : "=m" (v->counter), "=qm" (c)
7780 : "m" (v->counter) : "memory");
7781 return c != 0;
7782 @@ -157,7 +312,16 @@ static inline int atomic_add_negative(in
7783 {
7784 unsigned char c;
7785
7786 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7787 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7788 +
7789 +#ifdef CONFIG_PAX_REFCOUNT
7790 + "jno 0f\n"
7791 + LOCK_PREFIX "subl %2,%0\n"
7792 + "int $4\n0:\n"
7793 + _ASM_EXTABLE(0b, 0b)
7794 +#endif
7795 +
7796 + "sets %1\n"
7797 : "=m" (v->counter), "=qm" (c)
7798 : "ir" (i), "m" (v->counter) : "memory");
7799 return c;
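Review bot: On the overflow path `sets %1` runs after the locked `subl %2,%0` undo, so `c` appears to reflect the sign of the restored counter rather than of the sum the caller asked for. That holds only if the vector-4 handler resumes at label `0:` with the saved flags, which this hunk does not show. If it is intended, a comment such as `/* after an overflow the flag describes the restored value */` would make it explicit. The `sete` variants (`atomic_sub_and_test`, `atomic_dec_and_test`, `atomic_inc_and_test` and their atomic64 counterparts) follow the same pattern. The function body starts outside the hunk.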
7800 @@ -173,7 +337,31 @@ static inline int atomic_add_negative(in
7801 static inline int atomic_add_return(int i, atomic_t *v)
7802 {
7803 int __i = i;
7804 - asm volatile(LOCK_PREFIX "xaddl %0, %1"
7805 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7806 +
7807 +#ifdef CONFIG_PAX_REFCOUNT
7808 + "jno 0f\n"
7809 + "movl %0, %1\n"
7810 + "int $4\n0:\n"
7811 + _ASM_EXTABLE(0b, 0b)
7812 +#endif
7813 +
7814 + : "+r" (i), "+m" (v->counter)
7815 + : : "memory");
7816 + return i + __i;
7817 +}
7818 +
7819 +/**
7820 + * atomic_add_return_unchecked - add and return
7821 + * @i: integer value to add
7822 + * @v: pointer of type atomic_unchecked_t
7823 + *
7824 + * Atomically adds @i to @v and returns @i + @v
7825 + */
7826 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7827 +{
7828 + int __i = i;
7829 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7830 : "+r" (i), "+m" (v->counter)
7831 : : "memory");
7832 return i + __i;
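Review bot: The undo in the checked `atomic_add_return` is a plain `movl %0, %1`, not a locked read-modify-write like the `subl`/`decl` undo used elsewhere in this file. After `xaddl`, `%0` holds the counter's previous value, so the store writes that snapshot back and would discard any update another CPU made between the two instructions. If that is accepted because an overflow is treated as fatal anyway, say so in a comment, e.g. `/* overflow: restore the pre-add value; concurrent updates in this window are lost */`. `atomic64_add_return` has the same `movq %0, %1` undo.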
7833 @@ -185,6 +373,10 @@ static inline int atomic_sub_return(int
7834 }
7835
7836 #define atomic_inc_return(v) (atomic_add_return(1, v))
7837 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7838 +{
7839 + return atomic_add_return_unchecked(1, v);
7840 +}
7841 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7842
7843 /* The 64-bit atomic type */
7844 @@ -204,6 +396,18 @@ static inline long atomic64_read(const a
7845 }
7846
7847 /**
7848 + * atomic64_read_unchecked - read atomic64 variable
7849 + * @v: pointer of type atomic64_unchecked_t
7850 + *
7851 + * Atomically reads the value of @v.
7852 + * Doesn't imply a read memory barrier.
7853 + */
7854 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
7855 +{
7856 + return v->counter;
7857 +}
7858 +
7859 +/**
7860 * atomic64_set - set atomic64 variable
7861 * @v: pointer to type atomic64_t
7862 * @i: required value
7863 @@ -216,6 +420,18 @@ static inline void atomic64_set(atomic64
7864 }
7865
7866 /**
7867 + * atomic64_set_unchecked - set atomic64 variable
7868 + * @v: pointer to type atomic64_unchecked_t
7869 + * @i: required value
7870 + *
7871 + * Atomically sets the value of @v to @i.
7872 + */
7873 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
7874 +{
7875 + v->counter = i;
7876 +}
7877 +
7878 +/**
7879 * atomic64_add - add integer to atomic64 variable
7880 * @i: integer value to add
7881 * @v: pointer to type atomic64_t
7882 @@ -224,6 +440,28 @@ static inline void atomic64_set(atomic64
7883 */
7884 static inline void atomic64_add(long i, atomic64_t *v)
7885 {
7886 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
7887 +
7888 +#ifdef CONFIG_PAX_REFCOUNT
7889 + "jno 0f\n"
7890 + LOCK_PREFIX "subq %1,%0\n"
7891 + "int $4\n0:\n"
7892 + _ASM_EXTABLE(0b, 0b)
7893 +#endif
7894 +
7895 + : "=m" (v->counter)
7896 + : "er" (i), "m" (v->counter));
7897 +}
7898 +
7899 +/**
7900 + * atomic64_add_unchecked - add integer to atomic64 variable
7901 + * @i: integer value to add
7902 + * @v: pointer to type atomic64_unchecked_t
7903 + *
7904 + * Atomically adds @i to @v.
7905 + */
7906 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
7907 +{
7908 asm volatile(LOCK_PREFIX "addq %1,%0"
7909 : "=m" (v->counter)
7910 : "er" (i), "m" (v->counter));
7911 @@ -238,7 +476,15 @@ static inline void atomic64_add(long i,
7912 */
7913 static inline void atomic64_sub(long i, atomic64_t *v)
7914 {
7915 - asm volatile(LOCK_PREFIX "subq %1,%0"
7916 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
7917 +
7918 +#ifdef CONFIG_PAX_REFCOUNT
7919 + "jno 0f\n"
7920 + LOCK_PREFIX "addq %1,%0\n"
7921 + "int $4\n0:\n"
7922 + _ASM_EXTABLE(0b, 0b)
7923 +#endif
7924 +
7925 : "=m" (v->counter)
7926 : "er" (i), "m" (v->counter));
7927 }
7928 @@ -256,7 +502,16 @@ static inline int atomic64_sub_and_test(
7929 {
7930 unsigned char c;
7931
7932 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
7933 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
7934 +
7935 +#ifdef CONFIG_PAX_REFCOUNT
7936 + "jno 0f\n"
7937 + LOCK_PREFIX "addq %2,%0\n"
7938 + "int $4\n0:\n"
7939 + _ASM_EXTABLE(0b, 0b)
7940 +#endif
7941 +
7942 + "sete %1\n"
7943 : "=m" (v->counter), "=qm" (c)
7944 : "er" (i), "m" (v->counter) : "memory");
7945 return c;
7946 @@ -270,6 +525,27 @@ static inline int atomic64_sub_and_test(
7947 */
7948 static inline void atomic64_inc(atomic64_t *v)
7949 {
7950 + asm volatile(LOCK_PREFIX "incq %0\n"
7951 +
7952 +#ifdef CONFIG_PAX_REFCOUNT
7953 + "jno 0f\n"
7954 + LOCK_PREFIX "decq %0\n"
7955 + "int $4\n0:\n"
7956 + _ASM_EXTABLE(0b, 0b)
7957 +#endif
7958 +
7959 + : "=m" (v->counter)
7960 + : "m" (v->counter));
7961 +}
7962 +
7963 +/**
7964 + * atomic64_inc_unchecked - increment atomic64 variable
7965 + * @v: pointer to type atomic64_unchecked_t
7966 + *
7967 + * Atomically increments @v by 1.
7968 + */
7969 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
7970 +{
7971 asm volatile(LOCK_PREFIX "incq %0"
7972 : "=m" (v->counter)
7973 : "m" (v->counter));
7974 @@ -283,7 +559,28 @@ static inline void atomic64_inc(atomic64
7975 */
7976 static inline void atomic64_dec(atomic64_t *v)
7977 {
7978 - asm volatile(LOCK_PREFIX "decq %0"
7979 + asm volatile(LOCK_PREFIX "decq %0\n"
7980 +
7981 +#ifdef CONFIG_PAX_REFCOUNT
7982 + "jno 0f\n"
7983 + LOCK_PREFIX "incq %0\n"
7984 + "int $4\n0:\n"
7985 + _ASM_EXTABLE(0b, 0b)
7986 +#endif
7987 +
7988 + : "=m" (v->counter)
7989 + : "m" (v->counter));
7990 +}
7991 +
7992 +/**
7993 + * atomic64_dec_unchecked - decrement atomic64 variable
7994 + * @v: pointer to type atomic64_t
7995 + *
7996 + * Atomically decrements @v by 1.
7997 + */
7998 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
7999 +{
8000 + asm volatile(LOCK_PREFIX "decq %0\n"
8001 : "=m" (v->counter)
8002 : "m" (v->counter));
8003 }
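Review bot: The kernel-doc for `atomic64_dec_unchecked` describes `@v` as `pointer to type atomic64_t`, but the function takes `atomic64_unchecked_t *`. The line should read `* @v: pointer to type atomic64_unchecked_t`, matching the other atomic64 `_unchecked` comments in this file.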
8004 @@ -300,7 +597,16 @@ static inline int atomic64_dec_and_test(
8005 {
8006 unsigned char c;
8007
8008 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
8009 + asm volatile(LOCK_PREFIX "decq %0\n"
8010 +
8011 +#ifdef CONFIG_PAX_REFCOUNT
8012 + "jno 0f\n"
8013 + LOCK_PREFIX "incq %0\n"
8014 + "int $4\n0:\n"
8015 + _ASM_EXTABLE(0b, 0b)
8016 +#endif
8017 +
8018 + "sete %1\n"
8019 : "=m" (v->counter), "=qm" (c)
8020 : "m" (v->counter) : "memory");
8021 return c != 0;
8022 @@ -318,7 +624,16 @@ static inline int atomic64_inc_and_test(
8023 {
8024 unsigned char c;
8025
8026 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
8027 + asm volatile(LOCK_PREFIX "incq %0\n"
8028 +
8029 +#ifdef CONFIG_PAX_REFCOUNT
8030 + "jno 0f\n"
8031 + LOCK_PREFIX "decq %0\n"
8032 + "int $4\n0:\n"
8033 + _ASM_EXTABLE(0b, 0b)
8034 +#endif
8035 +
8036 + "sete %1\n"
8037 : "=m" (v->counter), "=qm" (c)
8038 : "m" (v->counter) : "memory");
8039 return c != 0;
8040 @@ -337,7 +652,16 @@ static inline int atomic64_add_negative(
8041 {
8042 unsigned char c;
8043
8044 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
8045 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
8046 +
8047 +#ifdef CONFIG_PAX_REFCOUNT
8048 + "jno 0f\n"
8049 + LOCK_PREFIX "subq %2,%0\n"
8050 + "int $4\n0:\n"
8051 + _ASM_EXTABLE(0b, 0b)
8052 +#endif
8053 +
8054 + "sets %1\n"
8055 : "=m" (v->counter), "=qm" (c)
8056 : "er" (i), "m" (v->counter) : "memory");
8057 return c;
8058 @@ -353,7 +677,31 @@ static inline int atomic64_add_negative(
8059 static inline long atomic64_add_return(long i, atomic64_t *v)
8060 {
8061 long __i = i;
8062 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
8063 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
8064 +
8065 +#ifdef CONFIG_PAX_REFCOUNT
8066 + "jno 0f\n"
8067 + "movq %0, %1\n"
8068 + "int $4\n0:\n"
8069 + _ASM_EXTABLE(0b, 0b)
8070 +#endif
8071 +
8072 + : "+r" (i), "+m" (v->counter)
8073 + : : "memory");
8074 + return i + __i;
8075 +}
8076 +
8077 +/**
8078 + * atomic64_add_return_unchecked - add and return
8079 + * @i: integer value to add
8080 + * @v: pointer to type atomic64_unchecked_t
8081 + *
8082 + * Atomically adds @i to @v and returns @i + @v
8083 + */
8084 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
8085 +{
8086 + long __i = i;
8087 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
8088 : "+r" (i), "+m" (v->counter)
8089 : : "memory");
8090 return i + __i;
8091 @@ -365,6 +713,10 @@ static inline long atomic64_sub_return(l
8092 }
8093
8094 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
8095 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8096 +{
8097 + return atomic64_add_return_unchecked(1, v);
8098 +}
8099 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
8100
8101 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
8102 @@ -372,21 +724,41 @@ static inline long atomic64_cmpxchg(atom
8103 return cmpxchg(&v->counter, old, new);
8104 }
8105
8106 +static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
8107 +{
8108 + return cmpxchg(&v->counter, old, new);
8109 +}
8110 +
8111 static inline long atomic64_xchg(atomic64_t *v, long new)
8112 {
8113 return xchg(&v->counter, new);
8114 }
8115
8116 +static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
8117 +{
8118 + return xchg(&v->counter, new);
8119 +}
8120 +
8121 static inline long atomic_cmpxchg(atomic_t *v, int old, int new)
8122 {
8123 return cmpxchg(&v->counter, old, new);
8124 }
8125
8126 +static inline long atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
8127 +{
8128 + return cmpxchg(&v->counter, old, new);
8129 +}
8130 +
8131 static inline long atomic_xchg(atomic_t *v, int new)
8132 {
8133 return xchg(&v->counter, new);
8134 }
8135
8136 +static inline long atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
8137 +{
8138 + return xchg(&v->counter, new);
8139 +}
8140 +
8141 /**
8142 * atomic_add_unless - add unless the number is a given value
8143 * @v: pointer of type atomic_t
8144 @@ -398,17 +770,30 @@ static inline long atomic_xchg(atomic_t
8145 */
8146 static inline int atomic_add_unless(atomic_t *v, int a, int u)
8147 {
8148 - int c, old;
8149 + int c, old, new;
8150 c = atomic_read(v);
8151 for (;;) {
8152 - if (unlikely(c == (u)))
8153 + if (unlikely(c == u))
8154 break;
8155 - old = atomic_cmpxchg((v), c, c + (a));
8156 +
8157 + asm volatile("addl %2,%0\n"
8158 +
8159 +#ifdef CONFIG_PAX_REFCOUNT
8160 + "jno 0f\n"
8161 + "subl %2,%0\n"
8162 + "int $4\n0:\n"
8163 + _ASM_EXTABLE(0b, 0b)
8164 +#endif
8165 +
8166 + : "=r" (new)
8167 + : "0" (c), "ir" (a));
8168 +
8169 + old = atomic_cmpxchg(v, c, new);
8170 if (likely(old == c))
8171 break;
8172 c = old;
8173 }
8174 - return c != (u);
8175 + return c != u;
8176 }
8177
8178 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
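Review bot: When the checked add overflows, the undo `subl %2,%0` leaves `new` equal to `c`, so the following `atomic_cmpxchg(v, c, new)` can succeed without changing the counter and the function still returns `c != u`, i.e. non-zero. A caller of `atomic_inc_not_zero()` would then be told the increment happened although the counter is unchanged, unless the vector-4 handler stops execution before that point; the handler is not part of this hunk. A comment stating what is intended would help, e.g. `/* on overflow new == c, so the cmpxchg below is a no-op; the overflow trap is the only signal */`. `atomic64_add_unless` in the next hunk has the same shape.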
8179 @@ -424,17 +809,30 @@ static inline int atomic_add_unless(atom
8180 */
8181 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
8182 {
8183 - long c, old;
8184 + long c, old, new;
8185 c = atomic64_read(v);
8186 for (;;) {
8187 - if (unlikely(c == (u)))
8188 + if (unlikely(c == u))
8189 break;
8190 - old = atomic64_cmpxchg((v), c, c + (a));
8191 +
8192 + asm volatile("addq %2,%0\n"
8193 +
8194 +#ifdef CONFIG_PAX_REFCOUNT
8195 + "jno 0f\n"
8196 + "subq %2,%0\n"
8197 + "int $4\n0:\n"
8198 + _ASM_EXTABLE(0b, 0b)
8199 +#endif
8200 +
8201 + : "=r" (new)
8202 + : "0" (c), "er" (a));
8203 +
8204 + old = atomic64_cmpxchg(v, c, new);
8205 if (likely(old == c))
8206 break;
8207 c = old;
8208 }
8209 - return c != (u);
8210 + return c != u;
8211 }
8212
8213 /**
8214 diff -urNp linux-2.6.32.46/arch/x86/include/asm/bitops.h linux-2.6.32.46/arch/x86/include/asm/bitops.h
8215 --- linux-2.6.32.46/arch/x86/include/asm/bitops.h 2011-03-27 14:31:47.000000000 -0400
8216 +++ linux-2.6.32.46/arch/x86/include/asm/bitops.h 2011-04-17 15:56:46.000000000 -0400
8217 @@ -38,7 +38,7 @@
8218 * a mask operation on a byte.
8219 */
8220 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
8221 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
8222 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
8223 #define CONST_MASK(nr) (1 << ((nr) & 7))
8224
8225 /**
8226 diff -urNp linux-2.6.32.46/arch/x86/include/asm/boot.h linux-2.6.32.46/arch/x86/include/asm/boot.h
8227 --- linux-2.6.32.46/arch/x86/include/asm/boot.h 2011-03-27 14:31:47.000000000 -0400
8228 +++ linux-2.6.32.46/arch/x86/include/asm/boot.h 2011-04-17 15:56:46.000000000 -0400
8229 @@ -11,10 +11,15 @@
8230 #include <asm/pgtable_types.h>
8231
8232 /* Physical address where kernel should be loaded. */
8233 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
8234 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
8235 + (CONFIG_PHYSICAL_ALIGN - 1)) \
8236 & ~(CONFIG_PHYSICAL_ALIGN - 1))
8237
8238 +#ifndef __ASSEMBLY__
8239 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
8240 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
8241 +#endif
8242 +
8243 /* Minimum kernel alignment, as a power of two */
8244 #ifdef CONFIG_X86_64
8245 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
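Review bot: `LOAD_PHYSICAL_ADDR` changes from a preprocessor constant to the address of the symbol `__LOAD_PHYSICAL_ADDR`, and it is now defined only when `__ASSEMBLY__` is not set. It can therefore no longer be used in `#if` expressions or constant initialisers, and assembly sources would have to use `____LOAD_PHYSICAL_ADDR`. Users of the macro are outside this hunk, so this needs checking. The existing comment now sits above the four-underscore macro only; add one for the new definition, e.g. `/* Address of a symbol expected to be provided at link time; not a compile-time constant */`.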
8246 diff -urNp linux-2.6.32.46/arch/x86/include/asm/cacheflush.h linux-2.6.32.46/arch/x86/include/asm/cacheflush.h
8247 --- linux-2.6.32.46/arch/x86/include/asm/cacheflush.h 2011-03-27 14:31:47.000000000 -0400
8248 +++ linux-2.6.32.46/arch/x86/include/asm/cacheflush.h 2011-04-17 15:56:46.000000000 -0400
8249 @@ -60,7 +60,7 @@ PAGEFLAG(WC, WC)
8250 static inline unsigned long get_page_memtype(struct page *pg)
8251 {
8252 if (!PageUncached(pg) && !PageWC(pg))
8253 - return -1;
8254 + return ~0UL;
8255 else if (!PageUncached(pg) && PageWC(pg))
8256 return _PAGE_CACHE_WC;
8257 else if (PageUncached(pg) && !PageWC(pg))
8258 @@ -85,7 +85,7 @@ static inline void set_page_memtype(stru
8259 SetPageWC(pg);
8260 break;
8261 default:
8262 - case -1:
8263 + case ~0UL:
8264 ClearPageUncached(pg);
8265 ClearPageWC(pg);
8266 break;
8267 diff -urNp linux-2.6.32.46/arch/x86/include/asm/cache.h linux-2.6.32.46/arch/x86/include/asm/cache.h
8268 --- linux-2.6.32.46/arch/x86/include/asm/cache.h 2011-03-27 14:31:47.000000000 -0400
8269 +++ linux-2.6.32.46/arch/x86/include/asm/cache.h 2011-07-06 19:53:33.000000000 -0400
8270 @@ -5,9 +5,10 @@
8271
8272 /* L1 cache line size */
8273 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
8274 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
8275 +#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
8276
8277 #define __read_mostly __attribute__((__section__(".data.read_mostly")))
8278 +#define __read_only __attribute__((__section__(".data.read_only")))
8279
8280 #ifdef CONFIG_X86_VSMP
8281 /* vSMP Internode cacheline shift */
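Review bot: `__read_only` is introduced without a comment, and by itself it only names a section, `.data.read_only`. Whether objects placed there are actually write-protected depends on the linker script and page permissions, neither of which is in this hunk. A short comment would help, e.g. `/* placed in .data.read_only; protection is applied elsewhere, writers must open a kernel write window */`. The last part is inferred from the `pax_open_kernel()` calls elsewhere in this patch and should be confirmed. Separately, `L1_CACHE_BYTES` becomes `unsigned long`, which changes the type of every expression that uses it.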
8282 diff -urNp linux-2.6.32.46/arch/x86/include/asm/checksum_32.h linux-2.6.32.46/arch/x86/include/asm/checksum_32.h
8283 --- linux-2.6.32.46/arch/x86/include/asm/checksum_32.h 2011-03-27 14:31:47.000000000 -0400
8284 +++ linux-2.6.32.46/arch/x86/include/asm/checksum_32.h 2011-04-17 15:56:46.000000000 -0400
8285 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
8286 int len, __wsum sum,
8287 int *src_err_ptr, int *dst_err_ptr);
8288
8289 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
8290 + int len, __wsum sum,
8291 + int *src_err_ptr, int *dst_err_ptr);
8292 +
8293 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
8294 + int len, __wsum sum,
8295 + int *src_err_ptr, int *dst_err_ptr);
8296 +
8297 /*
8298 * Note: when you get a NULL pointer exception here this means someone
8299 * passed in an incorrect kernel address to one of these functions.
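Review bot: The two new prototypes keep plain `const void *src, void *dst`, so neither says which argument is the user pointer, and the callers further down still need `(__force void *)` casts. Annotating the user side, `const void __user *src` for `csum_partial_copy_generic_from_user` and `void __user *dst` for `csum_partial_copy_generic_to_user`, would let sparse check the callers. This assumes the implementations, which are outside this file, do not depend on the C-level annotation. At minimum, add a comment naming the user-space argument of each.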
8300 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
8301 int *err_ptr)
8302 {
8303 might_sleep();
8304 - return csum_partial_copy_generic((__force void *)src, dst,
8305 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
8306 len, sum, err_ptr, NULL);
8307 }
8308
8309 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
8310 {
8311 might_sleep();
8312 if (access_ok(VERIFY_WRITE, dst, len))
8313 - return csum_partial_copy_generic(src, (__force void *)dst,
8314 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
8315 len, sum, NULL, err_ptr);
8316
8317 if (len)
8318 diff -urNp linux-2.6.32.46/arch/x86/include/asm/desc_defs.h linux-2.6.32.46/arch/x86/include/asm/desc_defs.h
8319 --- linux-2.6.32.46/arch/x86/include/asm/desc_defs.h 2011-03-27 14:31:47.000000000 -0400
8320 +++ linux-2.6.32.46/arch/x86/include/asm/desc_defs.h 2011-04-17 15:56:46.000000000 -0400
8321 @@ -31,6 +31,12 @@ struct desc_struct {
8322 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
8323 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
8324 };
8325 + struct {
8326 + u16 offset_low;
8327 + u16 seg;
8328 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
8329 + unsigned offset_high: 16;
8330 + } gate;
8331 };
8332 } __attribute__((packed));
8333
8334 diff -urNp linux-2.6.32.46/arch/x86/include/asm/desc.h linux-2.6.32.46/arch/x86/include/asm/desc.h
8335 --- linux-2.6.32.46/arch/x86/include/asm/desc.h 2011-03-27 14:31:47.000000000 -0400
8336 +++ linux-2.6.32.46/arch/x86/include/asm/desc.h 2011-04-23 12:56:10.000000000 -0400
8337 @@ -4,6 +4,7 @@
8338 #include <asm/desc_defs.h>
8339 #include <asm/ldt.h>
8340 #include <asm/mmu.h>
8341 +#include <asm/pgtable.h>
8342 #include <linux/smp.h>
8343
8344 static inline void fill_ldt(struct desc_struct *desc,
8345 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
8346 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
8347 desc->type = (info->read_exec_only ^ 1) << 1;
8348 desc->type |= info->contents << 2;
8349 + desc->type |= info->seg_not_present ^ 1;
8350 desc->s = 1;
8351 desc->dpl = 0x3;
8352 desc->p = info->seg_not_present ^ 1;
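Review bot: The added `desc->type |= info->seg_not_present ^ 1;` sets bit 0 of the type field, the accessed bit, for every present segment, and nothing says why. Presumably this is so the CPU never has to set that bit itself in a descriptor table that may be mapped read-only. If so, a comment such as `/* pre-set the accessed bit so loading the segment does not write to the table */` belongs on the line. fill_ldt starts and ends outside the hunk.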
8353 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
8354 }
8355
8356 extern struct desc_ptr idt_descr;
8357 -extern gate_desc idt_table[];
8358 -
8359 -struct gdt_page {
8360 - struct desc_struct gdt[GDT_ENTRIES];
8361 -} __attribute__((aligned(PAGE_SIZE)));
8362 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
8363 +extern gate_desc idt_table[256];
8364
8365 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
8366 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
8367 {
8368 - return per_cpu(gdt_page, cpu).gdt;
8369 + return cpu_gdt_table[cpu];
8370 }
8371
8372 #ifdef CONFIG_X86_64
8373 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
8374 unsigned long base, unsigned dpl, unsigned flags,
8375 unsigned short seg)
8376 {
8377 - gate->a = (seg << 16) | (base & 0xffff);
8378 - gate->b = (base & 0xffff0000) |
8379 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
8380 + gate->gate.offset_low = base;
8381 + gate->gate.seg = seg;
8382 + gate->gate.reserved = 0;
8383 + gate->gate.type = type;
8384 + gate->gate.s = 0;
8385 + gate->gate.dpl = dpl;
8386 + gate->gate.p = 1;
8387 + gate->gate.offset_high = base >> 16;
8388 }
8389
8390 #endif
8391 @@ -115,13 +118,17 @@ static inline void paravirt_free_ldt(str
8392 static inline void native_write_idt_entry(gate_desc *idt, int entry,
8393 const gate_desc *gate)
8394 {
8395 + pax_open_kernel();
8396 memcpy(&idt[entry], gate, sizeof(*gate));
8397 + pax_close_kernel();
8398 }
8399
8400 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
8401 const void *desc)
8402 {
8403 + pax_open_kernel();
8404 memcpy(&ldt[entry], desc, 8);
8405 + pax_close_kernel();
8406 }
8407
8408 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
8409 @@ -139,7 +146,10 @@ static inline void native_write_gdt_entr
8410 size = sizeof(struct desc_struct);
8411 break;
8412 }
8413 +
8414 + pax_open_kernel();
8415 memcpy(&gdt[entry], desc, size);
8416 + pax_close_kernel();
8417 }
8418
8419 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
8420 @@ -211,7 +221,9 @@ static inline void native_set_ldt(const
8421
8422 static inline void native_load_tr_desc(void)
8423 {
8424 + pax_open_kernel();
8425 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
8426 + pax_close_kernel();
8427 }
8428
8429 static inline void native_load_gdt(const struct desc_ptr *dtr)
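Review bot: `native_load_tr_desc` gets a `pax_open_kernel()`/`pax_close_kernel()` pair around an instruction that looks like a pure register load, without a comment. `ltr` marks the referenced TSS descriptor as busy, which is a write to the GDT, and that is presumably why the window is needed here. Suggested comment: `/* ltr sets the busy bit in the TSS descriptor, i.e. writes to the GDT */`.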
8430 @@ -246,8 +258,10 @@ static inline void native_load_tls(struc
8431 unsigned int i;
8432 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
8433
8434 + pax_open_kernel();
8435 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
8436 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
8437 + pax_close_kernel();
8438 }
8439
8440 #define _LDT_empty(info) \
8441 @@ -309,7 +323,7 @@ static inline void set_desc_limit(struct
8442 desc->limit = (limit >> 16) & 0xf;
8443 }
8444
8445 -static inline void _set_gate(int gate, unsigned type, void *addr,
8446 +static inline void _set_gate(int gate, unsigned type, const void *addr,
8447 unsigned dpl, unsigned ist, unsigned seg)
8448 {
8449 gate_desc s;
8450 @@ -327,7 +341,7 @@ static inline void _set_gate(int gate, u
8451 * Pentium F0 0F bugfix can have resulted in the mapped
8452 * IDT being write-protected.
8453 */
8454 -static inline void set_intr_gate(unsigned int n, void *addr)
8455 +static inline void set_intr_gate(unsigned int n, const void *addr)
8456 {
8457 BUG_ON((unsigned)n > 0xFF);
8458 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
8459 @@ -356,19 +370,19 @@ static inline void alloc_intr_gate(unsig
8460 /*
8461 * This routine sets up an interrupt gate at directory privilege level 3.
8462 */
8463 -static inline void set_system_intr_gate(unsigned int n, void *addr)
8464 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
8465 {
8466 BUG_ON((unsigned)n > 0xFF);
8467 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
8468 }
8469
8470 -static inline void set_system_trap_gate(unsigned int n, void *addr)
8471 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
8472 {
8473 BUG_ON((unsigned)n > 0xFF);
8474 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
8475 }
8476
8477 -static inline void set_trap_gate(unsigned int n, void *addr)
8478 +static inline void set_trap_gate(unsigned int n, const void *addr)
8479 {
8480 BUG_ON((unsigned)n > 0xFF);
8481 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
8482 @@ -377,19 +391,31 @@ static inline void set_trap_gate(unsigne
8483 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
8484 {
8485 BUG_ON((unsigned)n > 0xFF);
8486 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
8487 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
8488 }
8489
8490 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
8491 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
8492 {
8493 BUG_ON((unsigned)n > 0xFF);
8494 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
8495 }
8496
8497 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
8498 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
8499 {
8500 BUG_ON((unsigned)n > 0xFF);
8501 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
8502 }
8503
8504 +#ifdef CONFIG_X86_32
8505 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
8506 +{
8507 + struct desc_struct d;
8508 +
8509 + if (likely(limit))
8510 + limit = (limit - 1UL) >> PAGE_SHIFT;
8511 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
8512 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
8513 +}
8514 +#endif
8515 +
8516 #endif /* _ASM_X86_DESC_H */
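Review bot: `set_user_cs` has no comment and passes the bare constants `0xFB` and `0xC` to `pack_descriptor`. As far as I can decode them, `0xFB` is a present, DPL 3, execute/read code segment with the accessed bit set, and `0xC` selects page granularity and 32-bit default operand size; named constants or a comment saying so would make the call reviewable. A `limit` of 0 is passed through unchanged, which with page granularity still describes one 4 KiB page rather than an empty segment; note that in the comment if it is intended. The write goes through `write_gdt_entry`, whose definition is not in this hunk.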
8517 diff -urNp linux-2.6.32.46/arch/x86/include/asm/device.h linux-2.6.32.46/arch/x86/include/asm/device.h
8518 --- linux-2.6.32.46/arch/x86/include/asm/device.h 2011-03-27 14:31:47.000000000 -0400
8519 +++ linux-2.6.32.46/arch/x86/include/asm/device.h 2011-04-17 15:56:46.000000000 -0400
8520 @@ -6,7 +6,7 @@ struct dev_archdata {
8521 void *acpi_handle;
8522 #endif
8523 #ifdef CONFIG_X86_64
8524 -struct dma_map_ops *dma_ops;
8525 + const struct dma_map_ops *dma_ops;
8526 #endif
8527 #ifdef CONFIG_DMAR
8528 void *iommu; /* hook for IOMMU specific extension */
8529 diff -urNp linux-2.6.32.46/arch/x86/include/asm/dma-mapping.h linux-2.6.32.46/arch/x86/include/asm/dma-mapping.h
8530 --- linux-2.6.32.46/arch/x86/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
8531 +++ linux-2.6.32.46/arch/x86/include/asm/dma-mapping.h 2011-04-17 15:56:46.000000000 -0400
8532 @@ -25,9 +25,9 @@ extern int iommu_merge;
8533 extern struct device x86_dma_fallback_dev;
8534 extern int panic_on_overflow;
8535
8536 -extern struct dma_map_ops *dma_ops;
8537 +extern const struct dma_map_ops *dma_ops;
8538
8539 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
8540 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
8541 {
8542 #ifdef CONFIG_X86_32
8543 return dma_ops;
8544 @@ -44,7 +44,7 @@ static inline struct dma_map_ops *get_dm
8545 /* Make sure we keep the same behaviour */
8546 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
8547 {
8548 - struct dma_map_ops *ops = get_dma_ops(dev);
8549 + const struct dma_map_ops *ops = get_dma_ops(dev);
8550 if (ops->mapping_error)
8551 return ops->mapping_error(dev, dma_addr);
8552
8553 @@ -122,7 +122,7 @@ static inline void *
8554 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
8555 gfp_t gfp)
8556 {
8557 - struct dma_map_ops *ops = get_dma_ops(dev);
8558 + const struct dma_map_ops *ops = get_dma_ops(dev);
8559 void *memory;
8560
8561 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
8562 @@ -149,7 +149,7 @@ dma_alloc_coherent(struct device *dev, s
8563 static inline void dma_free_coherent(struct device *dev, size_t size,
8564 void *vaddr, dma_addr_t bus)
8565 {
8566 - struct dma_map_ops *ops = get_dma_ops(dev);
8567 + const struct dma_map_ops *ops = get_dma_ops(dev);
8568
8569 WARN_ON(irqs_disabled()); /* for portability */
8570
8571 diff -urNp linux-2.6.32.46/arch/x86/include/asm/e820.h linux-2.6.32.46/arch/x86/include/asm/e820.h
8572 --- linux-2.6.32.46/arch/x86/include/asm/e820.h 2011-03-27 14:31:47.000000000 -0400
8573 +++ linux-2.6.32.46/arch/x86/include/asm/e820.h 2011-04-17 15:56:46.000000000 -0400
8574 @@ -133,7 +133,7 @@ extern char *default_machine_specific_me
8575 #define ISA_END_ADDRESS 0x100000
8576 #define is_ISA_range(s, e) ((s) >= ISA_START_ADDRESS && (e) < ISA_END_ADDRESS)
8577
8578 -#define BIOS_BEGIN 0x000a0000
8579 +#define BIOS_BEGIN 0x000c0000
8580 #define BIOS_END 0x00100000
8581
8582 #ifdef __KERNEL__
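Review bot: `BIOS_BEGIN` moves from `0x000a0000` to `0x000c0000` with no comment. The change removes 0xa0000–0xbffff, the legacy VGA memory window, from whatever the `BIOS_BEGIN`..`BIOS_END` range is used for; the users of the macro are outside this hunk. A comment stating the intent, e.g. `/* starts above the legacy video memory at 0xa0000-0xbffff */`, would keep a later reader from reverting it.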
8583 diff -urNp linux-2.6.32.46/arch/x86/include/asm/elf.h linux-2.6.32.46/arch/x86/include/asm/elf.h
8584 --- linux-2.6.32.46/arch/x86/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
8585 +++ linux-2.6.32.46/arch/x86/include/asm/elf.h 2011-08-23 20:24:19.000000000 -0400
8586 @@ -257,7 +257,25 @@ extern int force_personality32;
8587 the loader. We need to make sure that it is out of the way of the program
8588 that it will "exec", and that there is sufficient room for the brk. */
8589
8590 +#ifdef CONFIG_PAX_SEGMEXEC
8591 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
8592 +#else
8593 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
8594 +#endif
8595 +
8596 +#ifdef CONFIG_PAX_ASLR
8597 +#ifdef CONFIG_X86_32
8598 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
8599 +
8600 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
8601 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
8602 +#else
8603 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
8604 +
8605 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
8606 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
8607 +#endif
8608 +#endif
8609
8610 /* This yields a mask that user programs can use to figure out what
8611 instruction set this CPU supports. This could be done in user space,
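Review bot: The `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` values (15, 16, `TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3`) are given without units or rationale. They look like the number of randomised bits, counted in pages, but the hunk does not say so. A comment such as `/* number of random bits in the mmap/stack base, in units of pages */` should be added once that is confirmed. Also note that `ELF_ET_DYN_BASE` now dereferences `current->mm` under `CONFIG_PAX_SEGMEXEC`, so it must only be evaluated where `current->mm` is non-NULL.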
8612 @@ -310,9 +328,7 @@ do { \
8613
8614 #define ARCH_DLINFO \
8615 do { \
8616 - if (vdso_enabled) \
8617 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
8618 - (unsigned long)current->mm->context.vdso); \
8619 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
8620 } while (0)
8621
8622 #define AT_SYSINFO 32
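Review bot: With the `if (vdso_enabled)` test removed, `ARCH_DLINFO` always emits an `AT_SYSINFO_EHDR` entry carrying `current->mm->context.vdso`. When no vDSO is mapped, the auxiliary vector will publish whatever that field holds, so confirm it is zero in that case and that user-space loaders tolerate a zero entry. Dropping the `(unsigned long)` cast presumably relies on the field having become an integer type elsewhere in the patch. If the unconditional entry is intended, a comment on the macro should say so.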
8623 @@ -323,7 +339,7 @@ do { \
8624
8625 #endif /* !CONFIG_X86_32 */
8626
8627 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
8628 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
8629
8630 #define VDSO_ENTRY \
8631 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
8632 @@ -337,7 +353,4 @@ extern int arch_setup_additional_pages(s
8633 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
8634 #define compat_arch_setup_additional_pages syscall32_setup_pages
8635
8636 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
8637 -#define arch_randomize_brk arch_randomize_brk
8638 -
8639 #endif /* _ASM_X86_ELF_H */
8640 diff -urNp linux-2.6.32.46/arch/x86/include/asm/emergency-restart.h linux-2.6.32.46/arch/x86/include/asm/emergency-restart.h
8641 --- linux-2.6.32.46/arch/x86/include/asm/emergency-restart.h 2011-03-27 14:31:47.000000000 -0400
8642 +++ linux-2.6.32.46/arch/x86/include/asm/emergency-restart.h 2011-05-22 23:02:06.000000000 -0400
8643 @@ -15,6 +15,6 @@ enum reboot_type {
8644
8645 extern enum reboot_type reboot_type;
8646
8647 -extern void machine_emergency_restart(void);
8648 +extern void machine_emergency_restart(void) __noreturn;
8649
8650 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
8651 diff -urNp linux-2.6.32.46/arch/x86/include/asm/futex.h linux-2.6.32.46/arch/x86/include/asm/futex.h
8652 --- linux-2.6.32.46/arch/x86/include/asm/futex.h 2011-03-27 14:31:47.000000000 -0400
8653 +++ linux-2.6.32.46/arch/x86/include/asm/futex.h 2011-04-17 15:56:46.000000000 -0400
8654 @@ -12,16 +12,18 @@
8655 #include <asm/system.h>
8656
8657 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
8658 + typecheck(u32 *, uaddr); \
8659 asm volatile("1:\t" insn "\n" \
8660 "2:\t.section .fixup,\"ax\"\n" \
8661 "3:\tmov\t%3, %1\n" \
8662 "\tjmp\t2b\n" \
8663 "\t.previous\n" \
8664 _ASM_EXTABLE(1b, 3b) \
8665 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
8666 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
8667 : "i" (-EFAULT), "0" (oparg), "1" (0))
8668
8669 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
8670 + typecheck(u32 *, uaddr); \
8671 asm volatile("1:\tmovl %2, %0\n" \
8672 "\tmovl\t%0, %3\n" \
8673 "\t" insn "\n" \
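Review bot: The added `typecheck(u32 *, uaddr);` line makes `__futex_atomic_op1` and `__futex_atomic_op2` expand to two separate statements, so using either macro as the unbraced body of an `if` or `else` would guard only the type check and run the asm unconditionally. The call sites visible in this file sit directly under `case` labels, so nothing breaks today. Wrapping each macro body as `do { typecheck(u32 *, uaddr); asm volatile(...); } while (0)` removes the trap for later callers. `__futex_atomic_op2` continues past the end of this hunk.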
8674 @@ -34,10 +36,10 @@
8675 _ASM_EXTABLE(1b, 4b) \
8676 _ASM_EXTABLE(2b, 4b) \
8677 : "=&a" (oldval), "=&r" (ret), \
8678 - "+m" (*uaddr), "=&r" (tem) \
8679 + "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
8680 : "r" (oparg), "i" (-EFAULT), "1" (0))
8681
8682 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
8683 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
8684 {
8685 int op = (encoded_op >> 28) & 7;
8686 int cmp = (encoded_op >> 24) & 15;
8687 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
8688
8689 switch (op) {
8690 case FUTEX_OP_SET:
8691 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
8692 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
8693 break;
8694 case FUTEX_OP_ADD:
8695 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
8696 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
8697 uaddr, oparg);
8698 break;
8699 case FUTEX_OP_OR:
8700 @@ -109,7 +111,7 @@ static inline int futex_atomic_op_inuser
8701 return ret;
8702 }
8703
8704 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
8705 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
8706 int newval)
8707 {
8708
8709 @@ -119,16 +121,16 @@ static inline int futex_atomic_cmpxchg_i
8710 return -ENOSYS;
8711 #endif
8712
8713 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
8714 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
8715 return -EFAULT;
8716
8717 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
8718 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %1\n"
8719 "2:\t.section .fixup, \"ax\"\n"
8720 "3:\tmov %2, %0\n"
8721 "\tjmp 2b\n"
8722 "\t.previous\n"
8723 _ASM_EXTABLE(1b, 3b)
8724 - : "=a" (oldval), "+m" (*uaddr)
8725 + : "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
8726 : "i" (-EFAULT), "r" (newval), "0" (oldval)
8727 : "memory"
8728 );
8729 diff -urNp linux-2.6.32.46/arch/x86/include/asm/hw_irq.h linux-2.6.32.46/arch/x86/include/asm/hw_irq.h
8730 --- linux-2.6.32.46/arch/x86/include/asm/hw_irq.h 2011-03-27 14:31:47.000000000 -0400
8731 +++ linux-2.6.32.46/arch/x86/include/asm/hw_irq.h 2011-05-04 17:56:28.000000000 -0400
8732 @@ -92,8 +92,8 @@ extern void setup_ioapic_dest(void);
8733 extern void enable_IO_APIC(void);
8734
8735 /* Statistics */
8736 -extern atomic_t irq_err_count;
8737 -extern atomic_t irq_mis_count;
8738 +extern atomic_unchecked_t irq_err_count;
8739 +extern atomic_unchecked_t irq_mis_count;
8740
8741 /* EISA */
8742 extern void eisa_set_level_irq(unsigned int irq);
8743 diff -urNp linux-2.6.32.46/arch/x86/include/asm/i387.h linux-2.6.32.46/arch/x86/include/asm/i387.h
8744 --- linux-2.6.32.46/arch/x86/include/asm/i387.h 2011-03-27 14:31:47.000000000 -0400
8745 +++ linux-2.6.32.46/arch/x86/include/asm/i387.h 2011-04-17 15:56:46.000000000 -0400
8746 @@ -60,6 +60,11 @@ static inline int fxrstor_checking(struc
8747 {
8748 int err;
8749
8750 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8751 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
8752 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
8753 +#endif
8754 +
8755 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
8756 "2:\n"
8757 ".section .fixup,\"ax\"\n"
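Review bot: The rebasing added to `fxrstor_checking()`, `fx = ... + PAX_USER_SHADOW_BASE` when the pointer is below `PAX_USER_SHADOW_BASE`, has no comment, and the same three lines are repeated in the `fxsave_user()` hunk that follows. A reader cannot tell from here why a low address is shifted rather than rejected. A short comment such as `/* UDEREF: access userland through its shadow mapping */` (wording to be confirmed against the UDEREF design) would make the intent reviewable. A shared helper for the rebasing would also keep the two copies from drifting apart. Both function bodies extend outside their hunks.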
8758 @@ -105,6 +110,11 @@ static inline int fxsave_user(struct i38
8759 {
8760 int err;
8761
8762 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8763 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
8764 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
8765 +#endif
8766 +
8767 asm volatile("1: rex64/fxsave (%[fx])\n\t"
8768 "2:\n"
8769 ".section .fixup,\"ax\"\n"
8770 @@ -195,13 +205,8 @@ static inline int fxrstor_checking(struc
8771 }
8772
8773 /* We need a safe address that is cheap to find and that is already
8774 - in L1 during context switch. The best choices are unfortunately
8775 - different for UP and SMP */
8776 -#ifdef CONFIG_SMP
8777 -#define safe_address (__per_cpu_offset[0])
8778 -#else
8779 -#define safe_address (kstat_cpu(0).cpustat.user)
8780 -#endif
8781 + in L1 during context switch. */
8782 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
8783
8784 /*
8785 * These must be called with preempt disabled
8786 @@ -291,7 +296,7 @@ static inline void kernel_fpu_begin(void
8787 struct thread_info *me = current_thread_info();
8788 preempt_disable();
8789 if (me->status & TS_USEDFPU)
8790 - __save_init_fpu(me->task);
8791 + __save_init_fpu(current);
8792 else
8793 clts();
8794 }
8795 diff -urNp linux-2.6.32.46/arch/x86/include/asm/io_32.h linux-2.6.32.46/arch/x86/include/asm/io_32.h
8796 --- linux-2.6.32.46/arch/x86/include/asm/io_32.h 2011-03-27 14:31:47.000000000 -0400
8797 +++ linux-2.6.32.46/arch/x86/include/asm/io_32.h 2011-04-17 15:56:46.000000000 -0400
8798 @@ -3,6 +3,7 @@
8799
8800 #include <linux/string.h>
8801 #include <linux/compiler.h>
8802 +#include <asm/processor.h>
8803
8804 /*
8805 * This file contains the definitions for the x86 IO instructions
8806 @@ -42,6 +43,17 @@
8807
8808 #ifdef __KERNEL__
8809
8810 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
8811 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
8812 +{
8813 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
8814 +}
8815 +
8816 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
8817 +{
8818 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
8819 +}
8820 +
8821 #include <asm-generic/iomap.h>
8822
8823 #include <linux/vmalloc.h>
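Review bot: `addr + count + PAGE_SIZE - 1` in `valid_phys_addr_range()` and `pfn + (count >> PAGE_SHIFT)` in `valid_mmap_phys_addr_range()` are computed in `unsigned long` and can wrap before the comparison, so a range running past the top of the address space could compare as small and be accepted. Whether any caller can pass such values is not visible here, but a range validator should reject wraparound itself, for example `if (addr + count < addr) return 0;` ahead of the comparison, with the equivalent check for `pfn`. The trailing `? 1 : 0` is redundant because the comparison already yields 0 or 1. The identical pair of functions added to io_64.h in the next file section has the same issue.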
8824 diff -urNp linux-2.6.32.46/arch/x86/include/asm/io_64.h linux-2.6.32.46/arch/x86/include/asm/io_64.h
8825 --- linux-2.6.32.46/arch/x86/include/asm/io_64.h 2011-03-27 14:31:47.000000000 -0400
8826 +++ linux-2.6.32.46/arch/x86/include/asm/io_64.h 2011-04-17 15:56:46.000000000 -0400
8827 @@ -140,6 +140,17 @@ __OUTS(l)
8828
8829 #include <linux/vmalloc.h>
8830
8831 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
8832 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
8833 +{
8834 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
8835 +}
8836 +
8837 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
8838 +{
8839 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
8840 +}
8841 +
8842 #include <asm-generic/iomap.h>
8843
8844 void __memcpy_fromio(void *, unsigned long, unsigned);
8845 diff -urNp linux-2.6.32.46/arch/x86/include/asm/iommu.h linux-2.6.32.46/arch/x86/include/asm/iommu.h
8846 --- linux-2.6.32.46/arch/x86/include/asm/iommu.h 2011-03-27 14:31:47.000000000 -0400
8847 +++ linux-2.6.32.46/arch/x86/include/asm/iommu.h 2011-04-17 15:56:46.000000000 -0400
8848 @@ -3,7 +3,7 @@
8849
8850 extern void pci_iommu_shutdown(void);
8851 extern void no_iommu_init(void);
8852 -extern struct dma_map_ops nommu_dma_ops;
8853 +extern const struct dma_map_ops nommu_dma_ops;
8854 extern int force_iommu, no_iommu;
8855 extern int iommu_detected;
8856 extern int iommu_pass_through;
8857 diff -urNp linux-2.6.32.46/arch/x86/include/asm/irqflags.h linux-2.6.32.46/arch/x86/include/asm/irqflags.h
8858 --- linux-2.6.32.46/arch/x86/include/asm/irqflags.h 2011-03-27 14:31:47.000000000 -0400
8859 +++ linux-2.6.32.46/arch/x86/include/asm/irqflags.h 2011-04-17 15:56:46.000000000 -0400
8860 @@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
8861 sti; \
8862 sysexit
8863
8864 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
8865 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
8866 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
8867 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
8868 +
8869 #else
8870 #define INTERRUPT_RETURN iret
8871 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
8872 diff -urNp linux-2.6.32.46/arch/x86/include/asm/kprobes.h linux-2.6.32.46/arch/x86/include/asm/kprobes.h
8873 --- linux-2.6.32.46/arch/x86/include/asm/kprobes.h 2011-03-27 14:31:47.000000000 -0400
8874 +++ linux-2.6.32.46/arch/x86/include/asm/kprobes.h 2011-04-23 12:56:12.000000000 -0400
8875 @@ -34,13 +34,8 @@ typedef u8 kprobe_opcode_t;
8876 #define BREAKPOINT_INSTRUCTION 0xcc
8877 #define RELATIVEJUMP_INSTRUCTION 0xe9
8878 #define MAX_INSN_SIZE 16
8879 -#define MAX_STACK_SIZE 64
8880 -#define MIN_STACK_SIZE(ADDR) \
8881 - (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
8882 - THREAD_SIZE - (unsigned long)(ADDR))) \
8883 - ? (MAX_STACK_SIZE) \
8884 - : (((unsigned long)current_thread_info()) + \
8885 - THREAD_SIZE - (unsigned long)(ADDR)))
8886 +#define MAX_STACK_SIZE 64UL
8887 +#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
8888
8889 #define flush_insn_slot(p) do { } while (0)
8890
8891 diff -urNp linux-2.6.32.46/arch/x86/include/asm/kvm_host.h linux-2.6.32.46/arch/x86/include/asm/kvm_host.h
8892 --- linux-2.6.32.46/arch/x86/include/asm/kvm_host.h 2011-05-10 22:12:01.000000000 -0400
8893 +++ linux-2.6.32.46/arch/x86/include/asm/kvm_host.h 2011-08-26 20:19:09.000000000 -0400
8894 @@ -534,9 +534,9 @@ struct kvm_x86_ops {
8895 bool (*gb_page_enable)(void);
8896
8897 const struct trace_print_flags *exit_reasons_str;
8898 -};
8899 +} __do_const;
8900
8901 -extern struct kvm_x86_ops *kvm_x86_ops;
8902 +extern const struct kvm_x86_ops *kvm_x86_ops;
8903
8904 int kvm_mmu_module_init(void);
8905 void kvm_mmu_module_exit(void);
8906 diff -urNp linux-2.6.32.46/arch/x86/include/asm/local.h linux-2.6.32.46/arch/x86/include/asm/local.h
8907 --- linux-2.6.32.46/arch/x86/include/asm/local.h 2011-03-27 14:31:47.000000000 -0400
8908 +++ linux-2.6.32.46/arch/x86/include/asm/local.h 2011-04-17 15:56:46.000000000 -0400
8909 @@ -18,26 +18,58 @@ typedef struct {
8910
8911 static inline void local_inc(local_t *l)
8912 {
8913 - asm volatile(_ASM_INC "%0"
8914 + asm volatile(_ASM_INC "%0\n"
8915 +
8916 +#ifdef CONFIG_PAX_REFCOUNT
8917 + "jno 0f\n"
8918 + _ASM_DEC "%0\n"
8919 + "int $4\n0:\n"
8920 + _ASM_EXTABLE(0b, 0b)
8921 +#endif
8922 +
8923 : "+m" (l->a.counter));
8924 }
8925
8926 static inline void local_dec(local_t *l)
8927 {
8928 - asm volatile(_ASM_DEC "%0"
8929 + asm volatile(_ASM_DEC "%0\n"
8930 +
8931 +#ifdef CONFIG_PAX_REFCOUNT
8932 + "jno 0f\n"
8933 + _ASM_INC "%0\n"
8934 + "int $4\n0:\n"
8935 + _ASM_EXTABLE(0b, 0b)
8936 +#endif
8937 +
8938 : "+m" (l->a.counter));
8939 }
8940
8941 static inline void local_add(long i, local_t *l)
8942 {
8943 - asm volatile(_ASM_ADD "%1,%0"
8944 + asm volatile(_ASM_ADD "%1,%0\n"
8945 +
8946 +#ifdef CONFIG_PAX_REFCOUNT
8947 + "jno 0f\n"
8948 + _ASM_SUB "%1,%0\n"
8949 + "int $4\n0:\n"
8950 + _ASM_EXTABLE(0b, 0b)
8951 +#endif
8952 +
8953 : "+m" (l->a.counter)
8954 : "ir" (i));
8955 }
8956
8957 static inline void local_sub(long i, local_t *l)
8958 {
8959 - asm volatile(_ASM_SUB "%1,%0"
8960 + asm volatile(_ASM_SUB "%1,%0\n"
8961 +
8962 +#ifdef CONFIG_PAX_REFCOUNT
8963 + "jno 0f\n"
8964 + _ASM_ADD "%1,%0\n"
8965 + "int $4\n0:\n"
8966 + _ASM_EXTABLE(0b, 0b)
8967 +#endif
8968 +
8969 : "+m" (l->a.counter)
8970 : "ir" (i));
8971 }
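Review bot: The `jno 0f` / inverse operation / `int $4` / `_ASM_EXTABLE(0b, 0b)` sequence is written out in full in all four functions of this hunk with no comment. It appears again in the `local_sub_and_test`, `local_dec_and_test`, `local_inc_and_test`, `local_add_negative` and `local_add_return` hunks below, where only the undo instruction differs. A comment at the first use, for example `/* PAX_REFCOUNT: on signed overflow, undo the operation and raise the overflow exception */`, would explain why each counter update is followed by its inverse. A single macro taking the undo instruction as its argument would keep the nine copies from diverging. Since every `local_t` update now traps on overflow, counters that are expected to wrap would need an unchecked variant, and none is visible in this file section.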
8972 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
8973 {
8974 unsigned char c;
8975
8976 - asm volatile(_ASM_SUB "%2,%0; sete %1"
8977 + asm volatile(_ASM_SUB "%2,%0\n"
8978 +
8979 +#ifdef CONFIG_PAX_REFCOUNT
8980 + "jno 0f\n"
8981 + _ASM_ADD "%2,%0\n"
8982 + "int $4\n0:\n"
8983 + _ASM_EXTABLE(0b, 0b)
8984 +#endif
8985 +
8986 + "sete %1\n"
8987 : "+m" (l->a.counter), "=qm" (c)
8988 : "ir" (i) : "memory");
8989 return c;
8990 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
8991 {
8992 unsigned char c;
8993
8994 - asm volatile(_ASM_DEC "%0; sete %1"
8995 + asm volatile(_ASM_DEC "%0\n"
8996 +
8997 +#ifdef CONFIG_PAX_REFCOUNT
8998 + "jno 0f\n"
8999 + _ASM_INC "%0\n"
9000 + "int $4\n0:\n"
9001 + _ASM_EXTABLE(0b, 0b)
9002 +#endif
9003 +
9004 + "sete %1\n"
9005 : "+m" (l->a.counter), "=qm" (c)
9006 : : "memory");
9007 return c != 0;
9008 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
9009 {
9010 unsigned char c;
9011
9012 - asm volatile(_ASM_INC "%0; sete %1"
9013 + asm volatile(_ASM_INC "%0\n"
9014 +
9015 +#ifdef CONFIG_PAX_REFCOUNT
9016 + "jno 0f\n"
9017 + _ASM_DEC "%0\n"
9018 + "int $4\n0:\n"
9019 + _ASM_EXTABLE(0b, 0b)
9020 +#endif
9021 +
9022 + "sete %1\n"
9023 : "+m" (l->a.counter), "=qm" (c)
9024 : : "memory");
9025 return c != 0;
9026 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
9027 {
9028 unsigned char c;
9029
9030 - asm volatile(_ASM_ADD "%2,%0; sets %1"
9031 + asm volatile(_ASM_ADD "%2,%0\n"
9032 +
9033 +#ifdef CONFIG_PAX_REFCOUNT
9034 + "jno 0f\n"
9035 + _ASM_SUB "%2,%0\n"
9036 + "int $4\n0:\n"
9037 + _ASM_EXTABLE(0b, 0b)
9038 +#endif
9039 +
9040 + "sets %1\n"
9041 : "+m" (l->a.counter), "=qm" (c)
9042 : "ir" (i) : "memory");
9043 return c;
9044 @@ -133,7 +201,15 @@ static inline long local_add_return(long
9045 #endif
9046 /* Modern 486+ processor */
9047 __i = i;
9048 - asm volatile(_ASM_XADD "%0, %1;"
9049 + asm volatile(_ASM_XADD "%0, %1\n"
9050 +
9051 +#ifdef CONFIG_PAX_REFCOUNT
9052 + "jno 0f\n"
9053 + _ASM_MOV "%0,%1\n"
9054 + "int $4\n0:\n"
9055 + _ASM_EXTABLE(0b, 0b)
9056 +#endif
9057 +
9058 : "+r" (i), "+m" (l->a.counter)
9059 : : "memory");
9060 return i + __i;
9061 diff -urNp linux-2.6.32.46/arch/x86/include/asm/microcode.h linux-2.6.32.46/arch/x86/include/asm/microcode.h
9062 --- linux-2.6.32.46/arch/x86/include/asm/microcode.h 2011-03-27 14:31:47.000000000 -0400
9063 +++ linux-2.6.32.46/arch/x86/include/asm/microcode.h 2011-04-17 15:56:46.000000000 -0400
9064 @@ -12,13 +12,13 @@ struct device;
9065 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
9066
9067 struct microcode_ops {
9068 - enum ucode_state (*request_microcode_user) (int cpu,
9069 + enum ucode_state (* const request_microcode_user) (int cpu,
9070 const void __user *buf, size_t size);
9071
9072 - enum ucode_state (*request_microcode_fw) (int cpu,
9073 + enum ucode_state (* const request_microcode_fw) (int cpu,
9074 struct device *device);
9075
9076 - void (*microcode_fini_cpu) (int cpu);
9077 + void (* const microcode_fini_cpu) (int cpu);
9078
9079 /*
9080 * The generic 'microcode_core' part guarantees that
9081 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
9082 extern struct ucode_cpu_info ucode_cpu_info[];
9083
9084 #ifdef CONFIG_MICROCODE_INTEL
9085 -extern struct microcode_ops * __init init_intel_microcode(void);
9086 +extern const struct microcode_ops * __init init_intel_microcode(void);
9087 #else
9088 -static inline struct microcode_ops * __init init_intel_microcode(void)
9089 +static inline const struct microcode_ops * __init init_intel_microcode(void)
9090 {
9091 return NULL;
9092 }
9093 #endif /* CONFIG_MICROCODE_INTEL */
9094
9095 #ifdef CONFIG_MICROCODE_AMD
9096 -extern struct microcode_ops * __init init_amd_microcode(void);
9097 +extern const struct microcode_ops * __init init_amd_microcode(void);
9098 #else
9099 -static inline struct microcode_ops * __init init_amd_microcode(void)
9100 +static inline const struct microcode_ops * __init init_amd_microcode(void)
9101 {
9102 return NULL;
9103 }
9104 diff -urNp linux-2.6.32.46/arch/x86/include/asm/mman.h linux-2.6.32.46/arch/x86/include/asm/mman.h
9105 --- linux-2.6.32.46/arch/x86/include/asm/mman.h 2011-03-27 14:31:47.000000000 -0400
9106 +++ linux-2.6.32.46/arch/x86/include/asm/mman.h 2011-04-17 15:56:46.000000000 -0400
9107 @@ -5,4 +5,14 @@
9108
9109 #include <asm-generic/mman.h>
9110
9111 +#ifdef __KERNEL__
9112 +#ifndef __ASSEMBLY__
9113 +#ifdef CONFIG_X86_32
9114 +#define arch_mmap_check i386_mmap_check
9115 +int i386_mmap_check(unsigned long addr, unsigned long len,
9116 + unsigned long flags);
9117 +#endif
9118 +#endif
9119 +#endif
9120 +
9121 #endif /* _ASM_X86_MMAN_H */
9122 diff -urNp linux-2.6.32.46/arch/x86/include/asm/mmu_context.h linux-2.6.32.46/arch/x86/include/asm/mmu_context.h
9123 --- linux-2.6.32.46/arch/x86/include/asm/mmu_context.h 2011-03-27 14:31:47.000000000 -0400
9124 +++ linux-2.6.32.46/arch/x86/include/asm/mmu_context.h 2011-08-23 20:24:19.000000000 -0400
9125 @@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *m
9126
9127 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
9128 {
9129 +
9130 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9131 + unsigned int i;
9132 + pgd_t *pgd;
9133 +
9134 + pax_open_kernel();
9135 + pgd = get_cpu_pgd(smp_processor_id());
9136 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
9137 + set_pgd_batched(pgd+i, native_make_pgd(0));
9138 + pax_close_kernel();
9139 +#endif
9140 +
9141 #ifdef CONFIG_SMP
9142 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
9143 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
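Review bot: The loop added to `enter_lazy_tlb()` has no comment saying what entries `USER_PGD_PTRS` through `2 * USER_PGD_PTRS - 1` of the per-CPU pgd hold or why they are zeroed on entry to lazy TLB mode. Judging by `switch_mm()` later in this file, these look like the shadow entries written by `__shadow_user_pgds()`. A comment such as `/* clear this CPU's shadow user pgd entries while no user mm is active */` (to be confirmed) would make the intent checkable. The function body continues past the end of the hunk.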
9144 @@ -34,16 +46,30 @@ static inline void switch_mm(struct mm_s
9145 struct task_struct *tsk)
9146 {
9147 unsigned cpu = smp_processor_id();
9148 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)) && defined(CONFIG_SMP)
9149 + int tlbstate = TLBSTATE_OK;
9150 +#endif
9151
9152 if (likely(prev != next)) {
9153 #ifdef CONFIG_SMP
9154 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
9155 + tlbstate = percpu_read(cpu_tlbstate.state);
9156 +#endif
9157 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
9158 percpu_write(cpu_tlbstate.active_mm, next);
9159 #endif
9160 cpumask_set_cpu(cpu, mm_cpumask(next));
9161
9162 /* Re-load page tables */
9163 +#ifdef CONFIG_PAX_PER_CPU_PGD
9164 + pax_open_kernel();
9165 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
9166 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
9167 + pax_close_kernel();
9168 + load_cr3(get_cpu_pgd(cpu));
9169 +#else
9170 load_cr3(next->pgd);
9171 +#endif
9172
9173 /* stop flush ipis for the previous mm */
9174 cpumask_clear_cpu(cpu, mm_cpumask(prev));
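Review bot: The `CONFIG_PAX_PER_CPU_PGD` sequence added under "Re-load page tables" is repeated verbatim in the `else` branch of `switch_mm()` in the next hunk, and each copy calls `get_cpu_pgd(cpu)` three times. Because this code opens a kernel write window and rewrites the live per-CPU page directory, two hand-maintained copies are an easy place for an `open`/`close` pair or the CR3 reload to get out of sync. A single static inline helper called from both branches would avoid that. The name used in the sketch below is only a suggestion.

```c
/* suggested helper; the name is a placeholder */
static inline void pax_load_cpu_pgd(unsigned cpu, struct mm_struct *next)
{
	pgd_t *pgd = get_cpu_pgd(cpu);

	pax_open_kernel();
	__clone_user_pgds(pgd, next->pgd, USER_PGD_PTRS);
	__shadow_user_pgds(pgd + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
	pax_close_kernel();
	load_cr3(pgd);
}

/* ... unchanged: tlbstate bookkeeping and cpumask_set_cpu() ... */
#ifdef CONFIG_PAX_PER_CPU_PGD
		pax_load_cpu_pgd(cpu, next);
#else
		load_cr3(next->pgd);
#endif
```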
9175 @@ -53,9 +79,38 @@ static inline void switch_mm(struct mm_s
9176 */
9177 if (unlikely(prev->context.ldt != next->context.ldt))
9178 load_LDT_nolock(&next->context);
9179 - }
9180 +
9181 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
9182 + if (!nx_enabled) {
9183 + smp_mb__before_clear_bit();
9184 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
9185 + smp_mb__after_clear_bit();
9186 + cpu_set(cpu, next->context.cpu_user_cs_mask);
9187 + }
9188 +#endif
9189 +
9190 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
9191 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
9192 + prev->context.user_cs_limit != next->context.user_cs_limit))
9193 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9194 #ifdef CONFIG_SMP
9195 + else if (unlikely(tlbstate != TLBSTATE_OK))
9196 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9197 +#endif
9198 +#endif
9199 +
9200 + }
9201 else {
9202 +
9203 +#ifdef CONFIG_PAX_PER_CPU_PGD
9204 + pax_open_kernel();
9205 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
9206 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
9207 + pax_close_kernel();
9208 + load_cr3(get_cpu_pgd(cpu));
9209 +#endif
9210 +
9211 +#ifdef CONFIG_SMP
9212 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
9213 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
9214
9215 @@ -64,11 +119,28 @@ static inline void switch_mm(struct mm_s
9216 * tlb flush IPI delivery. We must reload CR3
9217 * to make sure to use no freed page tables.
9218 */
9219 +
9220 +#ifndef CONFIG_PAX_PER_CPU_PGD
9221 load_cr3(next->pgd);
9222 +#endif
9223 +
9224 load_LDT_nolock(&next->context);
9225 +
9226 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
9227 + if (!nx_enabled)
9228 + cpu_set(cpu, next->context.cpu_user_cs_mask);
9229 +#endif
9230 +
9231 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
9232 +#ifdef CONFIG_PAX_PAGEEXEC
9233 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
9234 +#endif
9235 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9236 +#endif
9237 +
9238 }
9239 - }
9240 #endif
9241 + }
9242 }
9243
9244 #define activate_mm(prev, next) \
9245 diff -urNp linux-2.6.32.46/arch/x86/include/asm/mmu.h linux-2.6.32.46/arch/x86/include/asm/mmu.h
9246 --- linux-2.6.32.46/arch/x86/include/asm/mmu.h 2011-03-27 14:31:47.000000000 -0400
9247 +++ linux-2.6.32.46/arch/x86/include/asm/mmu.h 2011-04-17 15:56:46.000000000 -0400
9248 @@ -9,10 +9,23 @@
9249 * we put the segment information here.
9250 */
9251 typedef struct {
9252 - void *ldt;
9253 + struct desc_struct *ldt;
9254 int size;
9255 struct mutex lock;
9256 - void *vdso;
9257 + unsigned long vdso;
9258 +
9259 +#ifdef CONFIG_X86_32
9260 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
9261 + unsigned long user_cs_base;
9262 + unsigned long user_cs_limit;
9263 +
9264 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
9265 + cpumask_t cpu_user_cs_mask;
9266 +#endif
9267 +
9268 +#endif
9269 +#endif
9270 +
9271 } mm_context_t;
9272
9273 #ifdef CONFIG_SMP
9274 diff -urNp linux-2.6.32.46/arch/x86/include/asm/module.h linux-2.6.32.46/arch/x86/include/asm/module.h
9275 --- linux-2.6.32.46/arch/x86/include/asm/module.h 2011-03-27 14:31:47.000000000 -0400
9276 +++ linux-2.6.32.46/arch/x86/include/asm/module.h 2011-04-23 13:18:57.000000000 -0400
9277 @@ -5,6 +5,7 @@
9278
9279 #ifdef CONFIG_X86_64
9280 /* X86_64 does not define MODULE_PROC_FAMILY */
9281 +#define MODULE_PROC_FAMILY ""
9282 #elif defined CONFIG_M386
9283 #define MODULE_PROC_FAMILY "386 "
9284 #elif defined CONFIG_M486
9285 @@ -59,13 +60,36 @@
9286 #error unknown processor family
9287 #endif
9288
9289 -#ifdef CONFIG_X86_32
9290 -# ifdef CONFIG_4KSTACKS
9291 -# define MODULE_STACKSIZE "4KSTACKS "
9292 -# else
9293 -# define MODULE_STACKSIZE ""
9294 -# endif
9295 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
9296 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9297 +#define MODULE_PAX_UDEREF "UDEREF "
9298 +#else
9299 +#define MODULE_PAX_UDEREF ""
9300 +#endif
9301 +
9302 +#ifdef CONFIG_PAX_KERNEXEC
9303 +#define MODULE_PAX_KERNEXEC "KERNEXEC "
9304 +#else
9305 +#define MODULE_PAX_KERNEXEC ""
9306 +#endif
9307 +
9308 +#ifdef CONFIG_PAX_REFCOUNT
9309 +#define MODULE_PAX_REFCOUNT "REFCOUNT "
9310 +#else
9311 +#define MODULE_PAX_REFCOUNT ""
9312 #endif
9313
9314 +#if defined(CONFIG_X86_32) && defined(CONFIG_4KSTACKS)
9315 +#define MODULE_STACKSIZE "4KSTACKS "
9316 +#else
9317 +#define MODULE_STACKSIZE ""
9318 +#endif
9319 +
9320 +#ifdef CONFIG_GRKERNSEC
9321 +#define MODULE_GRSEC "GRSECURITY "
9322 +#else
9323 +#define MODULE_GRSEC ""
9324 +#endif
9325 +
9326 +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT
9327 +
9328 #endif /* _ASM_X86_MODULE_H */
9329 diff -urNp linux-2.6.32.46/arch/x86/include/asm/page_64_types.h linux-2.6.32.46/arch/x86/include/asm/page_64_types.h
9330 --- linux-2.6.32.46/arch/x86/include/asm/page_64_types.h 2011-03-27 14:31:47.000000000 -0400
9331 +++ linux-2.6.32.46/arch/x86/include/asm/page_64_types.h 2011-04-17 15:56:46.000000000 -0400
9332 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
9333
9334 /* duplicated to the one in bootmem.h */
9335 extern unsigned long max_pfn;
9336 -extern unsigned long phys_base;
9337 +extern const unsigned long phys_base;
9338
9339 extern unsigned long __phys_addr(unsigned long);
9340 #define __phys_reloc_hide(x) (x)
9341 diff -urNp linux-2.6.32.46/arch/x86/include/asm/paravirt.h linux-2.6.32.46/arch/x86/include/asm/paravirt.h
9342 --- linux-2.6.32.46/arch/x86/include/asm/paravirt.h 2011-03-27 14:31:47.000000000 -0400
9343 +++ linux-2.6.32.46/arch/x86/include/asm/paravirt.h 2011-08-23 21:36:48.000000000 -0400
9344 @@ -648,6 +648,18 @@ static inline void set_pgd(pgd_t *pgdp,
9345 val);
9346 }
9347
9348 +static inline void set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
9349 +{
9350 + pgdval_t val = native_pgd_val(pgd);
9351 +
9352 + if (sizeof(pgdval_t) > sizeof(long))
9353 + PVOP_VCALL3(pv_mmu_ops.set_pgd_batched, pgdp,
9354 + val, (u64)val >> 32);
9355 + else
9356 + PVOP_VCALL2(pv_mmu_ops.set_pgd_batched, pgdp,
9357 + val);
9358 +}
9359 +
9360 static inline void pgd_clear(pgd_t *pgdp)
9361 {
9362 set_pgd(pgdp, __pgd(0));
9363 @@ -729,6 +741,21 @@ static inline void __set_fixmap(unsigned
9364 pv_mmu_ops.set_fixmap(idx, phys, flags);
9365 }
9366
9367 +#ifdef CONFIG_PAX_KERNEXEC
9368 +static inline unsigned long pax_open_kernel(void)
9369 +{
9370 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
9371 +}
9372 +
9373 +static inline unsigned long pax_close_kernel(void)
9374 +{
9375 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
9376 +}
9377 +#else
9378 +static inline unsigned long pax_open_kernel(void) { return 0; }
9379 +static inline unsigned long pax_close_kernel(void) { return 0; }
9380 +#endif
9381 +
9382 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
9383
9384 static inline int __raw_spin_is_locked(struct raw_spinlock *lock)
9385 @@ -945,7 +972,7 @@ extern void default_banner(void);
9386
9387 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
9388 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
9389 -#define PARA_INDIRECT(addr) *%cs:addr
9390 +#define PARA_INDIRECT(addr) *%ss:addr
9391 #endif
9392
9393 #define INTERRUPT_RETURN \
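Review bot: Changing `PARA_INDIRECT` from a `%cs` to a `%ss` segment override alters how every 32-bit paravirt indirect call in assembly reads its target pointer, yet the line carries no comment. Presumably the override moves because the kernel code segment can no longer be relied on to address the pv ops tables under this patch, but that is not stated anywhere in the hunk. A one-line comment above the define, for example `/* read the ops pointer through %ss: %cs may not cover kernel data */` (to be confirmed), would stop a later cleanup from reverting it as an apparent typo.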
9394 @@ -1022,6 +1049,21 @@ extern void default_banner(void);
9395 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
9396 CLBR_NONE, \
9397 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
9398 +
9399 +#define GET_CR0_INTO_RDI \
9400 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
9401 + mov %rax,%rdi
9402 +
9403 +#define SET_RDI_INTO_CR0 \
9404 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
9405 +
9406 +#define GET_CR3_INTO_RDI \
9407 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
9408 + mov %rax,%rdi
9409 +
9410 +#define SET_RDI_INTO_CR3 \
9411 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
9412 +
9413 #endif /* CONFIG_X86_32 */
9414
9415 #endif /* __ASSEMBLY__ */
9416 diff -urNp linux-2.6.32.46/arch/x86/include/asm/paravirt_types.h linux-2.6.32.46/arch/x86/include/asm/paravirt_types.h
9417 --- linux-2.6.32.46/arch/x86/include/asm/paravirt_types.h 2011-03-27 14:31:47.000000000 -0400
9418 +++ linux-2.6.32.46/arch/x86/include/asm/paravirt_types.h 2011-08-23 20:24:19.000000000 -0400
9419 @@ -78,19 +78,19 @@ struct pv_init_ops {
9420 */
9421 unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
9422 unsigned long addr, unsigned len);
9423 -};
9424 +} __no_const;
9425
9426
9427 struct pv_lazy_ops {
9428 /* Set deferred update mode, used for batching operations. */
9429 void (*enter)(void);
9430 void (*leave)(void);
9431 -};
9432 +} __no_const;
9433
9434 struct pv_time_ops {
9435 unsigned long long (*sched_clock)(void);
9436 unsigned long (*get_tsc_khz)(void);
9437 -};
9438 +} __no_const;
9439
9440 struct pv_cpu_ops {
9441 /* hooks for various privileged instructions */
9442 @@ -186,7 +186,7 @@ struct pv_cpu_ops {
9443
9444 void (*start_context_switch)(struct task_struct *prev);
9445 void (*end_context_switch)(struct task_struct *next);
9446 -};
9447 +} __no_const;
9448
9449 struct pv_irq_ops {
9450 /*
9451 @@ -217,7 +217,7 @@ struct pv_apic_ops {
9452 unsigned long start_eip,
9453 unsigned long start_esp);
9454 #endif
9455 -};
9456 +} __no_const;
9457
9458 struct pv_mmu_ops {
9459 unsigned long (*read_cr2)(void);
9460 @@ -301,6 +301,7 @@ struct pv_mmu_ops {
9461 struct paravirt_callee_save make_pud;
9462
9463 void (*set_pgd)(pgd_t *pudp, pgd_t pgdval);
9464 + void (*set_pgd_batched)(pgd_t *pudp, pgd_t pgdval);
9465 #endif /* PAGETABLE_LEVELS == 4 */
9466 #endif /* PAGETABLE_LEVELS >= 3 */
9467
9468 @@ -316,6 +317,12 @@ struct pv_mmu_ops {
9469 an mfn. We can tell which is which from the index. */
9470 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
9471 phys_addr_t phys, pgprot_t flags);
9472 +
9473 +#ifdef CONFIG_PAX_KERNEXEC
9474 + unsigned long (*pax_open_kernel)(void);
9475 + unsigned long (*pax_close_kernel)(void);
9476 +#endif
9477 +
9478 };
9479
9480 struct raw_spinlock;
9481 @@ -326,7 +333,7 @@ struct pv_lock_ops {
9482 void (*spin_lock_flags)(struct raw_spinlock *lock, unsigned long flags);
9483 int (*spin_trylock)(struct raw_spinlock *lock);
9484 void (*spin_unlock)(struct raw_spinlock *lock);
9485 -};
9486 +} __no_const;
9487
9488 /* This contains all the paravirt structures: we get a convenient
9489 * number for each function using the offset which we use to indicate
9490 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pci_x86.h linux-2.6.32.46/arch/x86/include/asm/pci_x86.h
9491 --- linux-2.6.32.46/arch/x86/include/asm/pci_x86.h 2011-03-27 14:31:47.000000000 -0400
9492 +++ linux-2.6.32.46/arch/x86/include/asm/pci_x86.h 2011-04-17 15:56:46.000000000 -0400
9493 @@ -89,16 +89,16 @@ extern int (*pcibios_enable_irq)(struct
9494 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
9495
9496 struct pci_raw_ops {
9497 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
9498 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
9499 int reg, int len, u32 *val);
9500 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
9501 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
9502 int reg, int len, u32 val);
9503 };
9504
9505 -extern struct pci_raw_ops *raw_pci_ops;
9506 -extern struct pci_raw_ops *raw_pci_ext_ops;
9507 +extern const struct pci_raw_ops *raw_pci_ops;
9508 +extern const struct pci_raw_ops *raw_pci_ext_ops;
9509
9510 -extern struct pci_raw_ops pci_direct_conf1;
9511 +extern const struct pci_raw_ops pci_direct_conf1;
9512 extern bool port_cf9_safe;
9513
9514 /* arch_initcall level */
9515 diff -urNp linux-2.6.32.46/arch/x86/include/asm/percpu.h linux-2.6.32.46/arch/x86/include/asm/percpu.h
9516 --- linux-2.6.32.46/arch/x86/include/asm/percpu.h 2011-03-27 14:31:47.000000000 -0400
9517 +++ linux-2.6.32.46/arch/x86/include/asm/percpu.h 2011-08-17 19:33:59.000000000 -0400
9518 @@ -78,6 +78,7 @@ do { \
9519 if (0) { \
9520 T__ tmp__; \
9521 tmp__ = (val); \
9522 + (void)tmp__; \
9523 } \
9524 switch (sizeof(var)) { \
9525 case 1: \
9526 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgalloc.h linux-2.6.32.46/arch/x86/include/asm/pgalloc.h
9527 --- linux-2.6.32.46/arch/x86/include/asm/pgalloc.h 2011-03-27 14:31:47.000000000 -0400
9528 +++ linux-2.6.32.46/arch/x86/include/asm/pgalloc.h 2011-04-17 15:56:46.000000000 -0400
9529 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
9530 pmd_t *pmd, pte_t *pte)
9531 {
9532 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
9533 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
9534 +}
9535 +
9536 +static inline void pmd_populate_user(struct mm_struct *mm,
9537 + pmd_t *pmd, pte_t *pte)
9538 +{
9539 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
9540 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
9541 }
9542
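Review bot: Nothing in this hunk tells a caller which of the two populate helpers to use, and their bodies differ only in the flag passed to `set_pmd()`: pmd_populate_kernel() now installs `_KERNPG_TABLE`, while the new pmd_populate_user() keeps `_PAGE_TABLE`. Picking the wrong one is silent, and in one direction it leaves a kernel page table marked user-accessible. I would add a one-line comment above each, for example `/* kernel mappings only: the pmd entry is installed without _PAGE_USER */` and `/* user mappings: the pmd entry carries _PAGE_USER */`. The signature of pmd_populate_kernel() starts outside this hunk.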
9543 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable-2level.h linux-2.6.32.46/arch/x86/include/asm/pgtable-2level.h
9544 --- linux-2.6.32.46/arch/x86/include/asm/pgtable-2level.h 2011-03-27 14:31:47.000000000 -0400
9545 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable-2level.h 2011-04-17 15:56:46.000000000 -0400
9546 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
9547
9548 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9549 {
9550 + pax_open_kernel();
9551 *pmdp = pmd;
9552 + pax_close_kernel();
9553 }
9554
9555 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
9556 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_32.h linux-2.6.32.46/arch/x86/include/asm/pgtable_32.h
9557 --- linux-2.6.32.46/arch/x86/include/asm/pgtable_32.h 2011-03-27 14:31:47.000000000 -0400
9558 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable_32.h 2011-04-17 15:56:46.000000000 -0400
9559 @@ -26,9 +26,6 @@
9560 struct mm_struct;
9561 struct vm_area_struct;
9562
9563 -extern pgd_t swapper_pg_dir[1024];
9564 -extern pgd_t trampoline_pg_dir[1024];
9565 -
9566 static inline void pgtable_cache_init(void) { }
9567 static inline void check_pgt_cache(void) { }
9568 void paging_init(void);
9569 @@ -49,6 +46,12 @@ extern void set_pmd_pfn(unsigned long, u
9570 # include <asm/pgtable-2level.h>
9571 #endif
9572
9573 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
9574 +extern pgd_t trampoline_pg_dir[PTRS_PER_PGD];
9575 +#ifdef CONFIG_X86_PAE
9576 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
9577 +#endif
9578 +
9579 #if defined(CONFIG_HIGHPTE)
9580 #define __KM_PTE \
9581 (in_nmi() ? KM_NMI_PTE : \
9582 @@ -73,7 +76,9 @@ extern void set_pmd_pfn(unsigned long, u
9583 /* Clear a kernel PTE and flush it from the TLB */
9584 #define kpte_clear_flush(ptep, vaddr) \
9585 do { \
9586 + pax_open_kernel(); \
9587 pte_clear(&init_mm, (vaddr), (ptep)); \
9588 + pax_close_kernel(); \
9589 __flush_tlb_one((vaddr)); \
9590 } while (0)
9591
9592 @@ -85,6 +90,9 @@ do { \
9593
9594 #endif /* !__ASSEMBLY__ */
9595
9596 +#define HAVE_ARCH_UNMAPPED_AREA
9597 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
9598 +
9599 /*
9600 * kern_addr_valid() is (1) for FLATMEM and (0) for
9601 * SPARSEMEM and DISCONTIGMEM
9602 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_32_types.h linux-2.6.32.46/arch/x86/include/asm/pgtable_32_types.h
9603 --- linux-2.6.32.46/arch/x86/include/asm/pgtable_32_types.h 2011-03-27 14:31:47.000000000 -0400
9604 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable_32_types.h 2011-04-17 15:56:46.000000000 -0400
9605 @@ -8,7 +8,7 @@
9606 */
9607 #ifdef CONFIG_X86_PAE
9608 # include <asm/pgtable-3level_types.h>
9609 -# define PMD_SIZE (1UL << PMD_SHIFT)
9610 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
9611 # define PMD_MASK (~(PMD_SIZE - 1))
9612 #else
9613 # include <asm/pgtable-2level_types.h>
9614 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
9615 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
9616 #endif
9617
9618 +#ifdef CONFIG_PAX_KERNEXEC
9619 +#ifndef __ASSEMBLY__
9620 +extern unsigned char MODULES_EXEC_VADDR[];
9621 +extern unsigned char MODULES_EXEC_END[];
9622 +#endif
9623 +#include <asm/boot.h>
9624 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
9625 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
9626 +#else
9627 +#define ktla_ktva(addr) (addr)
9628 +#define ktva_ktla(addr) (addr)
9629 +#endif
9630 +
9631 #define MODULES_VADDR VMALLOC_START
9632 #define MODULES_END VMALLOC_END
9633 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
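Review bot: The KERNEXEC variants of `ktla_ktva` and `ktva_ktla` expand `addr` without parentheses, so an argument containing an operator that binds less tightly than `+` (for example `x & mask`) is regrouped by the expansion. The usual form is `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. The identity versions in the `#else` branch are fine as written. A short comment saying what the two address spaces are would also help, since the names are not self-explanatory.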
9634 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable-3level.h linux-2.6.32.46/arch/x86/include/asm/pgtable-3level.h
9635 --- linux-2.6.32.46/arch/x86/include/asm/pgtable-3level.h 2011-03-27 14:31:47.000000000 -0400
9636 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable-3level.h 2011-04-17 15:56:46.000000000 -0400
9637 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
9638
9639 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9640 {
9641 + pax_open_kernel();
9642 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
9643 + pax_close_kernel();
9644 }
9645
9646 static inline void native_set_pud(pud_t *pudp, pud_t pud)
9647 {
9648 + pax_open_kernel();
9649 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
9650 + pax_close_kernel();
9651 }
9652
9653 /*
9654 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_64.h linux-2.6.32.46/arch/x86/include/asm/pgtable_64.h
9655 --- linux-2.6.32.46/arch/x86/include/asm/pgtable_64.h 2011-03-27 14:31:47.000000000 -0400
9656 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable_64.h 2011-08-23 20:24:19.000000000 -0400
9657 @@ -16,10 +16,13 @@
9658
9659 extern pud_t level3_kernel_pgt[512];
9660 extern pud_t level3_ident_pgt[512];
9661 +extern pud_t level3_vmalloc_pgt[512];
9662 +extern pud_t level3_vmemmap_pgt[512];
9663 +extern pud_t level2_vmemmap_pgt[512];
9664 extern pmd_t level2_kernel_pgt[512];
9665 extern pmd_t level2_fixmap_pgt[512];
9666 -extern pmd_t level2_ident_pgt[512];
9667 -extern pgd_t init_level4_pgt[];
9668 +extern pmd_t level2_ident_pgt[512*2];
9669 +extern pgd_t init_level4_pgt[512];
9670
9671 #define swapper_pg_dir init_level4_pgt
9672
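Review bot: `level2_vmemmap_pgt` is declared as `pud_t[512]`, although every other `level2_*` table in this block is `pmd_t`. It looks like a copy of the `level3_vmemmap_pgt` line above it and should probably read `extern pmd_t level2_vmemmap_pgt[512];`. The definition is outside this hunk, so check it against that. The new array bounds could also use `PTRS_PER_PGD`, `PTRS_PER_PUD` and `2 * PTRS_PER_PMD` instead of the literals `512` and `512*2`, so that the sizes stay tied to the paging constants.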
9673 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
9674
9675 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9676 {
9677 + pax_open_kernel();
9678 *pmdp = pmd;
9679 + pax_close_kernel();
9680 }
9681
9682 static inline void native_pmd_clear(pmd_t *pmd)
9683 @@ -94,6 +99,13 @@ static inline void native_pud_clear(pud_
9684
9685 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
9686 {
9687 + pax_open_kernel();
9688 + *pgdp = pgd;
9689 + pax_close_kernel();
9690 +}
9691 +
9692 +static inline void native_set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
9693 +{
9694 *pgdp = pgd;
9695 }
9696
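Review bot: native_set_pgd_batched() performs the same store as native_set_pgd() but without the `pax_open_kernel()`/`pax_close_kernel()` bracket, and nothing here states that the caller has to provide it. Presumably the batched variant is meant for loops that open the window once around many stores. That contract should be written down, for example `/* caller must already be inside a pax_open_kernel()/pax_close_kernel() section */` above the function. Without the comment the two helpers look interchangeable.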
9697 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_64_types.h linux-2.6.32.46/arch/x86/include/asm/pgtable_64_types.h
9698 --- linux-2.6.32.46/arch/x86/include/asm/pgtable_64_types.h 2011-03-27 14:31:47.000000000 -0400
9699 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable_64_types.h 2011-04-17 15:56:46.000000000 -0400
9700 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
9701 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
9702 #define MODULES_END _AC(0xffffffffff000000, UL)
9703 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
9704 +#define MODULES_EXEC_VADDR MODULES_VADDR
9705 +#define MODULES_EXEC_END MODULES_END
9706 +
9707 +#define ktla_ktva(addr) (addr)
9708 +#define ktva_ktla(addr) (addr)
9709
9710 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
9711 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable.h linux-2.6.32.46/arch/x86/include/asm/pgtable.h
9712 --- linux-2.6.32.46/arch/x86/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
9713 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable.h 2011-08-23 20:24:19.000000000 -0400
9714 @@ -39,6 +39,7 @@ extern struct list_head pgd_list;
9715
9716 #ifndef __PAGETABLE_PUD_FOLDED
9717 #define set_pgd(pgdp, pgd) native_set_pgd(pgdp, pgd)
9718 +#define set_pgd_batched(pgdp, pgd) native_set_pgd_batched(pgdp, pgd)
9719 #define pgd_clear(pgd) native_pgd_clear(pgd)
9720 #endif
9721
9722 @@ -74,12 +75,51 @@ extern struct list_head pgd_list;
9723
9724 #define arch_end_context_switch(prev) do {} while(0)
9725
9726 +#define pax_open_kernel() native_pax_open_kernel()
9727 +#define pax_close_kernel() native_pax_close_kernel()
9728 #endif /* CONFIG_PARAVIRT */
9729
9730 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
9731 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
9732 +
9733 +#ifdef CONFIG_PAX_KERNEXEC
9734 +static inline unsigned long native_pax_open_kernel(void)
9735 +{
9736 + unsigned long cr0;
9737 +
9738 + preempt_disable();
9739 + barrier();
9740 + cr0 = read_cr0() ^ X86_CR0_WP;
9741 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
9742 + write_cr0(cr0);
9743 + return cr0 ^ X86_CR0_WP;
9744 +}
9745 +
9746 +static inline unsigned long native_pax_close_kernel(void)
9747 +{
9748 + unsigned long cr0;
9749 +
9750 + cr0 = read_cr0() ^ X86_CR0_WP;
9751 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
9752 + write_cr0(cr0);
9753 + barrier();
9754 + preempt_enable_no_resched();
9755 + return cr0 ^ X86_CR0_WP;
9756 +}
9757 +#else
9758 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
9759 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
9760 +#endif
9761 +
9762 /*
9763 * The following only work if pte_present() is true.
9764 * Undefined behaviour if not..
9765 */
9766 +static inline int pte_user(pte_t pte)
9767 +{
9768 + return pte_val(pte) & _PAGE_USER;
9769 +}
9770 +
9771 static inline int pte_dirty(pte_t pte)
9772 {
9773 return pte_flags(pte) & _PAGE_DIRTY;
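Review bot: native_pax_open_kernel() and native_pax_close_kernel() have no comment describing their contract, and the BUG_ON checks make the pair non-nestable: a second open while CR0.WP is already clear trips `BUG_ON(unlikely(cr0 & X86_CR0_WP))`. A header comment should say that the pair must be balanced and must not be nested, that preemption is disabled between the two calls, and that the window should be kept as short as possible because kernel write protection is off on that CPU for its duration. Only preemption is disabled, not interrupts, so the comment should also say whether interrupt handlers are expected to run inside the window. Separately, pte_user() uses `pte_val(pte)` where the neighbouring pte_dirty() uses `pte_flags(pte)`; `return pte_flags(pte) & _PAGE_USER;` would match the rest of the file.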
9774 @@ -167,9 +207,29 @@ static inline pte_t pte_wrprotect(pte_t
9775 return pte_clear_flags(pte, _PAGE_RW);
9776 }
9777
9778 +static inline pte_t pte_mkread(pte_t pte)
9779 +{
9780 + return __pte(pte_val(pte) | _PAGE_USER);
9781 +}
9782 +
9783 static inline pte_t pte_mkexec(pte_t pte)
9784 {
9785 - return pte_clear_flags(pte, _PAGE_NX);
9786 +#ifdef CONFIG_X86_PAE
9787 + if (__supported_pte_mask & _PAGE_NX)
9788 + return pte_clear_flags(pte, _PAGE_NX);
9789 + else
9790 +#endif
9791 + return pte_set_flags(pte, _PAGE_USER);
9792 +}
9793 +
9794 +static inline pte_t pte_exprotect(pte_t pte)
9795 +{
9796 +#ifdef CONFIG_X86_PAE
9797 + if (__supported_pte_mask & _PAGE_NX)
9798 + return pte_set_flags(pte, _PAGE_NX);
9799 + else
9800 +#endif
9801 + return pte_clear_flags(pte, _PAGE_USER);
9802 }
9803
9804 static inline pte_t pte_mkdirty(pte_t pte)
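Review bot: In pte_mkexec() and pte_exprotect() the `else` sits inside `#ifdef CONFIG_X86_PAE` and its body is the `return` that follows `#endif`, which is easy to break with a later edit; wrapping each branch in braces would make the pairing explicit. The fallback branch also uses `_PAGE_USER` as the executability marker without any comment, which is surprising for a helper named after exec permission. A line such as `/* no hardware NX: executability is tracked through _PAGE_USER (confirm against the PAGEEXEC fault handler) */` would record the intent. For consistency, pte_mkread() could use `return pte_set_flags(pte, _PAGE_USER);` like the other helpers instead of `__pte(pte_val(pte) | _PAGE_USER)`.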
9805 @@ -302,6 +362,15 @@ pte_t *populate_extra_pte(unsigned long
9806 #endif
9807
9808 #ifndef __ASSEMBLY__
9809 +
9810 +#ifdef CONFIG_PAX_PER_CPU_PGD
9811 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
9812 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
9813 +{
9814 + return cpu_pgd[cpu];
9815 +}
9816 +#endif
9817 +
9818 #include <linux/mm_types.h>
9819
9820 static inline int pte_none(pte_t pte)
9821 @@ -472,7 +541,7 @@ static inline pud_t *pud_offset(pgd_t *p
9822
9823 static inline int pgd_bad(pgd_t pgd)
9824 {
9825 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
9826 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
9827 }
9828
9829 static inline int pgd_none(pgd_t pgd)
9830 @@ -495,7 +564,12 @@ static inline int pgd_none(pgd_t pgd)
9831 * pgd_offset() returns a (pgd_t *)
9832 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
9833 */
9834 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
9835 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
9836 +
9837 +#ifdef CONFIG_PAX_PER_CPU_PGD
9838 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
9839 +#endif
9840 +
9841 /*
9842 * a shortcut which implies the use of the kernel's pgd, instead
9843 * of a process's
9844 @@ -506,6 +580,20 @@ static inline int pgd_none(pgd_t pgd)
9845 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
9846 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
9847
9848 +#ifdef CONFIG_X86_32
9849 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
9850 +#else
9851 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
9852 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
9853 +
9854 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9855 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
9856 +#else
9857 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
9858 +#endif
9859 +
9860 +#endif
9861 +
9862 #ifndef __ASSEMBLY__
9863
9864 extern int direct_gbpages;
9865 @@ -611,11 +699,23 @@ static inline void ptep_set_wrprotect(st
9866 * dst and src can be on the same page, but the range must not overlap,
9867 * and must not cross a page boundary.
9868 */
9869 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
9870 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
9871 {
9872 - memcpy(dst, src, count * sizeof(pgd_t));
9873 + pax_open_kernel();
9874 + while (count--)
9875 + *dst++ = *src++;
9876 + pax_close_kernel();
9877 }
9878
9879 +#ifdef CONFIG_PAX_PER_CPU_PGD
9880 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
9881 +#endif
9882 +
9883 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9884 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
9885 +#else
9886 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
9887 +#endif
9888
9889 #include <asm-generic/pgtable.h>
9890 #endif /* __ASSEMBLY__ */
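Review bot: `count` is a signed int and the new loop `while (count--)` does not stop at zero for a negative count, so a bad value walks past both buffers while the pax_open_kernel() window is open. `while (count-- > 0)` behaves the same for valid input and turns a negative count into a no-op. The replaced memcpy() had a similar exposure through `count * sizeof(pgd_t)`, so this is not a regression, but the write now happens with kernel write protection lifted. The empty inline stub for __shadow_user_pgds() would also benefit from a one-line comment saying that it is intentionally a no-op when UDEREF is off.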
9891 diff -urNp linux-2.6.32.46/arch/x86/include/asm/pgtable_types.h linux-2.6.32.46/arch/x86/include/asm/pgtable_types.h
9892 --- linux-2.6.32.46/arch/x86/include/asm/pgtable_types.h 2011-03-27 14:31:47.000000000 -0400
9893 +++ linux-2.6.32.46/arch/x86/include/asm/pgtable_types.h 2011-04-17 15:56:46.000000000 -0400
9894 @@ -16,12 +16,11 @@
9895 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
9896 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
9897 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
9898 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
9899 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
9900 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
9901 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
9902 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
9903 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
9904 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
9905 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
9906 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
9907
9908 /* If _PAGE_BIT_PRESENT is clear, we use these: */
9909 @@ -39,7 +38,6 @@
9910 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
9911 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
9912 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
9913 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
9914 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
9915 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
9916 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
9917 @@ -55,8 +53,10 @@
9918
9919 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
9920 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
9921 -#else
9922 +#elif defined(CONFIG_KMEMCHECK)
9923 #define _PAGE_NX (_AT(pteval_t, 0))
9924 +#else
9925 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
9926 #endif
9927
9928 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
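Review bot: On 32-bit non-PAE builds without KMEMCHECK, `_PAGE_NX` stops being 0 and becomes `_PAGE_BIT_HIDDEN` (bit 11, described earlier in this file as "hidden by kmemcheck"), and no comment explains the reuse or why KMEMCHECK is excluded. In that configuration every `| _PAGE_NX` and `& ~_PAGE_NX` now touches bit 11, including `__PAGE_KERNEL` further down and the widened mask in pgd_bad() in pgtable.h. I would add a comment on the new `#else` branch, for example `/* no hardware NX: software marker borrowed from the kmemcheck HIDDEN bit, hence the KMEMCHECK exclusion */`. The existing remark on `_PAGE_BIT_NX` ("only valid after cpuid check") no longer covers this case.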
9929 @@ -93,6 +93,9 @@
9930 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
9931 _PAGE_ACCESSED)
9932
9933 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
9934 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
9935 +
9936 #define __PAGE_KERNEL_EXEC \
9937 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
9938 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
9939 @@ -103,8 +106,8 @@
9940 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
9941 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
9942 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
9943 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
9944 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
9945 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
9946 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
9947 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
9948 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
9949 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
9950 @@ -163,8 +166,8 @@
9951 * bits are combined, this will alow user to access the high address mapped
9952 * VDSO in the presence of CONFIG_COMPAT_VDSO
9953 */
9954 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
9955 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
9956 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
9957 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
9958 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
9959 #endif
9960
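Review bot: The comment directly above these defines still explains that the combined bits allow user access to the high-mapped VDSO under CONFIG_COMPAT_VDSO, but `PDE_IDENT_ATTR` no longer contains USER (0x067 becomes 0x063), so the comment now describes behaviour the values do not provide. It should be updated to say that USER is dropped on purpose and, if COMPAT_VDSO relied on it, that the option is not expected to work with this change; the second part is not visible here and needs confirming. That comment begins outside this hunk.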
9961 @@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
9962 {
9963 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
9964 }
9965 +#endif
9966
9967 +#if PAGETABLE_LEVELS == 3
9968 +#include <asm-generic/pgtable-nopud.h>
9969 +#endif
9970 +
9971 +#if PAGETABLE_LEVELS == 2
9972 +#include <asm-generic/pgtable-nopmd.h>
9973 +#endif
9974 +
9975 +#ifndef __ASSEMBLY__
9976 #if PAGETABLE_LEVELS > 3
9977 typedef struct { pudval_t pud; } pud_t;
9978
9979 @@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
9980 return pud.pud;
9981 }
9982 #else
9983 -#include <asm-generic/pgtable-nopud.h>
9984 -
9985 static inline pudval_t native_pud_val(pud_t pud)
9986 {
9987 return native_pgd_val(pud.pgd);
9988 @@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
9989 return pmd.pmd;
9990 }
9991 #else
9992 -#include <asm-generic/pgtable-nopmd.h>
9993 -
9994 static inline pmdval_t native_pmd_val(pmd_t pmd)
9995 {
9996 return native_pgd_val(pmd.pud.pgd);
9997 @@ -278,7 +287,16 @@ typedef struct page *pgtable_t;
9998
9999 extern pteval_t __supported_pte_mask;
10000 extern void set_nx(void);
10001 +
10002 +#ifdef CONFIG_X86_32
10003 +#ifdef CONFIG_X86_PAE
10004 extern int nx_enabled;
10005 +#else
10006 +#define nx_enabled (0)
10007 +#endif
10008 +#else
10009 +#define nx_enabled (1)
10010 +#endif
10011
10012 #define pgprot_writecombine pgprot_writecombine
10013 extern pgprot_t pgprot_writecombine(pgprot_t prot);
10014 diff -urNp linux-2.6.32.46/arch/x86/include/asm/processor.h linux-2.6.32.46/arch/x86/include/asm/processor.h
10015 --- linux-2.6.32.46/arch/x86/include/asm/processor.h 2011-04-22 19:16:29.000000000 -0400
10016 +++ linux-2.6.32.46/arch/x86/include/asm/processor.h 2011-05-11 18:25:15.000000000 -0400
10017 @@ -272,7 +272,7 @@ struct tss_struct {
10018
10019 } ____cacheline_aligned;
10020
10021 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
10022 +extern struct tss_struct init_tss[NR_CPUS];
10023
10024 /*
10025 * Save the original ist values for checking stack pointers during debugging
10026 @@ -888,11 +888,18 @@ static inline void spin_lock_prefetch(co
10027 */
10028 #define TASK_SIZE PAGE_OFFSET
10029 #define TASK_SIZE_MAX TASK_SIZE
10030 +
10031 +#ifdef CONFIG_PAX_SEGMEXEC
10032 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
10033 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
10034 +#else
10035 #define STACK_TOP TASK_SIZE
10036 -#define STACK_TOP_MAX STACK_TOP
10037 +#endif
10038 +
10039 +#define STACK_TOP_MAX TASK_SIZE
10040
10041 #define INIT_THREAD { \
10042 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
10043 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
10044 .vm86_info = NULL, \
10045 .sysenter_cs = __KERNEL_CS, \
10046 .io_bitmap_ptr = NULL, \
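Review bot: The SEGMEXEC definition of `STACK_TOP` dereferences `current->mm` unconditionally, where the previous definition was the constant `TASK_SIZE`. If any user of STACK_TOP can run where `current->mm` is NULL (callers are not visible in this hunk), this becomes a NULL dereference, so the macro should either document that it requires a user mm or guard the access. The `- 8` added to `.sp0` is also unexplained at this point; a trailing comment such as `/* reserve 8 bytes at the top of the ring0 stack */` would tie it to the task_pt_regs() comment further down, if that is indeed the reason.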
10047 @@ -906,7 +913,7 @@ static inline void spin_lock_prefetch(co
10048 */
10049 #define INIT_TSS { \
10050 .x86_tss = { \
10051 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
10052 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
10053 .ss0 = __KERNEL_DS, \
10054 .ss1 = __KERNEL_CS, \
10055 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
10056 @@ -917,11 +924,7 @@ static inline void spin_lock_prefetch(co
10057 extern unsigned long thread_saved_pc(struct task_struct *tsk);
10058
10059 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
10060 -#define KSTK_TOP(info) \
10061 -({ \
10062 - unsigned long *__ptr = (unsigned long *)(info); \
10063 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
10064 -})
10065 +#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
10066
10067 /*
10068 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
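Review bot: KSTK_TOP() keeps its name and parameter, but its argument contract changes: the old macro accepted any pointer to the base of the stack area, while `container_of(info, struct task_struct, tinfo)` is only valid when `info` is the address of the `tinfo` member of a task_struct. A caller that still passes a stack-page pointer may compile and compute an unrelated address. I would add a comment on the define, for example `/* info must point at task_struct::tinfo, not at the stack page */`. The context comment beginning "The below -8" is also stale, because the next hunk removes the `-8` from task_pt_regs() and relies on `thread.sp0` already including it; that comment continues outside this hunk.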
10069 @@ -936,7 +939,7 @@ extern unsigned long thread_saved_pc(str
10070 #define task_pt_regs(task) \
10071 ({ \
10072 struct pt_regs *__regs__; \
10073 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
10074 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
10075 __regs__ - 1; \
10076 })
10077
10078 @@ -946,13 +949,13 @@ extern unsigned long thread_saved_pc(str
10079 /*
10080 * User space process size. 47bits minus one guard page.
10081 */
10082 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
10083 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
10084
10085 /* This decides where the kernel will search for a free chunk of vm
10086 * space during mmap's.
10087 */
10088 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
10089 - 0xc0000000 : 0xFFFFe000)
10090 + 0xc0000000 : 0xFFFFf000)
10091
10092 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
10093 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
10094 @@ -963,11 +966,11 @@ extern unsigned long thread_saved_pc(str
10095 #define STACK_TOP_MAX TASK_SIZE_MAX
10096
10097 #define INIT_THREAD { \
10098 - .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
10099 + .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
10100 }
10101
10102 #define INIT_TSS { \
10103 - .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
10104 + .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
10105 }
10106
10107 /*
10108 @@ -989,6 +992,10 @@ extern void start_thread(struct pt_regs
10109 */
10110 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
10111
10112 +#ifdef CONFIG_PAX_SEGMEXEC
10113 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
10114 +#endif
10115 +
10116 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
10117
10118 /* Get/set a process' ability to use the timestamp counter instruction */
10119 diff -urNp linux-2.6.32.46/arch/x86/include/asm/ptrace.h linux-2.6.32.46/arch/x86/include/asm/ptrace.h
10120 --- linux-2.6.32.46/arch/x86/include/asm/ptrace.h 2011-03-27 14:31:47.000000000 -0400
10121 +++ linux-2.6.32.46/arch/x86/include/asm/ptrace.h 2011-04-17 15:56:46.000000000 -0400
10122 @@ -151,28 +151,29 @@ static inline unsigned long regs_return_
10123 }
10124
10125 /*
10126 - * user_mode_vm(regs) determines whether a register set came from user mode.
10127 + * user_mode(regs) determines whether a register set came from user mode.
10128 * This is true if V8086 mode was enabled OR if the register set was from
10129 * protected mode with RPL-3 CS value. This tricky test checks that with
10130 * one comparison. Many places in the kernel can bypass this full check
10131 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
10132 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
10133 + * be used.
10134 */
10135 -static inline int user_mode(struct pt_regs *regs)
10136 +static inline int user_mode_novm(struct pt_regs *regs)
10137 {
10138 #ifdef CONFIG_X86_32
10139 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
10140 #else
10141 - return !!(regs->cs & 3);
10142 + return !!(regs->cs & SEGMENT_RPL_MASK);
10143 #endif
10144 }
10145
10146 -static inline int user_mode_vm(struct pt_regs *regs)
10147 +static inline int user_mode(struct pt_regs *regs)
10148 {
10149 #ifdef CONFIG_X86_32
10150 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
10151 USER_RPL;
10152 #else
10153 - return user_mode(regs);
10154 + return user_mode_novm(regs);
10155 #endif
10156 }
10157
10158 diff -urNp linux-2.6.32.46/arch/x86/include/asm/reboot.h linux-2.6.32.46/arch/x86/include/asm/reboot.h
10159 --- linux-2.6.32.46/arch/x86/include/asm/reboot.h 2011-03-27 14:31:47.000000000 -0400
10160 +++ linux-2.6.32.46/arch/x86/include/asm/reboot.h 2011-08-05 20:33:55.000000000 -0400
10161 @@ -6,19 +6,19 @@
10162 struct pt_regs;
10163
10164 struct machine_ops {
10165 - void (*restart)(char *cmd);
10166 - void (*halt)(void);
10167 - void (*power_off)(void);
10168 + void (* __noreturn restart)(char *cmd);
10169 + void (* __noreturn halt)(void);
10170 + void (* __noreturn power_off)(void);
10171 void (*shutdown)(void);
10172 void (*crash_shutdown)(struct pt_regs *);
10173 - void (*emergency_restart)(void);
10174 -};
10175 + void (* __noreturn emergency_restart)(void);
10176 +} __no_const;
10177
10178 extern struct machine_ops machine_ops;
10179
10180 void native_machine_crash_shutdown(struct pt_regs *regs);
10181 void native_machine_shutdown(void);
10182 -void machine_real_restart(const unsigned char *code, int length);
10183 +void machine_real_restart(const unsigned char *code, unsigned int length) __noreturn;
10184
10185 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
10186 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
10187 diff -urNp linux-2.6.32.46/arch/x86/include/asm/rwsem.h linux-2.6.32.46/arch/x86/include/asm/rwsem.h
10188 --- linux-2.6.32.46/arch/x86/include/asm/rwsem.h 2011-03-27 14:31:47.000000000 -0400
10189 +++ linux-2.6.32.46/arch/x86/include/asm/rwsem.h 2011-04-17 15:56:46.000000000 -0400
10190 @@ -118,6 +118,14 @@ static inline void __down_read(struct rw
10191 {
10192 asm volatile("# beginning down_read\n\t"
10193 LOCK_PREFIX _ASM_INC "(%1)\n\t"
10194 +
10195 +#ifdef CONFIG_PAX_REFCOUNT
10196 + "jno 0f\n"
10197 + LOCK_PREFIX _ASM_DEC "(%1)\n\t"
10198 + "int $4\n0:\n"
10199 + _ASM_EXTABLE(0b, 0b)
10200 +#endif
10201 +
10202 /* adds 0x00000001, returns the old value */
10203 " jns 1f\n"
10204 " call call_rwsem_down_read_failed\n"
10205 @@ -139,6 +147,14 @@ static inline int __down_read_trylock(st
10206 "1:\n\t"
10207 " mov %1,%2\n\t"
10208 " add %3,%2\n\t"
10209 +
10210 +#ifdef CONFIG_PAX_REFCOUNT
10211 + "jno 0f\n"
10212 + "sub %3,%2\n"
10213 + "int $4\n0:\n"
10214 + _ASM_EXTABLE(0b, 0b)
10215 +#endif
10216 +
10217 " jle 2f\n\t"
10218 LOCK_PREFIX " cmpxchg %2,%0\n\t"
10219 " jnz 1b\n\t"
10220 @@ -160,6 +176,14 @@ static inline void __down_write_nested(s
10221 tmp = RWSEM_ACTIVE_WRITE_BIAS;
10222 asm volatile("# beginning down_write\n\t"
10223 LOCK_PREFIX " xadd %1,(%2)\n\t"
10224 +
10225 +#ifdef CONFIG_PAX_REFCOUNT
10226 + "jno 0f\n"
10227 + "mov %1,(%2)\n"
10228 + "int $4\n0:\n"
10229 + _ASM_EXTABLE(0b, 0b)
10230 +#endif
10231 +
10232 /* subtract 0x0000ffff, returns the old value */
10233 " test %1,%1\n\t"
10234 /* was the count 0 before? */
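Review bot: The overflow undo after `LOCK_PREFIX " xadd %1,(%2)"` is a plain `mov %1,(%2)`, which stores the pre-xadd value back without a lock prefix, so any update another CPU made to the count between the xadd and the mov is overwritten. The same undo appears in the __up_read(), __up_write() and rwsem_atomic_update() hunks. The inc and add paths in __down_read(), __downgrade_write() and rwsem_atomic_add() undo with a locked dec or sub instead. If the plain store is acceptable because the overflow path is already fatal for the semaphore, that should be stated next to it, for example `/* overflow: restore the old count; not atomic against concurrent updaters */`. None of the new blocks explains the `jno`/`int $4`/`_ASM_EXTABLE(0b, 0b)` sequence either, and a single comment at its first use would cover them all.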
10235 @@ -198,6 +222,14 @@ static inline void __up_read(struct rw_s
10236 rwsem_count_t tmp = -RWSEM_ACTIVE_READ_BIAS;
10237 asm volatile("# beginning __up_read\n\t"
10238 LOCK_PREFIX " xadd %1,(%2)\n\t"
10239 +
10240 +#ifdef CONFIG_PAX_REFCOUNT
10241 + "jno 0f\n"
10242 + "mov %1,(%2)\n"
10243 + "int $4\n0:\n"
10244 + _ASM_EXTABLE(0b, 0b)
10245 +#endif
10246 +
10247 /* subtracts 1, returns the old value */
10248 " jns 1f\n\t"
10249 " call call_rwsem_wake\n"
10250 @@ -216,6 +248,14 @@ static inline void __up_write(struct rw_
10251 rwsem_count_t tmp;
10252 asm volatile("# beginning __up_write\n\t"
10253 LOCK_PREFIX " xadd %1,(%2)\n\t"
10254 +
10255 +#ifdef CONFIG_PAX_REFCOUNT
10256 + "jno 0f\n"
10257 + "mov %1,(%2)\n"
10258 + "int $4\n0:\n"
10259 + _ASM_EXTABLE(0b, 0b)
10260 +#endif
10261 +
10262 /* tries to transition
10263 0xffff0001 -> 0x00000000 */
10264 " jz 1f\n"
10265 @@ -234,6 +274,14 @@ static inline void __downgrade_write(str
10266 {
10267 asm volatile("# beginning __downgrade_write\n\t"
10268 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
10269 +
10270 +#ifdef CONFIG_PAX_REFCOUNT
10271 + "jno 0f\n"
10272 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
10273 + "int $4\n0:\n"
10274 + _ASM_EXTABLE(0b, 0b)
10275 +#endif
10276 +
10277 /*
10278 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
10279 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
10280 @@ -253,7 +301,15 @@ static inline void __downgrade_write(str
10281 static inline void rwsem_atomic_add(rwsem_count_t delta,
10282 struct rw_semaphore *sem)
10283 {
10284 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
10285 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
10286 +
10287 +#ifdef CONFIG_PAX_REFCOUNT
10288 + "jno 0f\n"
10289 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
10290 + "int $4\n0:\n"
10291 + _ASM_EXTABLE(0b, 0b)
10292 +#endif
10293 +
10294 : "+m" (sem->count)
10295 : "er" (delta));
10296 }
10297 @@ -266,7 +322,15 @@ static inline rwsem_count_t rwsem_atomic
10298 {
10299 rwsem_count_t tmp = delta;
10300
10301 - asm volatile(LOCK_PREFIX "xadd %0,%1"
10302 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
10303 +
10304 +#ifdef CONFIG_PAX_REFCOUNT
10305 + "jno 0f\n"
10306 + "mov %0,%1\n"
10307 + "int $4\n0:\n"
10308 + _ASM_EXTABLE(0b, 0b)
10309 +#endif
10310 +
10311 : "+r" (tmp), "+m" (sem->count)
10312 : : "memory");
10313
10314 diff -urNp linux-2.6.32.46/arch/x86/include/asm/segment.h linux-2.6.32.46/arch/x86/include/asm/segment.h
10315 --- linux-2.6.32.46/arch/x86/include/asm/segment.h 2011-03-27 14:31:47.000000000 -0400
10316 +++ linux-2.6.32.46/arch/x86/include/asm/segment.h 2011-04-17 15:56:46.000000000 -0400
10317 @@ -62,8 +62,8 @@
10318 * 26 - ESPFIX small SS
10319 * 27 - per-cpu [ offset to per-cpu data area ]
10320 * 28 - stack_canary-20 [ for stack protector ]
10321 - * 29 - unused
10322 - * 30 - unused
10323 + * 29 - PCI BIOS CS
10324 + * 30 - PCI BIOS DS
10325 * 31 - TSS for double fault handler
10326 */
10327 #define GDT_ENTRY_TLS_MIN 6
10328 @@ -77,6 +77,8 @@
10329
10330 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
10331
10332 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
10333 +
10334 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
10335
10336 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
10337 @@ -88,7 +90,7 @@
10338 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
10339 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
10340
10341 -#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
10342 +#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
10343 #ifdef CONFIG_SMP
10344 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
10345 #else
10346 @@ -102,6 +104,12 @@
10347 #define __KERNEL_STACK_CANARY 0
10348 #endif
10349
10350 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
10351 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
10352 +
10353 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
10354 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
10355 +
10356 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
10357
10358 /*
10359 @@ -139,7 +147,7 @@
10360 */
10361
10362 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
10363 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
10364 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
10365
10366
10367 #else
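Review bot: The new SEGMENT_IS_PNP_CODE(x) expands `x` twice, where the old single-mask form evaluated it once, so an argument with side effects is now evaluated twice. A `static inline` helper or a single masked temporary avoids that. The new `0xFFFCU` mask strips only the two RPL bits, so the comparison is now exact against `PNP_CS32` and `PNP_CS16` instead of relying on the two entries being adjacent. The comment above ("they must be consecutive") should be updated, because that requirement no longer follows from this macro.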
10368 @@ -163,6 +171,8 @@
10369 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
10370 #define __USER32_DS __USER_DS
10371
10372 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
10373 +
10374 #define GDT_ENTRY_TSS 8 /* needs two entries */
10375 #define GDT_ENTRY_LDT 10 /* needs two entries */
10376 #define GDT_ENTRY_TLS_MIN 12
10377 @@ -183,6 +193,7 @@
10378 #endif
10379
10380 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
10381 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
10382 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
10383 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
10384 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
10385 diff -urNp linux-2.6.32.46/arch/x86/include/asm/smp.h linux-2.6.32.46/arch/x86/include/asm/smp.h
10386 --- linux-2.6.32.46/arch/x86/include/asm/smp.h 2011-03-27 14:31:47.000000000 -0400
10387 +++ linux-2.6.32.46/arch/x86/include/asm/smp.h 2011-08-05 20:33:55.000000000 -0400
10388 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
10389 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
10390 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
10391 DECLARE_PER_CPU(u16, cpu_llc_id);
10392 -DECLARE_PER_CPU(int, cpu_number);
10393 +DECLARE_PER_CPU(unsigned int, cpu_number);
10394
10395 static inline struct cpumask *cpu_sibling_mask(int cpu)
10396 {
10397 @@ -40,10 +40,7 @@ DECLARE_EARLY_PER_CPU(u16, x86_cpu_to_ap
10398 DECLARE_EARLY_PER_CPU(u16, x86_bios_cpu_apicid);
10399
10400 /* Static state in head.S used to set up a CPU */
10401 -extern struct {
10402 - void *sp;
10403 - unsigned short ss;
10404 -} stack_start;
10405 +extern unsigned long stack_start; /* Initial stack pointer address */
10406
10407 struct smp_ops {
10408 void (*smp_prepare_boot_cpu)(void);
10409 @@ -60,7 +57,7 @@ struct smp_ops {
10410
10411 void (*send_call_func_ipi)(const struct cpumask *mask);
10412 void (*send_call_func_single_ipi)(int cpu);
10413 -};
10414 +} __no_const;
10415
10416 /* Globals due to paravirt */
10417 extern void set_cpu_sibling_map(int cpu);
10418 @@ -175,14 +172,8 @@ extern unsigned disabled_cpus __cpuinitd
10419 extern int safe_smp_processor_id(void);
10420
10421 #elif defined(CONFIG_X86_64_SMP)
10422 -#define raw_smp_processor_id() (percpu_read(cpu_number))
10423 -
10424 -#define stack_smp_processor_id() \
10425 -({ \
10426 - struct thread_info *ti; \
10427 - __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
10428 - ti->cpu; \
10429 -})
10430 +#define raw_smp_processor_id() (percpu_read(cpu_number))
10431 +#define stack_smp_processor_id() raw_smp_processor_id()
10432 #define safe_smp_processor_id() smp_processor_id()
10433
10434 #endif
10435 diff -urNp linux-2.6.32.46/arch/x86/include/asm/spinlock.h linux-2.6.32.46/arch/x86/include/asm/spinlock.h
10436 --- linux-2.6.32.46/arch/x86/include/asm/spinlock.h 2011-03-27 14:31:47.000000000 -0400
10437 +++ linux-2.6.32.46/arch/x86/include/asm/spinlock.h 2011-04-17 15:56:46.000000000 -0400
10438 @@ -249,6 +249,14 @@ static inline int __raw_write_can_lock(r
10439 static inline void __raw_read_lock(raw_rwlock_t *rw)
10440 {
10441 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
10442 +
10443 +#ifdef CONFIG_PAX_REFCOUNT
10444 + "jno 0f\n"
10445 + LOCK_PREFIX " addl $1,(%0)\n"
10446 + "int $4\n0:\n"
10447 + _ASM_EXTABLE(0b, 0b)
10448 +#endif
10449 +
10450 "jns 1f\n"
10451 "call __read_lock_failed\n\t"
10452 "1:\n"
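Review bot: The CONFIG_PAX_REFCOUNT block added after the locked `subl` carries no comment, and the control flow is not obvious from the asm alone. As written, when the subtraction overflows (`jno` not taken) the update is reverted with a locked `addl` and `int $4` is raised, with `_ASM_EXTABLE(0b, 0b)` apparently letting execution resume at label 0 afterwards; I would record that as `/* PAX_REFCOUNT: on signed overflow undo the update and trap via int $4; the extable entry resumes at 0: */` above the `#ifdef`. The same block, with the operations mirrored, is repeated in the __raw_write_lock hunk and in both functions of the unlock hunk that follow, so the comment applies there as well. Between the two locked instructions the overflowed value is visible to other CPUs; whether that window matters here cannot be judged from these hunks. __raw_read_lock's body continues outside the hunk.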
10453 @@ -258,6 +266,14 @@ static inline void __raw_read_lock(raw_r
10454 static inline void __raw_write_lock(raw_rwlock_t *rw)
10455 {
10456 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
10457 +
10458 +#ifdef CONFIG_PAX_REFCOUNT
10459 + "jno 0f\n"
10460 + LOCK_PREFIX " addl %1,(%0)\n"
10461 + "int $4\n0:\n"
10462 + _ASM_EXTABLE(0b, 0b)
10463 +#endif
10464 +
10465 "jz 1f\n"
10466 "call __write_lock_failed\n\t"
10467 "1:\n"
10468 @@ -286,12 +302,29 @@ static inline int __raw_write_trylock(ra
10469
10470 static inline void __raw_read_unlock(raw_rwlock_t *rw)
10471 {
10472 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
10473 + asm volatile(LOCK_PREFIX "incl %0\n"
10474 +
10475 +#ifdef CONFIG_PAX_REFCOUNT
10476 + "jno 0f\n"
10477 + LOCK_PREFIX "decl %0\n"
10478 + "int $4\n0:\n"
10479 + _ASM_EXTABLE(0b, 0b)
10480 +#endif
10481 +
10482 + :"+m" (rw->lock) : : "memory");
10483 }
10484
10485 static inline void __raw_write_unlock(raw_rwlock_t *rw)
10486 {
10487 - asm volatile(LOCK_PREFIX "addl %1, %0"
10488 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
10489 +
10490 +#ifdef CONFIG_PAX_REFCOUNT
10491 + "jno 0f\n"
10492 + LOCK_PREFIX "subl %1, %0\n"
10493 + "int $4\n0:\n"
10494 + _ASM_EXTABLE(0b, 0b)
10495 +#endif
10496 +
10497 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
10498 }
10499
10500 diff -urNp linux-2.6.32.46/arch/x86/include/asm/stackprotector.h linux-2.6.32.46/arch/x86/include/asm/stackprotector.h
10501 --- linux-2.6.32.46/arch/x86/include/asm/stackprotector.h 2011-03-27 14:31:47.000000000 -0400
10502 +++ linux-2.6.32.46/arch/x86/include/asm/stackprotector.h 2011-07-06 19:53:33.000000000 -0400
10503 @@ -48,7 +48,7 @@
10504 * head_32 for boot CPU and setup_per_cpu_areas() for others.
10505 */
10506 #define GDT_STACK_CANARY_INIT \
10507 - [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
10508 + [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
10509
10510 /*
10511 * Initialize the stackprotector canary value.
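Review bot: The limit argument in GDT_STACK_CANARY_INIT changes from 0x18 to 0x17 with no comment saying what the number means. If the third argument of GDT_ENTRY_INIT is the descriptor limit, which is the last valid offset rather than a length, then 0x17 describes a 24-byte segment and the old value exposed one byte more than intended; that reading should be confirmed against GDT_ENTRY_INIT, which is not in this hunk. A comment such as `/* limit is inclusive: 0x17 covers offsets 0..23 */` above the `#define` would keep the next reader from "correcting" it back.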
10512 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
10513
10514 static inline void load_stack_canary_segment(void)
10515 {
10516 -#ifdef CONFIG_X86_32
10517 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
10518 asm volatile ("mov %0, %%gs" : : "r" (0));
10519 #endif
10520 }
10521 diff -urNp linux-2.6.32.46/arch/x86/include/asm/system.h linux-2.6.32.46/arch/x86/include/asm/system.h
10522 --- linux-2.6.32.46/arch/x86/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
10523 +++ linux-2.6.32.46/arch/x86/include/asm/system.h 2011-05-22 23:02:03.000000000 -0400
10524 @@ -132,7 +132,7 @@ do { \
10525 "thread_return:\n\t" \
10526 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
10527 __switch_canary \
10528 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
10529 + "movq "__percpu_arg([thread_info])",%%r8\n\t" \
10530 "movq %%rax,%%rdi\n\t" \
10531 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
10532 "jnz ret_from_fork\n\t" \
10533 @@ -143,7 +143,7 @@ do { \
10534 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
10535 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
10536 [_tif_fork] "i" (_TIF_FORK), \
10537 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
10538 + [thread_info] "m" (per_cpu_var(current_tinfo)), \
10539 [current_task] "m" (per_cpu_var(current_task)) \
10540 __switch_canary_iparam \
10541 : "memory", "cc" __EXTRA_CLOBBER)
10542 @@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
10543 {
10544 unsigned long __limit;
10545 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
10546 - return __limit + 1;
10547 + return __limit;
10548 }
10549
10550 static inline void native_clts(void)
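Review bot: get_limit() now returns the raw LSL result, meaning the last valid offset in the segment rather than the byte count, but nothing at the definition says so. Any caller that still treats the value as a size is off by one, and the callers are not in this hunk. A comment such as `/* returns the segment limit, i.e. the last valid offset, not the size */` above the function would pin the contract. Separately, LSL leaves its destination unwritten when the selector is not valid, so `__limit` can be returned uninitialized; that predates this change but is worth closing while the function is being touched. The function's signature line is outside the hunk.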
10551 @@ -340,12 +340,12 @@ void enable_hlt(void);
10552
10553 void cpu_idle_wait(void);
10554
10555 -extern unsigned long arch_align_stack(unsigned long sp);
10556 +#define arch_align_stack(x) ((x) & ~0xfUL)
10557 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
10558
10559 void default_idle(void);
10560
10561 -void stop_this_cpu(void *dummy);
10562 +void stop_this_cpu(void *dummy) __noreturn;
10563
10564 /*
10565 * Force strict CPU ordering.
10566 diff -urNp linux-2.6.32.46/arch/x86/include/asm/thread_info.h linux-2.6.32.46/arch/x86/include/asm/thread_info.h
10567 --- linux-2.6.32.46/arch/x86/include/asm/thread_info.h 2011-03-27 14:31:47.000000000 -0400
10568 +++ linux-2.6.32.46/arch/x86/include/asm/thread_info.h 2011-05-17 19:26:34.000000000 -0400
10569 @@ -10,6 +10,7 @@
10570 #include <linux/compiler.h>
10571 #include <asm/page.h>
10572 #include <asm/types.h>
10573 +#include <asm/percpu.h>
10574
10575 /*
10576 * low level task data that entry.S needs immediate access to
10577 @@ -24,7 +25,6 @@ struct exec_domain;
10578 #include <asm/atomic.h>
10579
10580 struct thread_info {
10581 - struct task_struct *task; /* main task structure */
10582 struct exec_domain *exec_domain; /* execution domain */
10583 __u32 flags; /* low level flags */
10584 __u32 status; /* thread synchronous flags */
10585 @@ -34,18 +34,12 @@ struct thread_info {
10586 mm_segment_t addr_limit;
10587 struct restart_block restart_block;
10588 void __user *sysenter_return;
10589 -#ifdef CONFIG_X86_32
10590 - unsigned long previous_esp; /* ESP of the previous stack in
10591 - case of nested (IRQ) stacks
10592 - */
10593 - __u8 supervisor_stack[0];
10594 -#endif
10595 + unsigned long lowest_stack;
10596 int uaccess_err;
10597 };
10598
10599 -#define INIT_THREAD_INFO(tsk) \
10600 +#define INIT_THREAD_INFO \
10601 { \
10602 - .task = &tsk, \
10603 .exec_domain = &default_exec_domain, \
10604 .flags = 0, \
10605 .cpu = 0, \
10606 @@ -56,7 +50,7 @@ struct thread_info {
10607 }, \
10608 }
10609
10610 -#define init_thread_info (init_thread_union.thread_info)
10611 +#define init_thread_info (init_thread_union.stack)
10612 #define init_stack (init_thread_union.stack)
10613
10614 #else /* !__ASSEMBLY__ */
10615 @@ -163,6 +157,23 @@ struct thread_info {
10616 #define alloc_thread_info(tsk) \
10617 ((struct thread_info *)__get_free_pages(THREAD_FLAGS, THREAD_ORDER))
10618
10619 +#ifdef __ASSEMBLY__
10620 +/* how to get the thread information struct from ASM */
10621 +#define GET_THREAD_INFO(reg) \
10622 + mov PER_CPU_VAR(current_tinfo), reg
10623 +
10624 +/* use this one if reg already contains %esp */
10625 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
10626 +#else
10627 +/* how to get the thread information struct from C */
10628 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
10629 +
10630 +static __always_inline struct thread_info *current_thread_info(void)
10631 +{
10632 + return percpu_read_stable(current_tinfo);
10633 +}
10634 +#endif
10635 +
10636 #ifdef CONFIG_X86_32
10637
10638 #define STACK_WARN (THREAD_SIZE/8)
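Review bot: The comment `/* use this one if reg already contains %esp */` is carried over onto the new GET_THREAD_INFO_WITH_ESP, but the macro now expands to GET_THREAD_INFO(reg), which loads `PER_CPU_VAR(current_tinfo)` and ignores whatever reg held. I would reword it to `/* kept for existing callers; reg's previous contents are ignored and overwritten */`. The asm variant also uses an unsuffixed `mov`, relying on the register operand to fix the operand size on both 32- and 64-bit builds. That is probably intended, since this block sits above the CONFIG_X86_32 split, but it is worth a word in the comment.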
10639 @@ -173,35 +184,13 @@ struct thread_info {
10640 */
10641 #ifndef __ASSEMBLY__
10642
10643 -
10644 /* how to get the current stack pointer from C */
10645 register unsigned long current_stack_pointer asm("esp") __used;
10646
10647 -/* how to get the thread information struct from C */
10648 -static inline struct thread_info *current_thread_info(void)
10649 -{
10650 - return (struct thread_info *)
10651 - (current_stack_pointer & ~(THREAD_SIZE - 1));
10652 -}
10653 -
10654 -#else /* !__ASSEMBLY__ */
10655 -
10656 -/* how to get the thread information struct from ASM */
10657 -#define GET_THREAD_INFO(reg) \
10658 - movl $-THREAD_SIZE, reg; \
10659 - andl %esp, reg
10660 -
10661 -/* use this one if reg already contains %esp */
10662 -#define GET_THREAD_INFO_WITH_ESP(reg) \
10663 - andl $-THREAD_SIZE, reg
10664 -
10665 #endif
10666
10667 #else /* X86_32 */
10668
10669 -#include <asm/percpu.h>
10670 -#define KERNEL_STACK_OFFSET (5*8)
10671 -
10672 /*
10673 * macros/functions for gaining access to the thread information structure
10674 * preempt_count needs to be 1 initially, until the scheduler is functional.
10675 @@ -209,21 +198,8 @@ static inline struct thread_info *curren
10676 #ifndef __ASSEMBLY__
10677 DECLARE_PER_CPU(unsigned long, kernel_stack);
10678
10679 -static inline struct thread_info *current_thread_info(void)
10680 -{
10681 - struct thread_info *ti;
10682 - ti = (void *)(percpu_read_stable(kernel_stack) +
10683 - KERNEL_STACK_OFFSET - THREAD_SIZE);
10684 - return ti;
10685 -}
10686 -
10687 -#else /* !__ASSEMBLY__ */
10688 -
10689 -/* how to get the thread information struct from ASM */
10690 -#define GET_THREAD_INFO(reg) \
10691 - movq PER_CPU_VAR(kernel_stack),reg ; \
10692 - subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
10693 -
10694 +/* how to get the current stack pointer from C */
10695 +register unsigned long current_stack_pointer asm("rsp") __used;
10696 #endif
10697
10698 #endif /* !X86_32 */
10699 @@ -260,5 +236,16 @@ extern void arch_task_cache_init(void);
10700 extern void free_thread_info(struct thread_info *ti);
10701 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
10702 #define arch_task_cache_init arch_task_cache_init
10703 +
10704 +#define __HAVE_THREAD_FUNCTIONS
10705 +#define task_thread_info(task) (&(task)->tinfo)
10706 +#define task_stack_page(task) ((task)->stack)
10707 +#define setup_thread_stack(p, org) do {} while (0)
10708 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
10709 +
10710 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
10711 +extern struct task_struct *alloc_task_struct(void);
10712 +extern void free_task_struct(struct task_struct *);
10713 +
10714 #endif
10715 #endif /* _ASM_X86_THREAD_INFO_H */
10716 diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_32.h linux-2.6.32.46/arch/x86/include/asm/uaccess_32.h
10717 --- linux-2.6.32.46/arch/x86/include/asm/uaccess_32.h 2011-03-27 14:31:47.000000000 -0400
10718 +++ linux-2.6.32.46/arch/x86/include/asm/uaccess_32.h 2011-05-16 21:46:57.000000000 -0400
10719 @@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_u
10720 static __always_inline unsigned long __must_check
10721 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
10722 {
10723 + pax_track_stack();
10724 +
10725 + if ((long)n < 0)
10726 + return n;
10727 +
10728 if (__builtin_constant_p(n)) {
10729 unsigned long ret;
10730
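Review bot: The added `if ((long)n < 0) return n;` has no comment, and the reason for treating a length with the top bit set as "copy nothing" is not evident where it stands. Something like `/* a length with the sign bit set is almost certainly a negative value converted to unsigned long; refuse it and report all n bytes as uncopied */` would do. The same check recurs in the later hunks of this file and, as `(int)size < 0`, throughout the uaccess_64.h changes, so the comment applies there too. The placement of `pax_track_stack()` also looks uneven: it is added here and in __copy_from_user, but not in __copy_from_user_inatomic as far as the hunks show, so a note on when it is required would help. The function body continues outside the hunk.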
10731 @@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to,
10732 return ret;
10733 }
10734 }
10735 + if (!__builtin_constant_p(n))
10736 + check_object_size(from, n, true);
10737 return __copy_to_user_ll(to, from, n);
10738 }
10739
10740 @@ -83,12 +90,16 @@ static __always_inline unsigned long __m
10741 __copy_to_user(void __user *to, const void *from, unsigned long n)
10742 {
10743 might_fault();
10744 +
10745 return __copy_to_user_inatomic(to, from, n);
10746 }
10747
10748 static __always_inline unsigned long
10749 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
10750 {
10751 + if ((long)n < 0)
10752 + return n;
10753 +
10754 /* Avoid zeroing the tail if the copy fails..
10755 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
10756 * but as the zeroing behaviour is only significant when n is not
10757 @@ -138,6 +149,12 @@ static __always_inline unsigned long
10758 __copy_from_user(void *to, const void __user *from, unsigned long n)
10759 {
10760 might_fault();
10761 +
10762 + pax_track_stack();
10763 +
10764 + if ((long)n < 0)
10765 + return n;
10766 +
10767 if (__builtin_constant_p(n)) {
10768 unsigned long ret;
10769
10770 @@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __
10771 return ret;
10772 }
10773 }
10774 + if (!__builtin_constant_p(n))
10775 + check_object_size(to, n, false);
10776 return __copy_from_user_ll(to, from, n);
10777 }
10778
10779 @@ -160,6 +179,10 @@ static __always_inline unsigned long __c
10780 const void __user *from, unsigned long n)
10781 {
10782 might_fault();
10783 +
10784 + if ((long)n < 0)
10785 + return n;
10786 +
10787 if (__builtin_constant_p(n)) {
10788 unsigned long ret;
10789
10790 @@ -182,14 +205,62 @@ static __always_inline unsigned long
10791 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
10792 unsigned long n)
10793 {
10794 - return __copy_from_user_ll_nocache_nozero(to, from, n);
10795 + if ((long)n < 0)
10796 + return n;
10797 +
10798 + return __copy_from_user_ll_nocache_nozero(to, from, n);
10799 +}
10800 +
10801 +/**
10802 + * copy_to_user: - Copy a block of data into user space.
10803 + * @to: Destination address, in user space.
10804 + * @from: Source address, in kernel space.
10805 + * @n: Number of bytes to copy.
10806 + *
10807 + * Context: User context only. This function may sleep.
10808 + *
10809 + * Copy data from kernel space to user space.
10810 + *
10811 + * Returns number of bytes that could not be copied.
10812 + * On success, this will be zero.
10813 + */
10814 +static __always_inline unsigned long __must_check
10815 +copy_to_user(void __user *to, const void *from, unsigned long n)
10816 +{
10817 + if (access_ok(VERIFY_WRITE, to, n))
10818 + n = __copy_to_user(to, from, n);
10819 + return n;
10820 +}
10821 +
10822 +/**
10823 + * copy_from_user: - Copy a block of data from user space.
10824 + * @to: Destination address, in kernel space.
10825 + * @from: Source address, in user space.
10826 + * @n: Number of bytes to copy.
10827 + *
10828 + * Context: User context only. This function may sleep.
10829 + *
10830 + * Copy data from user space to kernel space.
10831 + *
10832 + * Returns number of bytes that could not be copied.
10833 + * On success, this will be zero.
10834 + *
10835 + * If some data could not be copied, this function will pad the copied
10836 + * data to the requested size using zero bytes.
10837 + */
10838 +static __always_inline unsigned long __must_check
10839 +copy_from_user(void *to, const void __user *from, unsigned long n)
10840 +{
10841 + if (access_ok(VERIFY_READ, from, n))
10842 + n = __copy_from_user(to, from, n);
10843 + else if ((long)n > 0) {
10844 + if (!__builtin_constant_p(n))
10845 + check_object_size(to, n, false);
10846 + memset(to, 0, n);
10847 + }
10848 + return n;
10849 }
10850
10851 -unsigned long __must_check copy_to_user(void __user *to,
10852 - const void *from, unsigned long n);
10853 -unsigned long __must_check copy_from_user(void *to,
10854 - const void __user *from,
10855 - unsigned long n);
10856 long __must_check strncpy_from_user(char *dst, const char __user *src,
10857 long count);
10858 long __must_check __strncpy_from_user(char *dst,
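Review bot: The kerneldoc on the new inline copy_from_user() promises that a short copy is padded with zero bytes, but that does not hold for a length with the sign bit set. In that case the `else if ((long)n > 0)` branch skips the memset, and __copy_from_user() returns such an `n` before touching `to`. A caller that ignores the return value would then read whatever the buffer held before, so the exception belongs in the comment, e.g. ` * A length with the sign bit set is rejected: nothing is copied or zeroed and @n is returned.` The 64-bit copy_from_user() added in uaccess_64.h behaves the same way and has no kerneldoc at all.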
10859 diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h
10860 --- linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h 2011-03-27 14:31:47.000000000 -0400
10861 +++ linux-2.6.32.46/arch/x86/include/asm/uaccess_64.h 2011-05-16 21:46:57.000000000 -0400
10862 @@ -9,6 +9,9 @@
10863 #include <linux/prefetch.h>
10864 #include <linux/lockdep.h>
10865 #include <asm/page.h>
10866 +#include <asm/pgtable.h>
10867 +
10868 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
10869
10870 /*
10871 * Copy To/From Userspace
10872 @@ -19,113 +22,203 @@ __must_check unsigned long
10873 copy_user_generic(void *to, const void *from, unsigned len);
10874
10875 __must_check unsigned long
10876 -copy_to_user(void __user *to, const void *from, unsigned len);
10877 -__must_check unsigned long
10878 -copy_from_user(void *to, const void __user *from, unsigned len);
10879 -__must_check unsigned long
10880 copy_in_user(void __user *to, const void __user *from, unsigned len);
10881
10882 static __always_inline __must_check
10883 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
10884 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
10885 {
10886 - int ret = 0;
10887 + unsigned ret = 0;
10888
10889 might_fault();
10890 - if (!__builtin_constant_p(size))
10891 - return copy_user_generic(dst, (__force void *)src, size);
10892 +
10893 + if ((int)size < 0)
10894 + return size;
10895 +
10896 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10897 + if (!__access_ok(VERIFY_READ, src, size))
10898 + return size;
10899 +#endif
10900 +
10901 + if (!__builtin_constant_p(size)) {
10902 + check_object_size(dst, size, false);
10903 +
10904 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10905 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10906 + src += PAX_USER_SHADOW_BASE;
10907 +#endif
10908 +
10909 + return copy_user_generic(dst, (__force const void *)src, size);
10910 + }
10911 switch (size) {
10912 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
10913 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
10914 ret, "b", "b", "=q", 1);
10915 return ret;
10916 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
10917 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
10918 ret, "w", "w", "=r", 2);
10919 return ret;
10920 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
10921 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
10922 ret, "l", "k", "=r", 4);
10923 return ret;
10924 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
10925 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10926 ret, "q", "", "=r", 8);
10927 return ret;
10928 case 10:
10929 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
10930 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10931 ret, "q", "", "=r", 10);
10932 if (unlikely(ret))
10933 return ret;
10934 __get_user_asm(*(u16 *)(8 + (char *)dst),
10935 - (u16 __user *)(8 + (char __user *)src),
10936 + (const u16 __user *)(8 + (const char __user *)src),
10937 ret, "w", "w", "=r", 2);
10938 return ret;
10939 case 16:
10940 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
10941 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10942 ret, "q", "", "=r", 16);
10943 if (unlikely(ret))
10944 return ret;
10945 __get_user_asm(*(u64 *)(8 + (char *)dst),
10946 - (u64 __user *)(8 + (char __user *)src),
10947 + (const u64 __user *)(8 + (const char __user *)src),
10948 ret, "q", "", "=r", 8);
10949 return ret;
10950 default:
10951 - return copy_user_generic(dst, (__force void *)src, size);
10952 +
10953 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10954 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10955 + src += PAX_USER_SHADOW_BASE;
10956 +#endif
10957 +
10958 + return copy_user_generic(dst, (__force const void *)src, size);
10959 }
10960 }
10961
10962 static __always_inline __must_check
10963 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
10964 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
10965 {
10966 - int ret = 0;
10967 + unsigned ret = 0;
10968
10969 might_fault();
10970 - if (!__builtin_constant_p(size))
10971 +
10972 + pax_track_stack();
10973 +
10974 + if ((int)size < 0)
10975 + return size;
10976 +
10977 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10978 + if (!__access_ok(VERIFY_WRITE, dst, size))
10979 + return size;
10980 +#endif
10981 +
10982 + if (!__builtin_constant_p(size)) {
10983 + check_object_size(src, size, true);
10984 +
10985 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10986 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10987 + dst += PAX_USER_SHADOW_BASE;
10988 +#endif
10989 +
10990 return copy_user_generic((__force void *)dst, src, size);
10991 + }
10992 switch (size) {
10993 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
10994 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
10995 ret, "b", "b", "iq", 1);
10996 return ret;
10997 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
10998 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
10999 ret, "w", "w", "ir", 2);
11000 return ret;
11001 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
11002 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
11003 ret, "l", "k", "ir", 4);
11004 return ret;
11005 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
11006 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11007 ret, "q", "", "er", 8);
11008 return ret;
11009 case 10:
11010 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
11011 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11012 ret, "q", "", "er", 10);
11013 if (unlikely(ret))
11014 return ret;
11015 asm("":::"memory");
11016 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
11017 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
11018 ret, "w", "w", "ir", 2);
11019 return ret;
11020 case 16:
11021 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
11022 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11023 ret, "q", "", "er", 16);
11024 if (unlikely(ret))
11025 return ret;
11026 asm("":::"memory");
11027 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
11028 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
11029 ret, "q", "", "er", 8);
11030 return ret;
11031 default:
11032 +
11033 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11034 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11035 + dst += PAX_USER_SHADOW_BASE;
11036 +#endif
11037 +
11038 return copy_user_generic((__force void *)dst, src, size);
11039 }
11040 }
11041
11042 static __always_inline __must_check
11043 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
11044 +unsigned long copy_to_user(void __user *to, const void *from, unsigned len)
11045 +{
11046 + if (access_ok(VERIFY_WRITE, to, len))
11047 + len = __copy_to_user(to, from, len);
11048 + return len;
11049 +}
11050 +
11051 +static __always_inline __must_check
11052 +unsigned long copy_from_user(void *to, const void __user *from, unsigned len)
11053 +{
11054 + if ((int)len < 0)
11055 + return len;
11056 +
11057 + if (access_ok(VERIFY_READ, from, len))
11058 + len = __copy_from_user(to, from, len);
11059 + else if ((int)len > 0) {
11060 + if (!__builtin_constant_p(len))
11061 + check_object_size(to, len, false);
11062 + memset(to, 0, len);
11063 + }
11064 + return len;
11065 +}
11066 +
11067 +static __always_inline __must_check
11068 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
11069 {
11070 - int ret = 0;
11071 + unsigned ret = 0;
11072
11073 might_fault();
11074 - if (!__builtin_constant_p(size))
11075 +
11076 + pax_track_stack();
11077 +
11078 + if ((int)size < 0)
11079 + return size;
11080 +
11081 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11082 + if (!__access_ok(VERIFY_READ, src, size))
11083 + return size;
11084 + if (!__access_ok(VERIFY_WRITE, dst, size))
11085 + return size;
11086 +#endif
11087 +
11088 + if (!__builtin_constant_p(size)) {
11089 +
11090 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11091 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11092 + src += PAX_USER_SHADOW_BASE;
11093 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11094 + dst += PAX_USER_SHADOW_BASE;
11095 +#endif
11096 +
11097 return copy_user_generic((__force void *)dst,
11098 - (__force void *)src, size);
11099 + (__force const void *)src, size);
11100 + }
11101 switch (size) {
11102 case 1: {
11103 u8 tmp;
11104 - __get_user_asm(tmp, (u8 __user *)src,
11105 + __get_user_asm(tmp, (const u8 __user *)src,
11106 ret, "b", "b", "=q", 1);
11107 if (likely(!ret))
11108 __put_user_asm(tmp, (u8 __user *)dst,
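Review bot: Under CONFIG_PAX_MEMORY_UDEREF only the non-constant and `default:` paths rebase the user pointer by PAX_USER_SHADOW_BASE; the fixed-size cases (1, 2, 4, 8, 10, 16) hand `src`/`dst` to __get_user_asm/__put_user_asm unchanged. Presumably those macros do the rebase through their address operand, but that is defined outside this hunk and should be confirmed. If so, a line such as `/* fixed sizes: the __get_user_asm/__put_user_asm address operand is rebased by the macro itself */` above each `switch` would save the next reader the search. The same question applies to __copy_from_user_nocache and __copy_from_user_inatomic_nocache in the later hunk, which check `__access_ok` but pass `src` to __copy_user_nocache without the rebase that __copy_from_user_inatomic performs. __copy_in_user continues past the end of this hunk.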
11109 @@ -134,7 +227,7 @@ int __copy_in_user(void __user *dst, con
11110 }
11111 case 2: {
11112 u16 tmp;
11113 - __get_user_asm(tmp, (u16 __user *)src,
11114 + __get_user_asm(tmp, (const u16 __user *)src,
11115 ret, "w", "w", "=r", 2);
11116 if (likely(!ret))
11117 __put_user_asm(tmp, (u16 __user *)dst,
11118 @@ -144,7 +237,7 @@ int __copy_in_user(void __user *dst, con
11119
11120 case 4: {
11121 u32 tmp;
11122 - __get_user_asm(tmp, (u32 __user *)src,
11123 + __get_user_asm(tmp, (const u32 __user *)src,
11124 ret, "l", "k", "=r", 4);
11125 if (likely(!ret))
11126 __put_user_asm(tmp, (u32 __user *)dst,
11127 @@ -153,7 +246,7 @@ int __copy_in_user(void __user *dst, con
11128 }
11129 case 8: {
11130 u64 tmp;
11131 - __get_user_asm(tmp, (u64 __user *)src,
11132 + __get_user_asm(tmp, (const u64 __user *)src,
11133 ret, "q", "", "=r", 8);
11134 if (likely(!ret))
11135 __put_user_asm(tmp, (u64 __user *)dst,
11136 @@ -161,8 +254,16 @@ int __copy_in_user(void __user *dst, con
11137 return ret;
11138 }
11139 default:
11140 +
11141 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11142 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11143 + src += PAX_USER_SHADOW_BASE;
11144 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11145 + dst += PAX_USER_SHADOW_BASE;
11146 +#endif
11147 +
11148 return copy_user_generic((__force void *)dst,
11149 - (__force void *)src, size);
11150 + (__force const void *)src, size);
11151 }
11152 }
11153
11154 @@ -176,33 +277,75 @@ __must_check long strlen_user(const char
11155 __must_check unsigned long clear_user(void __user *mem, unsigned long len);
11156 __must_check unsigned long __clear_user(void __user *mem, unsigned long len);
11157
11158 -__must_check long __copy_from_user_inatomic(void *dst, const void __user *src,
11159 - unsigned size);
11160 +static __must_check __always_inline unsigned long
11161 +__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
11162 +{
11163 + pax_track_stack();
11164 +
11165 + if ((int)size < 0)
11166 + return size;
11167
11168 -static __must_check __always_inline int
11169 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11170 + if (!__access_ok(VERIFY_READ, src, size))
11171 + return size;
11172 +
11173 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11174 + src += PAX_USER_SHADOW_BASE;
11175 +#endif
11176 +
11177 + return copy_user_generic(dst, (__force const void *)src, size);
11178 +}
11179 +
11180 +static __must_check __always_inline unsigned long
11181 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
11182 {
11183 + if ((int)size < 0)
11184 + return size;
11185 +
11186 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11187 + if (!__access_ok(VERIFY_WRITE, dst, size))
11188 + return size;
11189 +
11190 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11191 + dst += PAX_USER_SHADOW_BASE;
11192 +#endif
11193 +
11194 return copy_user_generic((__force void *)dst, src, size);
11195 }
11196
11197 -extern long __copy_user_nocache(void *dst, const void __user *src,
11198 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
11199 unsigned size, int zerorest);
11200
11201 -static inline int
11202 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
11203 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
11204 {
11205 might_sleep();
11206 +
11207 + if ((int)size < 0)
11208 + return size;
11209 +
11210 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11211 + if (!__access_ok(VERIFY_READ, src, size))
11212 + return size;
11213 +#endif
11214 +
11215 return __copy_user_nocache(dst, src, size, 1);
11216 }
11217
11218 -static inline int
11219 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
11220 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
11221 unsigned size)
11222 {
11223 + if ((int)size < 0)
11224 + return size;
11225 +
11226 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11227 + if (!__access_ok(VERIFY_READ, src, size))
11228 + return size;
11229 +#endif
11230 +
11231 return __copy_user_nocache(dst, src, size, 0);
11232 }
11233
11234 -unsigned long
11235 +extern unsigned long
11236 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
11237
11238 #endif /* _ASM_X86_UACCESS_64_H */
11239 diff -urNp linux-2.6.32.46/arch/x86/include/asm/uaccess.h linux-2.6.32.46/arch/x86/include/asm/uaccess.h
11240 --- linux-2.6.32.46/arch/x86/include/asm/uaccess.h 2011-06-25 12:55:34.000000000 -0400
11241 +++ linux-2.6.32.46/arch/x86/include/asm/uaccess.h 2011-06-25 12:56:37.000000000 -0400
11242 @@ -8,12 +8,15 @@
11243 #include <linux/thread_info.h>
11244 #include <linux/prefetch.h>
11245 #include <linux/string.h>
11246 +#include <linux/sched.h>
11247 #include <asm/asm.h>
11248 #include <asm/page.h>
11249
11250 #define VERIFY_READ 0
11251 #define VERIFY_WRITE 1
11252
11253 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
11254 +
11255 /*
11256 * The fs value determines whether argument validity checking should be
11257 * performed or not. If get_fs() == USER_DS, checking is performed, with
11258 @@ -29,7 +32,12 @@
11259
11260 #define get_ds() (KERNEL_DS)
11261 #define get_fs() (current_thread_info()->addr_limit)
11262 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
11263 +void __set_fs(mm_segment_t x);
11264 +void set_fs(mm_segment_t x);
11265 +#else
11266 #define set_fs(x) (current_thread_info()->addr_limit = (x))
11267 +#endif
11268
11269 #define segment_eq(a, b) ((a).seg == (b).seg)
11270
11271 @@ -77,7 +85,33 @@
11272 * checks that the pointer is in the user space range - after calling
11273 * this function, memory access functions may still return -EFAULT.
11274 */
11275 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
11276 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
11277 +#define access_ok(type, addr, size) \
11278 +({ \
11279 + long __size = size; \
11280 + unsigned long __addr = (unsigned long)addr; \
11281 + unsigned long __addr_ao = __addr & PAGE_MASK; \
11282 + unsigned long __end_ao = __addr + __size - 1; \
11283 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
11284 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
11285 + while(__addr_ao <= __end_ao) { \
11286 + char __c_ao; \
11287 + __addr_ao += PAGE_SIZE; \
11288 + if (__size > PAGE_SIZE) \
11289 + cond_resched(); \
11290 + if (__get_user(__c_ao, (char __user *)__addr)) \
11291 + break; \
11292 + if (type != VERIFY_WRITE) { \
11293 + __addr = __addr_ao; \
11294 + continue; \
11295 + } \
11296 + if (__put_user(__c_ao, (char __user *)__addr)) \
11297 + break; \
11298 + __addr = __addr_ao; \
11299 + } \
11300 + } \
11301 + __ret_ao; \
11302 +})
11303
11304 /*
11305 * The exception table consists of pairs of addresses: the first is the
11306 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
11307 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
11308 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
11309
11310 -
11311 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
11312 +#define __copyuser_seg "gs;"
11313 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
11314 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
11315 +#else
11316 +#define __copyuser_seg
11317 +#define __COPYUSER_SET_ES
11318 +#define __COPYUSER_RESTORE_ES
11319 +#endif
11320
11321 #ifdef CONFIG_X86_32
11322 #define __put_user_asm_u64(x, addr, err, errret) \
11323 - asm volatile("1: movl %%eax,0(%2)\n" \
11324 - "2: movl %%edx,4(%2)\n" \
11325 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
11326 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
11327 "3:\n" \
11328 ".section .fixup,\"ax\"\n" \
11329 "4: movl %3,%0\n" \
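Review bot: `__copyuser_seg`, `__COPYUSER_SET_ES` and `__COPYUSER_RESTORE_ES` are introduced without any comment, and the restore sequence `pushl %%ss; popl %%es` relies on %ss holding the kernel data selector at every place the pair is used. Add a comment above the block such as `/* UDEREF/i386: user memory is addressed through %gs; string instructions need %es switched to it and restored afterwards */`. Also note that `"gs;"` is pasted directly in front of the mnemonic in each asm string, so a use site that forgets the trailing space or newline convention will not assemble; stating that in the comment helps. `__put_user_asm_u64` continues outside this hunk.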
11330 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
11331 : "A" (x), "r" (addr), "i" (errret), "0" (err))
11332
11333 #define __put_user_asm_ex_u64(x, addr) \
11334 - asm volatile("1: movl %%eax,0(%1)\n" \
11335 - "2: movl %%edx,4(%1)\n" \
11336 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
11337 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
11338 "3:\n" \
11339 _ASM_EXTABLE(1b, 2b - 1b) \
11340 _ASM_EXTABLE(2b, 3b - 2b) \
11341 @@ -374,7 +416,7 @@ do { \
11342 } while (0)
11343
11344 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
11345 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
11346 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
11347 "2:\n" \
11348 ".section .fixup,\"ax\"\n" \
11349 "3: mov %3,%0\n" \
11350 @@ -382,7 +424,7 @@ do { \
11351 " jmp 2b\n" \
11352 ".previous\n" \
11353 _ASM_EXTABLE(1b, 3b) \
11354 - : "=r" (err), ltype(x) \
11355 + : "=r" (err), ltype (x) \
11356 : "m" (__m(addr)), "i" (errret), "0" (err))
11357
11358 #define __get_user_size_ex(x, ptr, size) \
11359 @@ -407,7 +449,7 @@ do { \
11360 } while (0)
11361
11362 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
11363 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
11364 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
11365 "2:\n" \
11366 _ASM_EXTABLE(1b, 2b - 1b) \
11367 : ltype(x) : "m" (__m(addr)))
11368 @@ -424,13 +466,24 @@ do { \
11369 int __gu_err; \
11370 unsigned long __gu_val; \
11371 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
11372 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
11373 + (x) = (__typeof__(*(ptr)))__gu_val; \
11374 __gu_err; \
11375 })
11376
11377 /* FIXME: this hack is definitely wrong -AK */
11378 struct __large_struct { unsigned long buf[100]; };
11379 -#define __m(x) (*(struct __large_struct __user *)(x))
11380 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11381 +#define ____m(x) \
11382 +({ \
11383 + unsigned long ____x = (unsigned long)(x); \
11384 + if (____x < PAX_USER_SHADOW_BASE) \
11385 + ____x += PAX_USER_SHADOW_BASE; \
11386 + (void __user *)____x; \
11387 +})
11388 +#else
11389 +#define ____m(x) (x)
11390 +#endif
11391 +#define __m(x) (*(struct __large_struct __user *)____m(x))
11392
11393 /*
11394 * Tell gcc we read from memory instead of writing: this is because
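Review bot: Dropping `__force` from `(x) = (__typeof__(*(ptr)))__gu_val;` (and from the same cast in `get_user_ex()` in the `@@ -530,7 +591,7 @@` hunk) makes sparse complain again whenever `*(ptr)` has a `__bitwise` type such as `__le32`, because the value comes from a plain `unsigned long`. Unless a checker used elsewhere in this patch requires the removal, keep `(__force __typeof__(*(ptr)))__gu_val`. Separately, `____m()` should carry a comment stating that pointers below `PAX_USER_SHADOW_BASE` are rebased by that amount and that anything at or above it is passed through unchanged. The macro that contains the cast starts outside this hunk.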
11395 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
11396 * aliasing issues.
11397 */
11398 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
11399 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
11400 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
11401 "2:\n" \
11402 ".section .fixup,\"ax\"\n" \
11403 "3: mov %3,%0\n" \
11404 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
11405 ".previous\n" \
11406 _ASM_EXTABLE(1b, 3b) \
11407 : "=r"(err) \
11408 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
11409 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
11410
11411 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
11412 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
11413 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
11414 "2:\n" \
11415 _ASM_EXTABLE(1b, 2b - 1b) \
11416 : : ltype(x), "m" (__m(addr)))
11417 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
11418 * On error, the variable @x is set to zero.
11419 */
11420
11421 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11422 +#define __get_user(x, ptr) get_user((x), (ptr))
11423 +#else
11424 #define __get_user(x, ptr) \
11425 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
11426 +#endif
11427
11428 /**
11429 * __put_user: - Write a simple value into user space, with less checking.
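Review bot: Under `CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF` `__get_user()` becomes an alias of the fully checked `get_user()` (and `__put_user()` of `put_user()` in the `@@ -511,8 +568,12 @@` hunk), but the kernel-doc above both still describes the variants with less checking. Add a line next to each alias, for example `/* UDEREF/amd64: __get_user() is get_user() here, the range check is always done */`. The new `access_ok()` earlier in this file calls `__get_user()` and `__put_user()` from its probe loop, so in this configuration every probe repeats the range check; that looks harmless, but it belongs in the comment because it changes the cost of `access_ok()` on multi-page ranges.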
11430 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
11431 * Returns zero on success, or -EFAULT on error.
11432 */
11433
11434 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11435 +#define __put_user(x, ptr) put_user((x), (ptr))
11436 +#else
11437 #define __put_user(x, ptr) \
11438 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
11439 +#endif
11440
11441 #define __get_user_unaligned __get_user
11442 #define __put_user_unaligned __put_user
11443 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
11444 #define get_user_ex(x, ptr) do { \
11445 unsigned long __gue_val; \
11446 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
11447 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
11448 + (x) = (__typeof__(*(ptr)))__gue_val; \
11449 } while (0)
11450
11451 #ifdef CONFIG_X86_WP_WORKS_OK
11452 @@ -567,6 +628,7 @@ extern struct movsl_mask {
11453
11454 #define ARCH_HAS_NOCACHE_UACCESS 1
11455
11456 +#define ARCH_HAS_SORT_EXTABLE
11457 #ifdef CONFIG_X86_32
11458 # include "uaccess_32.h"
11459 #else
11460 diff -urNp linux-2.6.32.46/arch/x86/include/asm/vgtod.h linux-2.6.32.46/arch/x86/include/asm/vgtod.h
11461 --- linux-2.6.32.46/arch/x86/include/asm/vgtod.h 2011-03-27 14:31:47.000000000 -0400
11462 +++ linux-2.6.32.46/arch/x86/include/asm/vgtod.h 2011-04-17 15:56:46.000000000 -0400
11463 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
11464 int sysctl_enabled;
11465 struct timezone sys_tz;
11466 struct { /* extract of a clocksource struct */
11467 + char name[8];
11468 cycle_t (*vread)(void);
11469 cycle_t cycle_last;
11470 cycle_t mask;
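Review bot: `char name[8]` is a fixed-size buffer with no named constant and no statement about termination, so whatever fills it (the copy site is outside this hunk) has to bound the copy and NUL-terminate it itself. State the contract next to the field, e.g. `char name[8]; /* clocksource name, NUL-terminated, truncated if longer */`, and have the writer use a size-bounded copy driven by `sizeof` of the field rather than a literal 8. The struct continues outside the hunk.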
11471 diff -urNp linux-2.6.32.46/arch/x86/include/asm/vmi.h linux-2.6.32.46/arch/x86/include/asm/vmi.h
11472 --- linux-2.6.32.46/arch/x86/include/asm/vmi.h 2011-03-27 14:31:47.000000000 -0400
11473 +++ linux-2.6.32.46/arch/x86/include/asm/vmi.h 2011-04-17 15:56:46.000000000 -0400
11474 @@ -191,6 +191,7 @@ struct vrom_header {
11475 u8 reserved[96]; /* Reserved for headers */
11476 char vmi_init[8]; /* VMI_Init jump point */
11477 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
11478 + char rom_data[8048]; /* rest of the option ROM */
11479 } __attribute__((packed));
11480
11481 struct pnp_header {
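Review bot: `rom_data[8048]` is a magic length whose relation to the other members of the packed `struct vrom_header` is not stated, so a later change to any header field silently changes the total size. Presumably the array pads the structure out to the full option ROM image; if so, say that in the comment and pin it with a `BUILD_BUG_ON()` on `sizeof(struct vrom_header)` against the intended ROM size where the header is first used. The start of the struct is outside the hunk.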
11482 diff -urNp linux-2.6.32.46/arch/x86/include/asm/vmi_time.h linux-2.6.32.46/arch/x86/include/asm/vmi_time.h
11483 --- linux-2.6.32.46/arch/x86/include/asm/vmi_time.h 2011-03-27 14:31:47.000000000 -0400
11484 +++ linux-2.6.32.46/arch/x86/include/asm/vmi_time.h 2011-08-05 20:33:55.000000000 -0400
11485 @@ -43,7 +43,7 @@ extern struct vmi_timer_ops {
11486 int (*wallclock_updated)(void);
11487 void (*set_alarm)(u32 flags, u64 expiry, u64 period);
11488 void (*cancel_alarm)(u32 flags);
11489 -} vmi_timer_ops;
11490 +} __no_const vmi_timer_ops;
11491
11492 /* Prototypes */
11493 extern void __init vmi_time_init(void);
11494 diff -urNp linux-2.6.32.46/arch/x86/include/asm/vsyscall.h linux-2.6.32.46/arch/x86/include/asm/vsyscall.h
11495 --- linux-2.6.32.46/arch/x86/include/asm/vsyscall.h 2011-03-27 14:31:47.000000000 -0400
11496 +++ linux-2.6.32.46/arch/x86/include/asm/vsyscall.h 2011-04-17 15:56:46.000000000 -0400
11497 @@ -15,9 +15,10 @@ enum vsyscall_num {
11498
11499 #ifdef __KERNEL__
11500 #include <linux/seqlock.h>
11501 +#include <linux/getcpu.h>
11502 +#include <linux/time.h>
11503
11504 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
11505 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
11506
11507 /* Definitions for CONFIG_GENERIC_TIME definitions */
11508 #define __section_vsyscall_gtod_data __attribute__ \
11509 @@ -31,7 +32,6 @@ enum vsyscall_num {
11510 #define VGETCPU_LSL 2
11511
11512 extern int __vgetcpu_mode;
11513 -extern volatile unsigned long __jiffies;
11514
11515 /* kernel space (writeable) */
11516 extern int vgetcpu_mode;
11517 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
11518
11519 extern void map_vsyscall(void);
11520
11521 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
11522 +extern time_t vtime(time_t *t);
11523 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
11524 #endif /* __KERNEL__ */
11525
11526 #endif /* _ASM_X86_VSYSCALL_H */
11527 diff -urNp linux-2.6.32.46/arch/x86/include/asm/x86_init.h linux-2.6.32.46/arch/x86/include/asm/x86_init.h
11528 --- linux-2.6.32.46/arch/x86/include/asm/x86_init.h 2011-03-27 14:31:47.000000000 -0400
11529 +++ linux-2.6.32.46/arch/x86/include/asm/x86_init.h 2011-08-05 20:33:55.000000000 -0400
11530 @@ -28,7 +28,7 @@ struct x86_init_mpparse {
11531 void (*mpc_oem_bus_info)(struct mpc_bus *m, char *name);
11532 void (*find_smp_config)(unsigned int reserve);
11533 void (*get_smp_config)(unsigned int early);
11534 -};
11535 +} __no_const;
11536
11537 /**
11538 * struct x86_init_resources - platform specific resource related ops
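Review bot: `__no_const` is added to every ops structure in this header (this hunk and the eight that follow) without a stated reason, which leaves all of these function-pointer tables writable for the lifetime of the kernel. The `x86_init_*` tables look, by name, as if they are only assigned during early setup; it is worth confirming whether any of them is written after boot. Where none is, document the exemption with a comment such as `/* assigned by platform setup code at boot, hence not constified */` so a later pass can move the table to storage that is made read-only once init has finished.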
11539 @@ -42,7 +42,7 @@ struct x86_init_resources {
11540 void (*probe_roms)(void);
11541 void (*reserve_resources)(void);
11542 char *(*memory_setup)(void);
11543 -};
11544 +} __no_const;
11545
11546 /**
11547 * struct x86_init_irqs - platform specific interrupt setup
11548 @@ -55,7 +55,7 @@ struct x86_init_irqs {
11549 void (*pre_vector_init)(void);
11550 void (*intr_init)(void);
11551 void (*trap_init)(void);
11552 -};
11553 +} __no_const;
11554
11555 /**
11556 * struct x86_init_oem - oem platform specific customizing functions
11557 @@ -65,7 +65,7 @@ struct x86_init_irqs {
11558 struct x86_init_oem {
11559 void (*arch_setup)(void);
11560 void (*banner)(void);
11561 -};
11562 +} __no_const;
11563
11564 /**
11565 * struct x86_init_paging - platform specific paging functions
11566 @@ -75,7 +75,7 @@ struct x86_init_oem {
11567 struct x86_init_paging {
11568 void (*pagetable_setup_start)(pgd_t *base);
11569 void (*pagetable_setup_done)(pgd_t *base);
11570 -};
11571 +} __no_const;
11572
11573 /**
11574 * struct x86_init_timers - platform specific timer setup
11575 @@ -88,7 +88,7 @@ struct x86_init_timers {
11576 void (*setup_percpu_clockev)(void);
11577 void (*tsc_pre_init)(void);
11578 void (*timer_init)(void);
11579 -};
11580 +} __no_const;
11581
11582 /**
11583 * struct x86_init_ops - functions for platform specific setup
11584 @@ -101,7 +101,7 @@ struct x86_init_ops {
11585 struct x86_init_oem oem;
11586 struct x86_init_paging paging;
11587 struct x86_init_timers timers;
11588 -};
11589 +} __no_const;
11590
11591 /**
11592 * struct x86_cpuinit_ops - platform specific cpu hotplug setups
11593 @@ -109,7 +109,7 @@ struct x86_init_ops {
11594 */
11595 struct x86_cpuinit_ops {
11596 void (*setup_percpu_clockev)(void);
11597 -};
11598 +} __no_const;
11599
11600 /**
11601 * struct x86_platform_ops - platform specific runtime functions
11602 @@ -121,7 +121,7 @@ struct x86_platform_ops {
11603 unsigned long (*calibrate_tsc)(void);
11604 unsigned long (*get_wallclock)(void);
11605 int (*set_wallclock)(unsigned long nowtime);
11606 -};
11607 +} __no_const;
11608
11609 extern struct x86_init_ops x86_init;
11610 extern struct x86_cpuinit_ops x86_cpuinit;
11611 diff -urNp linux-2.6.32.46/arch/x86/include/asm/xsave.h linux-2.6.32.46/arch/x86/include/asm/xsave.h
11612 --- linux-2.6.32.46/arch/x86/include/asm/xsave.h 2011-03-27 14:31:47.000000000 -0400
11613 +++ linux-2.6.32.46/arch/x86/include/asm/xsave.h 2011-04-17 15:56:46.000000000 -0400
11614 @@ -56,6 +56,12 @@ static inline int xrstor_checking(struct
11615 static inline int xsave_user(struct xsave_struct __user *buf)
11616 {
11617 int err;
11618 +
11619 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11620 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
11621 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
11622 +#endif
11623 +
11624 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
11625 "2:\n"
11626 ".section .fixup,\"ax\"\n"
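Review bot: The rebasing `if ((unsigned long)buf < PAX_USER_SHADOW_BASE) buf = ... + PAX_USER_SHADOW_BASE;` is written out by hand here and again for `xstate` in `xrestore_user()` in the next hunk, repeating the logic of the `____m()` macro this patch adds to the uaccess header. One shared helper would keep the three copies from drifting apart. The addition is also done on a `void __user *`, which relies on the GNU void-pointer arithmetic extension; going through `unsigned long`, as `____m()` does, is clearer. Both function bodies continue outside their hunks.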
11627 @@ -82,6 +88,11 @@ static inline int xrestore_user(struct x
11628 u32 lmask = mask;
11629 u32 hmask = mask >> 32;
11630
11631 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11632 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
11633 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
11634 +#endif
11635 +
11636 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
11637 "2:\n"
11638 ".section .fixup,\"ax\"\n"
11639 diff -urNp linux-2.6.32.46/arch/x86/Kconfig linux-2.6.32.46/arch/x86/Kconfig
11640 --- linux-2.6.32.46/arch/x86/Kconfig 2011-03-27 14:31:47.000000000 -0400
11641 +++ linux-2.6.32.46/arch/x86/Kconfig 2011-04-17 15:56:46.000000000 -0400
11642 @@ -223,7 +223,7 @@ config X86_TRAMPOLINE
11643
11644 config X86_32_LAZY_GS
11645 def_bool y
11646 - depends on X86_32 && !CC_STACKPROTECTOR
11647 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
11648
11649 config KTIME_SCALAR
11650 def_bool X86_32
11651 @@ -1008,7 +1008,7 @@ choice
11652
11653 config NOHIGHMEM
11654 bool "off"
11655 - depends on !X86_NUMAQ
11656 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
11657 ---help---
11658 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
11659 However, the address space of 32-bit x86 processors is only 4
11660 @@ -1045,7 +1045,7 @@ config NOHIGHMEM
11661
11662 config HIGHMEM4G
11663 bool "4GB"
11664 - depends on !X86_NUMAQ
11665 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
11666 ---help---
11667 Select this if you have a 32-bit processor and between 1 and 4
11668 gigabytes of physical RAM.
11669 @@ -1099,7 +1099,7 @@ config PAGE_OFFSET
11670 hex
11671 default 0xB0000000 if VMSPLIT_3G_OPT
11672 default 0x80000000 if VMSPLIT_2G
11673 - default 0x78000000 if VMSPLIT_2G_OPT
11674 + default 0x70000000 if VMSPLIT_2G_OPT
11675 default 0x40000000 if VMSPLIT_1G
11676 default 0xC0000000
11677 depends on X86_32
11678 @@ -1430,7 +1430,7 @@ config ARCH_USES_PG_UNCACHED
11679
11680 config EFI
11681 bool "EFI runtime service support"
11682 - depends on ACPI
11683 + depends on ACPI && !PAX_KERNEXEC
11684 ---help---
11685 This enables the kernel to use EFI runtime services that are
11686 available (such as the EFI variable services).
11687 @@ -1460,6 +1460,7 @@ config SECCOMP
11688
11689 config CC_STACKPROTECTOR
11690 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
11691 + depends on X86_64 || !PAX_MEMORY_UDEREF
11692 ---help---
11693 This option turns on the -fstack-protector GCC feature. This
11694 feature puts, at the beginning of functions, a canary value on
11695 @@ -1517,6 +1518,7 @@ config KEXEC_JUMP
11696 config PHYSICAL_START
11697 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
11698 default "0x1000000"
11699 + range 0x400000 0x40000000
11700 ---help---
11701 This gives the physical address where the kernel is loaded.
11702
11703 @@ -1581,6 +1583,7 @@ config PHYSICAL_ALIGN
11704 hex
11705 prompt "Alignment value to which kernel should be aligned" if X86_32
11706 default "0x1000000"
11707 + range 0x400000 0x1000000 if PAX_KERNEXEC
11708 range 0x2000 0x1000000
11709 ---help---
11710 This value puts the alignment restrictions on physical address
11711 @@ -1612,9 +1615,10 @@ config HOTPLUG_CPU
11712 Say N if you want to disable CPU hotplug.
11713
11714 config COMPAT_VDSO
11715 - def_bool y
11716 + def_bool n
11717 prompt "Compat VDSO support"
11718 depends on X86_32 || IA32_EMULATION
11719 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
11720 ---help---
11721 Map the 32-bit VDSO to the predictable old-style address too.
11722 ---help---
11723 diff -urNp linux-2.6.32.46/arch/x86/Kconfig.cpu linux-2.6.32.46/arch/x86/Kconfig.cpu
11724 --- linux-2.6.32.46/arch/x86/Kconfig.cpu 2011-03-27 14:31:47.000000000 -0400
11725 +++ linux-2.6.32.46/arch/x86/Kconfig.cpu 2011-04-17 15:56:46.000000000 -0400
11726 @@ -340,7 +340,7 @@ config X86_PPRO_FENCE
11727
11728 config X86_F00F_BUG
11729 def_bool y
11730 - depends on M586MMX || M586TSC || M586 || M486 || M386
11731 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
11732
11733 config X86_WP_WORKS_OK
11734 def_bool y
11735 @@ -360,7 +360,7 @@ config X86_POPAD_OK
11736
11737 config X86_ALIGNMENT_16
11738 def_bool y
11739 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
11740 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
11741
11742 config X86_INTEL_USERCOPY
11743 def_bool y
11744 @@ -406,7 +406,7 @@ config X86_CMPXCHG64
11745 # generates cmov.
11746 config X86_CMOV
11747 def_bool y
11748 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
11749 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
11750
11751 config X86_MINIMUM_CPU_FAMILY
11752 int
11753 diff -urNp linux-2.6.32.46/arch/x86/Kconfig.debug linux-2.6.32.46/arch/x86/Kconfig.debug
11754 --- linux-2.6.32.46/arch/x86/Kconfig.debug 2011-03-27 14:31:47.000000000 -0400
11755 +++ linux-2.6.32.46/arch/x86/Kconfig.debug 2011-04-17 15:56:46.000000000 -0400
11756 @@ -99,7 +99,7 @@ config X86_PTDUMP
11757 config DEBUG_RODATA
11758 bool "Write protect kernel read-only data structures"
11759 default y
11760 - depends on DEBUG_KERNEL
11761 + depends on DEBUG_KERNEL && BROKEN
11762 ---help---
11763 Mark the kernel read-only data as write-protected in the pagetables,
11764 in order to catch accidental (and incorrect) writes to such const
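Review bot: Making `DEBUG_RODATA` depend on `BROKEN` removes the option for every configuration, including kernels built without `PAX_KERNEXEC`, which then get no write protection of read-only kernel data from this option. If the aim is only to avoid a clash with KERNEXEC, `depends on DEBUG_KERNEL && !PAX_KERNEXEC` keeps the stock protection available to everyone else. If KERNEXEC is meant to be the sole provider of this protection, the help text should say so, since a user who leaves KERNEXEC off will otherwise not notice the loss.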
11765 diff -urNp linux-2.6.32.46/arch/x86/kernel/acpi/realmode/Makefile linux-2.6.32.46/arch/x86/kernel/acpi/realmode/Makefile
11766 --- linux-2.6.32.46/arch/x86/kernel/acpi/realmode/Makefile 2011-03-27 14:31:47.000000000 -0400
11767 +++ linux-2.6.32.46/arch/x86/kernel/acpi/realmode/Makefile 2011-08-07 14:38:58.000000000 -0400
11768 @@ -41,6 +41,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
11769 $(call cc-option, -fno-stack-protector) \
11770 $(call cc-option, -mpreferred-stack-boundary=2)
11771 KBUILD_CFLAGS += $(call cc-option, -m32)
11772 +ifdef CONSTIFY_PLUGIN
11773 +KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
11774 +endif
11775 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
11776 GCOV_PROFILE := n
11777
11778 diff -urNp linux-2.6.32.46/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.32.46/arch/x86/kernel/acpi/realmode/wakeup.S
11779 --- linux-2.6.32.46/arch/x86/kernel/acpi/realmode/wakeup.S 2011-03-27 14:31:47.000000000 -0400
11780 +++ linux-2.6.32.46/arch/x86/kernel/acpi/realmode/wakeup.S 2011-07-01 18:53:40.000000000 -0400
11781 @@ -91,6 +91,9 @@ _start:
11782 /* Do any other stuff... */
11783
11784 #ifndef CONFIG_64BIT
11785 + /* Recheck NX bit overrides (64bit path does this in trampoline) */
11786 + call verify_cpu
11787 +
11788 /* This could also be done in C code... */
11789 movl pmode_cr3, %eax
11790 movl %eax, %cr3
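Review bot: Any status `verify_cpu` reports is not checked here: assuming it returns in %eax, the very next instruction `movl pmode_cr3, %eax` overwrites it, so the call is used only for its side effect of re-applying the NX override. Extend the comment to say that, e.g. `/* Recheck NX bit overrides (64bit path does this in trampoline); return value intentionally ignored */`. The `mov $MSR_EFER, %ecx` in the next hunk needs the MSR definitions in scope, and no include is visible in these hunks, so confirm this file already pulls them in.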
11791 @@ -104,7 +107,7 @@ _start:
11792 movl %eax, %ecx
11793 orl %edx, %ecx
11794 jz 1f
11795 - movl $0xc0000080, %ecx
11796 + mov $MSR_EFER, %ecx
11797 wrmsr
11798 1:
11799
11800 @@ -114,6 +117,7 @@ _start:
11801 movl pmode_cr0, %eax
11802 movl %eax, %cr0
11803 jmp pmode_return
11804 +# include "../../verify_cpu.S"
11805 #else
11806 pushw $0
11807 pushw trampoline_segment
11808 diff -urNp linux-2.6.32.46/arch/x86/kernel/acpi/sleep.c linux-2.6.32.46/arch/x86/kernel/acpi/sleep.c
11809 --- linux-2.6.32.46/arch/x86/kernel/acpi/sleep.c 2011-03-27 14:31:47.000000000 -0400
11810 +++ linux-2.6.32.46/arch/x86/kernel/acpi/sleep.c 2011-07-01 19:01:34.000000000 -0400
11811 @@ -11,11 +11,12 @@
11812 #include <linux/cpumask.h>
11813 #include <asm/segment.h>
11814 #include <asm/desc.h>
11815 +#include <asm/e820.h>
11816
11817 #include "realmode/wakeup.h"
11818 #include "sleep.h"
11819
11820 -unsigned long acpi_wakeup_address;
11821 +unsigned long acpi_wakeup_address = 0x2000;
11822 unsigned long acpi_realmode_flags;
11823
11824 /* address in low memory of the wakeup routine. */
11825 @@ -98,9 +99,13 @@ int acpi_save_state_mem(void)
11826 #else /* CONFIG_64BIT */
11827 header->trampoline_segment = setup_trampoline() >> 4;
11828 #ifdef CONFIG_SMP
11829 - stack_start.sp = temp_stack + sizeof(temp_stack);
11830 + stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
11831 +
11832 + pax_open_kernel();
11833 early_gdt_descr.address =
11834 (unsigned long)get_cpu_gdt_table(smp_processor_id());
11835 + pax_close_kernel();
11836 +
11837 initial_gs = per_cpu_offset(smp_processor_id());
11838 #endif
11839 initial_code = (unsigned long)wakeup_long64;
11840 @@ -134,14 +139,8 @@ void __init acpi_reserve_bootmem(void)
11841 return;
11842 }
11843
11844 - acpi_realmode = (unsigned long)alloc_bootmem_low(WAKEUP_SIZE);
11845 -
11846 - if (!acpi_realmode) {
11847 - printk(KERN_ERR "ACPI: Cannot allocate lowmem, S3 disabled.\n");
11848 - return;
11849 - }
11850 -
11851 - acpi_wakeup_address = virt_to_phys((void *)acpi_realmode);
11852 + reserve_early(acpi_wakeup_address, acpi_wakeup_address + WAKEUP_SIZE, "ACPI Wakeup Code");
11853 + acpi_realmode = (unsigned long)__va(acpi_wakeup_address);;
11854 }
11855
11856
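Review bot: `acpi_realmode = (unsigned long)__va(acpi_wakeup_address);;` ends in a stray second semicolon, and this hunk replaces an allocation that could fail gracefully (the removed "S3 disabled" path) with an unconditional `reserve_early()` at the fixed address `0x2000` set in the first hunk of this file. Nothing visible checks that `[0x2000, 0x2000 + WAKEUP_SIZE)` is usable RAM or not already reserved; how `reserve_early()` reacts to an overlap is outside this hunk and should be confirmed. Drop the extra `;` and give `0x2000` a named constant with a comment explaining why the wakeup code must live at a fixed low address.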
11857 diff -urNp linux-2.6.32.46/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.32.46/arch/x86/kernel/acpi/wakeup_32.S
11858 --- linux-2.6.32.46/arch/x86/kernel/acpi/wakeup_32.S 2011-03-27 14:31:47.000000000 -0400
11859 +++ linux-2.6.32.46/arch/x86/kernel/acpi/wakeup_32.S 2011-04-17 15:56:46.000000000 -0400
11860 @@ -30,13 +30,11 @@ wakeup_pmode_return:
11861 # and restore the stack ... but you need gdt for this to work
11862 movl saved_context_esp, %esp
11863
11864 - movl %cs:saved_magic, %eax
11865 - cmpl $0x12345678, %eax
11866 + cmpl $0x12345678, saved_magic
11867 jne bogus_magic
11868
11869 # jump to place where we left off
11870 - movl saved_eip, %eax
11871 - jmp *%eax
11872 + jmp *(saved_eip)
11873
11874 bogus_magic:
11875 jmp bogus_magic
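Review bot: The `%cs:` override on the `saved_magic` read is dropped without explanation, so both `cmpl $0x12345678, saved_magic` and `jmp *(saved_eip)` now read through %ds. Add a comment stating that %ds is already reloaded with a valid kernel data selector at this point in `wakeup_pmode_return` (the reloads, if any, are above the hunk) and why %cs is no longer used for data reads. Without it the change looks like a harmless cleanup and is easy to revert by mistake.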
11876 diff -urNp linux-2.6.32.46/arch/x86/kernel/alternative.c linux-2.6.32.46/arch/x86/kernel/alternative.c
11877 --- linux-2.6.32.46/arch/x86/kernel/alternative.c 2011-03-27 14:31:47.000000000 -0400
11878 +++ linux-2.6.32.46/arch/x86/kernel/alternative.c 2011-04-17 15:56:46.000000000 -0400
11879 @@ -407,7 +407,7 @@ void __init_or_module apply_paravirt(str
11880
11881 BUG_ON(p->len > MAX_PATCH_LEN);
11882 /* prep the buffer with the original instructions */
11883 - memcpy(insnbuf, p->instr, p->len);
11884 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
11885 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
11886 (unsigned long)p->instr, p->len);
11887
11888 @@ -475,7 +475,7 @@ void __init alternative_instructions(voi
11889 if (smp_alt_once)
11890 free_init_pages("SMP alternatives",
11891 (unsigned long)__smp_locks,
11892 - (unsigned long)__smp_locks_end);
11893 + PAGE_ALIGN((unsigned long)__smp_locks_end));
11894
11895 restart_nmi();
11896 }
11897 @@ -492,13 +492,17 @@ void __init alternative_instructions(voi
11898 * instructions. And on the local CPU you need to be protected again NMI or MCE
11899 * handlers seeing an inconsistent instruction while you patch.
11900 */
11901 -static void *__init_or_module text_poke_early(void *addr, const void *opcode,
11902 +static void *__kprobes text_poke_early(void *addr, const void *opcode,
11903 size_t len)
11904 {
11905 unsigned long flags;
11906 local_irq_save(flags);
11907 - memcpy(addr, opcode, len);
11908 +
11909 + pax_open_kernel();
11910 + memcpy(ktla_ktva(addr), opcode, len);
11911 sync_core();
11912 + pax_close_kernel();
11913 +
11914 local_irq_restore(flags);
11915 /* Could also do a CLFLUSH here to speed up CPU recovery; but
11916 that causes hangs on some VIA CPUs. */
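Review bot: `text_poke_early()` loses `__init_or_module` and is called from `text_poke()` at runtime in the next hunk, so the block comment above it (only its tail is visible here) should no longer describe a boot-time-only helper if it still does. Update it to say that the function opens a kernel write window with `pax_open_kernel()`, writes through the `ktla_ktva()` alias of `addr` with interrupts disabled, and closes the window after `sync_core()`. The end of the function is outside this hunk.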
11917 @@ -520,35 +524,21 @@ static void *__init_or_module text_poke_
11918 */
11919 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
11920 {
11921 - unsigned long flags;
11922 - char *vaddr;
11923 + unsigned char *vaddr = ktla_ktva(addr);
11924 struct page *pages[2];
11925 - int i;
11926 + size_t i;
11927
11928 if (!core_kernel_text((unsigned long)addr)) {
11929 - pages[0] = vmalloc_to_page(addr);
11930 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
11931 + pages[0] = vmalloc_to_page(vaddr);
11932 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
11933 } else {
11934 - pages[0] = virt_to_page(addr);
11935 + pages[0] = virt_to_page(vaddr);
11936 WARN_ON(!PageReserved(pages[0]));
11937 - pages[1] = virt_to_page(addr + PAGE_SIZE);
11938 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
11939 }
11940 BUG_ON(!pages[0]);
11941 - local_irq_save(flags);
11942 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
11943 - if (pages[1])
11944 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
11945 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
11946 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
11947 - clear_fixmap(FIX_TEXT_POKE0);
11948 - if (pages[1])
11949 - clear_fixmap(FIX_TEXT_POKE1);
11950 - local_flush_tlb();
11951 - sync_core();
11952 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
11953 - that causes hangs on some VIA CPUs. */
11954 + text_poke_early(addr, opcode, len);
11955 for (i = 0; i < len; i++)
11956 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
11957 - local_irq_restore(flags);
11958 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
11959 return addr;
11960 }
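Review bot: After this rewrite `pages[]` no longer takes part in the write: `pages[1]` is assigned in both branches and never read, and `pages[0]` only feeds `WARN_ON()` and `BUG_ON()`. Either drop the second lookup (`vmalloc_to_page(vaddr + PAGE_SIZE)` and `virt_to_page(vaddr + PAGE_SIZE)`) and reduce `pages` to a single pointer, or add a comment that the lookups are kept purely as sanity checks. The read-back loop now runs after `text_poke_early()` has restored interrupts, whereas the removed code compared before `local_irq_restore()`. The kernel-doc above `text_poke()` is outside the hunk and presumably still describes the fixmap-based write, so it needs the same update.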
11961 diff -urNp linux-2.6.32.46/arch/x86/kernel/amd_iommu.c linux-2.6.32.46/arch/x86/kernel/amd_iommu.c
11962 --- linux-2.6.32.46/arch/x86/kernel/amd_iommu.c 2011-03-27 14:31:47.000000000 -0400
11963 +++ linux-2.6.32.46/arch/x86/kernel/amd_iommu.c 2011-04-17 15:56:46.000000000 -0400
11964 @@ -2076,7 +2076,7 @@ static void prealloc_protection_domains(
11965 }
11966 }
11967
11968 -static struct dma_map_ops amd_iommu_dma_ops = {
11969 +static const struct dma_map_ops amd_iommu_dma_ops = {
11970 .alloc_coherent = alloc_coherent,
11971 .free_coherent = free_coherent,
11972 .map_page = map_page,
11973 diff -urNp linux-2.6.32.46/arch/x86/kernel/apic/apic.c linux-2.6.32.46/arch/x86/kernel/apic/apic.c
11974 --- linux-2.6.32.46/arch/x86/kernel/apic/apic.c 2011-03-27 14:31:47.000000000 -0400
11975 +++ linux-2.6.32.46/arch/x86/kernel/apic/apic.c 2011-08-17 20:00:16.000000000 -0400
11976 @@ -170,7 +170,7 @@ int first_system_vector = 0xfe;
11977 /*
11978 * Debug level, exported for io_apic.c
11979 */
11980 -unsigned int apic_verbosity;
11981 +int apic_verbosity;
11982
11983 int pic_mode;
11984
11985 @@ -1794,7 +1794,7 @@ void smp_error_interrupt(struct pt_regs
11986 apic_write(APIC_ESR, 0);
11987 v1 = apic_read(APIC_ESR);
11988 ack_APIC_irq();
11989 - atomic_inc(&irq_err_count);
11990 + atomic_inc_unchecked(&irq_err_count);
11991
11992 /*
11993 * Here is what the APIC error bits mean:
11994 @@ -2184,6 +2184,8 @@ static int __cpuinit apic_cluster_num(vo
11995 u16 *bios_cpu_apicid;
11996 DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
11997
11998 + pax_track_stack();
11999 +
12000 bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
12001 bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
12002
12003 diff -urNp linux-2.6.32.46/arch/x86/kernel/apic/io_apic.c linux-2.6.32.46/arch/x86/kernel/apic/io_apic.c
12004 --- linux-2.6.32.46/arch/x86/kernel/apic/io_apic.c 2011-03-27 14:31:47.000000000 -0400
12005 +++ linux-2.6.32.46/arch/x86/kernel/apic/io_apic.c 2011-05-04 17:56:20.000000000 -0400
12006 @@ -716,7 +716,7 @@ struct IO_APIC_route_entry **alloc_ioapi
12007 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
12008 GFP_ATOMIC);
12009 if (!ioapic_entries)
12010 - return 0;
12011 + return NULL;
12012
12013 for (apic = 0; apic < nr_ioapics; apic++) {
12014 ioapic_entries[apic] =
12015 @@ -733,7 +733,7 @@ nomem:
12016 kfree(ioapic_entries[apic]);
12017 kfree(ioapic_entries);
12018
12019 - return 0;
12020 + return NULL;
12021 }
12022
12023 /*
12024 @@ -1150,7 +1150,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
12025 }
12026 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
12027
12028 -void lock_vector_lock(void)
12029 +void lock_vector_lock(void) __acquires(vector_lock)
12030 {
12031 /* Used to the online set of cpus does not change
12032 * during assign_irq_vector.
12033 @@ -1158,7 +1158,7 @@ void lock_vector_lock(void)
12034 spin_lock(&vector_lock);
12035 }
12036
12037 -void unlock_vector_lock(void)
12038 +void unlock_vector_lock(void) __releases(vector_lock)
12039 {
12040 spin_unlock(&vector_lock);
12041 }
12042 @@ -2542,7 +2542,7 @@ static void ack_apic_edge(unsigned int i
12043 ack_APIC_irq();
12044 }
12045
12046 -atomic_t irq_mis_count;
12047 +atomic_unchecked_t irq_mis_count;
12048
12049 static void ack_apic_level(unsigned int irq)
12050 {
12051 @@ -2626,7 +2626,7 @@ static void ack_apic_level(unsigned int
12052
12053 /* Tail end of version 0x11 I/O APIC bug workaround */
12054 if (!(v & (1 << (i & 0x1f)))) {
12055 - atomic_inc(&irq_mis_count);
12056 + atomic_inc_unchecked(&irq_mis_count);
12057 spin_lock(&ioapic_lock);
12058 __mask_and_edge_IO_APIC_irq(cfg);
12059 __unmask_and_level_IO_APIC_irq(cfg);
12060 diff -urNp linux-2.6.32.46/arch/x86/kernel/apm_32.c linux-2.6.32.46/arch/x86/kernel/apm_32.c
12061 --- linux-2.6.32.46/arch/x86/kernel/apm_32.c 2011-03-27 14:31:47.000000000 -0400
12062 +++ linux-2.6.32.46/arch/x86/kernel/apm_32.c 2011-04-23 12:56:10.000000000 -0400
12063 @@ -410,7 +410,7 @@ static DEFINE_SPINLOCK(user_list_lock);
12064 * This is for buggy BIOS's that refer to (real mode) segment 0x40
12065 * even though they are called in protected mode.
12066 */
12067 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
12068 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
12069 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
12070
12071 static const char driver_version[] = "1.16ac"; /* no spaces */
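Review bot: The descriptor flags change from `0x4092` to `0x4093` with no comment; the only difference is bit 0 of the type field, the accessed bit. Since `bad_bios_desc` becomes `const` and is copied into the GDT inside `pax_open_kernel()` windows later in this file, the bit is presumably pre-set so that the CPU never has to write it back into a protected GDT. Say so next to the initializer: `/* 0x4093: data, read/write, accessed (pre-set so the CPU does not write to the GDT) */`.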
12072 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
12073 BUG_ON(cpu != 0);
12074 gdt = get_cpu_gdt_table(cpu);
12075 save_desc_40 = gdt[0x40 / 8];
12076 +
12077 + pax_open_kernel();
12078 gdt[0x40 / 8] = bad_bios_desc;
12079 + pax_close_kernel();
12080
12081 apm_irq_save(flags);
12082 APM_DO_SAVE_SEGS;
12083 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
12084 &call->esi);
12085 APM_DO_RESTORE_SEGS;
12086 apm_irq_restore(flags);
12087 +
12088 + pax_open_kernel();
12089 gdt[0x40 / 8] = save_desc_40;
12090 + pax_close_kernel();
12091 +
12092 put_cpu();
12093
12094 return call->eax & 0xff;
12095 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
12096 BUG_ON(cpu != 0);
12097 gdt = get_cpu_gdt_table(cpu);
12098 save_desc_40 = gdt[0x40 / 8];
12099 +
12100 + pax_open_kernel();
12101 gdt[0x40 / 8] = bad_bios_desc;
12102 + pax_close_kernel();
12103
12104 apm_irq_save(flags);
12105 APM_DO_SAVE_SEGS;
12106 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
12107 &call->eax);
12108 APM_DO_RESTORE_SEGS;
12109 apm_irq_restore(flags);
12110 +
12111 + pax_open_kernel();
12112 gdt[0x40 / 8] = save_desc_40;
12113 + pax_close_kernel();
12114 +
12115 put_cpu();
12116 return error;
12117 }
12118 @@ -975,7 +989,7 @@ recalc:
12119
12120 static void apm_power_off(void)
12121 {
12122 - unsigned char po_bios_call[] = {
12123 + const unsigned char po_bios_call[] = {
12124 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
12125 0x8e, 0xd0, /* movw ax,ss */
12126 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
12127 @@ -2357,12 +2371,15 @@ static int __init apm_init(void)
12128 * code to that CPU.
12129 */
12130 gdt = get_cpu_gdt_table(0);
12131 +
12132 + pax_open_kernel();
12133 set_desc_base(&gdt[APM_CS >> 3],
12134 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
12135 set_desc_base(&gdt[APM_CS_16 >> 3],
12136 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
12137 set_desc_base(&gdt[APM_DS >> 3],
12138 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
12139 + pax_close_kernel();
12140
12141 proc_create("apm", 0, NULL, &apm_file_ops);
12142
12143 diff -urNp linux-2.6.32.46/arch/x86/kernel/asm-offsets_32.c linux-2.6.32.46/arch/x86/kernel/asm-offsets_32.c
12144 --- linux-2.6.32.46/arch/x86/kernel/asm-offsets_32.c 2011-03-27 14:31:47.000000000 -0400
12145 +++ linux-2.6.32.46/arch/x86/kernel/asm-offsets_32.c 2011-05-16 21:46:57.000000000 -0400
12146 @@ -51,7 +51,6 @@ void foo(void)
12147 OFFSET(CPUINFO_x86_vendor_id, cpuinfo_x86, x86_vendor_id);
12148 BLANK();
12149
12150 - OFFSET(TI_task, thread_info, task);
12151 OFFSET(TI_exec_domain, thread_info, exec_domain);
12152 OFFSET(TI_flags, thread_info, flags);
12153 OFFSET(TI_status, thread_info, status);
12154 @@ -60,6 +59,8 @@ void foo(void)
12155 OFFSET(TI_restart_block, thread_info, restart_block);
12156 OFFSET(TI_sysenter_return, thread_info, sysenter_return);
12157 OFFSET(TI_cpu, thread_info, cpu);
12158 + OFFSET(TI_lowest_stack, thread_info, lowest_stack);
12159 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
12160 BLANK();
12161
12162 OFFSET(GDS_size, desc_ptr, size);
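Review bot: `TI_task_thread_sp0` is defined as the difference of two `task_struct` offsets with no comment, so an assembly user cannot tell which base pointer it is meant to be added to. From the expression it is the distance from the embedded `tinfo` member to `thread.sp0`, so it is only meaningful relative to a `thread_info` that lives inside a `task_struct`. I would say so above the line: `/* offset from &task->tinfo to task->thread.sp0 */`. The identical line added in the asm-offsets_64.c hunk at `@@ -44,6 +44,8 @@` wants the same comment.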
12163 @@ -99,6 +100,7 @@ void foo(void)
12164
12165 DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
12166 DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
12167 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
12168 DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
12169 DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
12170 DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
12171 @@ -115,6 +117,11 @@ void foo(void)
12172 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
12173 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
12174 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
12175 +
12176 +#ifdef CONFIG_PAX_KERNEXEC
12177 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
12178 +#endif
12179 +
12180 #endif
12181
12182 #ifdef CONFIG_XEN
12183 diff -urNp linux-2.6.32.46/arch/x86/kernel/asm-offsets_64.c linux-2.6.32.46/arch/x86/kernel/asm-offsets_64.c
12184 --- linux-2.6.32.46/arch/x86/kernel/asm-offsets_64.c 2011-03-27 14:31:47.000000000 -0400
12185 +++ linux-2.6.32.46/arch/x86/kernel/asm-offsets_64.c 2011-08-23 20:24:19.000000000 -0400
12186 @@ -44,6 +44,8 @@ int main(void)
12187 ENTRY(addr_limit);
12188 ENTRY(preempt_count);
12189 ENTRY(status);
12190 + ENTRY(lowest_stack);
12191 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
12192 #ifdef CONFIG_IA32_EMULATION
12193 ENTRY(sysenter_return);
12194 #endif
12195 @@ -63,6 +65,18 @@ int main(void)
12196 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
12197 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
12198 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
12199 +
12200 +#ifdef CONFIG_PAX_KERNEXEC
12201 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
12202 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
12203 +#endif
12204 +
12205 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12206 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
12207 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
12208 + OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched);
12209 +#endif
12210 +
12211 #endif
12212
12213
12214 @@ -115,6 +129,7 @@ int main(void)
12215 ENTRY(cr8);
12216 BLANK();
12217 #undef ENTRY
12218 + DEFINE(TSS_size, sizeof(struct tss_struct));
12219 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
12220 BLANK();
12221 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
12222 @@ -130,6 +145,7 @@ int main(void)
12223
12224 BLANK();
12225 DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
12226 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
12227 #ifdef CONFIG_XEN
12228 BLANK();
12229 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
12230 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/amd.c linux-2.6.32.46/arch/x86/kernel/cpu/amd.c
12231 --- linux-2.6.32.46/arch/x86/kernel/cpu/amd.c 2011-06-25 12:55:34.000000000 -0400
12232 +++ linux-2.6.32.46/arch/x86/kernel/cpu/amd.c 2011-06-25 12:56:37.000000000 -0400
12233 @@ -602,7 +602,7 @@ static unsigned int __cpuinit amd_size_c
12234 unsigned int size)
12235 {
12236 /* AMD errata T13 (order #21922) */
12237 - if ((c->x86 == 6)) {
12238 + if (c->x86 == 6) {
12239 /* Duron Rev A0 */
12240 if (c->x86_model == 3 && c->x86_mask == 0)
12241 size = 64;
12242 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/common.c linux-2.6.32.46/arch/x86/kernel/cpu/common.c
12243 --- linux-2.6.32.46/arch/x86/kernel/cpu/common.c 2011-03-27 14:31:47.000000000 -0400
12244 +++ linux-2.6.32.46/arch/x86/kernel/cpu/common.c 2011-05-11 18:25:15.000000000 -0400
12245 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
12246
12247 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
12248
12249 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
12250 -#ifdef CONFIG_X86_64
12251 - /*
12252 - * We need valid kernel segments for data and code in long mode too
12253 - * IRET will check the segment types kkeil 2000/10/28
12254 - * Also sysret mandates a special GDT layout
12255 - *
12256 - * TLS descriptors are currently at a different place compared to i386.
12257 - * Hopefully nobody expects them at a fixed place (Wine?)
12258 - */
12259 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
12260 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
12261 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
12262 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
12263 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
12264 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
12265 -#else
12266 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
12267 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12268 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
12269 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
12270 - /*
12271 - * Segments used for calling PnP BIOS have byte granularity.
12272 - * They code segments and data segments have fixed 64k limits,
12273 - * the transfer segment sizes are set at run time.
12274 - */
12275 - /* 32-bit code */
12276 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
12277 - /* 16-bit code */
12278 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
12279 - /* 16-bit data */
12280 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
12281 - /* 16-bit data */
12282 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
12283 - /* 16-bit data */
12284 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
12285 - /*
12286 - * The APM segments have byte granularity and their bases
12287 - * are set at run time. All have 64k limits.
12288 - */
12289 - /* 32-bit code */
12290 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
12291 - /* 16-bit code */
12292 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
12293 - /* data */
12294 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
12295 -
12296 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12297 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12298 - GDT_STACK_CANARY_INIT
12299 -#endif
12300 -} };
12301 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
12302 -
12303 static int __init x86_xsave_setup(char *s)
12304 {
12305 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
12306 @@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
12307 {
12308 struct desc_ptr gdt_descr;
12309
12310 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
12311 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
12312 gdt_descr.size = GDT_SIZE - 1;
12313 load_gdt(&gdt_descr);
12314 /* Reload the per-cpu base */
12315 @@ -798,6 +744,10 @@ static void __cpuinit identify_cpu(struc
12316 /* Filter out anything that depends on CPUID levels we don't have */
12317 filter_cpuid_features(c, true);
12318
12319 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
12320 + setup_clear_cpu_cap(X86_FEATURE_SEP);
12321 +#endif
12322 +
12323 /* If the model name is still unset, do table lookup. */
12324 if (!c->x86_model_id[0]) {
12325 const char *p;
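Review bot: The new `setup_clear_cpu_cap(X86_FEATURE_SEP)` in `identify_cpu()` has no comment explaining why the SEP capability is hidden whenever SEGMEXEC, KERNEXEC or 32-bit UDEREF is configured. This changes what the kernel reports and uses on every affected build, so the reason should sit next to the `#if`. Something like `/* SYSENTER entry path is not supported with these features; hide SEP */` would do, once the actual reason is confirmed. `identify_cpu()` continues outside the hunk.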
12326 @@ -980,6 +930,9 @@ static __init int setup_disablecpuid(cha
12327 }
12328 __setup("clearcpuid=", setup_disablecpuid);
12329
12330 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
12331 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
12332 +
12333 #ifdef CONFIG_X86_64
12334 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
12335
12336 @@ -995,7 +948,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
12337 EXPORT_PER_CPU_SYMBOL(current_task);
12338
12339 DEFINE_PER_CPU(unsigned long, kernel_stack) =
12340 - (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
12341 + (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
12342 EXPORT_PER_CPU_SYMBOL(kernel_stack);
12343
12344 DEFINE_PER_CPU(char *, irq_stack_ptr) =
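Review bot: The initializer of `kernel_stack` replaces `KERNEL_STACK_OFFSET` with a bare `16`, which disconnects this value from whatever the entry code uses to get back to the top of the stack. If `KERNEL_STACK_OFFSET` is changed or kept elsewhere in the patch (not visible here), the two can drift apart silently. Either keep a named constant or document the number in place, e.g. `/* 16 bytes reserved at the top of the stack; must match the entry code */`.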
12345 @@ -1060,7 +1013,7 @@ struct pt_regs * __cpuinit idle_regs(str
12346 {
12347 memset(regs, 0, sizeof(struct pt_regs));
12348 regs->fs = __KERNEL_PERCPU;
12349 - regs->gs = __KERNEL_STACK_CANARY;
12350 + savesegment(gs, regs->gs);
12351
12352 return regs;
12353 }
12354 @@ -1101,7 +1054,7 @@ void __cpuinit cpu_init(void)
12355 int i;
12356
12357 cpu = stack_smp_processor_id();
12358 - t = &per_cpu(init_tss, cpu);
12359 + t = init_tss + cpu;
12360 orig_ist = &per_cpu(orig_ist, cpu);
12361
12362 #ifdef CONFIG_NUMA
12363 @@ -1127,7 +1080,7 @@ void __cpuinit cpu_init(void)
12364 switch_to_new_gdt(cpu);
12365 loadsegment(fs, 0);
12366
12367 - load_idt((const struct desc_ptr *)&idt_descr);
12368 + load_idt(&idt_descr);
12369
12370 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
12371 syscall_init();
12372 @@ -1136,7 +1089,6 @@ void __cpuinit cpu_init(void)
12373 wrmsrl(MSR_KERNEL_GS_BASE, 0);
12374 barrier();
12375
12376 - check_efer();
12377 if (cpu != 0)
12378 enable_x2apic();
12379
12380 @@ -1199,7 +1151,7 @@ void __cpuinit cpu_init(void)
12381 {
12382 int cpu = smp_processor_id();
12383 struct task_struct *curr = current;
12384 - struct tss_struct *t = &per_cpu(init_tss, cpu);
12385 + struct tss_struct *t = init_tss + cpu;
12386 struct thread_struct *thread = &curr->thread;
12387
12388 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
12389 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/intel.c linux-2.6.32.46/arch/x86/kernel/cpu/intel.c
12390 --- linux-2.6.32.46/arch/x86/kernel/cpu/intel.c 2011-03-27 14:31:47.000000000 -0400
12391 +++ linux-2.6.32.46/arch/x86/kernel/cpu/intel.c 2011-04-17 15:56:46.000000000 -0400
12392 @@ -162,7 +162,7 @@ static void __cpuinit trap_init_f00f_bug
12393 * Update the IDT descriptor and reload the IDT so that
12394 * it uses the read-only mapped virtual address.
12395 */
12396 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
12397 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
12398 load_idt(&idt_descr);
12399 }
12400 #endif
12401 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/intel_cacheinfo.c linux-2.6.32.46/arch/x86/kernel/cpu/intel_cacheinfo.c
12402 --- linux-2.6.32.46/arch/x86/kernel/cpu/intel_cacheinfo.c 2011-03-27 14:31:47.000000000 -0400
12403 +++ linux-2.6.32.46/arch/x86/kernel/cpu/intel_cacheinfo.c 2011-04-17 15:56:46.000000000 -0400
12404 @@ -921,7 +921,7 @@ static ssize_t store(struct kobject *kob
12405 return ret;
12406 }
12407
12408 -static struct sysfs_ops sysfs_ops = {
12409 +static const struct sysfs_ops sysfs_ops = {
12410 .show = show,
12411 .store = store,
12412 };
12413 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/Makefile linux-2.6.32.46/arch/x86/kernel/cpu/Makefile
12414 --- linux-2.6.32.46/arch/x86/kernel/cpu/Makefile 2011-03-27 14:31:47.000000000 -0400
12415 +++ linux-2.6.32.46/arch/x86/kernel/cpu/Makefile 2011-04-17 15:56:46.000000000 -0400
12416 @@ -7,10 +7,6 @@ ifdef CONFIG_FUNCTION_TRACER
12417 CFLAGS_REMOVE_common.o = -pg
12418 endif
12419
12420 -# Make sure load_percpu_segment has no stackprotector
12421 -nostackp := $(call cc-option, -fno-stack-protector)
12422 -CFLAGS_common.o := $(nostackp)
12423 -
12424 obj-y := intel_cacheinfo.o addon_cpuid_features.o
12425 obj-y += proc.o capflags.o powerflags.o common.o
12426 obj-y += vmware.o hypervisor.o sched.o
12427 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce_amd.c linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce_amd.c
12428 --- linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce_amd.c 2011-05-23 16:56:59.000000000 -0400
12429 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce_amd.c 2011-05-23 16:57:13.000000000 -0400
12430 @@ -385,7 +385,7 @@ static ssize_t store(struct kobject *kob
12431 return ret;
12432 }
12433
12434 -static struct sysfs_ops threshold_ops = {
12435 +static const struct sysfs_ops threshold_ops = {
12436 .show = show,
12437 .store = store,
12438 };
12439 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce.c
12440 --- linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce.c 2011-03-27 14:31:47.000000000 -0400
12441 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-04 17:56:20.000000000 -0400
12442 @@ -43,6 +43,7 @@
12443 #include <asm/ipi.h>
12444 #include <asm/mce.h>
12445 #include <asm/msr.h>
12446 +#include <asm/local.h>
12447
12448 #include "mce-internal.h"
12449
12450 @@ -187,7 +188,7 @@ static void print_mce(struct mce *m)
12451 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
12452 m->cs, m->ip);
12453
12454 - if (m->cs == __KERNEL_CS)
12455 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
12456 print_symbol("{%s}", m->ip);
12457 pr_cont("\n");
12458 }
12459 @@ -221,10 +222,10 @@ static void print_mce_tail(void)
12460
12461 #define PANIC_TIMEOUT 5 /* 5 seconds */
12462
12463 -static atomic_t mce_paniced;
12464 +static atomic_unchecked_t mce_paniced;
12465
12466 static int fake_panic;
12467 -static atomic_t mce_fake_paniced;
12468 +static atomic_unchecked_t mce_fake_paniced;
12469
12470 /* Panic in progress. Enable interrupts and wait for final IPI */
12471 static void wait_for_panic(void)
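Review bot: `mce_paniced` and `mce_fake_paniced` are switched to `atomic_unchecked_t` without a word on why they may opt out of overflow checking. Every use of the unchecked API is an exemption that a later auditor has to re-justify, so I would record it at the declaration: `/* panic latches, not reference counts: wrap-around is harmless */`, assuming that is the reason. The `_unchecked` accessors in the `mce_panic()`, `mce_timed_out()` and `mce_reset()` hunks below follow from this declaration and need no separate comment.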
12472 @@ -248,7 +249,7 @@ static void mce_panic(char *msg, struct
12473 /*
12474 * Make sure only one CPU runs in machine check panic
12475 */
12476 - if (atomic_inc_return(&mce_paniced) > 1)
12477 + if (atomic_inc_return_unchecked(&mce_paniced) > 1)
12478 wait_for_panic();
12479 barrier();
12480
12481 @@ -256,7 +257,7 @@ static void mce_panic(char *msg, struct
12482 console_verbose();
12483 } else {
12484 /* Don't log too much for fake panic */
12485 - if (atomic_inc_return(&mce_fake_paniced) > 1)
12486 + if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
12487 return;
12488 }
12489 print_mce_head();
12490 @@ -616,7 +617,7 @@ static int mce_timed_out(u64 *t)
12491 * might have been modified by someone else.
12492 */
12493 rmb();
12494 - if (atomic_read(&mce_paniced))
12495 + if (atomic_read_unchecked(&mce_paniced))
12496 wait_for_panic();
12497 if (!monarch_timeout)
12498 goto out;
12499 @@ -1429,14 +1430,14 @@ void __cpuinit mcheck_init(struct cpuinf
12500 */
12501
12502 static DEFINE_SPINLOCK(mce_state_lock);
12503 -static int open_count; /* #times opened */
12504 +static local_t open_count; /* #times opened */
12505 static int open_exclu; /* already open exclusive? */
12506
12507 static int mce_open(struct inode *inode, struct file *file)
12508 {
12509 spin_lock(&mce_state_lock);
12510
12511 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
12512 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
12513 spin_unlock(&mce_state_lock);
12514
12515 return -EBUSY;
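Review bot: `open_count` becomes a `local_t`, but every access visible in this hunk and in the `mce_open()`/`mce_release()` hunks that follow is already made under `mce_state_lock`. `local_t` is normally meant for per-CPU counters, so the choice reads as a mistake unless the reason is stated. If the intent is overflow detection on a counter driven by open and release, say so: `/* local_t so increments are overflow-checked; serialised by mce_state_lock */`. If that is not the intent, a plain `int` under the lock was already sufficient.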
12516 @@ -1444,7 +1445,7 @@ static int mce_open(struct inode *inode,
12517
12518 if (file->f_flags & O_EXCL)
12519 open_exclu = 1;
12520 - open_count++;
12521 + local_inc(&open_count);
12522
12523 spin_unlock(&mce_state_lock);
12524
12525 @@ -1455,7 +1456,7 @@ static int mce_release(struct inode *ino
12526 {
12527 spin_lock(&mce_state_lock);
12528
12529 - open_count--;
12530 + local_dec(&open_count);
12531 open_exclu = 0;
12532
12533 spin_unlock(&mce_state_lock);
12534 @@ -2082,7 +2083,7 @@ struct dentry *mce_get_debugfs_dir(void)
12535 static void mce_reset(void)
12536 {
12537 cpu_missing = 0;
12538 - atomic_set(&mce_fake_paniced, 0);
12539 + atomic_set_unchecked(&mce_fake_paniced, 0);
12540 atomic_set(&mce_executing, 0);
12541 atomic_set(&mce_callin, 0);
12542 atomic_set(&global_nwo, 0);
12543 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce-inject.c linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce-inject.c
12544 --- linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-03-27 14:31:47.000000000 -0400
12545 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mcheck/mce-inject.c 2011-08-05 20:33:55.000000000 -0400
12546 @@ -211,7 +211,9 @@ static ssize_t mce_write(struct file *fi
12547 static int inject_init(void)
12548 {
12549 printk(KERN_INFO "Machine check injector initialized\n");
12550 - mce_chrdev_ops.write = mce_write;
12551 + pax_open_kernel();
12552 + *(void **)&mce_chrdev_ops.write = mce_write;
12553 + pax_close_kernel();
12554 register_die_notifier(&mce_raise_nb);
12555 return 0;
12556 }
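Review bot: The store `*(void **)&mce_chrdev_ops.write = mce_write;` goes through a `void **` cast, so the compiler no longer checks that `mce_write` matches the type of the `.write` member. This is a function pointer in a file-operations table, so a signature mismatch would go unnoticed until the handler is invoked. The type check can be kept with `typeof(mce_chrdev_ops.write) fn = mce_write;` ahead of the store and `*(void **)&mce_chrdev_ops.write = fn;` inside the window. I would also document the exception in place: `/* ops table is read-only (presumably constified elsewhere in the patch); patched once at init */`.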
12557 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/amd.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/amd.c
12558 --- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/amd.c 2011-03-27 14:31:47.000000000 -0400
12559 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/amd.c 2011-04-17 15:56:46.000000000 -0400
12560 @@ -108,7 +108,7 @@ amd_validate_add_page(unsigned long base
12561 return 0;
12562 }
12563
12564 -static struct mtrr_ops amd_mtrr_ops = {
12565 +static const struct mtrr_ops amd_mtrr_ops = {
12566 .vendor = X86_VENDOR_AMD,
12567 .set = amd_set_mtrr,
12568 .get = amd_get_mtrr,
12569 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/centaur.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/centaur.c
12570 --- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/centaur.c 2011-03-27 14:31:47.000000000 -0400
12571 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/centaur.c 2011-04-17 15:56:46.000000000 -0400
12572 @@ -110,7 +110,7 @@ centaur_validate_add_page(unsigned long
12573 return 0;
12574 }
12575
12576 -static struct mtrr_ops centaur_mtrr_ops = {
12577 +static const struct mtrr_ops centaur_mtrr_ops = {
12578 .vendor = X86_VENDOR_CENTAUR,
12579 .set = centaur_set_mcr,
12580 .get = centaur_get_mcr,
12581 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/cyrix.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/cyrix.c
12582 --- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/cyrix.c 2011-03-27 14:31:47.000000000 -0400
12583 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/cyrix.c 2011-04-17 15:56:46.000000000 -0400
12584 @@ -265,7 +265,7 @@ static void cyrix_set_all(void)
12585 post_set();
12586 }
12587
12588 -static struct mtrr_ops cyrix_mtrr_ops = {
12589 +static const struct mtrr_ops cyrix_mtrr_ops = {
12590 .vendor = X86_VENDOR_CYRIX,
12591 .set_all = cyrix_set_all,
12592 .set = cyrix_set_arr,
12593 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/generic.c
12594 --- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/generic.c 2011-03-27 14:31:47.000000000 -0400
12595 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/generic.c 2011-04-23 12:56:10.000000000 -0400
12596 @@ -752,7 +752,7 @@ int positive_have_wrcomb(void)
12597 /*
12598 * Generic structure...
12599 */
12600 -struct mtrr_ops generic_mtrr_ops = {
12601 +const struct mtrr_ops generic_mtrr_ops = {
12602 .use_intel_if = 1,
12603 .set_all = generic_set_all,
12604 .get = generic_get_mtrr,
12605 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/main.c
12606 --- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/main.c 2011-04-17 17:00:52.000000000 -0400
12607 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/main.c 2011-04-17 17:03:05.000000000 -0400
12608 @@ -60,14 +60,14 @@ static DEFINE_MUTEX(mtrr_mutex);
12609 u64 size_or_mask, size_and_mask;
12610 static bool mtrr_aps_delayed_init;
12611
12612 -static struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
12613 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
12614
12615 -struct mtrr_ops *mtrr_if;
12616 +const struct mtrr_ops *mtrr_if;
12617
12618 static void set_mtrr(unsigned int reg, unsigned long base,
12619 unsigned long size, mtrr_type type);
12620
12621 -void set_mtrr_ops(struct mtrr_ops *ops)
12622 +void set_mtrr_ops(const struct mtrr_ops *ops)
12623 {
12624 if (ops->vendor && ops->vendor < X86_VENDOR_NUM)
12625 mtrr_ops[ops->vendor] = ops;
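Review bot: `mtrr_ops[]` is tagged `__read_only`, yet `set_mtrr_ops()` in the same hunk still fills it with a plain store and is not itself marked `__init`. If `__read_only` data is write-protected once boot finishes (its definition is not visible here), a call to `set_mtrr_ops()` after that point would fault, and nothing in the signature tells a caller so. Either mark the function `__init` if all callers are init-time, or state the constraint above it: `/* boot-time only: mtrr_ops[] is read-only after init */`. Note also that `mtrr_if`, the pointer actually dereferenced at run time, now points to `const` data but is not itself `__read_only`, so it remains a writable pointer to a function table.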
12626 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/mtrr.h
12627 --- linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-03-27 14:31:47.000000000 -0400
12628 +++ linux-2.6.32.46/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-08-26 20:23:57.000000000 -0400
12629 @@ -25,14 +25,14 @@ struct mtrr_ops {
12630 int (*validate_add_page)(unsigned long base, unsigned long size,
12631 unsigned int type);
12632 int (*have_wrcomb)(void);
12633 -};
12634 +} __do_const;
12635
12636 extern int generic_get_free_region(unsigned long base, unsigned long size,
12637 int replace_reg);
12638 extern int generic_validate_add_page(unsigned long base, unsigned long size,
12639 unsigned int type);
12640
12641 -extern struct mtrr_ops generic_mtrr_ops;
12642 +extern const struct mtrr_ops generic_mtrr_ops;
12643
12644 extern int positive_have_wrcomb(void);
12645
12646 @@ -53,10 +53,10 @@ void fill_mtrr_var_range(unsigned int in
12647 u32 base_lo, u32 base_hi, u32 mask_lo, u32 mask_hi);
12648 void get_mtrr_state(void);
12649
12650 -extern void set_mtrr_ops(struct mtrr_ops *ops);
12651 +extern void set_mtrr_ops(const struct mtrr_ops *ops);
12652
12653 extern u64 size_or_mask, size_and_mask;
12654 -extern struct mtrr_ops *mtrr_if;
12655 +extern const struct mtrr_ops *mtrr_if;
12656
12657 #define is_cpu(vnd) (mtrr_if && mtrr_if->vendor == X86_VENDOR_##vnd)
12658 #define use_intel() (mtrr_if && mtrr_if->use_intel_if == 1)
12659 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.32.46/arch/x86/kernel/cpu/perfctr-watchdog.c
12660 --- linux-2.6.32.46/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-03-27 14:31:47.000000000 -0400
12661 +++ linux-2.6.32.46/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-04-17 15:56:46.000000000 -0400
12662 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
12663
12664 /* Interface defining a CPU specific perfctr watchdog */
12665 struct wd_ops {
12666 - int (*reserve)(void);
12667 - void (*unreserve)(void);
12668 - int (*setup)(unsigned nmi_hz);
12669 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
12670 - void (*stop)(void);
12671 + int (* const reserve)(void);
12672 + void (* const unreserve)(void);
12673 + int (* const setup)(unsigned nmi_hz);
12674 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
12675 + void (* const stop)(void);
12676 unsigned perfctr;
12677 unsigned evntsel;
12678 u64 checkbit;
12679 @@ -645,6 +645,7 @@ static const struct wd_ops p4_wd_ops = {
12680 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
12681 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
12682
12683 +/* cannot be const */
12684 static struct wd_ops intel_arch_wd_ops;
12685
12686 static int setup_intel_arch_watchdog(unsigned nmi_hz)
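Review bot: The two added `/* cannot be const */` comments on `intel_arch_wd_ops`, here and in the next hunk at `@@ -697,6 +698,7 @@`, state a restriction without giving the reason. The `struct wd_ops` hunk above makes the five function pointers `const` members, so what stays writable is only the data fields. Presumably one of them, such as `checkbit`, is filled in at run time by `setup_intel_arch_watchdog()`, whose body is outside the hunk. Naming it in the comment, e.g. `/* cannot be const: <field> is set at run time in setup_intel_arch_watchdog() */`, tells the next reader that the function pointers are still protected.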
12687 @@ -697,6 +698,7 @@ static int setup_intel_arch_watchdog(uns
12688 return 1;
12689 }
12690
12691 +/* cannot be const */
12692 static struct wd_ops intel_arch_wd_ops __read_mostly = {
12693 .reserve = single_msr_reserve,
12694 .unreserve = single_msr_unreserve,
12695 diff -urNp linux-2.6.32.46/arch/x86/kernel/cpu/perf_event.c linux-2.6.32.46/arch/x86/kernel/cpu/perf_event.c
12696 --- linux-2.6.32.46/arch/x86/kernel/cpu/perf_event.c 2011-03-27 14:31:47.000000000 -0400
12697 +++ linux-2.6.32.46/arch/x86/kernel/cpu/perf_event.c 2011-05-04 17:56:20.000000000 -0400
12698 @@ -723,10 +723,10 @@ x86_perf_event_update(struct perf_event
12699 * count to the generic event atomically:
12700 */
12701 again:
12702 - prev_raw_count = atomic64_read(&hwc->prev_count);
12703 + prev_raw_count = atomic64_read_unchecked(&hwc->prev_count);
12704 rdmsrl(hwc->event_base + idx, new_raw_count);
12705
12706 - if (atomic64_cmpxchg(&hwc->prev_count, prev_raw_count,
12707 + if (atomic64_cmpxchg_unchecked(&hwc->prev_count, prev_raw_count,
12708 new_raw_count) != prev_raw_count)
12709 goto again;
12710
12711 @@ -741,7 +741,7 @@ again:
12712 delta = (new_raw_count << shift) - (prev_raw_count << shift);
12713 delta >>= shift;
12714
12715 - atomic64_add(delta, &event->count);
12716 + atomic64_add_unchecked(delta, &event->count);
12717 atomic64_sub(delta, &hwc->period_left);
12718
12719 return new_raw_count;
12720 @@ -1353,7 +1353,7 @@ x86_perf_event_set_period(struct perf_ev
12721 * The hw event starts counting from this event offset,
12722 * mark it to be able to extra future deltas:
12723 */
12724 - atomic64_set(&hwc->prev_count, (u64)-left);
12725 + atomic64_set_unchecked(&hwc->prev_count, (u64)-left);
12726
12727 err = checking_wrmsrl(hwc->event_base + idx,
12728 (u64)(-left) & x86_pmu.event_mask);
12729 @@ -2357,7 +2357,7 @@ perf_callchain_user(struct pt_regs *regs
12730 break;
12731
12732 callchain_store(entry, frame.return_address);
12733 - fp = frame.next_frame;
12734 + fp = (__force const void __user *)frame.next_frame;
12735 }
12736 }
12737
12738 diff -urNp linux-2.6.32.46/arch/x86/kernel/crash.c linux-2.6.32.46/arch/x86/kernel/crash.c
12739 --- linux-2.6.32.46/arch/x86/kernel/crash.c 2011-03-27 14:31:47.000000000 -0400
12740 +++ linux-2.6.32.46/arch/x86/kernel/crash.c 2011-04-17 15:56:46.000000000 -0400
12741 @@ -41,7 +41,7 @@ static void kdump_nmi_callback(int cpu,
12742 regs = args->regs;
12743
12744 #ifdef CONFIG_X86_32
12745 - if (!user_mode_vm(regs)) {
12746 + if (!user_mode(regs)) {
12747 crash_fixup_ss_esp(&fixed_regs, regs);
12748 regs = &fixed_regs;
12749 }
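Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in `kdump_nmi_callback()` is only safe if `user_mode()` now also treats vm86 mode as user mode. In the unpatched tree the two helpers differ in exactly that respect, and the redefinition, if there is one, is not visible in this hunk. Without it, a register frame taken in vm86 mode would be classified as kernel and handed to `crash_fixup_ss_esp()`. The same substitution is made in the `show_registers()` hunk of dumpstack_32.c. A comment at the `user_mode()` definition saying that it subsumes the vm86 check would settle it.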
12750 diff -urNp linux-2.6.32.46/arch/x86/kernel/doublefault_32.c linux-2.6.32.46/arch/x86/kernel/doublefault_32.c
12751 --- linux-2.6.32.46/arch/x86/kernel/doublefault_32.c 2011-03-27 14:31:47.000000000 -0400
12752 +++ linux-2.6.32.46/arch/x86/kernel/doublefault_32.c 2011-04-17 15:56:46.000000000 -0400
12753 @@ -11,7 +11,7 @@
12754
12755 #define DOUBLEFAULT_STACKSIZE (1024)
12756 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
12757 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
12758 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
12759
12760 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
12761
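Review bot: `STACK_START` now stops two slots short of the end of `doublefault_stack`, and nothing says what the two slots are for. Because the arithmetic is on an `unsigned long` array, the `-2` means two words rather than two bytes, which is easy to misread. A comment such as `/* leave the top two words of the double-fault stack unused */`, extended with the actual reason, would make the intent checkable.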
12762 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
12763 unsigned long gdt, tss;
12764
12765 store_gdt(&gdt_desc);
12766 - gdt = gdt_desc.address;
12767 + gdt = (unsigned long)gdt_desc.address;
12768
12769 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
12770
12771 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
12772 /* 0x2 bit is always set */
12773 .flags = X86_EFLAGS_SF | 0x2,
12774 .sp = STACK_START,
12775 - .es = __USER_DS,
12776 + .es = __KERNEL_DS,
12777 .cs = __KERNEL_CS,
12778 .ss = __KERNEL_DS,
12779 - .ds = __USER_DS,
12780 + .ds = __KERNEL_DS,
12781 .fs = __KERNEL_PERCPU,
12782
12783 .__cr3 = __pa_nodebug(swapper_pg_dir),
12784 diff -urNp linux-2.6.32.46/arch/x86/kernel/dumpstack_32.c linux-2.6.32.46/arch/x86/kernel/dumpstack_32.c
12785 --- linux-2.6.32.46/arch/x86/kernel/dumpstack_32.c 2011-03-27 14:31:47.000000000 -0400
12786 +++ linux-2.6.32.46/arch/x86/kernel/dumpstack_32.c 2011-04-17 15:56:46.000000000 -0400
12787 @@ -53,16 +53,12 @@ void dump_trace(struct task_struct *task
12788 #endif
12789
12790 for (;;) {
12791 - struct thread_info *context;
12792 + void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
12793 + bp = print_context_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
12794
12795 - context = (struct thread_info *)
12796 - ((unsigned long)stack & (~(THREAD_SIZE - 1)));
12797 - bp = print_context_stack(context, stack, bp, ops,
12798 - data, NULL, &graph);
12799 -
12800 - stack = (unsigned long *)context->previous_esp;
12801 - if (!stack)
12802 + if (stack_start == task_stack_page(task))
12803 break;
12804 + stack = *(unsigned long **)stack_start;
12805 if (ops->stack(data, "IRQ") < 0)
12806 break;
12807 touch_nmi_watchdog();
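Review bot: The rewritten loop in `dump_trace()` drops the old `if (!stack) break;` guard: after `stack = *(unsigned long **)stack_start;` the next iteration masks whatever was loaded and passes it on unchecked. This code runs while reporting an oops, when the word at the base of an interrupt stack may be zero or corrupt. Apart from the `ops->stack()` callback, the only exit left is `stack_start == task_stack_page(task)`. Keeping the guard costs one line, `if (!stack) break;`, directly after the load. The layout this relies on (the first word of each non-task stack holding the previous stack pointer) is established outside this hunk and deserves a comment here.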
12808 @@ -112,11 +108,12 @@ void show_registers(struct pt_regs *regs
12809 * When in-kernel, we also print out the stack and code at the
12810 * time of the fault..
12811 */
12812 - if (!user_mode_vm(regs)) {
12813 + if (!user_mode(regs)) {
12814 unsigned int code_prologue = code_bytes * 43 / 64;
12815 unsigned int code_len = code_bytes;
12816 unsigned char c;
12817 u8 *ip;
12818 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
12819
12820 printk(KERN_EMERG "Stack:\n");
12821 show_stack_log_lvl(NULL, regs, &regs->sp,
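Review bot: `cs_base` is read from the GDT using the saved `regs->cs` as an index, without looking at the selector's table-indicator bit or bounding the index by the number of GDT entries. `show_registers()` handles register frames from faulting contexts, so a damaged `cs` would make the dump path itself read outside the table. A bounded lookup keeps the report robust: `unsigned int idx = (regs->cs & 0xffff) >> 3;` followed by `unsigned long cs_base = idx < GDT_ENTRIES ? get_desc_base(&get_cpu_gdt_table(smp_processor_id())[idx]) : 0;`. This also shortens the overlong declaration line. The value is used in the two hunks that follow.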
12822 @@ -124,10 +121,10 @@ void show_registers(struct pt_regs *regs
12823
12824 printk(KERN_EMERG "Code: ");
12825
12826 - ip = (u8 *)regs->ip - code_prologue;
12827 + ip = (u8 *)regs->ip - code_prologue + cs_base;
12828 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
12829 /* try starting at IP */
12830 - ip = (u8 *)regs->ip;
12831 + ip = (u8 *)regs->ip + cs_base;
12832 code_len = code_len - code_prologue + 1;
12833 }
12834 for (i = 0; i < code_len; i++, ip++) {
12835 @@ -136,7 +133,7 @@ void show_registers(struct pt_regs *regs
12836 printk(" Bad EIP value.");
12837 break;
12838 }
12839 - if (ip == (u8 *)regs->ip)
12840 + if (ip == (u8 *)regs->ip + cs_base)
12841 printk("<%02x> ", c);
12842 else
12843 printk("%02x ", c);
12844 @@ -149,6 +146,7 @@ int is_valid_bugaddr(unsigned long ip)
12845 {
12846 unsigned short ud2;
12847
12848 + ip = ktla_ktva(ip);
12849 if (ip < PAGE_OFFSET)
12850 return 0;
12851 if (probe_kernel_address((unsigned short *)ip, ud2))
12852 diff -urNp linux-2.6.32.46/arch/x86/kernel/dumpstack_64.c linux-2.6.32.46/arch/x86/kernel/dumpstack_64.c
12853 --- linux-2.6.32.46/arch/x86/kernel/dumpstack_64.c 2011-03-27 14:31:47.000000000 -0400
12854 +++ linux-2.6.32.46/arch/x86/kernel/dumpstack_64.c 2011-04-17 15:56:46.000000000 -0400
12855 @@ -116,8 +116,8 @@ void dump_trace(struct task_struct *task
12856 unsigned long *irq_stack_end =
12857 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
12858 unsigned used = 0;
12859 - struct thread_info *tinfo;
12860 int graph = 0;
12861 + void *stack_start;
12862
12863 if (!task)
12864 task = current;
12865 @@ -146,10 +146,10 @@ void dump_trace(struct task_struct *task
12866 * current stack address. If the stacks consist of nested
12867 * exceptions
12868 */
12869 - tinfo = task_thread_info(task);
12870 for (;;) {
12871 char *id;
12872 unsigned long *estack_end;
12873 +
12874 estack_end = in_exception_stack(cpu, (unsigned long)stack,
12875 &used, &id);
12876
12877 @@ -157,7 +157,7 @@ void dump_trace(struct task_struct *task
12878 if (ops->stack(data, id) < 0)
12879 break;
12880
12881 - bp = print_context_stack(tinfo, stack, bp, ops,
12882 + bp = print_context_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
12883 data, estack_end, &graph);
12884 ops->stack(data, "<EOE>");
12885 /*
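Review bot: In the exception-stack call, `estack_end - EXCEPTION_STKSZ` is pointer arithmetic on an `unsigned long *` (see the declaration in the previous hunk), so the subtraction is scaled by `sizeof(unsigned long)`. If `EXCEPTION_STKSZ` is a size in bytes, which is how I read the name (its definition is not on this page), the computed stack start lies eight times too far below `estack_end` on x86-64. The intended value would then be `(void *)estack_end - EXCEPTION_STKSZ` or `estack_end - EXCEPTION_STKSZ / sizeof(*estack_end)`. `dump_trace()` extends beyond this hunk, so whether the start argument is consulted when `estack_end` is non-NULL cannot be confirmed from here.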
12886 @@ -176,7 +176,7 @@ void dump_trace(struct task_struct *task
12887 if (stack >= irq_stack && stack < irq_stack_end) {
12888 if (ops->stack(data, "IRQ") < 0)
12889 break;
12890 - bp = print_context_stack(tinfo, stack, bp,
12891 + bp = print_context_stack(task, irq_stack, stack, bp,
12892 ops, data, irq_stack_end, &graph);
12893 /*
12894 * We link to the next stack (which would be
12895 @@ -195,7 +195,8 @@ void dump_trace(struct task_struct *task
12896 /*
12897 * This handles the process stack:
12898 */
12899 - bp = print_context_stack(tinfo, stack, bp, ops, data, NULL, &graph);
12900 + stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
12901 + bp = print_context_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
12902 put_cpu();
12903 }
12904 EXPORT_SYMBOL(dump_trace);
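Review bot: `stack_start` is derived from the pointer being walked (`(unsigned long)stack & ~(THREAD_SIZE-1)`), so the lower bound passed to `print_context_stack()` no longer ties the walk to `task`; the removed code used `task_thread_info(task)` for that. Any `stack` value falls inside its own THREAD_SIZE-aligned window, so a pointer that is not on the task's stack is walked within that window rather than rejected. If that is the intent, a comment such as `/* bound the walk to the THREAD_SIZE window containing stack, not to thread_info */` should say so, and it should note the assumption that the process stack is THREAD_SIZE-aligned. dump_trace's body starts outside this hunk.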
12905 diff -urNp linux-2.6.32.46/arch/x86/kernel/dumpstack.c linux-2.6.32.46/arch/x86/kernel/dumpstack.c
12906 --- linux-2.6.32.46/arch/x86/kernel/dumpstack.c 2011-03-27 14:31:47.000000000 -0400
12907 +++ linux-2.6.32.46/arch/x86/kernel/dumpstack.c 2011-04-17 15:56:46.000000000 -0400
12908 @@ -2,6 +2,9 @@
12909 * Copyright (C) 1991, 1992 Linus Torvalds
12910 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
12911 */
12912 +#ifdef CONFIG_GRKERNSEC_HIDESYM
12913 +#define __INCLUDED_BY_HIDESYM 1
12914 +#endif
12915 #include <linux/kallsyms.h>
12916 #include <linux/kprobes.h>
12917 #include <linux/uaccess.h>
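Review bot: Nothing here says what `__INCLUDED_BY_HIDESYM` changes or why it must precede `#include <linux/kallsyms.h>`, and the `%pA` specifier introduced in the next hunk (printk_address) is equally unexplained. Both appear to rely on definitions elsewhere in the patch, so a reader of dumpstack.c alone cannot tell whether symbol names are meant to be printed or suppressed on this path. I would add a comment above the define stating what the header does when it is set, worded to match the actual header. Note also that `[<%p>]` in printk_address still prints the raw address next to whatever `%pA` emits.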
12918 @@ -28,7 +31,7 @@ static int die_counter;
12919
12920 void printk_address(unsigned long address, int reliable)
12921 {
12922 - printk(" [<%p>] %s%pS\n", (void *) address,
12923 + printk(" [<%p>] %s%pA\n", (void *) address,
12924 reliable ? "" : "? ", (void *) address);
12925 }
12926
12927 @@ -36,9 +39,8 @@ void printk_address(unsigned long addres
12928 static void
12929 print_ftrace_graph_addr(unsigned long addr, void *data,
12930 const struct stacktrace_ops *ops,
12931 - struct thread_info *tinfo, int *graph)
12932 + struct task_struct *task, int *graph)
12933 {
12934 - struct task_struct *task = tinfo->task;
12935 unsigned long ret_addr;
12936 int index = task->curr_ret_stack;
12937
12938 @@ -59,7 +61,7 @@ print_ftrace_graph_addr(unsigned long ad
12939 static inline void
12940 print_ftrace_graph_addr(unsigned long addr, void *data,
12941 const struct stacktrace_ops *ops,
12942 - struct thread_info *tinfo, int *graph)
12943 + struct task_struct *task, int *graph)
12944 { }
12945 #endif
12946
12947 @@ -70,10 +72,8 @@ print_ftrace_graph_addr(unsigned long ad
12948 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
12949 */
12950
12951 -static inline int valid_stack_ptr(struct thread_info *tinfo,
12952 - void *p, unsigned int size, void *end)
12953 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
12954 {
12955 - void *t = tinfo;
12956 if (end) {
12957 if (p < end && p >= (end-THREAD_SIZE))
12958 return 1;
12959 @@ -84,14 +84,14 @@ static inline int valid_stack_ptr(struct
12960 }
12961
12962 unsigned long
12963 -print_context_stack(struct thread_info *tinfo,
12964 +print_context_stack(struct task_struct *task, void *stack_start,
12965 unsigned long *stack, unsigned long bp,
12966 const struct stacktrace_ops *ops, void *data,
12967 unsigned long *end, int *graph)
12968 {
12969 struct stack_frame *frame = (struct stack_frame *)bp;
12970
12971 - while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
12972 + while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
12973 unsigned long addr;
12974
12975 addr = *stack;
12976 @@ -103,7 +103,7 @@ print_context_stack(struct thread_info *
12977 } else {
12978 ops->address(data, addr, 0);
12979 }
12980 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
12981 + print_ftrace_graph_addr(addr, data, ops, task, graph);
12982 }
12983 stack++;
12984 }
12985 @@ -180,7 +180,7 @@ void dump_stack(void)
12986 #endif
12987
12988 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
12989 - current->pid, current->comm, print_tainted(),
12990 + task_pid_nr(current), current->comm, print_tainted(),
12991 init_utsname()->release,
12992 (int)strcspn(init_utsname()->version, " "),
12993 init_utsname()->version);
12994 @@ -220,6 +220,8 @@ unsigned __kprobes long oops_begin(void)
12995 return flags;
12996 }
12997
12998 +extern void gr_handle_kernel_exploit(void);
12999 +
13000 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
13001 {
13002 if (regs && kexec_should_crash(current))
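Review bot: The prototype `extern void gr_handle_kernel_exploit(void);` is declared ad hoc in dumpstack.c instead of coming from a header shared with its definition, so a later signature change would not be caught by the compiler. The call added in the next hunk (oops_end) is unconditional, which means the symbol has to exist in every configuration. That hunk also replaces `do_exit(signr)` with `do_group_exit(signr)`, ending the whole thread group rather than the oopsing thread. A one-line comment there, e.g. `/* take down the whole thread group, not just the faulting thread */`, would make the behaviour change explicit.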
13003 @@ -241,7 +243,10 @@ void __kprobes oops_end(unsigned long fl
13004 panic("Fatal exception in interrupt");
13005 if (panic_on_oops)
13006 panic("Fatal exception");
13007 - do_exit(signr);
13008 +
13009 + gr_handle_kernel_exploit();
13010 +
13011 + do_group_exit(signr);
13012 }
13013
13014 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
13015 @@ -295,7 +300,7 @@ void die(const char *str, struct pt_regs
13016 unsigned long flags = oops_begin();
13017 int sig = SIGSEGV;
13018
13019 - if (!user_mode_vm(regs))
13020 + if (!user_mode(regs))
13021 report_bug(regs->ip, regs);
13022
13023 if (__die(str, regs, err))
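Review bot: `user_mode(regs)` replaces `user_mode_vm(regs)` as the guard in front of `report_bug(regs->ip, regs)`, and in the stock 2.6.32 headers the 32-bit `user_mode()` looks only at the CS privilege bits, not at the VM flag. Unless the patch redefines `user_mode()` elsewhere to include the vm86 check (not visible in this hunk), a fault taken in vm86 mode could be classified as a kernel fault here. That should be confirmed against the patched asm/ptrace.h and recorded in a comment, e.g. `/* user_mode() covers vm86 in this tree */`. die's body continues outside the hunk.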
13024 diff -urNp linux-2.6.32.46/arch/x86/kernel/dumpstack.h linux-2.6.32.46/arch/x86/kernel/dumpstack.h
13025 --- linux-2.6.32.46/arch/x86/kernel/dumpstack.h 2011-03-27 14:31:47.000000000 -0400
13026 +++ linux-2.6.32.46/arch/x86/kernel/dumpstack.h 2011-04-23 13:25:26.000000000 -0400
13027 @@ -15,7 +15,7 @@
13028 #endif
13029
13030 extern unsigned long
13031 -print_context_stack(struct thread_info *tinfo,
13032 +print_context_stack(struct task_struct *task, void *stack_start,
13033 unsigned long *stack, unsigned long bp,
13034 const struct stacktrace_ops *ops, void *data,
13035 unsigned long *end, int *graph);
13036 diff -urNp linux-2.6.32.46/arch/x86/kernel/e820.c linux-2.6.32.46/arch/x86/kernel/e820.c
13037 --- linux-2.6.32.46/arch/x86/kernel/e820.c 2011-03-27 14:31:47.000000000 -0400
13038 +++ linux-2.6.32.46/arch/x86/kernel/e820.c 2011-04-17 15:56:46.000000000 -0400
13039 @@ -733,7 +733,7 @@ struct early_res {
13040 };
13041 static struct early_res early_res[MAX_EARLY_RES] __initdata = {
13042 { 0, PAGE_SIZE, "BIOS data page" }, /* BIOS data page */
13043 - {}
13044 + { 0, 0, {0}, 0 }
13045 };
13046
13047 static int __init find_overlapped_early(u64 start, u64 end)
13048 diff -urNp linux-2.6.32.46/arch/x86/kernel/early_printk.c linux-2.6.32.46/arch/x86/kernel/early_printk.c
13049 --- linux-2.6.32.46/arch/x86/kernel/early_printk.c 2011-03-27 14:31:47.000000000 -0400
13050 +++ linux-2.6.32.46/arch/x86/kernel/early_printk.c 2011-05-16 21:46:57.000000000 -0400
13051 @@ -7,6 +7,7 @@
13052 #include <linux/pci_regs.h>
13053 #include <linux/pci_ids.h>
13054 #include <linux/errno.h>
13055 +#include <linux/sched.h>
13056 #include <asm/io.h>
13057 #include <asm/processor.h>
13058 #include <asm/fcntl.h>
13059 @@ -170,6 +171,8 @@ asmlinkage void early_printk(const char
13060 int n;
13061 va_list ap;
13062
13063 + pax_track_stack();
13064 +
13065 va_start(ap, fmt);
13066 n = vscnprintf(buf, sizeof(buf), fmt, ap);
13067 early_console->write(early_console, buf, n);
13068 diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_32.c linux-2.6.32.46/arch/x86/kernel/efi_32.c
13069 --- linux-2.6.32.46/arch/x86/kernel/efi_32.c 2011-03-27 14:31:47.000000000 -0400
13070 +++ linux-2.6.32.46/arch/x86/kernel/efi_32.c 2011-04-17 15:56:46.000000000 -0400
13071 @@ -38,70 +38,38 @@
13072 */
13073
13074 static unsigned long efi_rt_eflags;
13075 -static pgd_t efi_bak_pg_dir_pointer[2];
13076 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
13077
13078 -void efi_call_phys_prelog(void)
13079 +void __init efi_call_phys_prelog(void)
13080 {
13081 - unsigned long cr4;
13082 - unsigned long temp;
13083 struct desc_ptr gdt_descr;
13084
13085 local_irq_save(efi_rt_eflags);
13086
13087 - /*
13088 - * If I don't have PAE, I should just duplicate two entries in page
13089 - * directory. If I have PAE, I just need to duplicate one entry in
13090 - * page directory.
13091 - */
13092 - cr4 = read_cr4_safe();
13093
13094 - if (cr4 & X86_CR4_PAE) {
13095 - efi_bak_pg_dir_pointer[0].pgd =
13096 - swapper_pg_dir[pgd_index(0)].pgd;
13097 - swapper_pg_dir[0].pgd =
13098 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
13099 - } else {
13100 - efi_bak_pg_dir_pointer[0].pgd =
13101 - swapper_pg_dir[pgd_index(0)].pgd;
13102 - efi_bak_pg_dir_pointer[1].pgd =
13103 - swapper_pg_dir[pgd_index(0x400000)].pgd;
13104 - swapper_pg_dir[pgd_index(0)].pgd =
13105 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
13106 - temp = PAGE_OFFSET + 0x400000;
13107 - swapper_pg_dir[pgd_index(0x400000)].pgd =
13108 - swapper_pg_dir[pgd_index(temp)].pgd;
13109 - }
13110 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
13111 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13112 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
13113
13114 /*
13115 * After the lock is released, the original page table is restored.
13116 */
13117 __flush_tlb_all();
13118
13119 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
13120 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
13121 gdt_descr.size = GDT_SIZE - 1;
13122 load_gdt(&gdt_descr);
13123 }
13124
13125 -void efi_call_phys_epilog(void)
13126 +void __init efi_call_phys_epilog(void)
13127 {
13128 - unsigned long cr4;
13129 struct desc_ptr gdt_descr;
13130
13131 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
13132 + gdt_descr.address = get_cpu_gdt_table(0);
13133 gdt_descr.size = GDT_SIZE - 1;
13134 load_gdt(&gdt_descr);
13135
13136 - cr4 = read_cr4_safe();
13137 -
13138 - if (cr4 & X86_CR4_PAE) {
13139 - swapper_pg_dir[pgd_index(0)].pgd =
13140 - efi_bak_pg_dir_pointer[0].pgd;
13141 - } else {
13142 - swapper_pg_dir[pgd_index(0)].pgd =
13143 - efi_bak_pg_dir_pointer[0].pgd;
13144 - swapper_pg_dir[pgd_index(0x400000)].pgd =
13145 - efi_bak_pg_dir_pointer[1].pgd;
13146 - }
13147 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
13148
13149 /*
13150 * After the lock is released, the original page table is restored.
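Review bot: The comment that explained the page-directory duplication is deleted, and the two `clone_pgd_range()` calls that replace it in efi_call_phys_prelog carry no explanation. Something like `/* save the low PGD entries, then alias the kernel mappings at virtual 0 for the physical-mode call */` above them would restore that context. Both functions and `efi_bak_pg_dir_pointer` also become `__init`/`__initdata`, which is only safe if every caller of efi_call_phys runs before init memory is freed; the callers are not in this hunk, so that needs confirming. efi_call_phys_epilog's body continues outside the hunk.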
13151 diff -urNp linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S
13152 --- linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S 2011-03-27 14:31:47.000000000 -0400
13153 +++ linux-2.6.32.46/arch/x86/kernel/efi_stub_32.S 2011-04-17 15:56:46.000000000 -0400
13154 @@ -6,6 +6,7 @@
13155 */
13156
13157 #include <linux/linkage.h>
13158 +#include <linux/init.h>
13159 #include <asm/page_types.h>
13160
13161 /*
13162 @@ -20,7 +21,7 @@
13163 * service functions will comply with gcc calling convention, too.
13164 */
13165
13166 -.text
13167 +__INIT
13168 ENTRY(efi_call_phys)
13169 /*
13170 * 0. The function can only be called in Linux kernel. So CS has been
13171 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
13172 * The mapping of lower virtual memory has been created in prelog and
13173 * epilog.
13174 */
13175 - movl $1f, %edx
13176 - subl $__PAGE_OFFSET, %edx
13177 - jmp *%edx
13178 + jmp 1f-__PAGE_OFFSET
13179 1:
13180
13181 /*
13182 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
13183 * parameter 2, ..., param n. To make things easy, we save the return
13184 * address of efi_call_phys in a global variable.
13185 */
13186 - popl %edx
13187 - movl %edx, saved_return_addr
13188 - /* get the function pointer into ECX*/
13189 - popl %ecx
13190 - movl %ecx, efi_rt_function_ptr
13191 - movl $2f, %edx
13192 - subl $__PAGE_OFFSET, %edx
13193 - pushl %edx
13194 + popl (saved_return_addr)
13195 + popl (efi_rt_function_ptr)
13196
13197 /*
13198 * 3. Clear PG bit in %CR0.
13199 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
13200 /*
13201 * 5. Call the physical function.
13202 */
13203 - jmp *%ecx
13204 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
13205
13206 -2:
13207 /*
13208 * 6. After EFI runtime service returns, control will return to
13209 * following instruction. We'd better readjust stack pointer first.
13210 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
13211 movl %cr0, %edx
13212 orl $0x80000000, %edx
13213 movl %edx, %cr0
13214 - jmp 1f
13215 -1:
13216 +
13217 /*
13218 * 8. Now restore the virtual mode from flat mode by
13219 * adding EIP with PAGE_OFFSET.
13220 */
13221 - movl $1f, %edx
13222 - jmp *%edx
13223 + jmp 1f+__PAGE_OFFSET
13224 1:
13225
13226 /*
13227 * 9. Balance the stack. And because EAX contain the return value,
13228 * we'd better not clobber it.
13229 */
13230 - leal efi_rt_function_ptr, %edx
13231 - movl (%edx), %ecx
13232 - pushl %ecx
13233 + pushl (efi_rt_function_ptr)
13234
13235 /*
13236 - * 10. Push the saved return address onto the stack and return.
13237 + * 10. Return to the saved return address.
13238 */
13239 - leal saved_return_addr, %edx
13240 - movl (%edx), %ecx
13241 - pushl %ecx
13242 - ret
13243 + jmpl *(saved_return_addr)
13244 ENDPROC(efi_call_phys)
13245 .previous
13246
13247 -.data
13248 +__INITDATA
13249 saved_return_addr:
13250 .long 0
13251 efi_rt_function_ptr:
13252 diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_32.S linux-2.6.32.46/arch/x86/kernel/entry_32.S
13253 --- linux-2.6.32.46/arch/x86/kernel/entry_32.S 2011-03-27 14:31:47.000000000 -0400
13254 +++ linux-2.6.32.46/arch/x86/kernel/entry_32.S 2011-08-23 20:24:19.000000000 -0400
13255 @@ -185,13 +185,146 @@
13256 /*CFI_REL_OFFSET gs, PT_GS*/
13257 .endm
13258 .macro SET_KERNEL_GS reg
13259 +
13260 +#ifdef CONFIG_CC_STACKPROTECTOR
13261 movl $(__KERNEL_STACK_CANARY), \reg
13262 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13263 + movl $(__USER_DS), \reg
13264 +#else
13265 + xorl \reg, \reg
13266 +#endif
13267 +
13268 movl \reg, %gs
13269 .endm
13270
13271 #endif /* CONFIG_X86_32_LAZY_GS */
13272
13273 -.macro SAVE_ALL
13274 +.macro pax_enter_kernel
13275 +#ifdef CONFIG_PAX_KERNEXEC
13276 + call pax_enter_kernel
13277 +#endif
13278 +.endm
13279 +
13280 +.macro pax_exit_kernel
13281 +#ifdef CONFIG_PAX_KERNEXEC
13282 + call pax_exit_kernel
13283 +#endif
13284 +.endm
13285 +
13286 +#ifdef CONFIG_PAX_KERNEXEC
13287 +ENTRY(pax_enter_kernel)
13288 +#ifdef CONFIG_PARAVIRT
13289 + pushl %eax
13290 + pushl %ecx
13291 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
13292 + mov %eax, %esi
13293 +#else
13294 + mov %cr0, %esi
13295 +#endif
13296 + bts $16, %esi
13297 + jnc 1f
13298 + mov %cs, %esi
13299 + cmp $__KERNEL_CS, %esi
13300 + jz 3f
13301 + ljmp $__KERNEL_CS, $3f
13302 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
13303 +2:
13304 +#ifdef CONFIG_PARAVIRT
13305 + mov %esi, %eax
13306 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
13307 +#else
13308 + mov %esi, %cr0
13309 +#endif
13310 +3:
13311 +#ifdef CONFIG_PARAVIRT
13312 + popl %ecx
13313 + popl %eax
13314 +#endif
13315 + ret
13316 +ENDPROC(pax_enter_kernel)
13317 +
13318 +ENTRY(pax_exit_kernel)
13319 +#ifdef CONFIG_PARAVIRT
13320 + pushl %eax
13321 + pushl %ecx
13322 +#endif
13323 + mov %cs, %esi
13324 + cmp $__KERNEXEC_KERNEL_CS, %esi
13325 + jnz 2f
13326 +#ifdef CONFIG_PARAVIRT
13327 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
13328 + mov %eax, %esi
13329 +#else
13330 + mov %cr0, %esi
13331 +#endif
13332 + btr $16, %esi
13333 + ljmp $__KERNEL_CS, $1f
13334 +1:
13335 +#ifdef CONFIG_PARAVIRT
13336 + mov %esi, %eax
13337 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
13338 +#else
13339 + mov %esi, %cr0
13340 +#endif
13341 +2:
13342 +#ifdef CONFIG_PARAVIRT
13343 + popl %ecx
13344 + popl %eax
13345 +#endif
13346 + ret
13347 +ENDPROC(pax_exit_kernel)
13348 +#endif
13349 +
13350 +.macro pax_erase_kstack
13351 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13352 + call pax_erase_kstack
13353 +#endif
13354 +.endm
13355 +
13356 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13357 +/*
13358 + * ebp: thread_info
13359 + * ecx, edx: can be clobbered
13360 + */
13361 +ENTRY(pax_erase_kstack)
13362 + pushl %edi
13363 + pushl %eax
13364 +
13365 + mov TI_lowest_stack(%ebp), %edi
13366 + mov $-0xBEEF, %eax
13367 + std
13368 +
13369 +1: mov %edi, %ecx
13370 + and $THREAD_SIZE_asm - 1, %ecx
13371 + shr $2, %ecx
13372 + repne scasl
13373 + jecxz 2f
13374 +
13375 + cmp $2*16, %ecx
13376 + jc 2f
13377 +
13378 + mov $2*16, %ecx
13379 + repe scasl
13380 + jecxz 2f
13381 + jne 1b
13382 +
13383 +2: cld
13384 + mov %esp, %ecx
13385 + sub %edi, %ecx
13386 + shr $2, %ecx
13387 + rep stosl
13388 +
13389 + mov TI_task_thread_sp0(%ebp), %edi
13390 + sub $128, %edi
13391 + mov %edi, TI_lowest_stack(%ebp)
13392 +
13393 + popl %eax
13394 + popl %edi
13395 + ret
13396 +ENDPROC(pax_erase_kstack)
13397 +#endif
13398 +
13399 +.macro __SAVE_ALL _DS
13400 cld
13401 PUSH_GS
13402 pushl %fs
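Review bot: The 32-bit `pax_erase_kstack` computes the fill length as `%esp - %edi` and goes straight to `rep stosl`, whereas the 64-bit copy in entry_64.S later in this patch compares the length with `THREAD_SIZE_asm` and executes `ud2` when it is out of range. If `TI_lowest_stack` ever holds a value above `%esp` or outside the current stack, the subtraction wraps and the fill runs far beyond the stack. I would add the same guard before `shr $2, %ecx`, as in the fence below. Separately, `pax_enter_kernel` and `pax_exit_kernel` overwrite `%esi` without saving it and have no header comment; a line like `/* clobbers %esi; toggles CR0 bit 16 */` would match the register note on pax_erase_kstack.

```asm
	sub %edi, %ecx
	cmp $THREAD_SIZE_asm, %ecx	/* fill length must fit within one kernel stack */
	jb 3f
	ud2
3:
	shr $2, %ecx
	/* … unchanged: rep stosl, TI_lowest_stack reset, register restore, ret … */
```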
13403 @@ -224,7 +357,7 @@
13404 pushl %ebx
13405 CFI_ADJUST_CFA_OFFSET 4
13406 CFI_REL_OFFSET ebx, 0
13407 - movl $(__USER_DS), %edx
13408 + movl $\_DS, %edx
13409 movl %edx, %ds
13410 movl %edx, %es
13411 movl $(__KERNEL_PERCPU), %edx
13412 @@ -232,6 +365,15 @@
13413 SET_KERNEL_GS %edx
13414 .endm
13415
13416 +.macro SAVE_ALL
13417 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
13418 + __SAVE_ALL __KERNEL_DS
13419 + pax_enter_kernel
13420 +#else
13421 + __SAVE_ALL __USER_DS
13422 +#endif
13423 +.endm
13424 +
13425 .macro RESTORE_INT_REGS
13426 popl %ebx
13427 CFI_ADJUST_CFA_OFFSET -4
13428 @@ -352,7 +494,15 @@ check_userspace:
13429 movb PT_CS(%esp), %al
13430 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
13431 cmpl $USER_RPL, %eax
13432 +
13433 +#ifdef CONFIG_PAX_KERNEXEC
13434 + jae resume_userspace
13435 +
13436 + PAX_EXIT_KERNEL
13437 + jmp resume_kernel
13438 +#else
13439 jb resume_kernel # not returning to v8086 or userspace
13440 +#endif
13441
13442 ENTRY(resume_userspace)
13443 LOCKDEP_SYS_EXIT
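Review bot: `PAX_EXIT_KERNEL` is spelled in upper case here, while the macro this patch defines in the same file is `pax_exit_kernel` and the NMI paths further down use the lower-case name. Whether the upper-case form resolves depends on assembler macro case folding or on a definition elsewhere that this hunk does not show. Writing `pax_exit_kernel` here keeps the file consistent and removes the doubt.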
13444 @@ -364,7 +514,7 @@ ENTRY(resume_userspace)
13445 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
13446 # int/exception return?
13447 jne work_pending
13448 - jmp restore_all
13449 + jmp restore_all_pax
13450 END(ret_from_exception)
13451
13452 #ifdef CONFIG_PREEMPT
13453 @@ -414,25 +564,36 @@ sysenter_past_esp:
13454 /*CFI_REL_OFFSET cs, 0*/
13455 /*
13456 * Push current_thread_info()->sysenter_return to the stack.
13457 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
13458 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
13459 */
13460 - pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
13461 + pushl $0
13462 CFI_ADJUST_CFA_OFFSET 4
13463 CFI_REL_OFFSET eip, 0
13464
13465 pushl %eax
13466 CFI_ADJUST_CFA_OFFSET 4
13467 SAVE_ALL
13468 + GET_THREAD_INFO(%ebp)
13469 + movl TI_sysenter_return(%ebp),%ebp
13470 + movl %ebp,PT_EIP(%esp)
13471 ENABLE_INTERRUPTS(CLBR_NONE)
13472
13473 /*
13474 * Load the potential sixth argument from user stack.
13475 * Careful about security.
13476 */
13477 + movl PT_OLDESP(%esp),%ebp
13478 +
13479 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13480 + mov PT_OLDSS(%esp),%ds
13481 +1: movl %ds:(%ebp),%ebp
13482 + push %ss
13483 + pop %ds
13484 +#else
13485 cmpl $__PAGE_OFFSET-3,%ebp
13486 jae syscall_fault
13487 1: movl (%ebp),%ebp
13488 +#endif
13489 +
13490 movl %ebp,PT_EBP(%esp)
13491 .section __ex_table,"a"
13492 .align 4
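Review bot: Under CONFIG_PAX_MEMORY_UDEREF the explicit range check (`cmpl $__PAGE_OFFSET-3,%ebp` / `jae syscall_fault`) is compiled out and the sixth-argument load goes through `%ds` reloaded from `PT_OLDSS`, but the existing "Careful about security" comment does not say what now rejects a kernel address. Presumably the user segment's limit makes the load fault and the `__ex_table` entry for label 1 routes it to syscall_fault; that reasoning belongs in a comment, e.g. `/* UDEREF: user segment limit replaces the __PAGE_OFFSET compare */`. The instructions between `mov PT_OLDSS(%esp),%ds` and `push %ss` / `pop %ds` run with a user data selector in `%ds`, so the comment should also warn against inserting anything there that touches kernel data. The hunk ends inside the exception-table section.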
13493 @@ -455,12 +616,23 @@ sysenter_do_call:
13494 testl $_TIF_ALLWORK_MASK, %ecx
13495 jne sysexit_audit
13496 sysenter_exit:
13497 +
13498 +#ifdef CONFIG_PAX_RANDKSTACK
13499 + pushl_cfi %eax
13500 + call pax_randomize_kstack
13501 + popl_cfi %eax
13502 +#endif
13503 +
13504 + pax_erase_kstack
13505 +
13506 /* if something modifies registers it must also disable sysexit */
13507 movl PT_EIP(%esp), %edx
13508 movl PT_OLDESP(%esp), %ecx
13509 xorl %ebp,%ebp
13510 TRACE_IRQS_ON
13511 1: mov PT_FS(%esp), %fs
13512 +2: mov PT_DS(%esp), %ds
13513 +3: mov PT_ES(%esp), %es
13514 PTGS_TO_GS
13515 ENABLE_INTERRUPTS_SYSEXIT
13516
13517 @@ -477,6 +649,9 @@ sysenter_audit:
13518 movl %eax,%edx /* 2nd arg: syscall number */
13519 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
13520 call audit_syscall_entry
13521 +
13522 + pax_erase_kstack
13523 +
13524 pushl %ebx
13525 CFI_ADJUST_CFA_OFFSET 4
13526 movl PT_EAX(%esp),%eax /* reload syscall number */
13527 @@ -504,11 +679,17 @@ sysexit_audit:
13528
13529 CFI_ENDPROC
13530 .pushsection .fixup,"ax"
13531 -2: movl $0,PT_FS(%esp)
13532 +4: movl $0,PT_FS(%esp)
13533 + jmp 1b
13534 +5: movl $0,PT_DS(%esp)
13535 + jmp 1b
13536 +6: movl $0,PT_ES(%esp)
13537 jmp 1b
13538 .section __ex_table,"a"
13539 .align 4
13540 - .long 1b,2b
13541 + .long 1b,4b
13542 + .long 2b,5b
13543 + .long 3b,6b
13544 .popsection
13545 PTGS_TO_GS_EX
13546 ENDPROC(ia32_sysenter_target)
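Review bot: The new fixups at labels 5 and 6 zero `PT_DS`/`PT_ES` and then `jmp 1b`, which resumes at the `%fs` reload rather than at the instruction that faulted (labels 2 and 3 added in sysenter_exit). That re-executes loads that already succeeded; it looks harmless, but `jmp 2b` and `jmp 3b` would state the intent directly, or a comment should say the restart from 1 is deliberate. The numeric labels also rely on no other `1:` to `3:` being defined between sysenter_exit and this fixup block, which cannot be checked from the hunk.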
13547 @@ -538,6 +719,14 @@ syscall_exit:
13548 testl $_TIF_ALLWORK_MASK, %ecx # current->work
13549 jne syscall_exit_work
13550
13551 +restore_all_pax:
13552 +
13553 +#ifdef CONFIG_PAX_RANDKSTACK
13554 + call pax_randomize_kstack
13555 +#endif
13556 +
13557 + pax_erase_kstack
13558 +
13559 restore_all:
13560 TRACE_IRQS_IRET
13561 restore_all_notrace:
13562 @@ -602,10 +791,29 @@ ldt_ss:
13563 mov PT_OLDESP(%esp), %eax /* load userspace esp */
13564 mov %dx, %ax /* eax: new kernel esp */
13565 sub %eax, %edx /* offset (low word is 0) */
13566 - PER_CPU(gdt_page, %ebx)
13567 +#ifdef CONFIG_SMP
13568 + movl PER_CPU_VAR(cpu_number), %ebx
13569 + shll $PAGE_SHIFT_asm, %ebx
13570 + addl $cpu_gdt_table, %ebx
13571 +#else
13572 + movl $cpu_gdt_table, %ebx
13573 +#endif
13574 shr $16, %edx
13575 +
13576 +#ifdef CONFIG_PAX_KERNEXEC
13577 + mov %cr0, %esi
13578 + btr $16, %esi
13579 + mov %esi, %cr0
13580 +#endif
13581 +
13582 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
13583 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
13584 +
13585 +#ifdef CONFIG_PAX_KERNEXEC
13586 + bts $16, %esi
13587 + mov %esi, %cr0
13588 +#endif
13589 +
13590 pushl $__ESPFIX_SS
13591 CFI_ADJUST_CFA_OFFSET 4
13592 push %eax /* new kernel esp */
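Review bot: The CONFIG_SMP/non-SMP sequence that computes the per-CPU GDT address (`cpu_number` shifted by `PAGE_SHIFT_asm`, plus `cpu_gdt_table`) is written out here and again, identically, in the FIXUP_ESPFIX_STACK hunk below; a small macro taking the destination register would keep the two copies from drifting. The sequence also assumes each CPU's GDT occupies exactly one page of a contiguous `cpu_gdt_table`, which deserves a comment. The KERNEXEC block clears CR0 bit 16 around the two GDT byte stores with a direct `mov` to `%cr0`, unlike pax_enter_kernel, which goes through PARA_INDIRECT under CONFIG_PARAVIRT; if that difference is intentional, a note next to it would help.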
13593 @@ -636,31 +844,25 @@ work_resched:
13594 movl TI_flags(%ebp), %ecx
13595 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
13596 # than syscall tracing?
13597 - jz restore_all
13598 + jz restore_all_pax
13599 testb $_TIF_NEED_RESCHED, %cl
13600 jnz work_resched
13601
13602 work_notifysig: # deal with pending signals and
13603 # notify-resume requests
13604 + movl %esp, %eax
13605 #ifdef CONFIG_VM86
13606 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
13607 - movl %esp, %eax
13608 - jne work_notifysig_v86 # returning to kernel-space or
13609 + jz 1f # returning to kernel-space or
13610 # vm86-space
13611 - xorl %edx, %edx
13612 - call do_notify_resume
13613 - jmp resume_userspace_sig
13614
13615 - ALIGN
13616 -work_notifysig_v86:
13617 pushl %ecx # save ti_flags for do_notify_resume
13618 CFI_ADJUST_CFA_OFFSET 4
13619 call save_v86_state # %eax contains pt_regs pointer
13620 popl %ecx
13621 CFI_ADJUST_CFA_OFFSET -4
13622 movl %eax, %esp
13623 -#else
13624 - movl %esp, %eax
13625 +1:
13626 #endif
13627 xorl %edx, %edx
13628 call do_notify_resume
13629 @@ -673,6 +875,9 @@ syscall_trace_entry:
13630 movl $-ENOSYS,PT_EAX(%esp)
13631 movl %esp, %eax
13632 call syscall_trace_enter
13633 +
13634 + pax_erase_kstack
13635 +
13636 /* What it returned is what we'll actually use. */
13637 cmpl $(nr_syscalls), %eax
13638 jnae syscall_call
13639 @@ -695,6 +900,10 @@ END(syscall_exit_work)
13640
13641 RING0_INT_FRAME # can't unwind into user space anyway
13642 syscall_fault:
13643 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13644 + push %ss
13645 + pop %ds
13646 +#endif
13647 GET_THREAD_INFO(%ebp)
13648 movl $-EFAULT,PT_EAX(%esp)
13649 jmp resume_userspace
13650 @@ -726,6 +935,33 @@ PTREGSCALL(rt_sigreturn)
13651 PTREGSCALL(vm86)
13652 PTREGSCALL(vm86old)
13653
13654 + ALIGN;
13655 +ENTRY(kernel_execve)
13656 + push %ebp
13657 + sub $PT_OLDSS+4,%esp
13658 + push %edi
13659 + push %ecx
13660 + push %eax
13661 + lea 3*4(%esp),%edi
13662 + mov $PT_OLDSS/4+1,%ecx
13663 + xorl %eax,%eax
13664 + rep stosl
13665 + pop %eax
13666 + pop %ecx
13667 + pop %edi
13668 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
13669 + mov %eax,PT_EBX(%esp)
13670 + mov %edx,PT_ECX(%esp)
13671 + mov %ecx,PT_EDX(%esp)
13672 + mov %esp,%eax
13673 + call sys_execve
13674 + GET_THREAD_INFO(%ebp)
13675 + test %eax,%eax
13676 + jz syscall_exit
13677 + add $PT_OLDSS+4,%esp
13678 + pop %ebp
13679 + ret
13680 +
13681 .macro FIXUP_ESPFIX_STACK
13682 /*
13683 * Switch back for ESPFIX stack to the normal zerobased stack
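Review bot: `ENTRY(kernel_execve)` is never closed: the routine ends at `ret` and the next line is `.macro FIXUP_ESPFIX_STACK`, while the other routines this patch adds to the file end with `ENDPROC(...)`. Add `ENDPROC(kernel_execve)` after the `ret` so the symbol gets its type and size. The routine also has no header comment. It takes its three arguments in %eax, %edx and %ecx, stores them in the PT_EBX/PT_ECX/PT_EDX slots of a zeroed frame, and jumps to syscall_exit when sys_execve returns 0; that contract should be written down above the entry point.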
13684 @@ -735,7 +971,13 @@ PTREGSCALL(vm86old)
13685 * normal stack and adjusts ESP with the matching offset.
13686 */
13687 /* fixup the stack */
13688 - PER_CPU(gdt_page, %ebx)
13689 +#ifdef CONFIG_SMP
13690 + movl PER_CPU_VAR(cpu_number), %ebx
13691 + shll $PAGE_SHIFT_asm, %ebx
13692 + addl $cpu_gdt_table, %ebx
13693 +#else
13694 + movl $cpu_gdt_table, %ebx
13695 +#endif
13696 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
13697 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
13698 shl $16, %eax
13699 @@ -1198,7 +1440,6 @@ return_to_handler:
13700 ret
13701 #endif
13702
13703 -.section .rodata,"a"
13704 #include "syscall_table_32.S"
13705
13706 syscall_table_size=(.-sys_call_table)
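Review bot: Dropping `.section .rodata,"a"` means the table from the included syscall_table_32.S is assembled into whatever section is current at this point, unless the included file now selects one itself, which this hunk does not show. The system call table should stay in read-only memory, so confirm that the section directive moved into syscall_table_32.S. Once verified, leave a short comment here, e.g. `/* section is selected inside syscall_table_32.S */`.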
13707 @@ -1255,9 +1496,12 @@ error_code:
13708 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
13709 REG_TO_PTGS %ecx
13710 SET_KERNEL_GS %ecx
13711 - movl $(__USER_DS), %ecx
13712 + movl $(__KERNEL_DS), %ecx
13713 movl %ecx, %ds
13714 movl %ecx, %es
13715 +
13716 + pax_enter_kernel
13717 +
13718 TRACE_IRQS_OFF
13719 movl %esp,%eax # pt_regs pointer
13720 call *%edi
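Review bot: `error_code` now loads `__KERNEL_DS` into %ds/%es unconditionally, but `SAVE_ALL` earlier in this file picks `__KERNEL_DS` only when one of KERNEXEC, PAGEEXEC, SEGMEXEC or UDEREF is enabled and keeps `__USER_DS` otherwise. With none of those options set, exception entry and interrupt/syscall entry would run with different data selectors. Either wrap this load in the same `#if defined(...)` condition or move the selector choice into one macro used by both paths.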
13721 @@ -1351,6 +1595,9 @@ nmi_stack_correct:
13722 xorl %edx,%edx # zero error code
13723 movl %esp,%eax # pt_regs pointer
13724 call do_nmi
13725 +
13726 + pax_exit_kernel
13727 +
13728 jmp restore_all_notrace
13729 CFI_ENDPROC
13730
13731 @@ -1391,6 +1638,9 @@ nmi_espfix_stack:
13732 FIXUP_ESPFIX_STACK # %eax == %esp
13733 xorl %edx,%edx # zero error code
13734 call do_nmi
13735 +
13736 + pax_exit_kernel
13737 +
13738 RESTORE_REGS
13739 lss 12+4(%esp), %esp # back to espfix stack
13740 CFI_ADJUST_CFA_OFFSET -24
13741 diff -urNp linux-2.6.32.46/arch/x86/kernel/entry_64.S linux-2.6.32.46/arch/x86/kernel/entry_64.S
13742 --- linux-2.6.32.46/arch/x86/kernel/entry_64.S 2011-03-27 14:31:47.000000000 -0400
13743 +++ linux-2.6.32.46/arch/x86/kernel/entry_64.S 2011-08-26 20:19:09.000000000 -0400
13744 @@ -53,6 +53,7 @@
13745 #include <asm/paravirt.h>
13746 #include <asm/ftrace.h>
13747 #include <asm/percpu.h>
13748 +#include <asm/pgtable.h>
13749
13750 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
13751 #include <linux/elf-em.h>
13752 @@ -174,6 +175,264 @@ ENTRY(native_usergs_sysret64)
13753 ENDPROC(native_usergs_sysret64)
13754 #endif /* CONFIG_PARAVIRT */
13755
13756 + .macro ljmpq sel, off
13757 +#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
13758 + .byte 0x48; ljmp *1234f(%rip)
13759 + .pushsection .rodata
13760 + .align 16
13761 + 1234: .quad \off; .word \sel
13762 + .popsection
13763 +#else
13764 + pushq $\sel
13765 + pushq $\off
13766 + lretq
13767 +#endif
13768 + .endm
13769 +
13770 + .macro pax_enter_kernel
13771 +#ifdef CONFIG_PAX_KERNEXEC
13772 + call pax_enter_kernel
13773 +#endif
13774 + .endm
13775 +
13776 + .macro pax_exit_kernel
13777 +#ifdef CONFIG_PAX_KERNEXEC
13778 + call pax_exit_kernel
13779 +#endif
13780 + .endm
13781 +
13782 +#ifdef CONFIG_PAX_KERNEXEC
13783 +ENTRY(pax_enter_kernel)
13784 + pushq %rdi
13785 +
13786 +#ifdef CONFIG_PARAVIRT
13787 + PV_SAVE_REGS(CLBR_RDI)
13788 +#endif
13789 +
13790 + GET_CR0_INTO_RDI
13791 + bts $16,%rdi
13792 + jnc 1f
13793 + mov %cs,%edi
13794 + cmp $__KERNEL_CS,%edi
13795 + jz 3f
13796 + ljmpq __KERNEL_CS,3f
13797 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
13798 +2: SET_RDI_INTO_CR0
13799 +3:
13800 +
13801 +#ifdef CONFIG_PARAVIRT
13802 + PV_RESTORE_REGS(CLBR_RDI)
13803 +#endif
13804 +
13805 + popq %rdi
13806 + retq
13807 +ENDPROC(pax_enter_kernel)
13808 +
13809 +ENTRY(pax_exit_kernel)
13810 + pushq %rdi
13811 +
13812 +#ifdef CONFIG_PARAVIRT
13813 + PV_SAVE_REGS(CLBR_RDI)
13814 +#endif
13815 +
13816 + mov %cs,%rdi
13817 + cmp $__KERNEXEC_KERNEL_CS,%edi
13818 + jnz 2f
13819 + GET_CR0_INTO_RDI
13820 + btr $16,%rdi
13821 + ljmpq __KERNEL_CS,1f
13822 +1: SET_RDI_INTO_CR0
13823 +2:
13824 +
13825 +#ifdef CONFIG_PARAVIRT
13826 + PV_RESTORE_REGS(CLBR_RDI);
13827 +#endif
13828 +
13829 + popq %rdi
13830 + retq
13831 +ENDPROC(pax_exit_kernel)
13832 +#endif
13833 +
13834 + .macro pax_enter_kernel_user
13835 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13836 + call pax_enter_kernel_user
13837 +#endif
13838 + .endm
13839 +
13840 + .macro pax_exit_kernel_user
13841 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13842 + call pax_exit_kernel_user
13843 +#endif
13844 +#ifdef CONFIG_PAX_RANDKSTACK
13845 + push %rax
13846 + call pax_randomize_kstack
13847 + pop %rax
13848 +#endif
13849 + .endm
13850 +
13851 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13852 +ENTRY(pax_enter_kernel_user)
13853 + pushq %rdi
13854 + pushq %rbx
13855 +
13856 +#ifdef CONFIG_PARAVIRT
13857 + PV_SAVE_REGS(CLBR_RDI)
13858 +#endif
13859 +
13860 + GET_CR3_INTO_RDI
13861 + mov %rdi,%rbx
13862 + add $__START_KERNEL_map,%rbx
13863 + sub phys_base(%rip),%rbx
13864 +
13865 +#ifdef CONFIG_PARAVIRT
13866 + pushq %rdi
13867 + cmpl $0, pv_info+PARAVIRT_enabled
13868 + jz 1f
13869 + i = 0
13870 + .rept USER_PGD_PTRS
13871 + mov i*8(%rbx),%rsi
13872 + mov $0,%sil
13873 + lea i*8(%rbx),%rdi
13874 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
13875 + i = i + 1
13876 + .endr
13877 + jmp 2f
13878 +1:
13879 +#endif
13880 +
13881 + i = 0
13882 + .rept USER_PGD_PTRS
13883 + movb $0,i*8(%rbx)
13884 + i = i + 1
13885 + .endr
13886 +
13887 +#ifdef CONFIG_PARAVIRT
13888 +2: popq %rdi
13889 +#endif
13890 + SET_RDI_INTO_CR3
13891 +
13892 +#ifdef CONFIG_PAX_KERNEXEC
13893 + GET_CR0_INTO_RDI
13894 + bts $16,%rdi
13895 + SET_RDI_INTO_CR0
13896 +#endif
13897 +
13898 +#ifdef CONFIG_PARAVIRT
13899 + PV_RESTORE_REGS(CLBR_RDI)
13900 +#endif
13901 +
13902 + popq %rbx
13903 + popq %rdi
13904 + retq
13905 +ENDPROC(pax_enter_kernel_user)
13906 +
13907 +ENTRY(pax_exit_kernel_user)
13908 + push %rdi
13909 +
13910 +#ifdef CONFIG_PARAVIRT
13911 + pushq %rbx
13912 + PV_SAVE_REGS(CLBR_RDI)
13913 +#endif
13914 +
13915 +#ifdef CONFIG_PAX_KERNEXEC
13916 + GET_CR0_INTO_RDI
13917 + btr $16,%rdi
13918 + SET_RDI_INTO_CR0
13919 +#endif
13920 +
13921 + GET_CR3_INTO_RDI
13922 + add $__START_KERNEL_map,%rdi
13923 + sub phys_base(%rip),%rdi
13924 +
13925 +#ifdef CONFIG_PARAVIRT
13926 + cmpl $0, pv_info+PARAVIRT_enabled
13927 + jz 1f
13928 + mov %rdi,%rbx
13929 + i = 0
13930 + .rept USER_PGD_PTRS
13931 + mov i*8(%rbx),%rsi
13932 + mov $0x67,%sil
13933 + lea i*8(%rbx),%rdi
13934 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
13935 + i = i + 1
13936 + .endr
13937 + jmp 2f
13938 +1:
13939 +#endif
13940 +
13941 + i = 0
13942 + .rept USER_PGD_PTRS
13943 + movb $0x67,i*8(%rdi)
13944 + i = i + 1
13945 + .endr
13946 +
13947 +#ifdef CONFIG_PARAVIRT
13948 +2: PV_RESTORE_REGS(CLBR_RDI)
13949 + popq %rbx
13950 +#endif
13951 +
13952 + popq %rdi
13953 + retq
13954 +ENDPROC(pax_exit_kernel_user)
13955 +#endif
13956 +
13957 +.macro pax_erase_kstack
13958 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13959 + call pax_erase_kstack
13960 +#endif
13961 +.endm
13962 +
13963 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13964 +/*
13965 + * r10: thread_info
13966 + * rcx, rdx: can be clobbered
13967 + */
13968 +ENTRY(pax_erase_kstack)
13969 + pushq %rdi
13970 + pushq %rax
13971 + pushq %r10
13972 +
13973 + GET_THREAD_INFO(%r10)
13974 + mov TI_lowest_stack(%r10), %rdi
13975 + mov $-0xBEEF, %rax
13976 + std
13977 +
13978 +1: mov %edi, %ecx
13979 + and $THREAD_SIZE_asm - 1, %ecx
13980 + shr $3, %ecx
13981 + repne scasq
13982 + jecxz 2f
13983 +
13984 + cmp $2*8, %ecx
13985 + jc 2f
13986 +
13987 + mov $2*8, %ecx
13988 + repe scasq
13989 + jecxz 2f
13990 + jne 1b
13991 +
13992 +2: cld
13993 + mov %esp, %ecx
13994 + sub %edi, %ecx
13995 +
13996 + cmp $THREAD_SIZE_asm, %rcx
13997 + jb 3f
13998 + ud2
13999 +3:
14000 +
14001 + shr $3, %ecx
14002 + rep stosq
14003 +
14004 + mov TI_task_thread_sp0(%r10), %rdi
14005 + sub $256, %rdi
14006 + mov %rdi, TI_lowest_stack(%r10)
14007 +
14008 + popq %r10
14009 + popq %rax
14010 + popq %rdi
14011 + ret
14012 +ENDPROC(pax_erase_kstack)
14013 +#endif
14014
14015 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
14016 #ifdef CONFIG_TRACE_IRQFLAGS
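Review bot: The header comment on the 64-bit `pax_erase_kstack` says `r10: thread_info` as if it were an input, but the routine pushes `%r10`, loads it itself with `GET_THREAD_INFO(%r10)` and pops it again, so callers need not set it up. The comment also lists `rdx` as clobberable although the body never touches it. I would reword it to `/* no register inputs; clobbers %rcx; uses TI_lowest_stack of the current thread */`. The poison value `-0xBEEF` and the `sub $256, %rdi` offset (128 in the 32-bit copy) are bare literals in both files and would read better as named constants with a note on how the offsets were chosen.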
14017 @@ -317,7 +576,7 @@ ENTRY(save_args)
14018 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
14019 movq_cfi rbp, 8 /* push %rbp */
14020 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
14021 - testl $3, CS(%rdi)
14022 + testb $3, CS(%rdi)
14023 je 1f
14024 SWAPGS
14025 /*
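Review bot: The `testl $3` to `testb $3` change on the saved CS is repeated across this file (here in save_args, and in the ret_from_fork, int_ret_from_sys_call, exit_intr, paranoid_exit, error_entry and nmi hunks) with no explanation. The bits being tested are the low two bits of the selector, so the byte form is sufficient and no longer reads the upper bytes of the stack slot. If that is the motivation, one comment at the first site would do, e.g. `/* only the RPL bits in the low byte of the saved CS matter */`.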
14026 @@ -409,7 +668,7 @@ ENTRY(ret_from_fork)
14027
14028 RESTORE_REST
14029
14030 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14031 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14032 je int_ret_from_sys_call
14033
14034 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
14035 @@ -455,7 +714,7 @@ END(ret_from_fork)
14036 ENTRY(system_call)
14037 CFI_STARTPROC simple
14038 CFI_SIGNAL_FRAME
14039 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
14040 + CFI_DEF_CFA rsp,0
14041 CFI_REGISTER rip,rcx
14042 /*CFI_REGISTER rflags,r11*/
14043 SWAPGS_UNSAFE_STACK
14044 @@ -468,12 +727,13 @@ ENTRY(system_call_after_swapgs)
14045
14046 movq %rsp,PER_CPU_VAR(old_rsp)
14047 movq PER_CPU_VAR(kernel_stack),%rsp
14048 + pax_enter_kernel_user
14049 /*
14050 * No need to follow this irqs off/on section - it's straight
14051 * and short:
14052 */
14053 ENABLE_INTERRUPTS(CLBR_NONE)
14054 - SAVE_ARGS 8,1
14055 + SAVE_ARGS 8*6,1
14056 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
14057 movq %rcx,RIP-ARGOFFSET(%rsp)
14058 CFI_REL_OFFSET rip,RIP-ARGOFFSET
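Review bot: The new first argument in `SAVE_ARGS 8*6,1` is an unexplained constant that has to stay in step with the `CFI_DEF_CFA rsp,0` change in the previous hunk and with however the per-CPU `kernel_stack` value is computed, which is not visible here. A mismatch would corrupt the saved frame layout without any build-time error. Please add a comment naming what the six slots are, e.g. `/* 8*6: room for the slots no longer pre-reserved via KERNEL_STACK_OFFSET */`, worded to match the real reason.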
14059 @@ -502,6 +762,8 @@ sysret_check:
14060 andl %edi,%edx
14061 jnz sysret_careful
14062 CFI_REMEMBER_STATE
14063 + pax_exit_kernel_user
14064 + pax_erase_kstack
14065 /*
14066 * sysretq will re-enable interrupts:
14067 */
14068 @@ -562,6 +824,9 @@ auditsys:
14069 movq %rax,%rsi /* 2nd arg: syscall number */
14070 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
14071 call audit_syscall_entry
14072 +
14073 + pax_erase_kstack
14074 +
14075 LOAD_ARGS 0 /* reload call-clobbered registers */
14076 jmp system_call_fastpath
14077
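Review bot: Nothing records that `pax_erase_kstack` has to stay ahead of the register reload in auditsys. The routine defined earlier in this file saves only %rdi, %rax and %r10 and uses %ecx as its scan counter, so it relies on `LOAD_ARGS 0` directly below to restore %rcx. A later reordering would silently corrupt a syscall argument. Suggest `/* must precede LOAD_ARGS: pax_erase_kstack clobbers %rcx */`; the same applies to the tracesys hunk that follows, where the call sits just before the argument reload.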
14078 @@ -592,6 +857,9 @@ tracesys:
14079 FIXUP_TOP_OF_STACK %rdi
14080 movq %rsp,%rdi
14081 call syscall_trace_enter
14082 +
14083 + pax_erase_kstack
14084 +
14085 /*
14086 * Reload arg registers from stack in case ptrace changed them.
14087 * We don't reload %rax because syscall_trace_enter() returned
14088 @@ -613,7 +881,7 @@ tracesys:
14089 GLOBAL(int_ret_from_sys_call)
14090 DISABLE_INTERRUPTS(CLBR_NONE)
14091 TRACE_IRQS_OFF
14092 - testl $3,CS-ARGOFFSET(%rsp)
14093 + testb $3,CS-ARGOFFSET(%rsp)
14094 je retint_restore_args
14095 movl $_TIF_ALLWORK_MASK,%edi
14096 /* edi: mask to check */
14097 @@ -800,6 +1068,16 @@ END(interrupt)
14098 CFI_ADJUST_CFA_OFFSET 10*8
14099 call save_args
14100 PARTIAL_FRAME 0
14101 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14102 + testb $3, CS(%rdi)
14103 + jnz 1f
14104 + pax_enter_kernel
14105 + jmp 2f
14106 +1: pax_enter_kernel_user
14107 +2:
14108 +#else
14109 + pax_enter_kernel
14110 +#endif
14111 call \func
14112 .endm
14113
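Review bot: The ten-line `#ifdef CONFIG_PAX_MEMORY_UDEREF` block that picks `pax_enter_kernel` or `pax_enter_kernel_user` from the saved CS is pasted verbatim into seven places: this interrupt macro, the five exception-entry macros and the nmi entry. Only the CS operand differs, `CS(%rdi)` here and `CS(%rsp)` elsewhere. Seven copies of security-relevant entry code are easy to update inconsistently, so a single helper macro taking the CS operand would keep them in step. The enclosing macro starts outside this hunk.
```asm
/* proposed helper; the name is only a suggestion */
.macro pax_enter_kernel_by_cs cs_slot
#ifdef CONFIG_PAX_MEMORY_UDEREF
	testb $3, \cs_slot
	jnz 1f
	pax_enter_kernel
	jmp 2f
1:	pax_enter_kernel_user
2:
#else
	pax_enter_kernel
#endif
.endm

	/* … unchanged: call save_args, PARTIAL_FRAME 0 … */
	pax_enter_kernel_by_cs CS(%rdi)
	call \func
```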
14114 @@ -822,7 +1100,7 @@ ret_from_intr:
14115 CFI_ADJUST_CFA_OFFSET -8
14116 exit_intr:
14117 GET_THREAD_INFO(%rcx)
14118 - testl $3,CS-ARGOFFSET(%rsp)
14119 + testb $3,CS-ARGOFFSET(%rsp)
14120 je retint_kernel
14121
14122 /* Interrupt came from user space */
14123 @@ -844,12 +1122,15 @@ retint_swapgs: /* return to user-space
14124 * The iretq could re-enable interrupts:
14125 */
14126 DISABLE_INTERRUPTS(CLBR_ANY)
14127 + pax_exit_kernel_user
14128 + pax_erase_kstack
14129 TRACE_IRQS_IRETQ
14130 SWAPGS
14131 jmp restore_args
14132
14133 retint_restore_args: /* return to kernel space */
14134 DISABLE_INTERRUPTS(CLBR_ANY)
14135 + pax_exit_kernel
14136 /*
14137 * The iretq could re-enable interrupts:
14138 */
14139 @@ -1032,6 +1313,16 @@ ENTRY(\sym)
14140 CFI_ADJUST_CFA_OFFSET 15*8
14141 call error_entry
14142 DEFAULT_FRAME 0
14143 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14144 + testb $3, CS(%rsp)
14145 + jnz 1f
14146 + pax_enter_kernel
14147 + jmp 2f
14148 +1: pax_enter_kernel_user
14149 +2:
14150 +#else
14151 + pax_enter_kernel
14152 +#endif
14153 movq %rsp,%rdi /* pt_regs pointer */
14154 xorl %esi,%esi /* no error code */
14155 call \do_sym
14156 @@ -1049,6 +1340,16 @@ ENTRY(\sym)
14157 subq $15*8, %rsp
14158 call save_paranoid
14159 TRACE_IRQS_OFF
14160 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14161 + testb $3, CS(%rsp)
14162 + jnz 1f
14163 + pax_enter_kernel
14164 + jmp 2f
14165 +1: pax_enter_kernel_user
14166 +2:
14167 +#else
14168 + pax_enter_kernel
14169 +#endif
14170 movq %rsp,%rdi /* pt_regs pointer */
14171 xorl %esi,%esi /* no error code */
14172 call \do_sym
14173 @@ -1066,9 +1367,24 @@ ENTRY(\sym)
14174 subq $15*8, %rsp
14175 call save_paranoid
14176 TRACE_IRQS_OFF
14177 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14178 + testb $3, CS(%rsp)
14179 + jnz 1f
14180 + pax_enter_kernel
14181 + jmp 2f
14182 +1: pax_enter_kernel_user
14183 +2:
14184 +#else
14185 + pax_enter_kernel
14186 +#endif
14187 movq %rsp,%rdi /* pt_regs pointer */
14188 xorl %esi,%esi /* no error code */
14189 - PER_CPU(init_tss, %rbp)
14190 +#ifdef CONFIG_SMP
14191 + imul $TSS_size, PER_CPU_VAR(cpu_number), %ebp
14192 + lea init_tss(%rbp), %rbp
14193 +#else
14194 + lea init_tss(%rip), %rbp
14195 +#endif
14196 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
14197 call \do_sym
14198 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
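Review bot: The open-coded replacement for `PER_CPU(init_tss, %rbp)` has no comment explaining the new addressing. Multiplying `cpu_number` by `TSS_size` suggests `init_tss` is an array indexed by CPU in this patch rather than a per-CPU variable, but its definition is outside the hunk. The SMP form `lea init_tss(%rbp), %rbp` also uses an absolute displacement while the UP form is `%rip`-relative, which deserves a word. Suggest `/* %rbp = &init_tss[cpu]; init_tss is a plain array here, not a per-CPU variable */` once confirmed.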
14199 @@ -1085,6 +1401,16 @@ ENTRY(\sym)
14200 CFI_ADJUST_CFA_OFFSET 15*8
14201 call error_entry
14202 DEFAULT_FRAME 0
14203 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14204 + testb $3, CS(%rsp)
14205 + jnz 1f
14206 + pax_enter_kernel
14207 + jmp 2f
14208 +1: pax_enter_kernel_user
14209 +2:
14210 +#else
14211 + pax_enter_kernel
14212 +#endif
14213 movq %rsp,%rdi /* pt_regs pointer */
14214 movq ORIG_RAX(%rsp),%rsi /* get error code */
14215 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14216 @@ -1104,6 +1430,16 @@ ENTRY(\sym)
14217 call save_paranoid
14218 DEFAULT_FRAME 0
14219 TRACE_IRQS_OFF
14220 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14221 + testb $3, CS(%rsp)
14222 + jnz 1f
14223 + pax_enter_kernel
14224 + jmp 2f
14225 +1: pax_enter_kernel_user
14226 +2:
14227 +#else
14228 + pax_enter_kernel
14229 +#endif
14230 movq %rsp,%rdi /* pt_regs pointer */
14231 movq ORIG_RAX(%rsp),%rsi /* get error code */
14232 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
14233 @@ -1405,14 +1741,27 @@ ENTRY(paranoid_exit)
14234 TRACE_IRQS_OFF
14235 testl %ebx,%ebx /* swapgs needed? */
14236 jnz paranoid_restore
14237 - testl $3,CS(%rsp)
14238 + testb $3,CS(%rsp)
14239 jnz paranoid_userspace
14240 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14241 + pax_exit_kernel
14242 + TRACE_IRQS_IRETQ 0
14243 + SWAPGS_UNSAFE_STACK
14244 + RESTORE_ALL 8
14245 + jmp irq_return
14246 +#endif
14247 paranoid_swapgs:
14248 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14249 + pax_exit_kernel_user
14250 +#else
14251 + pax_exit_kernel
14252 +#endif
14253 TRACE_IRQS_IRETQ 0
14254 SWAPGS_UNSAFE_STACK
14255 RESTORE_ALL 8
14256 jmp irq_return
14257 paranoid_restore:
14258 + pax_exit_kernel
14259 TRACE_IRQS_IRETQ 0
14260 RESTORE_ALL 8
14261 jmp irq_return
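Review bot: The new UDEREF-only block after `jnz paranoid_userspace` has no comment saying which case it handles. Reading the tests above it, the fall-through is "swapgs needed but saved CS is kernel", which is why it ends with `pax_exit_kernel` and no longer drops into `paranoid_swapgs`, where `pax_exit_kernel_user` is used. Because the block duplicates the four-line epilogue, a future edit to one copy can miss the other. Suggest `/* kernel CS but user GS base: kernel-side PaX exit, then the same epilogue as paranoid_swapgs */`.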
14262 @@ -1470,7 +1819,7 @@ ENTRY(error_entry)
14263 movq_cfi r14, R14+8
14264 movq_cfi r15, R15+8
14265 xorl %ebx,%ebx
14266 - testl $3,CS+8(%rsp)
14267 + testb $3,CS+8(%rsp)
14268 je error_kernelspace
14269 error_swapgs:
14270 SWAPGS
14271 @@ -1529,6 +1878,16 @@ ENTRY(nmi)
14272 CFI_ADJUST_CFA_OFFSET 15*8
14273 call save_paranoid
14274 DEFAULT_FRAME 0
14275 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14276 + testb $3, CS(%rsp)
14277 + jnz 1f
14278 + pax_enter_kernel
14279 + jmp 2f
14280 +1: pax_enter_kernel_user
14281 +2:
14282 +#else
14283 + pax_enter_kernel
14284 +#endif
14285 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
14286 movq %rsp,%rdi
14287 movq $-1,%rsi
14288 @@ -1539,11 +1898,25 @@ ENTRY(nmi)
14289 DISABLE_INTERRUPTS(CLBR_NONE)
14290 testl %ebx,%ebx /* swapgs needed? */
14291 jnz nmi_restore
14292 - testl $3,CS(%rsp)
14293 + testb $3,CS(%rsp)
14294 jnz nmi_userspace
14295 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14296 + pax_exit_kernel
14297 + SWAPGS_UNSAFE_STACK
14298 + RESTORE_ALL 8
14299 + jmp irq_return
14300 +#endif
14301 nmi_swapgs:
14302 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14303 + pax_exit_kernel_user
14304 +#else
14305 + pax_exit_kernel
14306 +#endif
14307 SWAPGS_UNSAFE_STACK
14308 + RESTORE_ALL 8
14309 + jmp irq_return
14310 nmi_restore:
14311 + pax_exit_kernel
14312 RESTORE_ALL 8
14313 jmp irq_return
14314 nmi_userspace:
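Review bot: `nmi_swapgs` used to fall through into `nmi_restore` and now carries its own `RESTORE_ALL 8` / `jmp irq_return`, but the reason is not written down. With `pax_exit_kernel` added at the top of `nmi_restore`, falling through would run a second PaX exit after the one in `nmi_swapgs`, so the explicit return is load-bearing. A short comment would stop someone "simplifying" it back, e.g. `/* do not fall through: nmi_restore runs pax_exit_kernel again */`.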
14315 diff -urNp linux-2.6.32.46/arch/x86/kernel/ftrace.c linux-2.6.32.46/arch/x86/kernel/ftrace.c
14316 --- linux-2.6.32.46/arch/x86/kernel/ftrace.c 2011-03-27 14:31:47.000000000 -0400
14317 +++ linux-2.6.32.46/arch/x86/kernel/ftrace.c 2011-05-04 17:56:20.000000000 -0400
14318 @@ -103,7 +103,7 @@ static void *mod_code_ip; /* holds the
14319 static void *mod_code_newcode; /* holds the text to write to the IP */
14320
14321 static unsigned nmi_wait_count;
14322 -static atomic_t nmi_update_count = ATOMIC_INIT(0);
14323 +static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
14324
14325 int ftrace_arch_read_dyn_info(char *buf, int size)
14326 {
14327 @@ -111,7 +111,7 @@ int ftrace_arch_read_dyn_info(char *buf,
14328
14329 r = snprintf(buf, size, "%u %u",
14330 nmi_wait_count,
14331 - atomic_read(&nmi_update_count));
14332 + atomic_read_unchecked(&nmi_update_count));
14333 return r;
14334 }
14335
14336 @@ -149,8 +149,10 @@ void ftrace_nmi_enter(void)
14337 {
14338 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
14339 smp_rmb();
14340 + pax_open_kernel();
14341 ftrace_mod_code();
14342 - atomic_inc(&nmi_update_count);
14343 + pax_close_kernel();
14344 + atomic_inc_unchecked(&nmi_update_count);
14345 }
14346 /* Must have previous changes seen before executions */
14347 smp_mb();
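Review bot: `pax_open_kernel()` and `pax_close_kernel()` are now called from NMI context, and nothing here says whether that pair is safe to nest. If the NMI arrives while the interrupted code is itself between an open and a close, the `pax_close_kernel()` added here would presumably restore write protection underneath it; the helpers are defined outside this hunk, so this needs confirming. A comment stating why nesting cannot occur on this path, or saving and restoring the previous state, would settle it.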
14348 @@ -215,7 +217,7 @@ do_ftrace_mod_code(unsigned long ip, voi
14349
14350
14351
14352 -static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
14353 +static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
14354
14355 static unsigned char *ftrace_nop_replace(void)
14356 {
14357 @@ -228,6 +230,8 @@ ftrace_modify_code(unsigned long ip, uns
14358 {
14359 unsigned char replaced[MCOUNT_INSN_SIZE];
14360
14361 + ip = ktla_ktva(ip);
14362 +
14363 /*
14364 * Note: Due to modules and __init, code can
14365 * disappear and change, we need to protect against faulting
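Review bot: `ip = ktla_ktva(ip);` overwrites the parameter with no comment, so every later use of `ip` in `ftrace_modify_code()` sees the translated address. The function body continues outside the hunk, so those uses cannot be checked here. Assuming the macro maps a kernel text address to the alias through which it can be read and patched, say so, e.g. `/* from here on ip is the alias of the text address used for reading/patching */`. `ftrace_mod_jmp()` gets the same line in the last hunk of this file and wants the same comment.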
14366 @@ -284,7 +288,7 @@ int ftrace_update_ftrace_func(ftrace_fun
14367 unsigned char old[MCOUNT_INSN_SIZE], *new;
14368 int ret;
14369
14370 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
14371 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
14372 new = ftrace_call_replace(ip, (unsigned long)func);
14373 ret = ftrace_modify_code(ip, old, new);
14374
14375 @@ -337,15 +341,15 @@ int __init ftrace_dyn_arch_init(void *da
14376 switch (faulted) {
14377 case 0:
14378 pr_info("ftrace: converting mcount calls to 0f 1f 44 00 00\n");
14379 - memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
14380 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
14381 break;
14382 case 1:
14383 pr_info("ftrace: converting mcount calls to 66 66 66 66 90\n");
14384 - memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
14385 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
14386 break;
14387 case 2:
14388 pr_info("ftrace: converting mcount calls to jmp . + 5\n");
14389 - memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
14390 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
14391 break;
14392 }
14393
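Review bot: The three `memcpy(ftrace_nop, …)` calls still write into `ftrace_nop`, which an earlier hunk of this file marks `__read_only`, and unlike `ftrace_nmi_enter()` they are not bracketed by `pax_open_kernel()`/`pax_close_kernel()`. That is fine only if `ftrace_dyn_arch_init()`, an `__init` function, always runs before read-only data is write-protected, which this hunk does not show. Please confirm and record it, e.g. `/* __init: runs before read-only data is sealed, so ftrace_nop is still writable */`, or wrap the copies. The function continues outside the hunk.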
14394 @@ -366,6 +370,8 @@ static int ftrace_mod_jmp(unsigned long
14395 {
14396 unsigned char code[MCOUNT_INSN_SIZE];
14397
14398 + ip = ktla_ktva(ip);
14399 +
14400 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
14401 return -EFAULT;
14402
14403 diff -urNp linux-2.6.32.46/arch/x86/kernel/head32.c linux-2.6.32.46/arch/x86/kernel/head32.c
14404 --- linux-2.6.32.46/arch/x86/kernel/head32.c 2011-03-27 14:31:47.000000000 -0400
14405 +++ linux-2.6.32.46/arch/x86/kernel/head32.c 2011-04-17 15:56:46.000000000 -0400
14406 @@ -16,6 +16,7 @@
14407 #include <asm/apic.h>
14408 #include <asm/io_apic.h>
14409 #include <asm/bios_ebda.h>
14410 +#include <asm/boot.h>
14411
14412 static void __init i386_default_early_setup(void)
14413 {
14414 @@ -31,7 +32,7 @@ void __init i386_start_kernel(void)
14415 {
14416 reserve_trampoline_memory();
14417
14418 - reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
14419 + reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
14420
14421 #ifdef CONFIG_BLK_DEV_INITRD
14422 /* Reserve INITRD */
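Review bot: `reserve_early()` now starts at the build-time constant `LOAD_PHYSICAL_ADDR` instead of the address of `_text`, and the change is not guarded by any PaX option. If the image can be loaded at a physical address other than the configured one, a relocatable build for instance, the reserved range would no longer begin where the kernel text actually sits. Whether that configuration is still possible with this patch is not visible here. A comment stating the assumption, or an `#ifdef CONFIG_PAX_KERNEXEC` around the new form, would make the intent checkable. The function body continues past the hunk.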
14423 diff -urNp linux-2.6.32.46/arch/x86/kernel/head_32.S linux-2.6.32.46/arch/x86/kernel/head_32.S
14424 --- linux-2.6.32.46/arch/x86/kernel/head_32.S 2011-03-27 14:31:47.000000000 -0400
14425 +++ linux-2.6.32.46/arch/x86/kernel/head_32.S 2011-07-06 19:53:33.000000000 -0400
14426 @@ -19,10 +19,17 @@
14427 #include <asm/setup.h>
14428 #include <asm/processor-flags.h>
14429 #include <asm/percpu.h>
14430 +#include <asm/msr-index.h>
14431
14432 /* Physical address */
14433 #define pa(X) ((X) - __PAGE_OFFSET)
14434
14435 +#ifdef CONFIG_PAX_KERNEXEC
14436 +#define ta(X) (X)
14437 +#else
14438 +#define ta(X) ((X) - __PAGE_OFFSET)
14439 +#endif
14440 +
14441 /*
14442 * References to members of the new_cpu_data structure.
14443 */
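Review bot: `ta()` is introduced without a comment, while `pa()` directly above it is labelled. In this file it is used only for the `subarch_entries` jump table, where under CONFIG_PAX_KERNEXEC the entries are left untranslated. That is presumably because the boot code segment set up in `startup_32` already carries the offset. Suggest a line above the `#ifdef` such as `/* Text address as seen through the boot code segment */`, adjusted to the intended meaning.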
14444 @@ -52,11 +59,7 @@
14445 * and small than max_low_pfn, otherwise will waste some page table entries
14446 */
14447
14448 -#if PTRS_PER_PMD > 1
14449 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
14450 -#else
14451 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
14452 -#endif
14453 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
14454
14455 /* Enough space to fit pagetables for the low memory linear map */
14456 MAPPING_BEYOND_END = \
14457 @@ -73,6 +76,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
14458 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
14459
14460 /*
14461 + * Real beginning of normal "text" segment
14462 + */
14463 +ENTRY(stext)
14464 +ENTRY(_stext)
14465 +
14466 +/*
14467 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
14468 * %esi points to the real-mode code as a 32-bit pointer.
14469 * CS and DS must be 4 GB flat segments, but we don't depend on
14470 @@ -80,7 +89,16 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
14471 * can.
14472 */
14473 __HEAD
14474 +
14475 +#ifdef CONFIG_PAX_KERNEXEC
14476 + jmp startup_32
14477 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
14478 +.fill PAGE_SIZE-5,1,0xcc
14479 +#endif
14480 +
14481 ENTRY(startup_32)
14482 + movl pa(stack_start),%ecx
14483 +
14484 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
14485 us to not reload segments */
14486 testb $(1<<6), BP_loadflags(%esi)
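Review bot: The `5` in `.fill PAGE_SIZE-5,1,0xcc` silently depends on `jmp startup_32` assembling to the five-byte rel32 form. If the jump encoding or anything placed before the fill changes, `startup_32` no longer lands exactly one page after the jump and the int3 guard page shifts with it. Either add `/* 5 = length of the jmp rel32 above */` or compute the pad from a label placed before the jump so the assembler keeps the two in step.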
14487 @@ -95,7 +113,60 @@ ENTRY(startup_32)
14488 movl %eax,%es
14489 movl %eax,%fs
14490 movl %eax,%gs
14491 + movl %eax,%ss
14492 2:
14493 + leal -__PAGE_OFFSET(%ecx),%esp
14494 +
14495 +#ifdef CONFIG_SMP
14496 + movl $pa(cpu_gdt_table),%edi
14497 + movl $__per_cpu_load,%eax
14498 + movw %ax,__KERNEL_PERCPU + 2(%edi)
14499 + rorl $16,%eax
14500 + movb %al,__KERNEL_PERCPU + 4(%edi)
14501 + movb %ah,__KERNEL_PERCPU + 7(%edi)
14502 + movl $__per_cpu_end - 1,%eax
14503 + subl $__per_cpu_start,%eax
14504 + movw %ax,__KERNEL_PERCPU + 0(%edi)
14505 +#endif
14506 +
14507 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14508 + movl $NR_CPUS,%ecx
14509 + movl $pa(cpu_gdt_table),%edi
14510 +1:
14511 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
14512 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
14513 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
14514 + addl $PAGE_SIZE_asm,%edi
14515 + loop 1b
14516 +#endif
14517 +
14518 +#ifdef CONFIG_PAX_KERNEXEC
14519 + movl $pa(boot_gdt),%edi
14520 + movl $__LOAD_PHYSICAL_ADDR,%eax
14521 + movw %ax,__BOOT_CS + 2(%edi)
14522 + rorl $16,%eax
14523 + movb %al,__BOOT_CS + 4(%edi)
14524 + movb %ah,__BOOT_CS + 7(%edi)
14525 + rorl $16,%eax
14526 +
14527 + ljmp $(__BOOT_CS),$1f
14528 +1:
14529 +
14530 + movl $NR_CPUS,%ecx
14531 + movl $pa(cpu_gdt_table),%edi
14532 + addl $__PAGE_OFFSET,%eax
14533 +1:
14534 + movw %ax,__KERNEL_CS + 2(%edi)
14535 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
14536 + rorl $16,%eax
14537 + movb %al,__KERNEL_CS + 4(%edi)
14538 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
14539 + movb %ah,__KERNEL_CS + 7(%edi)
14540 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
14541 + rorl $16,%eax
14542 + addl $PAGE_SIZE_asm,%edi
14543 + loop 1b
14544 +#endif
14545
14546 /*
14547 * Clear BSS first so that there are no surprises...
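Review bot: In the CONFIG_SMP block only the low 16 bits of the per-CPU segment limit are stored, via `movw %ax,__KERNEL_PERCPU + 0(%edi)`. Bits 19:16 of the limit live in the low nibble of descriptor byte 6, which this code never writes and which is zero in the PERCPU entry of `cpu_gdt_table` added at the end of this file. If `__per_cpu_end - __per_cpu_start` can exceed 64 KiB, the limit wraps and the boot CPU's early per-CPU accesses would be checked against a truncated limit. Either also store the high nibble (after `shrl $16,%eax`, OR `%al` into byte 6) or add a link-time assertion that the section fits in 64 KiB.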
14548 @@ -140,9 +211,7 @@ ENTRY(startup_32)
14549 cmpl $num_subarch_entries, %eax
14550 jae bad_subarch
14551
14552 - movl pa(subarch_entries)(,%eax,4), %eax
14553 - subl $__PAGE_OFFSET, %eax
14554 - jmp *%eax
14555 + jmp *pa(subarch_entries)(,%eax,4)
14556
14557 bad_subarch:
14558 WEAK(lguest_entry)
14559 @@ -154,10 +223,10 @@ WEAK(xen_entry)
14560 __INITDATA
14561
14562 subarch_entries:
14563 - .long default_entry /* normal x86/PC */
14564 - .long lguest_entry /* lguest hypervisor */
14565 - .long xen_entry /* Xen hypervisor */
14566 - .long default_entry /* Moorestown MID */
14567 + .long ta(default_entry) /* normal x86/PC */
14568 + .long ta(lguest_entry) /* lguest hypervisor */
14569 + .long ta(xen_entry) /* Xen hypervisor */
14570 + .long ta(default_entry) /* Moorestown MID */
14571 num_subarch_entries = (. - subarch_entries) / 4
14572 .previous
14573 #endif /* CONFIG_PARAVIRT */
14574 @@ -218,8 +287,11 @@ default_entry:
14575 movl %eax, pa(max_pfn_mapped)
14576
14577 /* Do early initialization of the fixmap area */
14578 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
14579 - movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
14580 +#ifdef CONFIG_COMPAT_VDSO
14581 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
14582 +#else
14583 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
14584 +#endif
14585 #else /* Not PAE */
14586
14587 page_pde_offset = (__PAGE_OFFSET >> 20);
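Review bot: Under CONFIG_COMPAT_VDSO the fixmap page-directory entry now carries `_PAGE_USER`, and nothing in the hunk says why user access is needed at this level or what keeps the rest of the fixmap range kernel-only. Presumably the compat vDSO page lives in the fixmap and the individual PTEs keep their own protection, but that is not visible here. A comment such as `/* compat vDSO sits in the fixmap: the PDE must allow user access, PTEs still decide per page */` would document the exposure. The same applies to the non-PAE copy in the next hunk.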
14588 @@ -249,8 +321,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
14589 movl %eax, pa(max_pfn_mapped)
14590
14591 /* Do early initialization of the fixmap area */
14592 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
14593 - movl %eax,pa(swapper_pg_dir+0xffc)
14594 +#ifdef CONFIG_COMPAT_VDSO
14595 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
14596 +#else
14597 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
14598 +#endif
14599 #endif
14600 jmp 3f
14601 /*
14602 @@ -272,6 +347,9 @@ ENTRY(startup_32_smp)
14603 movl %eax,%es
14604 movl %eax,%fs
14605 movl %eax,%gs
14606 + movl pa(stack_start),%ecx
14607 + movl %eax,%ss
14608 + leal -__PAGE_OFFSET(%ecx),%esp
14609 #endif /* CONFIG_SMP */
14610 3:
14611
14612 @@ -297,6 +375,7 @@ ENTRY(startup_32_smp)
14613 orl %edx,%eax
14614 movl %eax,%cr4
14615
14616 +#ifdef CONFIG_X86_PAE
14617 btl $5, %eax # check if PAE is enabled
14618 jnc 6f
14619
14620 @@ -305,6 +384,10 @@ ENTRY(startup_32_smp)
14621 cpuid
14622 cmpl $0x80000000, %eax
14623 jbe 6f
14624 +
14625 + /* Clear bogus XD_DISABLE bits */
14626 + call verify_cpu
14627 +
14628 mov $0x80000001, %eax
14629 cpuid
14630 /* Execute Disable bit supported? */
14631 @@ -312,13 +395,17 @@ ENTRY(startup_32_smp)
14632 jnc 6f
14633
14634 /* Setup EFER (Extended Feature Enable Register) */
14635 - movl $0xc0000080, %ecx
14636 + movl $MSR_EFER, %ecx
14637 rdmsr
14638
14639 btsl $11, %eax
14640 /* Make changes effective */
14641 wrmsr
14642
14643 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
14644 + movl $1,pa(nx_enabled)
14645 +#endif
14646 +
14647 6:
14648
14649 /*
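Review bot: The hunk replaces the literal `0xc0000080` with `MSR_EFER` but leaves the bit number in `btsl $11, %eax` as a bare constant. `head_64.S` in this same patch spells the equivalent instruction `btsl $_EFER_NX, %eax`, and `<asm/msr-index.h>` is now included at the top of this file. Using `btsl $_EFER_NX, %eax` here too would make the two boot paths read alike and remove the last magic number from the NX setup.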
14650 @@ -331,8 +418,8 @@ ENTRY(startup_32_smp)
14651 movl %eax,%cr0 /* ..and set paging (PG) bit */
14652 ljmp $__BOOT_CS,$1f /* Clear prefetch and normalize %eip */
14653 1:
14654 - /* Set up the stack pointer */
14655 - lss stack_start,%esp
14656 + /* Shift the stack pointer to a virtual address */
14657 + addl $__PAGE_OFFSET, %esp
14658
14659 /*
14660 * Initialize eflags. Some BIOS's leave bits like NT set. This would
14661 @@ -344,9 +431,7 @@ ENTRY(startup_32_smp)
14662
14663 #ifdef CONFIG_SMP
14664 cmpb $0, ready
14665 - jz 1f /* Initial CPU cleans BSS */
14666 - jmp checkCPUtype
14667 -1:
14668 + jnz checkCPUtype
14669 #endif /* CONFIG_SMP */
14670
14671 /*
14672 @@ -424,7 +509,7 @@ is386: movl $2,%ecx # set MP
14673 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
14674 movl %eax,%ss # after changing gdt.
14675
14676 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
14677 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
14678 movl %eax,%ds
14679 movl %eax,%es
14680
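Review bot: The replacement for the `__USER_DS` load is a commented-out instruction, `# movl $(__KERNEL_DS),%eax`. The following `movl %eax,%ds` and `movl %eax,%es` therefore silently depend on %eax still holding `__KERNEL_DS` from the `%ss` reload two lines up. Dead code in a comment hides that dependency. State it directly instead, e.g. `/* %eax still holds __KERNEL_DS from the %ss reload above; reuse it for DS/ES */`.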
14681 @@ -438,15 +523,22 @@ is386: movl $2,%ecx # set MP
14682 */
14683 cmpb $0,ready
14684 jne 1f
14685 - movl $per_cpu__gdt_page,%eax
14686 + movl $cpu_gdt_table,%eax
14687 movl $per_cpu__stack_canary,%ecx
14688 +#ifdef CONFIG_SMP
14689 + addl $__per_cpu_load,%ecx
14690 +#endif
14691 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
14692 shrl $16, %ecx
14693 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
14694 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
14695 1:
14696 -#endif
14697 movl $(__KERNEL_STACK_CANARY),%eax
14698 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
14699 + movl $(__USER_DS),%eax
14700 +#else
14701 + xorl %eax,%eax
14702 +#endif
14703 movl %eax,%gs
14704
14705 xorl %eax,%eax # Clear LDT
14706 @@ -454,14 +546,7 @@ is386: movl $2,%ecx # set MP
14707
14708 cld # gcc2 wants the direction flag cleared at all times
14709 pushl $0 # fake return address for unwinder
14710 -#ifdef CONFIG_SMP
14711 - movb ready, %cl
14712 movb $1, ready
14713 - cmpb $0,%cl # the first CPU calls start_kernel
14714 - je 1f
14715 - movl (stack_start), %esp
14716 -1:
14717 -#endif /* CONFIG_SMP */
14718 jmp *(initial_code)
14719
14720 /*
14721 @@ -546,22 +631,22 @@ early_page_fault:
14722 jmp early_fault
14723
14724 early_fault:
14725 - cld
14726 #ifdef CONFIG_PRINTK
14727 + cmpl $1,%ss:early_recursion_flag
14728 + je hlt_loop
14729 + incl %ss:early_recursion_flag
14730 + cld
14731 pusha
14732 movl $(__KERNEL_DS),%eax
14733 movl %eax,%ds
14734 movl %eax,%es
14735 - cmpl $2,early_recursion_flag
14736 - je hlt_loop
14737 - incl early_recursion_flag
14738 movl %cr2,%eax
14739 pushl %eax
14740 pushl %edx /* trapno */
14741 pushl $fault_msg
14742 call printk
14743 +; call dump_stack
14744 #endif
14745 - call dump_stack
14746 hlt_loop:
14747 hlt
14748 jmp hlt_loop
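Review bot: `; call dump_stack` does not comment the call out, because `;` is a statement separator in GNU as on x86 (this patch uses it that way in `.balign PAGE_SIZE; \` in head_64.S). The line therefore still assembles to `call dump_stack`, now only under CONFIG_PRINTK. If the intent is to drop the call, delete the line or write `/* call dump_stack */`. If the intent is to keep it, remove the stray `;` so the listing says what it does.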
14749 @@ -569,8 +654,11 @@ hlt_loop:
14750 /* This is the default interrupt "handler" :-) */
14751 ALIGN
14752 ignore_int:
14753 - cld
14754 #ifdef CONFIG_PRINTK
14755 + cmpl $2,%ss:early_recursion_flag
14756 + je hlt_loop
14757 + incl %ss:early_recursion_flag
14758 + cld
14759 pushl %eax
14760 pushl %ecx
14761 pushl %edx
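Review bot: `ignore_int` halts when `early_recursion_flag` reaches `2`, while the previous hunk changes `early_fault` to halt at `1`, and no comment explains the difference. Both handlers increment the same counter, so the asymmetry decides how many early messages get printed before the CPU parks in `hlt_loop`. If it is deliberate, note it at both sites, e.g. `/* ignore_int tolerates one earlier report; early_fault does not */`. Otherwise use the same threshold in both.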
14762 @@ -579,9 +667,6 @@ ignore_int:
14763 movl $(__KERNEL_DS),%eax
14764 movl %eax,%ds
14765 movl %eax,%es
14766 - cmpl $2,early_recursion_flag
14767 - je hlt_loop
14768 - incl early_recursion_flag
14769 pushl 16(%esp)
14770 pushl 24(%esp)
14771 pushl 32(%esp)
14772 @@ -600,6 +685,8 @@ ignore_int:
14773 #endif
14774 iret
14775
14776 +#include "verify_cpu.S"
14777 +
14778 __REFDATA
14779 .align 4
14780 ENTRY(initial_code)
14781 @@ -610,31 +697,47 @@ ENTRY(initial_page_table)
14782 /*
14783 * BSS section
14784 */
14785 -__PAGE_ALIGNED_BSS
14786 - .align PAGE_SIZE_asm
14787 #ifdef CONFIG_X86_PAE
14788 +.section .swapper_pg_pmd,"a",@progbits
14789 swapper_pg_pmd:
14790 .fill 1024*KPMDS,4,0
14791 #else
14792 +.section .swapper_pg_dir,"a",@progbits
14793 ENTRY(swapper_pg_dir)
14794 .fill 1024,4,0
14795 #endif
14796 +.section .swapper_pg_fixmap,"a",@progbits
14797 swapper_pg_fixmap:
14798 .fill 1024,4,0
14799 #ifdef CONFIG_X86_TRAMPOLINE
14800 +.section .trampoline_pg_dir,"a",@progbits
14801 ENTRY(trampoline_pg_dir)
14802 +#ifdef CONFIG_X86_PAE
14803 + .fill 4,8,0
14804 +#else
14805 .fill 1024,4,0
14806 #endif
14807 +#endif
14808 +
14809 +.section .empty_zero_page,"a",@progbits
14810 ENTRY(empty_zero_page)
14811 .fill 4096,1,0
14812
14813 /*
14814 + * The IDT has to be page-aligned to simplify the Pentium
14815 + * F0 0F bug workaround.. We have a special link segment
14816 + * for this.
14817 + */
14818 +.section .idt,"a",@progbits
14819 +ENTRY(idt_table)
14820 + .fill 256,8,0
14821 +
14822 +/*
14823 * This starts the data section.
14824 */
14825 #ifdef CONFIG_X86_PAE
14826 -__PAGE_ALIGNED_DATA
14827 - /* Page-aligned for the benefit of paravirt? */
14828 - .align PAGE_SIZE_asm
14829 +.section .swapper_pg_dir,"a",@progbits
14830 +
14831 ENTRY(swapper_pg_dir)
14832 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
14833 # if KPMDS == 3
14834 @@ -653,15 +756,24 @@ ENTRY(swapper_pg_dir)
14835 # error "Kernel PMDs should be 1, 2 or 3"
14836 # endif
14837 .align PAGE_SIZE_asm /* needs to be page-sized too */
14838 +
14839 +#ifdef CONFIG_PAX_PER_CPU_PGD
14840 +ENTRY(cpu_pgd)
14841 + .rept NR_CPUS
14842 + .fill 4,8,0
14843 + .endr
14844 +#endif
14845 +
14846 #endif
14847
14848 .data
14849 +.balign 4
14850 ENTRY(stack_start)
14851 - .long init_thread_union+THREAD_SIZE
14852 - .long __BOOT_DS
14853 + .long init_thread_union+THREAD_SIZE-8
14854
14855 ready: .byte 0
14856
14857 +.section .rodata,"a",@progbits
14858 early_recursion_flag:
14859 .long 0
14860
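Review bot: `early_recursion_flag` is moved into `.rodata`, yet `early_fault` and `ignore_int` in this file still execute `incl %ss:early_recursion_flag`. That works only while the section is still writable at the point those handlers can run; once read-only data is protected, the increment would itself fault inside the fault handler. `head_64.S` in this patch keeps its copy of the flag in `__INITDATA` and puts only the message strings in `.rodata`. Doing the same here, or documenting why the early handlers can never run after protection is applied, would remove the doubt.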
14861 @@ -697,7 +809,7 @@ fault_msg:
14862 .word 0 # 32 bit align gdt_desc.address
14863 boot_gdt_descr:
14864 .word __BOOT_DS+7
14865 - .long boot_gdt - __PAGE_OFFSET
14866 + .long pa(boot_gdt)
14867
14868 .word 0 # 32-bit align idt_desc.address
14869 idt_descr:
14870 @@ -708,7 +820,7 @@ idt_descr:
14871 .word 0 # 32 bit align gdt_desc.address
14872 ENTRY(early_gdt_descr)
14873 .word GDT_ENTRIES*8-1
14874 - .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
14875 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
14876
14877 /*
14878 * The boot_gdt must mirror the equivalent in setup.S and is
14879 @@ -717,5 +829,65 @@ ENTRY(early_gdt_descr)
14880 .align L1_CACHE_BYTES
14881 ENTRY(boot_gdt)
14882 .fill GDT_ENTRY_BOOT_CS,8,0
14883 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
14884 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
14885 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
14886 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
14887 +
14888 + .align PAGE_SIZE_asm
14889 +ENTRY(cpu_gdt_table)
14890 + .rept NR_CPUS
14891 + .quad 0x0000000000000000 /* NULL descriptor */
14892 + .quad 0x0000000000000000 /* 0x0b reserved */
14893 + .quad 0x0000000000000000 /* 0x13 reserved */
14894 + .quad 0x0000000000000000 /* 0x1b reserved */
14895 +
14896 +#ifdef CONFIG_PAX_KERNEXEC
14897 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
14898 +#else
14899 + .quad 0x0000000000000000 /* 0x20 unused */
14900 +#endif
14901 +
14902 + .quad 0x0000000000000000 /* 0x28 unused */
14903 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
14904 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
14905 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
14906 + .quad 0x0000000000000000 /* 0x4b reserved */
14907 + .quad 0x0000000000000000 /* 0x53 reserved */
14908 + .quad 0x0000000000000000 /* 0x5b reserved */
14909 +
14910 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
14911 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
14912 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
14913 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
14914 +
14915 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
14916 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
14917 +
14918 + /*
14919 + * Segments used for calling PnP BIOS have byte granularity.
14920 + * The code segments and data segments have fixed 64k limits,
14921 + * the transfer segment sizes are set at run time.
14922 + */
14923 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
14924 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
14925 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
14926 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
14927 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
14928 +
14929 + /*
14930 + * The APM segments have byte granularity and their bases
14931 + * are set at run time. All have 64k limits.
14932 + */
14933 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
14934 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
14935 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
14936 +
14937 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
14938 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
14939 + .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
14940 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
14941 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
14942 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
14943 +
14944 + /* Be sure this is zeroed to avoid false validations in Xen */
14945 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
14946 + .endr
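Review bot: The descriptor type bytes change from `0x9a`/`0x92` to `0x9b`/`0x93` in `boot_gdt`, and the new `cpu_gdt_table` uses accessed-bit-set encodings throughout, but no comment says so. With the accessed bit pre-set the CPU has no reason to write to a descriptor when a segment is loaded, which presumably matters if these tables are meant to be mapped read-only. Record that above `ENTRY(cpu_gdt_table)`, e.g. `/* all descriptors have the accessed bit set so segment loads never write to the GDT */`. It would also help to note that each CPU's table is padded to a full page, since `startup_32` steps through it with `addl $PAGE_SIZE_asm,%edi`.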
14947 diff -urNp linux-2.6.32.46/arch/x86/kernel/head_64.S linux-2.6.32.46/arch/x86/kernel/head_64.S
14948 --- linux-2.6.32.46/arch/x86/kernel/head_64.S 2011-03-27 14:31:47.000000000 -0400
14949 +++ linux-2.6.32.46/arch/x86/kernel/head_64.S 2011-04-17 15:56:46.000000000 -0400
14950 @@ -19,6 +19,7 @@
14951 #include <asm/cache.h>
14952 #include <asm/processor-flags.h>
14953 #include <asm/percpu.h>
14954 +#include <asm/cpufeature.h>
14955
14956 #ifdef CONFIG_PARAVIRT
14957 #include <asm/asm-offsets.h>
14958 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
14959 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
14960 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
14961 L3_START_KERNEL = pud_index(__START_KERNEL_map)
14962 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
14963 +L3_VMALLOC_START = pud_index(VMALLOC_START)
14964 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
14965 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
14966
14967 .text
14968 __HEAD
14969 @@ -85,35 +90,22 @@ startup_64:
14970 */
14971 addq %rbp, init_level4_pgt + 0(%rip)
14972 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
14973 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
14974 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
14975 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
14976
14977 addq %rbp, level3_ident_pgt + 0(%rip)
14978 +#ifndef CONFIG_XEN
14979 + addq %rbp, level3_ident_pgt + 8(%rip)
14980 +#endif
14981
14982 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
14983 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
14984 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
14985
14986 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
14987 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
14988 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
14989
14990 - /* Add an Identity mapping if I am above 1G */
14991 - leaq _text(%rip), %rdi
14992 - andq $PMD_PAGE_MASK, %rdi
14993 -
14994 - movq %rdi, %rax
14995 - shrq $PUD_SHIFT, %rax
14996 - andq $(PTRS_PER_PUD - 1), %rax
14997 - jz ident_complete
14998 -
14999 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
15000 - leaq level3_ident_pgt(%rip), %rbx
15001 - movq %rdx, 0(%rbx, %rax, 8)
15002 -
15003 - movq %rdi, %rax
15004 - shrq $PMD_SHIFT, %rax
15005 - andq $(PTRS_PER_PMD - 1), %rax
15006 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
15007 - leaq level2_spare_pgt(%rip), %rbx
15008 - movq %rdx, 0(%rbx, %rax, 8)
15009 -ident_complete:
15010 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
15011 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
15012
15013 /*
15014 * Fixup the kernel text+data virtual addresses. Note that
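Review bot: The hunk deletes the run-time "Add an Identity mapping if I am above 1G" code and replaces it with fixed fix-ups, without stating what now covers a kernel placed above the first gigabyte. The added `level3_ident_pgt + 8` fix-up suggests a second statically built entry, but the table definitions are outside this hunk, so the supported load range cannot be checked here. Please add a comment giving that range, and consider naming the `506`/`507` slots of `level2_fixmap_pgt` rather than adding another bare index.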
15015 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
15016 * after the boot processor executes this code.
15017 */
15018
15019 - /* Enable PAE mode and PGE */
15020 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
15021 + /* Enable PAE mode and PSE/PGE */
15022 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
15023 movq %rax, %cr4
15024
15025 /* Setup early boot stage 4 level pagetables. */
15026 @@ -184,9 +176,13 @@ ENTRY(secondary_startup_64)
15027 movl $MSR_EFER, %ecx
15028 rdmsr
15029 btsl $_EFER_SCE, %eax /* Enable System Call */
15030 - btl $20,%edi /* No Execute supported? */
15031 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
15032 jnc 1f
15033 btsl $_EFER_NX, %eax
15034 + leaq init_level4_pgt(%rip), %rdi
15035 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
15036 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
15037 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
15038 1: wrmsr /* Make changes effective */
15039
15040 /* Setup cr0 */
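Review bot: The added `leaq init_level4_pgt(%rip), %rdi` overwrites %rdi right after `btl $(X86_FEATURE_NX & 31),%edi` has tested it, and nothing here says the feature word is dead from this point on. I would add `/* feature word no longer needed, reuse %rdi as scratch */` above the `leaq`. A second comment should say why only the L4_PAGE_OFFSET, L4_VMALLOC_START and L4_VMEMMAP_START slots get `_PAGE_BIT_NX` while the L4_START_KERNEL slot does not (presumably because kernel text executes through that slot; confirm). secondary_startup_64 starts and ends outside this hunk, so whether %edi is read again later cannot be checked from here.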
15041 @@ -262,16 +258,16 @@ ENTRY(secondary_startup_64)
15042 .quad x86_64_start_kernel
15043 ENTRY(initial_gs)
15044 .quad INIT_PER_CPU_VAR(irq_stack_union)
15045 - __FINITDATA
15046
15047 ENTRY(stack_start)
15048 .quad init_thread_union+THREAD_SIZE-8
15049 .word 0
15050 + __FINITDATA
15051
15052 bad_address:
15053 jmp bad_address
15054
15055 - .section ".init.text","ax"
15056 + __INIT
15057 #ifdef CONFIG_EARLY_PRINTK
15058 .globl early_idt_handlers
15059 early_idt_handlers:
15060 @@ -316,18 +312,23 @@ ENTRY(early_idt_handler)
15061 #endif /* EARLY_PRINTK */
15062 1: hlt
15063 jmp 1b
15064 + .previous
15065
15066 #ifdef CONFIG_EARLY_PRINTK
15067 + __INITDATA
15068 early_recursion_flag:
15069 .long 0
15070 + .previous
15071
15072 + .section .rodata,"a",@progbits
15073 early_idt_msg:
15074 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
15075 early_idt_ripmsg:
15076 .asciz "RIP %s\n"
15077 -#endif /* CONFIG_EARLY_PRINTK */
15078 .previous
15079 +#endif /* CONFIG_EARLY_PRINTK */
15080
15081 + .section .rodata,"a",@progbits
15082 #define NEXT_PAGE(name) \
15083 .balign PAGE_SIZE; \
15084 ENTRY(name)
15085 @@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
15086 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15087 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
15088 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15089 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
15090 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
15091 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
15092 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
15093 .org init_level4_pgt + L4_START_KERNEL*8, 0
15094 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
15095 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
15096
15097 +#ifdef CONFIG_PAX_PER_CPU_PGD
15098 +NEXT_PAGE(cpu_pgd)
15099 + .rept NR_CPUS
15100 + .fill 512,8,0
15101 + .endr
15102 +#endif
15103 +
15104 NEXT_PAGE(level3_ident_pgt)
15105 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
15106 +#ifdef CONFIG_XEN
15107 .fill 511,8,0
15108 +#else
15109 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
15110 + .fill 510,8,0
15111 +#endif
15112 +
15113 +NEXT_PAGE(level3_vmalloc_pgt)
15114 + .fill 512,8,0
15115 +
15116 +NEXT_PAGE(level3_vmemmap_pgt)
15117 + .fill L3_VMEMMAP_START,8,0
15118 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
15119
15120 NEXT_PAGE(level3_kernel_pgt)
15121 .fill L3_START_KERNEL,8,0
15122 @@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
15123 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
15124 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
15125
15126 +NEXT_PAGE(level2_vmemmap_pgt)
15127 + .fill 512,8,0
15128 +
15129 NEXT_PAGE(level2_fixmap_pgt)
15130 - .fill 506,8,0
15131 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
15132 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
15133 - .fill 5,8,0
15134 + .fill 507,8,0
15135 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
15136 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
15137 + .fill 4,8,0
15138
15139 -NEXT_PAGE(level1_fixmap_pgt)
15140 +NEXT_PAGE(level1_vsyscall_pgt)
15141 .fill 512,8,0
15142
15143 -NEXT_PAGE(level2_ident_pgt)
15144 - /* Since I easily can, map the first 1G.
15145 + /* Since I easily can, map the first 2G.
15146 * Don't set NX because code runs from these pages.
15147 */
15148 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
15149 +NEXT_PAGE(level2_ident_pgt)
15150 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
15151
15152 NEXT_PAGE(level2_kernel_pgt)
15153 /*
15154 @@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
15155 * If you want to increase this then increase MODULES_VADDR
15156 * too.)
15157 */
15158 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
15159 - KERNEL_IMAGE_SIZE/PMD_SIZE)
15160 -
15161 -NEXT_PAGE(level2_spare_pgt)
15162 - .fill 512, 8, 0
15163 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
15164
15165 #undef PMDS
15166 #undef NEXT_PAGE
15167
15168 - .data
15169 + .align PAGE_SIZE
15170 +ENTRY(cpu_gdt_table)
15171 + .rept NR_CPUS
15172 + .quad 0x0000000000000000 /* NULL descriptor */
15173 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
15174 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
15175 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
15176 + .quad 0x00cffb000000ffff /* __USER32_CS */
15177 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
15178 + .quad 0x00affb000000ffff /* __USER_CS */
15179 +
15180 +#ifdef CONFIG_PAX_KERNEXEC
15181 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
15182 +#else
15183 + .quad 0x0 /* unused */
15184 +#endif
15185 +
15186 + .quad 0,0 /* TSS */
15187 + .quad 0,0 /* LDT */
15188 + .quad 0,0,0 /* three TLS descriptors */
15189 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
15190 + /* asm/segment.h:GDT_ENTRIES must match this */
15191 +
15192 + /* zero the remaining page */
15193 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
15194 + .endr
15195 +
15196 .align 16
15197 .globl early_gdt_descr
15198 early_gdt_descr:
15199 .word GDT_ENTRIES*8-1
15200 early_gdt_descr_base:
15201 - .quad INIT_PER_CPU_VAR(gdt_page)
15202 + .quad cpu_gdt_table
15203
15204 ENTRY(phys_base)
15205 /* This must match the first entry in level2_kernel_pgt */
15206 .quad 0x0000000000000000
15207
15208 #include "../../x86/xen/xen-head.S"
15209 -
15210 - .section .bss, "aw", @nobits
15211 +
15212 + .section .rodata,"a",@progbits
15213 .align L1_CACHE_BYTES
15214 ENTRY(idt_table)
15215 - .skip IDT_ENTRIES * 16
15216 + .fill 512,8,0
15217
15218 __PAGE_ALIGNED_BSS
15219 .align PAGE_SIZE
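Review bot: `idt_table` is now sized with a bare `.fill 512,8,0` where the removed line used `.skip IDT_ENTRIES * 16`, so the table no longer follows IDT_ENTRIES if that constant changes. Keeping the symbolic size, `.fill IDT_ENTRIES * 2,8,0 /* 16-byte gates */`, reserves the same number of bytes as the removed line. A weaker form of the same concern applies to `cpu_gdt_table`: its hand-written descriptor list has to stay in step with GDT_ENTRIES for `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` to pad each copy to exactly one page. The in-line comment notes this, but nothing enforces it.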
15220 diff -urNp linux-2.6.32.46/arch/x86/kernel/i386_ksyms_32.c linux-2.6.32.46/arch/x86/kernel/i386_ksyms_32.c
15221 --- linux-2.6.32.46/arch/x86/kernel/i386_ksyms_32.c 2011-03-27 14:31:47.000000000 -0400
15222 +++ linux-2.6.32.46/arch/x86/kernel/i386_ksyms_32.c 2011-04-17 15:56:46.000000000 -0400
15223 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
15224 EXPORT_SYMBOL(cmpxchg8b_emu);
15225 #endif
15226
15227 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
15228 +
15229 /* Networking helper routines. */
15230 EXPORT_SYMBOL(csum_partial_copy_generic);
15231 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
15232 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
15233
15234 EXPORT_SYMBOL(__get_user_1);
15235 EXPORT_SYMBOL(__get_user_2);
15236 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
15237
15238 EXPORT_SYMBOL(csum_partial);
15239 EXPORT_SYMBOL(empty_zero_page);
15240 +
15241 +#ifdef CONFIG_PAX_KERNEXEC
15242 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
15243 +#endif
15244 diff -urNp linux-2.6.32.46/arch/x86/kernel/i8259.c linux-2.6.32.46/arch/x86/kernel/i8259.c
15245 --- linux-2.6.32.46/arch/x86/kernel/i8259.c 2011-03-27 14:31:47.000000000 -0400
15246 +++ linux-2.6.32.46/arch/x86/kernel/i8259.c 2011-05-04 17:56:28.000000000 -0400
15247 @@ -208,7 +208,7 @@ spurious_8259A_irq:
15248 "spurious 8259A interrupt: IRQ%d.\n", irq);
15249 spurious_irq_mask |= irqmask;
15250 }
15251 - atomic_inc(&irq_err_count);
15252 + atomic_inc_unchecked(&irq_err_count);
15253 /*
15254 * Theoretically we do not have to handle this IRQ,
15255 * but in Linux this does not cause problems and is
15256 diff -urNp linux-2.6.32.46/arch/x86/kernel/init_task.c linux-2.6.32.46/arch/x86/kernel/init_task.c
15257 --- linux-2.6.32.46/arch/x86/kernel/init_task.c 2011-03-27 14:31:47.000000000 -0400
15258 +++ linux-2.6.32.46/arch/x86/kernel/init_task.c 2011-04-17 15:56:46.000000000 -0400
15259 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
15260 * way process stacks are handled. This is done by having a special
15261 * "init_task" linker map entry..
15262 */
15263 -union thread_union init_thread_union __init_task_data =
15264 - { INIT_THREAD_INFO(init_task) };
15265 +union thread_union init_thread_union __init_task_data;
15266
15267 /*
15268 * Initial task structure.
15269 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
15270 * section. Since TSS's are completely CPU-local, we want them
15271 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
15272 */
15273 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
15274 -
15275 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
15276 +EXPORT_SYMBOL(init_tss);
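Review bot: The comment kept above this definition promises that each TSS sits on an exact cacheline boundary, but `____cacheline_internodealigned_in_smp` on `init_tss[NR_CPUS]` aligns only the start of the array. Per-element alignment now depends on `struct tss_struct` itself carrying an alignment attribute (its declaration is not in this hunk; confirm). Without one, entries of neighbouring CPUs can share a line. Either update the comment to say where the per-element alignment comes from, or add a build-time check such as `BUILD_BUG_ON(sizeof(struct tss_struct) % L1_CACHE_BYTES);` in an init function.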
15277 diff -urNp linux-2.6.32.46/arch/x86/kernel/ioport.c linux-2.6.32.46/arch/x86/kernel/ioport.c
15278 --- linux-2.6.32.46/arch/x86/kernel/ioport.c 2011-03-27 14:31:47.000000000 -0400
15279 +++ linux-2.6.32.46/arch/x86/kernel/ioport.c 2011-04-17 15:56:46.000000000 -0400
15280 @@ -6,6 +6,7 @@
15281 #include <linux/sched.h>
15282 #include <linux/kernel.h>
15283 #include <linux/capability.h>
15284 +#include <linux/security.h>
15285 #include <linux/errno.h>
15286 #include <linux/types.h>
15287 #include <linux/ioport.h>
15288 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
15289
15290 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
15291 return -EINVAL;
15292 +#ifdef CONFIG_GRKERNSEC_IO
15293 + if (turn_on && grsec_disable_privio) {
15294 + gr_handle_ioperm();
15295 + return -EPERM;
15296 + }
15297 +#endif
15298 if (turn_on && !capable(CAP_SYS_RAWIO))
15299 return -EPERM;
15300
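Review bot: The new `grsec_disable_privio` branch runs before `capable(CAP_SYS_RAWIO)`, so with the switch on, `gr_handle_ioperm()` is called for every caller that passes `turn_on`, including unprivileged ones the next check would have refused anyway. If that handler writes a log entry (its body is not in this hunk), confirm that it is rate-limited. The ordering should also be stated in a comment, e.g. `/* policy: refuse port access even with CAP_SYS_RAWIO; every attempt is reported */`. The `do_iopl` hunk further down has the same ordering with `gr_handle_iopl()`. The body of sys_ioperm starts and ends outside this hunk.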
15301 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
15302 * because the ->io_bitmap_max value must match the bitmap
15303 * contents:
15304 */
15305 - tss = &per_cpu(init_tss, get_cpu());
15306 + tss = init_tss + get_cpu();
15307
15308 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
15309
15310 @@ -111,6 +118,12 @@ static int do_iopl(unsigned int level, s
15311 return -EINVAL;
15312 /* Trying to gain more privileges? */
15313 if (level > old) {
15314 +#ifdef CONFIG_GRKERNSEC_IO
15315 + if (grsec_disable_privio) {
15316 + gr_handle_iopl();
15317 + return -EPERM;
15318 + }
15319 +#endif
15320 if (!capable(CAP_SYS_RAWIO))
15321 return -EPERM;
15322 }
15323 diff -urNp linux-2.6.32.46/arch/x86/kernel/irq_32.c linux-2.6.32.46/arch/x86/kernel/irq_32.c
15324 --- linux-2.6.32.46/arch/x86/kernel/irq_32.c 2011-03-27 14:31:47.000000000 -0400
15325 +++ linux-2.6.32.46/arch/x86/kernel/irq_32.c 2011-07-06 19:53:33.000000000 -0400
15326 @@ -35,7 +35,7 @@ static int check_stack_overflow(void)
15327 __asm__ __volatile__("andl %%esp,%0" :
15328 "=r" (sp) : "0" (THREAD_SIZE - 1));
15329
15330 - return sp < (sizeof(struct thread_info) + STACK_WARN);
15331 + return sp < STACK_WARN;
15332 }
15333
15334 static void print_stack_overflow(void)
15335 @@ -54,9 +54,9 @@ static inline void print_stack_overflow(
15336 * per-CPU IRQ handling contexts (thread information and stack)
15337 */
15338 union irq_ctx {
15339 - struct thread_info tinfo;
15340 - u32 stack[THREAD_SIZE/sizeof(u32)];
15341 -} __attribute__((aligned(PAGE_SIZE)));
15342 + unsigned long previous_esp;
15343 + u32 stack[THREAD_SIZE/sizeof(u32)];
15344 +} __attribute__((aligned(THREAD_SIZE)));
15345
15346 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
15347 static DEFINE_PER_CPU(union irq_ctx *, softirq_ctx);
15348 @@ -78,10 +78,9 @@ static void call_on_stack(void *func, vo
15349 static inline int
15350 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
15351 {
15352 - union irq_ctx *curctx, *irqctx;
15353 + union irq_ctx *irqctx;
15354 u32 *isp, arg1, arg2;
15355
15356 - curctx = (union irq_ctx *) current_thread_info();
15357 irqctx = __get_cpu_var(hardirq_ctx);
15358
15359 /*
15360 @@ -90,21 +89,16 @@ execute_on_irq_stack(int overflow, struc
15361 * handler) we can't do that and just have to keep using the
15362 * current stack (which is the irq stack already after all)
15363 */
15364 - if (unlikely(curctx == irqctx))
15365 + if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
15366 return 0;
15367
15368 /* build the stack frame on the IRQ stack */
15369 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15370 - irqctx->tinfo.task = curctx->tinfo.task;
15371 - irqctx->tinfo.previous_esp = current_stack_pointer;
15372 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15373 + irqctx->previous_esp = current_stack_pointer;
15374
15375 - /*
15376 - * Copy the softirq bits in preempt_count so that the
15377 - * softirq checks work in the hardirq context.
15378 - */
15379 - irqctx->tinfo.preempt_count =
15380 - (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
15381 - (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
15382 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15383 + __set_fs(MAKE_MM_SEG(0));
15384 +#endif
15385
15386 if (unlikely(overflow))
15387 call_on_stack(print_stack_overflow, isp);
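Review bot: The new same-stack test `(void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE` subtracts `void *` pointers, which is a GNU extension and yields a signed difference. It only rejects a stack pointer below `irqctx` if THREAD_SIZE has an unsigned type, so that the difference wraps (THREAD_SIZE's definition is not in this hunk). Doing the arithmetic in `unsigned long` makes that explicit: `if (unlikely((unsigned long)current_stack_pointer - (unsigned long)irqctx < THREAD_SIZE))`. The `- 8` in `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);` also needs a comment saying what the top eight bytes are reserved for; the do_softirq hunk uses the same offset. execute_on_irq_stack starts and ends outside this hunk.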
15388 @@ -116,6 +110,11 @@ execute_on_irq_stack(int overflow, struc
15389 : "0" (irq), "1" (desc), "2" (isp),
15390 "D" (desc->handle_irq)
15391 : "memory", "cc", "ecx");
15392 +
15393 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15394 + __set_fs(current_thread_info()->addr_limit);
15395 +#endif
15396 +
15397 return 1;
15398 }
15399
15400 @@ -124,28 +123,11 @@ execute_on_irq_stack(int overflow, struc
15401 */
15402 void __cpuinit irq_ctx_init(int cpu)
15403 {
15404 - union irq_ctx *irqctx;
15405 -
15406 if (per_cpu(hardirq_ctx, cpu))
15407 return;
15408
15409 - irqctx = &per_cpu(hardirq_stack, cpu);
15410 - irqctx->tinfo.task = NULL;
15411 - irqctx->tinfo.exec_domain = NULL;
15412 - irqctx->tinfo.cpu = cpu;
15413 - irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
15414 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15415 -
15416 - per_cpu(hardirq_ctx, cpu) = irqctx;
15417 -
15418 - irqctx = &per_cpu(softirq_stack, cpu);
15419 - irqctx->tinfo.task = NULL;
15420 - irqctx->tinfo.exec_domain = NULL;
15421 - irqctx->tinfo.cpu = cpu;
15422 - irqctx->tinfo.preempt_count = 0;
15423 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
15424 -
15425 - per_cpu(softirq_ctx, cpu) = irqctx;
15426 + per_cpu(hardirq_ctx, cpu) = &per_cpu(hardirq_stack, cpu);
15427 + per_cpu(softirq_ctx, cpu) = &per_cpu(softirq_stack, cpu);
15428
15429 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
15430 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
15431 @@ -159,7 +141,6 @@ void irq_ctx_exit(int cpu)
15432 asmlinkage void do_softirq(void)
15433 {
15434 unsigned long flags;
15435 - struct thread_info *curctx;
15436 union irq_ctx *irqctx;
15437 u32 *isp;
15438
15439 @@ -169,15 +150,22 @@ asmlinkage void do_softirq(void)
15440 local_irq_save(flags);
15441
15442 if (local_softirq_pending()) {
15443 - curctx = current_thread_info();
15444 irqctx = __get_cpu_var(softirq_ctx);
15445 - irqctx->tinfo.task = curctx->task;
15446 - irqctx->tinfo.previous_esp = current_stack_pointer;
15447 + irqctx->previous_esp = current_stack_pointer;
15448
15449 /* build the stack frame on the softirq stack */
15450 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
15451 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
15452 +
15453 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15454 + __set_fs(MAKE_MM_SEG(0));
15455 +#endif
15456
15457 call_on_stack(__do_softirq, isp);
15458 +
15459 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15460 + __set_fs(current_thread_info()->addr_limit);
15461 +#endif
15462 +
15463 /*
15464 * Shouldnt happen, we returned above if in_interrupt():
15465 */
15466 diff -urNp linux-2.6.32.46/arch/x86/kernel/irq.c linux-2.6.32.46/arch/x86/kernel/irq.c
15467 --- linux-2.6.32.46/arch/x86/kernel/irq.c 2011-03-27 14:31:47.000000000 -0400
15468 +++ linux-2.6.32.46/arch/x86/kernel/irq.c 2011-05-04 17:56:28.000000000 -0400
15469 @@ -15,7 +15,7 @@
15470 #include <asm/mce.h>
15471 #include <asm/hw_irq.h>
15472
15473 -atomic_t irq_err_count;
15474 +atomic_unchecked_t irq_err_count;
15475
15476 /* Function pointer for generic interrupt vector handling */
15477 void (*generic_interrupt_extension)(void) = NULL;
15478 @@ -114,9 +114,9 @@ static int show_other_interrupts(struct
15479 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
15480 seq_printf(p, " Machine check polls\n");
15481 #endif
15482 - seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
15483 + seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
15484 #if defined(CONFIG_X86_IO_APIC)
15485 - seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
15486 + seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
15487 #endif
15488 return 0;
15489 }
15490 @@ -209,10 +209,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
15491
15492 u64 arch_irq_stat(void)
15493 {
15494 - u64 sum = atomic_read(&irq_err_count);
15495 + u64 sum = atomic_read_unchecked(&irq_err_count);
15496
15497 #ifdef CONFIG_X86_IO_APIC
15498 - sum += atomic_read(&irq_mis_count);
15499 + sum += atomic_read_unchecked(&irq_mis_count);
15500 #endif
15501 return sum;
15502 }
15503 diff -urNp linux-2.6.32.46/arch/x86/kernel/kgdb.c linux-2.6.32.46/arch/x86/kernel/kgdb.c
15504 --- linux-2.6.32.46/arch/x86/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
15505 +++ linux-2.6.32.46/arch/x86/kernel/kgdb.c 2011-05-04 17:56:20.000000000 -0400
15506 @@ -390,13 +390,13 @@ int kgdb_arch_handle_exception(int e_vec
15507
15508 /* clear the trace bit */
15509 linux_regs->flags &= ~X86_EFLAGS_TF;
15510 - atomic_set(&kgdb_cpu_doing_single_step, -1);
15511 + atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
15512
15513 /* set the trace bit if we're stepping */
15514 if (remcomInBuffer[0] == 's') {
15515 linux_regs->flags |= X86_EFLAGS_TF;
15516 kgdb_single_step = 1;
15517 - atomic_set(&kgdb_cpu_doing_single_step,
15518 + atomic_set_unchecked(&kgdb_cpu_doing_single_step,
15519 raw_smp_processor_id());
15520 }
15521
15522 @@ -476,7 +476,7 @@ static int __kgdb_notify(struct die_args
15523 break;
15524
15525 case DIE_DEBUG:
15526 - if (atomic_read(&kgdb_cpu_doing_single_step) ==
15527 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) ==
15528 raw_smp_processor_id()) {
15529 if (user_mode(regs))
15530 return single_step_cont(regs, args);
15531 @@ -573,7 +573,7 @@ unsigned long kgdb_arch_pc(int exception
15532 return instruction_pointer(regs);
15533 }
15534
15535 -struct kgdb_arch arch_kgdb_ops = {
15536 +const struct kgdb_arch arch_kgdb_ops = {
15537 /* Breakpoint instruction: */
15538 .gdb_bpt_instr = { 0xcc },
15539 .flags = KGDB_HW_BREAKPOINT,
15540 diff -urNp linux-2.6.32.46/arch/x86/kernel/kprobes.c linux-2.6.32.46/arch/x86/kernel/kprobes.c
15541 --- linux-2.6.32.46/arch/x86/kernel/kprobes.c 2011-03-27 14:31:47.000000000 -0400
15542 +++ linux-2.6.32.46/arch/x86/kernel/kprobes.c 2011-04-17 15:56:46.000000000 -0400
15543 @@ -166,9 +166,13 @@ static void __kprobes set_jmp_op(void *f
15544 char op;
15545 s32 raddr;
15546 } __attribute__((packed)) * jop;
15547 - jop = (struct __arch_jmp_op *)from;
15548 +
15549 + jop = (struct __arch_jmp_op *)(ktla_ktva(from));
15550 +
15551 + pax_open_kernel();
15552 jop->raddr = (s32)((long)(to) - ((long)(from) + 5));
15553 jop->op = RELATIVEJUMP_INSTRUCTION;
15554 + pax_close_kernel();
15555 }
15556
15557 /*
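Review bot: set_jmp_op now uses two addresses for the same instruction with no comment to tell them apart: the stores go through `ktla_ktva(from)`, while the displacement in `jop->raddr` is still computed from `from`. That looks deliberate (the jump is relative to the address it executes at, not to the alias it is written through), but it is easy to "correct" by mistake later. I would add `/* write via the ktla_ktva() alias; the displacement stays relative to the executed address 'from' */` above the `pax_open_kernel()` call. The function's signature and the start of its local struct declaration are outside this hunk.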
15558 @@ -193,7 +197,7 @@ static int __kprobes can_boost(kprobe_op
15559 kprobe_opcode_t opcode;
15560 kprobe_opcode_t *orig_opcodes = opcodes;
15561
15562 - if (search_exception_tables((unsigned long)opcodes))
15563 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
15564 return 0; /* Page fault may occur on this address. */
15565
15566 retry:
15567 @@ -337,7 +341,9 @@ static void __kprobes fix_riprel(struct
15568 disp = (u8 *) p->addr + *((s32 *) insn) -
15569 (u8 *) p->ainsn.insn;
15570 BUG_ON((s64) (s32) disp != disp); /* Sanity check. */
15571 + pax_open_kernel();
15572 *(s32 *)insn = (s32) disp;
15573 + pax_close_kernel();
15574 }
15575 }
15576 #endif
15577 @@ -345,16 +351,18 @@ static void __kprobes fix_riprel(struct
15578
15579 static void __kprobes arch_copy_kprobe(struct kprobe *p)
15580 {
15581 - memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
15582 + pax_open_kernel();
15583 + memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
15584 + pax_close_kernel();
15585
15586 fix_riprel(p);
15587
15588 - if (can_boost(p->addr))
15589 + if (can_boost(ktla_ktva(p->addr)))
15590 p->ainsn.boostable = 0;
15591 else
15592 p->ainsn.boostable = -1;
15593
15594 - p->opcode = *p->addr;
15595 + p->opcode = *(ktla_ktva(p->addr));
15596 }
15597
15598 int __kprobes arch_prepare_kprobe(struct kprobe *p)
15599 @@ -432,7 +440,7 @@ static void __kprobes prepare_singlestep
15600 if (p->opcode == BREAKPOINT_INSTRUCTION)
15601 regs->ip = (unsigned long)p->addr;
15602 else
15603 - regs->ip = (unsigned long)p->ainsn.insn;
15604 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
15605 }
15606
15607 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
15608 @@ -453,7 +461,7 @@ static void __kprobes setup_singlestep(s
15609 if (p->ainsn.boostable == 1 && !p->post_handler) {
15610 /* Boost up -- we can execute copied instructions directly */
15611 reset_current_kprobe();
15612 - regs->ip = (unsigned long)p->ainsn.insn;
15613 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
15614 preempt_enable_no_resched();
15615 return;
15616 }
15617 @@ -523,7 +531,7 @@ static int __kprobes kprobe_handler(stru
15618 struct kprobe_ctlblk *kcb;
15619
15620 addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
15621 - if (*addr != BREAKPOINT_INSTRUCTION) {
15622 + if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
15623 /*
15624 * The breakpoint instruction was removed right
15625 * after we hit it. Another cpu has removed
15626 @@ -775,7 +783,7 @@ static void __kprobes resume_execution(s
15627 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
15628 {
15629 unsigned long *tos = stack_addr(regs);
15630 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
15631 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
15632 unsigned long orig_ip = (unsigned long)p->addr;
15633 kprobe_opcode_t *insn = p->ainsn.insn;
15634
15635 @@ -958,7 +966,7 @@ int __kprobes kprobe_exceptions_notify(s
15636 struct die_args *args = data;
15637 int ret = NOTIFY_DONE;
15638
15639 - if (args->regs && user_mode_vm(args->regs))
15640 + if (args->regs && user_mode(args->regs))
15641 return ret;
15642
15643 switch (val) {
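Review bot: Replacing `user_mode_vm(args->regs)` with `user_mode(args->regs)` is only equivalent if `user_mode()` also treats vm86 frames as user mode on 32-bit, which is decided in a header not shown here. If it tests the CS privilege bits alone, a fault taken in vm86 mode would no longer return early and would be processed as a kernel-mode event. Confirm against the patched definition and record it in a comment, e.g. `/* user_mode() covers vm86 frames here */`. The body of kprobe_exceptions_notify continues outside this hunk.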
15644 diff -urNp linux-2.6.32.46/arch/x86/kernel/kvm.c linux-2.6.32.46/arch/x86/kernel/kvm.c
15645 --- linux-2.6.32.46/arch/x86/kernel/kvm.c 2011-03-27 14:31:47.000000000 -0400
15646 +++ linux-2.6.32.46/arch/x86/kernel/kvm.c 2011-08-24 18:35:52.000000000 -0400
15647 @@ -216,6 +216,7 @@ static void __init paravirt_ops_setup(vo
15648 pv_mmu_ops.set_pud = kvm_set_pud;
15649 #if PAGETABLE_LEVELS == 4
15650 pv_mmu_ops.set_pgd = kvm_set_pgd;
15651 + pv_mmu_ops.set_pgd_batched = kvm_set_pgd;
15652 #endif
15653 #endif
15654 pv_mmu_ops.flush_tlb_user = kvm_flush_tlb;
15655 diff -urNp linux-2.6.32.46/arch/x86/kernel/ldt.c linux-2.6.32.46/arch/x86/kernel/ldt.c
15656 --- linux-2.6.32.46/arch/x86/kernel/ldt.c 2011-03-27 14:31:47.000000000 -0400
15657 +++ linux-2.6.32.46/arch/x86/kernel/ldt.c 2011-04-17 15:56:46.000000000 -0400
15658 @@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, i
15659 if (reload) {
15660 #ifdef CONFIG_SMP
15661 preempt_disable();
15662 - load_LDT(pc);
15663 + load_LDT_nolock(pc);
15664 if (!cpumask_equal(mm_cpumask(current->mm),
15665 cpumask_of(smp_processor_id())))
15666 smp_call_function(flush_ldt, current->mm, 1);
15667 preempt_enable();
15668 #else
15669 - load_LDT(pc);
15670 + load_LDT_nolock(pc);
15671 #endif
15672 }
15673 if (oldsize) {
15674 @@ -94,7 +94,7 @@ static inline int copy_ldt(mm_context_t
15675 return err;
15676
15677 for (i = 0; i < old->size; i++)
15678 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
15679 + write_ldt_entry(new->ldt, i, old->ldt + i);
15680 return 0;
15681 }
15682
15683 @@ -115,6 +115,24 @@ int init_new_context(struct task_struct
15684 retval = copy_ldt(&mm->context, &old_mm->context);
15685 mutex_unlock(&old_mm->context.lock);
15686 }
15687 +
15688 + if (tsk == current) {
15689 + mm->context.vdso = 0;
15690 +
15691 +#ifdef CONFIG_X86_32
15692 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
15693 + mm->context.user_cs_base = 0UL;
15694 + mm->context.user_cs_limit = ~0UL;
15695 +
15696 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
15697 + cpus_clear(mm->context.cpu_user_cs_mask);
15698 +#endif
15699 +
15700 +#endif
15701 +#endif
15702 +
15703 + }
15704 +
15705 return retval;
15706 }
15707
15708 @@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, u
15709 }
15710 }
15711
15712 +#ifdef CONFIG_PAX_SEGMEXEC
15713 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
15714 + error = -EINVAL;
15715 + goto out_unlock;
15716 + }
15717 +#endif
15718 +
15719 fill_ldt(&ldt, &ldt_info);
15720 if (oldmode)
15721 ldt.avl = 0;
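Review bot: The new SEGMEXEC check tests `ldt_info.contents & MODIFY_LDT_CONTENTS_CODE` as a bit mask although `contents` is a small enumerated field, so it relies on every code-segment encoding having that bit set. A comment should state this and the reason for the refusal, e.g. `/* bit is set for all code-segment encodings; SEGMEXEC tasks may not install their own code segments */` (the rationale is inferred from the config name; confirm). The comment should also record that the refusal is reported as -EINVAL rather than -EPERM. write_ldt starts and ends outside this hunk.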
15722 diff -urNp linux-2.6.32.46/arch/x86/kernel/machine_kexec_32.c linux-2.6.32.46/arch/x86/kernel/machine_kexec_32.c
15723 --- linux-2.6.32.46/arch/x86/kernel/machine_kexec_32.c 2011-03-27 14:31:47.000000000 -0400
15724 +++ linux-2.6.32.46/arch/x86/kernel/machine_kexec_32.c 2011-04-17 15:56:46.000000000 -0400
15725 @@ -26,7 +26,7 @@
15726 #include <asm/system.h>
15727 #include <asm/cacheflush.h>
15728
15729 -static void set_idt(void *newidt, __u16 limit)
15730 +static void set_idt(struct desc_struct *newidt, __u16 limit)
15731 {
15732 struct desc_ptr curidt;
15733
15734 @@ -38,7 +38,7 @@ static void set_idt(void *newidt, __u16
15735 }
15736
15737
15738 -static void set_gdt(void *newgdt, __u16 limit)
15739 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
15740 {
15741 struct desc_ptr curgdt;
15742
15743 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
15744 }
15745
15746 control_page = page_address(image->control_code_page);
15747 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
15748 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
15749
15750 relocate_kernel_ptr = control_page;
15751 page_list[PA_CONTROL_PAGE] = __pa(control_page);
15752 diff -urNp linux-2.6.32.46/arch/x86/kernel/microcode_amd.c linux-2.6.32.46/arch/x86/kernel/microcode_amd.c
15753 --- linux-2.6.32.46/arch/x86/kernel/microcode_amd.c 2011-04-17 17:00:52.000000000 -0400
15754 +++ linux-2.6.32.46/arch/x86/kernel/microcode_amd.c 2011-04-17 17:03:05.000000000 -0400
15755 @@ -364,7 +364,7 @@ static void microcode_fini_cpu_amd(int c
15756 uci->mc = NULL;
15757 }
15758
15759 -static struct microcode_ops microcode_amd_ops = {
15760 +static const struct microcode_ops microcode_amd_ops = {
15761 .request_microcode_user = request_microcode_user,
15762 .request_microcode_fw = request_microcode_fw,
15763 .collect_cpu_info = collect_cpu_info_amd,
15764 @@ -372,7 +372,7 @@ static struct microcode_ops microcode_am
15765 .microcode_fini_cpu = microcode_fini_cpu_amd,
15766 };
15767
15768 -struct microcode_ops * __init init_amd_microcode(void)
15769 +const struct microcode_ops * __init init_amd_microcode(void)
15770 {
15771 return &microcode_amd_ops;
15772 }
15773 diff -urNp linux-2.6.32.46/arch/x86/kernel/microcode_core.c linux-2.6.32.46/arch/x86/kernel/microcode_core.c
15774 --- linux-2.6.32.46/arch/x86/kernel/microcode_core.c 2011-03-27 14:31:47.000000000 -0400
15775 +++ linux-2.6.32.46/arch/x86/kernel/microcode_core.c 2011-04-17 15:56:46.000000000 -0400
15776 @@ -90,7 +90,7 @@ MODULE_LICENSE("GPL");
15777
15778 #define MICROCODE_VERSION "2.00"
15779
15780 -static struct microcode_ops *microcode_ops;
15781 +static const struct microcode_ops *microcode_ops;
15782
15783 /*
15784 * Synchronization.
15785 diff -urNp linux-2.6.32.46/arch/x86/kernel/microcode_intel.c linux-2.6.32.46/arch/x86/kernel/microcode_intel.c
15786 --- linux-2.6.32.46/arch/x86/kernel/microcode_intel.c 2011-03-27 14:31:47.000000000 -0400
15787 +++ linux-2.6.32.46/arch/x86/kernel/microcode_intel.c 2011-04-17 15:56:46.000000000 -0400
15788 @@ -443,13 +443,13 @@ static enum ucode_state request_microcod
15789
15790 static int get_ucode_user(void *to, const void *from, size_t n)
15791 {
15792 - return copy_from_user(to, from, n);
15793 + return copy_from_user(to, (__force const void __user *)from, n);
15794 }
15795
15796 static enum ucode_state
15797 request_microcode_user(int cpu, const void __user *buf, size_t size)
15798 {
15799 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
15800 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
15801 }
15802
15803 static void microcode_fini_cpu(int cpu)
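Review bot: The two `__force` casts silence sparse rather than fix the types. `request_microcode_user()` strips `__user` from `buf` and `get_ucode_user()` puts it back on `from`, so the checker can no longer see that a user pointer travels through `generic_load_microcode()` as a plain `void *`. Safety then rests on `get_ucode_user` being the only accessor ever applied to that buffer, which should be written down at both casts, e.g. `/* buf is a user pointer; it may only be read through get_ucode_user() */`. generic_load_microcode is defined outside this hunk, so how it handles the pointer cannot be confirmed from here.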
15804 @@ -460,7 +460,7 @@ static void microcode_fini_cpu(int cpu)
15805 uci->mc = NULL;
15806 }
15807
15808 -static struct microcode_ops microcode_intel_ops = {
15809 +static const struct microcode_ops microcode_intel_ops = {
15810 .request_microcode_user = request_microcode_user,
15811 .request_microcode_fw = request_microcode_fw,
15812 .collect_cpu_info = collect_cpu_info,
15813 @@ -468,7 +468,7 @@ static struct microcode_ops microcode_in
15814 .microcode_fini_cpu = microcode_fini_cpu,
15815 };
15816
15817 -struct microcode_ops * __init init_intel_microcode(void)
15818 +const struct microcode_ops * __init init_intel_microcode(void)
15819 {
15820 return &microcode_intel_ops;
15821 }
15822 diff -urNp linux-2.6.32.46/arch/x86/kernel/module.c linux-2.6.32.46/arch/x86/kernel/module.c
15823 --- linux-2.6.32.46/arch/x86/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
15824 +++ linux-2.6.32.46/arch/x86/kernel/module.c 2011-04-17 15:56:46.000000000 -0400
15825 @@ -34,7 +34,7 @@
15826 #define DEBUGP(fmt...)
15827 #endif
15828
15829 -void *module_alloc(unsigned long size)
15830 +static void *__module_alloc(unsigned long size, pgprot_t prot)
15831 {
15832 struct vm_struct *area;
15833
15834 @@ -48,8 +48,18 @@ void *module_alloc(unsigned long size)
15835 if (!area)
15836 return NULL;
15837
15838 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
15839 - PAGE_KERNEL_EXEC);
15840 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
15841 +}
15842 +
15843 +void *module_alloc(unsigned long size)
15844 +{
15845 +
15846 +#ifdef CONFIG_PAX_KERNEXEC
15847 + return __module_alloc(size, PAGE_KERNEL);
15848 +#else
15849 + return __module_alloc(size, PAGE_KERNEL_EXEC);
15850 +#endif
15851 +
15852 }
15853
15854 /* Free memory returned from module_alloc */
15855 @@ -58,6 +68,40 @@ void module_free(struct module *mod, voi
15856 vfree(module_region);
15857 }
15858
15859 +#ifdef CONFIG_PAX_KERNEXEC
15860 +#ifdef CONFIG_X86_32
15861 +void *module_alloc_exec(unsigned long size)
15862 +{
15863 + struct vm_struct *area;
15864 +
15865 + if (size == 0)
15866 + return NULL;
15867 +
15868 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
15869 + return area ? area->addr : NULL;
15870 +}
15871 +EXPORT_SYMBOL(module_alloc_exec);
15872 +
15873 +void module_free_exec(struct module *mod, void *module_region)
15874 +{
15875 + vunmap(module_region);
15876 +}
15877 +EXPORT_SYMBOL(module_free_exec);
15878 +#else
15879 +void module_free_exec(struct module *mod, void *module_region)
15880 +{
15881 + module_free(mod, module_region);
15882 +}
15883 +EXPORT_SYMBOL(module_free_exec);
15884 +
15885 +void *module_alloc_exec(unsigned long size)
15886 +{
15887 + return __module_alloc(size, PAGE_KERNEL_RX);
15888 +}
15889 +EXPORT_SYMBOL(module_alloc_exec);
15890 +#endif
15891 +#endif
15892 +
15893 /* We don't need anything special. */
15894 int module_frob_arch_sections(Elf_Ehdr *hdr,
15895 Elf_Shdr *sechdrs,
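Review bot: The two `module_alloc_exec()` variants added here return different things under one name. The CONFIG_X86_32 version returns `area->addr` straight from `__get_vm_area()`, with no call in the function that allocates or maps pages. The other version returns memory from `__module_alloc(size, PAGE_KERNEL_RX)`. Each needs a header comment stating what the caller gets back and which release routine pairs with it (`vunmap()` in one, `module_free()` in the other). The same comment block should say that `module_alloc()` no longer returns executable memory when CONFIG_PAX_KERNEXEC is set, as the previous hunk makes it use `PAGE_KERNEL`.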
15896 @@ -77,14 +121,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
15897 unsigned int i;
15898 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
15899 Elf32_Sym *sym;
15900 - uint32_t *location;
15901 + uint32_t *plocation, location;
15902
15903 DEBUGP("Applying relocate section %u to %u\n", relsec,
15904 sechdrs[relsec].sh_info);
15905 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
15906 /* This is where to make the change */
15907 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
15908 - + rel[i].r_offset;
15909 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
15910 + location = (uint32_t)plocation;
15911 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
15912 + plocation = ktla_ktva((void *)plocation);
15913 /* This is the symbol it is referring to. Note that all
15914 undefined symbols have been resolved. */
15915 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
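Review bot: The new pair `plocation`/`location` in `apply_relocate()` is easy to misread, because `location` used to be the pointer and is now an integer copy taken before the `ktla_ktva()` translation. A comment at the declaration would prevent a later edit from using the wrong one, for example `/* location: address the relocation is computed against; plocation: address written through (translated by ktla_ktva for executable sections) */`. The cast in `ktla_ktva((void *)plocation)` is applied to a value that is already a pointer and looks redundant. The function starts and ends outside this hunk.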
15916 @@ -93,11 +139,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
15917 switch (ELF32_R_TYPE(rel[i].r_info)) {
15918 case R_386_32:
15919 /* We add the value into the location given */
15920 - *location += sym->st_value;
15921 + pax_open_kernel();
15922 + *plocation += sym->st_value;
15923 + pax_close_kernel();
15924 break;
15925 case R_386_PC32:
15926 /* Add the value, subtract its postition */
15927 - *location += sym->st_value - (uint32_t)location;
15928 + pax_open_kernel();
15929 + *plocation += sym->st_value - location;
15930 + pax_close_kernel();
15931 break;
15932 default:
15933 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
15934 @@ -153,21 +203,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
15935 case R_X86_64_NONE:
15936 break;
15937 case R_X86_64_64:
15938 + pax_open_kernel();
15939 *(u64 *)loc = val;
15940 + pax_close_kernel();
15941 break;
15942 case R_X86_64_32:
15943 + pax_open_kernel();
15944 *(u32 *)loc = val;
15945 + pax_close_kernel();
15946 if (val != *(u32 *)loc)
15947 goto overflow;
15948 break;
15949 case R_X86_64_32S:
15950 + pax_open_kernel();
15951 *(s32 *)loc = val;
15952 + pax_close_kernel();
15953 if ((s64)val != *(s32 *)loc)
15954 goto overflow;
15955 break;
15956 case R_X86_64_PC32:
15957 val -= (u64)loc;
15958 + pax_open_kernel();
15959 *(u32 *)loc = val;
15960 + pax_close_kernel();
15961 +
15962 #if 0
15963 if ((s64)val != *(s32 *)loc)
15964 goto overflow;
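Review bot: In the `R_X86_64_32` and `R_X86_64_32S` cases the truncated value is stored inside the `pax_open_kernel()` window before the overflow test runs, so an out-of-range relocation has already modified the target when `goto overflow` is taken. Testing first avoids both the store and the window: `if (val != (u32)val) goto overflow;` and `if ((s64)val != (s32)val) goto overflow;` placed ahead of the respective writes. The store-then-compare order predates this patch, and the function starts and ends outside the hunk.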
15965 diff -urNp linux-2.6.32.46/arch/x86/kernel/paravirt.c linux-2.6.32.46/arch/x86/kernel/paravirt.c
15966 --- linux-2.6.32.46/arch/x86/kernel/paravirt.c 2011-03-27 14:31:47.000000000 -0400
15967 +++ linux-2.6.32.46/arch/x86/kernel/paravirt.c 2011-08-23 20:24:19.000000000 -0400
15968 @@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x)
15969 {
15970 return x;
15971 }
15972 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
15973 +PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
15974 +#endif
15975
15976 void __init default_banner(void)
15977 {
15978 @@ -122,7 +125,7 @@ unsigned paravirt_patch_jmp(void *insnbu
15979 * corresponding structure. */
15980 static void *get_call_destination(u8 type)
15981 {
15982 - struct paravirt_patch_template tmpl = {
15983 + const struct paravirt_patch_template tmpl = {
15984 .pv_init_ops = pv_init_ops,
15985 .pv_time_ops = pv_time_ops,
15986 .pv_cpu_ops = pv_cpu_ops,
15987 @@ -133,6 +136,8 @@ static void *get_call_destination(u8 typ
15988 .pv_lock_ops = pv_lock_ops,
15989 #endif
15990 };
15991 +
15992 + pax_track_stack();
15993 return *((void **)&tmpl + type);
15994 }
15995
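Review bot: The cast in `return *((void **)&tmpl + type);` discards the `const` that the previous hunk adds to `tmpl`; `return *((void * const *)&tmpl + type);` keeps the qualifier. `type` is also used as an index into the template without a range check in the visible lines, so a bound against `sizeof(tmpl) / sizeof(void *)` is worth considering if any caller can pass an unchecked value. The opening lines of `get_call_destination()` are in the preceding hunk.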
15996 @@ -145,15 +150,19 @@ unsigned paravirt_patch_default(u8 type,
15997 if (opfunc == NULL)
15998 /* If there's no function, patch it with a ud2a (BUG) */
15999 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
16000 - else if (opfunc == _paravirt_nop)
16001 + else if (opfunc == (void *)_paravirt_nop)
16002 /* If the operation is a nop, then nop the callsite */
16003 ret = paravirt_patch_nop();
16004
16005 /* identity functions just return their single argument */
16006 - else if (opfunc == _paravirt_ident_32)
16007 + else if (opfunc == (void *)_paravirt_ident_32)
16008 ret = paravirt_patch_ident_32(insnbuf, len);
16009 - else if (opfunc == _paravirt_ident_64)
16010 + else if (opfunc == (void *)_paravirt_ident_64)
16011 + ret = paravirt_patch_ident_64(insnbuf, len);
16012 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
16013 + else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
16014 ret = paravirt_patch_ident_64(insnbuf, len);
16015 +#endif
16016
16017 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
16018 type == PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) ||
16019 @@ -178,7 +187,7 @@ unsigned paravirt_patch_insns(void *insn
16020 if (insn_len > len || start == NULL)
16021 insn_len = len;
16022 else
16023 - memcpy(insnbuf, start, insn_len);
16024 + memcpy(insnbuf, ktla_ktva(start), insn_len);
16025
16026 return insn_len;
16027 }
16028 @@ -294,22 +303,22 @@ void arch_flush_lazy_mmu_mode(void)
16029 preempt_enable();
16030 }
16031
16032 -struct pv_info pv_info = {
16033 +struct pv_info pv_info __read_only = {
16034 .name = "bare hardware",
16035 .paravirt_enabled = 0,
16036 .kernel_rpl = 0,
16037 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
16038 };
16039
16040 -struct pv_init_ops pv_init_ops = {
16041 +struct pv_init_ops pv_init_ops __read_only = {
16042 .patch = native_patch,
16043 };
16044
16045 -struct pv_time_ops pv_time_ops = {
16046 +struct pv_time_ops pv_time_ops __read_only = {
16047 .sched_clock = native_sched_clock,
16048 };
16049
16050 -struct pv_irq_ops pv_irq_ops = {
16051 +struct pv_irq_ops pv_irq_ops __read_only = {
16052 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
16053 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
16054 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
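Review bot: Nothing next to the new `__read_only` annotations says how these tables may still be updated; the same applies to `pv_cpu_ops`, `pv_apic_ops` and `pv_mmu_ops` below and to `pv_lock_ops` in paravirt-spinlocks.c. If any code assigns to them after the section has been write-protected, that store presumably needs the `pax_open_kernel()`/`pax_close_kernel()` bracket used elsewhere in this patch; the writers are not visible here. A comment such as `/* __read_only: assign only during early init or inside pax_open_kernel()/pax_close_kernel() */` above `pv_info` would record the rule.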
16055 @@ -321,7 +330,7 @@ struct pv_irq_ops pv_irq_ops = {
16056 #endif
16057 };
16058
16059 -struct pv_cpu_ops pv_cpu_ops = {
16060 +struct pv_cpu_ops pv_cpu_ops __read_only = {
16061 .cpuid = native_cpuid,
16062 .get_debugreg = native_get_debugreg,
16063 .set_debugreg = native_set_debugreg,
16064 @@ -382,21 +391,26 @@ struct pv_cpu_ops pv_cpu_ops = {
16065 .end_context_switch = paravirt_nop,
16066 };
16067
16068 -struct pv_apic_ops pv_apic_ops = {
16069 +struct pv_apic_ops pv_apic_ops __read_only = {
16070 #ifdef CONFIG_X86_LOCAL_APIC
16071 .startup_ipi_hook = paravirt_nop,
16072 #endif
16073 };
16074
16075 -#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
16076 +#ifdef CONFIG_X86_32
16077 +#ifdef CONFIG_X86_PAE
16078 +/* 64-bit pagetable entries */
16079 +#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64)
16080 +#else
16081 /* 32-bit pagetable entries */
16082 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
16083 +#endif
16084 #else
16085 /* 64-bit pagetable entries */
16086 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
16087 #endif
16088
16089 -struct pv_mmu_ops pv_mmu_ops = {
16090 +struct pv_mmu_ops pv_mmu_ops __read_only = {
16091
16092 .read_cr2 = native_read_cr2,
16093 .write_cr2 = native_write_cr2,
16094 @@ -448,6 +462,7 @@ struct pv_mmu_ops pv_mmu_ops = {
16095 .make_pud = PTE_IDENT,
16096
16097 .set_pgd = native_set_pgd,
16098 + .set_pgd_batched = native_set_pgd_batched,
16099 #endif
16100 #endif /* PAGETABLE_LEVELS >= 3 */
16101
16102 @@ -467,6 +482,12 @@ struct pv_mmu_ops pv_mmu_ops = {
16103 },
16104
16105 .set_fixmap = native_set_fixmap,
16106 +
16107 +#ifdef CONFIG_PAX_KERNEXEC
16108 + .pax_open_kernel = native_pax_open_kernel,
16109 + .pax_close_kernel = native_pax_close_kernel,
16110 +#endif
16111 +
16112 };
16113
16114 EXPORT_SYMBOL_GPL(pv_time_ops);
16115 diff -urNp linux-2.6.32.46/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.32.46/arch/x86/kernel/paravirt-spinlocks.c
16116 --- linux-2.6.32.46/arch/x86/kernel/paravirt-spinlocks.c 2011-03-27 14:31:47.000000000 -0400
16117 +++ linux-2.6.32.46/arch/x86/kernel/paravirt-spinlocks.c 2011-04-17 15:56:46.000000000 -0400
16118 @@ -13,7 +13,7 @@ default_spin_lock_flags(raw_spinlock_t *
16119 __raw_spin_lock(lock);
16120 }
16121
16122 -struct pv_lock_ops pv_lock_ops = {
16123 +struct pv_lock_ops pv_lock_ops __read_only = {
16124 #ifdef CONFIG_SMP
16125 .spin_is_locked = __ticket_spin_is_locked,
16126 .spin_is_contended = __ticket_spin_is_contended,
16127 diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-calgary_64.c linux-2.6.32.46/arch/x86/kernel/pci-calgary_64.c
16128 --- linux-2.6.32.46/arch/x86/kernel/pci-calgary_64.c 2011-03-27 14:31:47.000000000 -0400
16129 +++ linux-2.6.32.46/arch/x86/kernel/pci-calgary_64.c 2011-04-17 15:56:46.000000000 -0400
16130 @@ -477,7 +477,7 @@ static void calgary_free_coherent(struct
16131 free_pages((unsigned long)vaddr, get_order(size));
16132 }
16133
16134 -static struct dma_map_ops calgary_dma_ops = {
16135 +static const struct dma_map_ops calgary_dma_ops = {
16136 .alloc_coherent = calgary_alloc_coherent,
16137 .free_coherent = calgary_free_coherent,
16138 .map_sg = calgary_map_sg,
16139 diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-dma.c linux-2.6.32.46/arch/x86/kernel/pci-dma.c
16140 --- linux-2.6.32.46/arch/x86/kernel/pci-dma.c 2011-03-27 14:31:47.000000000 -0400
16141 +++ linux-2.6.32.46/arch/x86/kernel/pci-dma.c 2011-04-17 15:56:46.000000000 -0400
16142 @@ -14,7 +14,7 @@
16143
16144 static int forbid_dac __read_mostly;
16145
16146 -struct dma_map_ops *dma_ops;
16147 +const struct dma_map_ops *dma_ops;
16148 EXPORT_SYMBOL(dma_ops);
16149
16150 static int iommu_sac_force __read_mostly;
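Review bot: `const struct dma_map_ops *dma_ops;` makes the pointed-to table constant but leaves the exported pointer itself writable, so the protection gained by constifying the tables in the neighbouring pci-*.c files does not extend to the pointer that selects them. If every assignment to `dma_ops` happens during init (not visible in this hunk), `const struct dma_map_ops *dma_ops __read_only;` would cover the pointer as well. If it can be reassigned later, a comment saying so would explain why it was left out.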
16151 @@ -243,7 +243,7 @@ early_param("iommu", iommu_setup);
16152
16153 int dma_supported(struct device *dev, u64 mask)
16154 {
16155 - struct dma_map_ops *ops = get_dma_ops(dev);
16156 + const struct dma_map_ops *ops = get_dma_ops(dev);
16157
16158 #ifdef CONFIG_PCI
16159 if (mask > 0xffffffff && forbid_dac > 0) {
16160 diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-gart_64.c linux-2.6.32.46/arch/x86/kernel/pci-gart_64.c
16161 --- linux-2.6.32.46/arch/x86/kernel/pci-gart_64.c 2011-03-27 14:31:47.000000000 -0400
16162 +++ linux-2.6.32.46/arch/x86/kernel/pci-gart_64.c 2011-04-17 15:56:46.000000000 -0400
16163 @@ -682,7 +682,7 @@ static __init int init_k8_gatt(struct ag
16164 return -1;
16165 }
16166
16167 -static struct dma_map_ops gart_dma_ops = {
16168 +static const struct dma_map_ops gart_dma_ops = {
16169 .map_sg = gart_map_sg,
16170 .unmap_sg = gart_unmap_sg,
16171 .map_page = gart_map_page,
16172 diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-nommu.c linux-2.6.32.46/arch/x86/kernel/pci-nommu.c
16173 --- linux-2.6.32.46/arch/x86/kernel/pci-nommu.c 2011-03-27 14:31:47.000000000 -0400
16174 +++ linux-2.6.32.46/arch/x86/kernel/pci-nommu.c 2011-04-17 15:56:46.000000000 -0400
16175 @@ -94,7 +94,7 @@ static void nommu_sync_sg_for_device(str
16176 flush_write_buffers();
16177 }
16178
16179 -struct dma_map_ops nommu_dma_ops = {
16180 +const struct dma_map_ops nommu_dma_ops = {
16181 .alloc_coherent = dma_generic_alloc_coherent,
16182 .free_coherent = nommu_free_coherent,
16183 .map_sg = nommu_map_sg,
16184 diff -urNp linux-2.6.32.46/arch/x86/kernel/pci-swiotlb.c linux-2.6.32.46/arch/x86/kernel/pci-swiotlb.c
16185 --- linux-2.6.32.46/arch/x86/kernel/pci-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
16186 +++ linux-2.6.32.46/arch/x86/kernel/pci-swiotlb.c 2011-04-17 15:56:46.000000000 -0400
16187 @@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
16188 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
16189 }
16190
16191 -static struct dma_map_ops swiotlb_dma_ops = {
16192 +static const struct dma_map_ops swiotlb_dma_ops = {
16193 .mapping_error = swiotlb_dma_mapping_error,
16194 .alloc_coherent = x86_swiotlb_alloc_coherent,
16195 .free_coherent = swiotlb_free_coherent,
16196 diff -urNp linux-2.6.32.46/arch/x86/kernel/process_32.c linux-2.6.32.46/arch/x86/kernel/process_32.c
16197 --- linux-2.6.32.46/arch/x86/kernel/process_32.c 2011-06-25 12:55:34.000000000 -0400
16198 +++ linux-2.6.32.46/arch/x86/kernel/process_32.c 2011-06-25 12:56:37.000000000 -0400
16199 @@ -67,6 +67,7 @@ asmlinkage void ret_from_fork(void) __as
16200 unsigned long thread_saved_pc(struct task_struct *tsk)
16201 {
16202 return ((unsigned long *)tsk->thread.sp)[3];
16203 +//XXX return tsk->thread.eip;
16204 }
16205
16206 #ifndef CONFIG_SMP
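Review bot: The added `//XXX return tsk->thread.eip;` in `thread_saved_pc()` is commented-out code placed after the live `return`, with no explanation of what remains to be decided. It also names `thread.eip`, whereas `copy_thread()` in this same file writes `p->thread.ip`. Either drop the line or turn it into a real note, for example `/* XXX: consider returning tsk->thread.ip instead of reading the saved stack slot */`.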
16207 @@ -129,15 +130,14 @@ void __show_regs(struct pt_regs *regs, i
16208 unsigned short ss, gs;
16209 const char *board;
16210
16211 - if (user_mode_vm(regs)) {
16212 + if (user_mode(regs)) {
16213 sp = regs->sp;
16214 ss = regs->ss & 0xffff;
16215 - gs = get_user_gs(regs);
16216 } else {
16217 sp = (unsigned long) (&regs->sp);
16218 savesegment(ss, ss);
16219 - savesegment(gs, gs);
16220 }
16221 + gs = get_user_gs(regs);
16222
16223 printk("\n");
16224
16225 @@ -210,10 +210,10 @@ int kernel_thread(int (*fn)(void *), voi
16226 regs.bx = (unsigned long) fn;
16227 regs.dx = (unsigned long) arg;
16228
16229 - regs.ds = __USER_DS;
16230 - regs.es = __USER_DS;
16231 + regs.ds = __KERNEL_DS;
16232 + regs.es = __KERNEL_DS;
16233 regs.fs = __KERNEL_PERCPU;
16234 - regs.gs = __KERNEL_STACK_CANARY;
16235 + savesegment(gs, regs.gs);
16236 regs.orig_ax = -1;
16237 regs.ip = (unsigned long) kernel_thread_helper;
16238 regs.cs = __KERNEL_CS | get_kernel_rpl();
16239 @@ -247,13 +247,14 @@ int copy_thread(unsigned long clone_flag
16240 struct task_struct *tsk;
16241 int err;
16242
16243 - childregs = task_pt_regs(p);
16244 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
16245 *childregs = *regs;
16246 childregs->ax = 0;
16247 childregs->sp = sp;
16248
16249 p->thread.sp = (unsigned long) childregs;
16250 p->thread.sp0 = (unsigned long) (childregs+1);
16251 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16252
16253 p->thread.ip = (unsigned long) ret_from_fork;
16254
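Review bot: The bare `- 8` in `childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;` is an unexplained layout constant, and process_64.c repeats the pattern with `16` in `copy_thread()` and again in the `get_wchan()` bounds (`stack+THREAD_SIZE-16-sizeof(u64)`). These values have to agree wherever the top of the kernel stack is computed, so one named constant per architecture would be safer than repeated literals. At minimum add `/* pt_regs sits 8 bytes below the stack top (16 on x86_64); keep in sync with other stack-top computations */` here. `copy_thread()` continues outside the hunk.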
16255 @@ -345,7 +346,7 @@ __switch_to(struct task_struct *prev_p,
16256 struct thread_struct *prev = &prev_p->thread,
16257 *next = &next_p->thread;
16258 int cpu = smp_processor_id();
16259 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16260 + struct tss_struct *tss = init_tss + cpu;
16261 bool preload_fpu;
16262
16263 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
16264 @@ -380,6 +381,10 @@ __switch_to(struct task_struct *prev_p,
16265 */
16266 lazy_save_gs(prev->gs);
16267
16268 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16269 + __set_fs(task_thread_info(next_p)->addr_limit);
16270 +#endif
16271 +
16272 /*
16273 * Load the per-thread Thread-Local Storage descriptor.
16274 */
16275 @@ -415,6 +420,9 @@ __switch_to(struct task_struct *prev_p,
16276 */
16277 arch_end_context_switch(next_p);
16278
16279 + percpu_write(current_task, next_p);
16280 + percpu_write(current_tinfo, &next_p->tinfo);
16281 +
16282 if (preload_fpu)
16283 __math_state_restore();
16284
16285 @@ -424,8 +432,6 @@ __switch_to(struct task_struct *prev_p,
16286 if (prev->gs | next->gs)
16287 lazy_load_gs(next->gs);
16288
16289 - percpu_write(current_task, next_p);
16290 -
16291 return prev_p;
16292 }
16293
16294 @@ -495,4 +501,3 @@ unsigned long get_wchan(struct task_stru
16295 } while (count++ < 16);
16296 return 0;
16297 }
16298 -
16299 diff -urNp linux-2.6.32.46/arch/x86/kernel/process_64.c linux-2.6.32.46/arch/x86/kernel/process_64.c
16300 --- linux-2.6.32.46/arch/x86/kernel/process_64.c 2011-06-25 12:55:34.000000000 -0400
16301 +++ linux-2.6.32.46/arch/x86/kernel/process_64.c 2011-06-25 12:56:37.000000000 -0400
16302 @@ -91,7 +91,7 @@ static void __exit_idle(void)
16303 void exit_idle(void)
16304 {
16305 /* idle loop has pid 0 */
16306 - if (current->pid)
16307 + if (task_pid_nr(current))
16308 return;
16309 __exit_idle();
16310 }
16311 @@ -170,7 +170,7 @@ void __show_regs(struct pt_regs *regs, i
16312 if (!board)
16313 board = "";
16314 printk(KERN_INFO "Pid: %d, comm: %.20s %s %s %.*s %s\n",
16315 - current->pid, current->comm, print_tainted(),
16316 + task_pid_nr(current), current->comm, print_tainted(),
16317 init_utsname()->release,
16318 (int)strcspn(init_utsname()->version, " "),
16319 init_utsname()->version, board);
16320 @@ -280,8 +280,7 @@ int copy_thread(unsigned long clone_flag
16321 struct pt_regs *childregs;
16322 struct task_struct *me = current;
16323
16324 - childregs = ((struct pt_regs *)
16325 - (THREAD_SIZE + task_stack_page(p))) - 1;
16326 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
16327 *childregs = *regs;
16328
16329 childregs->ax = 0;
16330 @@ -292,6 +291,7 @@ int copy_thread(unsigned long clone_flag
16331 p->thread.sp = (unsigned long) childregs;
16332 p->thread.sp0 = (unsigned long) (childregs+1);
16333 p->thread.usersp = me->thread.usersp;
16334 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
16335
16336 set_tsk_thread_flag(p, TIF_FORK);
16337
16338 @@ -379,7 +379,7 @@ __switch_to(struct task_struct *prev_p,
16339 struct thread_struct *prev = &prev_p->thread;
16340 struct thread_struct *next = &next_p->thread;
16341 int cpu = smp_processor_id();
16342 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
16343 + struct tss_struct *tss = init_tss + cpu;
16344 unsigned fsindex, gsindex;
16345 bool preload_fpu;
16346
16347 @@ -475,10 +475,9 @@ __switch_to(struct task_struct *prev_p,
16348 prev->usersp = percpu_read(old_rsp);
16349 percpu_write(old_rsp, next->usersp);
16350 percpu_write(current_task, next_p);
16351 + percpu_write(current_tinfo, &next_p->tinfo);
16352
16353 - percpu_write(kernel_stack,
16354 - (unsigned long)task_stack_page(next_p) +
16355 - THREAD_SIZE - KERNEL_STACK_OFFSET);
16356 + percpu_write(kernel_stack, next->sp0);
16357
16358 /*
16359 * Now maybe reload the debug registers and handle I/O bitmaps
16360 @@ -559,12 +558,11 @@ unsigned long get_wchan(struct task_stru
16361 if (!p || p == current || p->state == TASK_RUNNING)
16362 return 0;
16363 stack = (unsigned long)task_stack_page(p);
16364 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
16365 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
16366 return 0;
16367 fp = *(u64 *)(p->thread.sp);
16368 do {
16369 - if (fp < (unsigned long)stack ||
16370 - fp >= (unsigned long)stack+THREAD_SIZE)
16371 + if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
16372 return 0;
16373 ip = *(u64 *)(fp+8);
16374 if (!in_sched_functions(ip))
16375 diff -urNp linux-2.6.32.46/arch/x86/kernel/process.c linux-2.6.32.46/arch/x86/kernel/process.c
16376 --- linux-2.6.32.46/arch/x86/kernel/process.c 2011-04-22 19:16:29.000000000 -0400
16377 +++ linux-2.6.32.46/arch/x86/kernel/process.c 2011-05-22 23:02:03.000000000 -0400
16378 @@ -51,16 +51,33 @@ void free_thread_xstate(struct task_stru
16379
16380 void free_thread_info(struct thread_info *ti)
16381 {
16382 - free_thread_xstate(ti->task);
16383 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
16384 }
16385
16386 +static struct kmem_cache *task_struct_cachep;
16387 +
16388 void arch_task_cache_init(void)
16389 {
16390 - task_xstate_cachep =
16391 - kmem_cache_create("task_xstate", xstate_size,
16392 + /* create a slab on which task_structs can be allocated */
16393 + task_struct_cachep =
16394 + kmem_cache_create("task_struct", sizeof(struct task_struct),
16395 + ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
16396 +
16397 + task_xstate_cachep =
16398 + kmem_cache_create("task_xstate", xstate_size,
16399 __alignof__(union thread_xstate),
16400 - SLAB_PANIC | SLAB_NOTRACK, NULL);
16401 + SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
16402 +}
16403 +
16404 +struct task_struct *alloc_task_struct(void)
16405 +{
16406 + return kmem_cache_alloc(task_struct_cachep, GFP_KERNEL);
16407 +}
16408 +
16409 +void free_task_struct(struct task_struct *task)
16410 +{
16411 + free_thread_xstate(task);
16412 + kmem_cache_free(task_struct_cachep, task);
16413 }
16414
16415 /*
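Review bot: `SLAB_USERCOPY` is added to the `task_xstate` cache without a comment naming the user copy that needs it, while the new `task_struct` cache is created without the flag. The flag presumably widens what may be copied to or from user space, so the reason belongs next to it, e.g. `/* xstate is copied to/from user space (TODO: name the path); task_struct never is */`. Separately, `free_thread_xstate()` moves from `free_thread_info()` to `free_task_struct()`, and a one-line comment on `free_task_struct()` saying it now releases the xstate buffer would keep that ownership change visible.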
16416 @@ -73,7 +90,7 @@ void exit_thread(void)
16417 unsigned long *bp = t->io_bitmap_ptr;
16418
16419 if (bp) {
16420 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
16421 + struct tss_struct *tss = init_tss + get_cpu();
16422
16423 t->io_bitmap_ptr = NULL;
16424 clear_thread_flag(TIF_IO_BITMAP);
16425 @@ -93,6 +110,9 @@ void flush_thread(void)
16426
16427 clear_tsk_thread_flag(tsk, TIF_DEBUG);
16428
16429 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
16430 + loadsegment(gs, 0);
16431 +#endif
16432 tsk->thread.debugreg0 = 0;
16433 tsk->thread.debugreg1 = 0;
16434 tsk->thread.debugreg2 = 0;
16435 @@ -307,7 +327,7 @@ void default_idle(void)
16436 EXPORT_SYMBOL(default_idle);
16437 #endif
16438
16439 -void stop_this_cpu(void *dummy)
16440 +__noreturn void stop_this_cpu(void *dummy)
16441 {
16442 local_irq_disable();
16443 /*
16444 @@ -568,16 +588,35 @@ static int __init idle_setup(char *str)
16445 }
16446 early_param("idle", idle_setup);
16447
16448 -unsigned long arch_align_stack(unsigned long sp)
16449 +#ifdef CONFIG_PAX_RANDKSTACK
16450 +asmlinkage void pax_randomize_kstack(void)
16451 {
16452 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
16453 - sp -= get_random_int() % 8192;
16454 - return sp & ~0xf;
16455 -}
16456 + struct thread_struct *thread = &current->thread;
16457 + unsigned long time;
16458
16459 -unsigned long arch_randomize_brk(struct mm_struct *mm)
16460 -{
16461 - unsigned long range_end = mm->brk + 0x02000000;
16462 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
16463 + if (!randomize_va_space)
16464 + return;
16465 +
16466 + rdtscl(time);
16467 +
16468 + /* P4 seems to return a 0 LSB, ignore it */
16469 +#ifdef CONFIG_MPENTIUM4
16470 + time &= 0x3EUL;
16471 + time <<= 2;
16472 +#elif defined(CONFIG_X86_64)
16473 + time &= 0xFUL;
16474 + time <<= 4;
16475 +#else
16476 + time &= 0x1FUL;
16477 + time <<= 3;
16478 +#endif
16479 +
16480 + thread->sp0 ^= time;
16481 + load_sp0(init_tss + smp_processor_id(), thread);
16482 +
16483 +#ifdef CONFIG_X86_64
16484 + percpu_write(kernel_stack, thread->sp0);
16485 +#endif
16486 }
16487 +#endif
16488
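Review bot: The value XORed into `thread->sp0` in `pax_randomize_kstack()` comes from a few low bits of the timestamp counter, and the three mask/shift pairs are not documented. As written they yield five bits at 8-byte granularity (`0x3E << 2`, `0x1F << 3`) or four bits at 16-byte granularity (`0xF << 4`), and a timestamp is a timing source rather than a random number generator, so the comment should state that this is a small, best-effort offset. Something like `/* XOR 4-5 TSC-derived bits into sp0 (bits 3-7, or 4-7 on x86_64), preserving stack alignment; low entropy */` would do. The removal of `arch_align_stack()` and `arch_randomize_brk()` here is presumably matched by definitions elsewhere in the patch.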
16489 diff -urNp linux-2.6.32.46/arch/x86/kernel/ptrace.c linux-2.6.32.46/arch/x86/kernel/ptrace.c
16490 --- linux-2.6.32.46/arch/x86/kernel/ptrace.c 2011-03-27 14:31:47.000000000 -0400
16491 +++ linux-2.6.32.46/arch/x86/kernel/ptrace.c 2011-04-17 15:56:46.000000000 -0400
16492 @@ -925,7 +925,7 @@ static const struct user_regset_view use
16493 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
16494 {
16495 int ret;
16496 - unsigned long __user *datap = (unsigned long __user *)data;
16497 + unsigned long __user *datap = (__force unsigned long __user *)data;
16498
16499 switch (request) {
16500 /* read the word at location addr in the USER area. */
16501 @@ -1012,14 +1012,14 @@ long arch_ptrace(struct task_struct *chi
16502 if (addr < 0)
16503 return -EIO;
16504 ret = do_get_thread_area(child, addr,
16505 - (struct user_desc __user *) data);
16506 + (__force struct user_desc __user *) data);
16507 break;
16508
16509 case PTRACE_SET_THREAD_AREA:
16510 if (addr < 0)
16511 return -EIO;
16512 ret = do_set_thread_area(child, addr,
16513 - (struct user_desc __user *) data, 0);
16514 + (__force struct user_desc __user *) data, 0);
16515 break;
16516 #endif
16517
16518 @@ -1038,12 +1038,12 @@ long arch_ptrace(struct task_struct *chi
16519 #ifdef CONFIG_X86_PTRACE_BTS
16520 case PTRACE_BTS_CONFIG:
16521 ret = ptrace_bts_config
16522 - (child, data, (struct ptrace_bts_config __user *)addr);
16523 + (child, data, (__force struct ptrace_bts_config __user *)addr);
16524 break;
16525
16526 case PTRACE_BTS_STATUS:
16527 ret = ptrace_bts_status
16528 - (child, data, (struct ptrace_bts_config __user *)addr);
16529 + (child, data, (__force struct ptrace_bts_config __user *)addr);
16530 break;
16531
16532 case PTRACE_BTS_SIZE:
16533 @@ -1052,7 +1052,7 @@ long arch_ptrace(struct task_struct *chi
16534
16535 case PTRACE_BTS_GET:
16536 ret = ptrace_bts_read_record
16537 - (child, data, (struct bts_struct __user *) addr);
16538 + (child, data, (__force struct bts_struct __user *) addr);
16539 break;
16540
16541 case PTRACE_BTS_CLEAR:
16542 @@ -1061,7 +1061,7 @@ long arch_ptrace(struct task_struct *chi
16543
16544 case PTRACE_BTS_DRAIN:
16545 ret = ptrace_bts_drain
16546 - (child, data, (struct bts_struct __user *) addr);
16547 + (child, data, (__force struct bts_struct __user *) addr);
16548 break;
16549 #endif /* CONFIG_X86_PTRACE_BTS */
16550
16551 @@ -1450,7 +1450,7 @@ void send_sigtrap(struct task_struct *ts
16552 info.si_code = si_code;
16553
16554 /* User-mode ip? */
16555 - info.si_addr = user_mode_vm(regs) ? (void __user *) regs->ip : NULL;
16556 + info.si_addr = user_mode(regs) ? (__force void __user *) regs->ip : NULL;
16557
16558 /* Send us the fake SIGTRAP */
16559 force_sig_info(SIGTRAP, &info, tsk);
16560 @@ -1469,7 +1469,7 @@ void send_sigtrap(struct task_struct *ts
16561 * We must return the syscall number to actually look up in the table.
16562 * This can be -1L to skip running any syscall at all.
16563 */
16564 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
16565 +long syscall_trace_enter(struct pt_regs *regs)
16566 {
16567 long ret = 0;
16568
16569 @@ -1514,7 +1514,7 @@ asmregparm long syscall_trace_enter(stru
16570 return ret ?: regs->orig_ax;
16571 }
16572
16573 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
16574 +void syscall_trace_leave(struct pt_regs *regs)
16575 {
16576 if (unlikely(current->audit_context))
16577 audit_syscall_exit(AUDITSC_RESULT(regs->ax), regs->ax);
16578 diff -urNp linux-2.6.32.46/arch/x86/kernel/reboot.c linux-2.6.32.46/arch/x86/kernel/reboot.c
16579 --- linux-2.6.32.46/arch/x86/kernel/reboot.c 2011-08-09 18:35:28.000000000 -0400
16580 +++ linux-2.6.32.46/arch/x86/kernel/reboot.c 2011-08-09 18:33:59.000000000 -0400
16581 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
16582 EXPORT_SYMBOL(pm_power_off);
16583
16584 static const struct desc_ptr no_idt = {};
16585 -static int reboot_mode;
16586 +static unsigned short reboot_mode;
16587 enum reboot_type reboot_type = BOOT_KBD;
16588 int reboot_force;
16589
16590 @@ -292,12 +292,12 @@ core_initcall(reboot_init);
16591 controller to pulse the CPU reset line, which is more thorough, but
16592 doesn't work with at least one type of 486 motherboard. It is easy
16593 to stop this code working; hence the copious comments. */
16594 -static const unsigned long long
16595 -real_mode_gdt_entries [3] =
16596 +static struct desc_struct
16597 +real_mode_gdt_entries [3] __read_only =
16598 {
16599 - 0x0000000000000000ULL, /* Null descriptor */
16600 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
16601 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
16602 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
16603 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
16604 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
16605 };
16606
16607 static const struct desc_ptr
16608 @@ -346,7 +346,7 @@ static const unsigned char jump_to_bios
16609 * specified by the code and length parameters.
16610 * We assume that length will aways be less that 100!
16611 */
16612 -void machine_real_restart(const unsigned char *code, int length)
16613 +__noreturn void machine_real_restart(const unsigned char *code, unsigned int length)
16614 {
16615 local_irq_disable();
16616
16617 @@ -366,8 +366,8 @@ void machine_real_restart(const unsigned
16618 /* Remap the kernel at virtual address zero, as well as offset zero
16619 from the kernel segment. This assumes the kernel segment starts at
16620 virtual address PAGE_OFFSET. */
16621 - memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
16622 - sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
16623 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
16624 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
16625
16626 /*
16627 * Use `swapper_pg_dir' as our page directory.
16628 @@ -379,16 +379,15 @@ void machine_real_restart(const unsigned
16629 boot)". This seems like a fairly standard thing that gets set by
16630 REBOOT.COM programs, and the previous reset routine did this
16631 too. */
16632 - *((unsigned short *)0x472) = reboot_mode;
16633 + *(unsigned short *)(__va(0x472)) = reboot_mode;
16634
16635 /* For the switch to real mode, copy some code to low memory. It has
16636 to be in the first 64k because it is running in 16-bit mode, and it
16637 has to have the same physical and virtual address, because it turns
16638 off paging. Copy it near the end of the first page, out of the way
16639 of BIOS variables. */
16640 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
16641 - real_mode_switch, sizeof (real_mode_switch));
16642 - memcpy((void *)(0x1000 - 100), code, length);
16643 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
16644 + memcpy(__va(0x1000 - 100), code, length);
16645
16646 /* Set up the IDT for real mode. */
16647 load_idt(&real_mode_idt);
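Review bot: `memcpy(__va(0x1000 - 100), code, length);` still trusts the caller for the size: the destination leaves 100 bytes before the end of the page, and the function comment only says length is assumed to be less than 100. Making `length` unsigned removes negative values but not oversized ones, and the function is exported when `CONFIG_APM_MODULE` is set. A check ahead of the copies, e.g. `BUG_ON(length > 100);`, would turn the assumption into an enforced bound. `machine_real_restart()` starts and ends outside this hunk.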
16648 @@ -416,6 +415,7 @@ void machine_real_restart(const unsigned
16649 __asm__ __volatile__ ("ljmp $0x0008,%0"
16650 :
16651 : "i" ((void *)(0x1000 - sizeof (real_mode_switch) - 100)));
16652 + do { } while (1);
16653 }
16654 #ifdef CONFIG_APM_MODULE
16655 EXPORT_SYMBOL(machine_real_restart);
16656 @@ -544,7 +544,7 @@ void __attribute__((weak)) mach_reboot_f
16657 {
16658 }
16659
16660 -static void native_machine_emergency_restart(void)
16661 +__noreturn static void native_machine_emergency_restart(void)
16662 {
16663 int i;
16664
16665 @@ -659,13 +659,13 @@ void native_machine_shutdown(void)
16666 #endif
16667 }
16668
16669 -static void __machine_emergency_restart(int emergency)
16670 +static __noreturn void __machine_emergency_restart(int emergency)
16671 {
16672 reboot_emergency = emergency;
16673 machine_ops.emergency_restart();
16674 }
16675
16676 -static void native_machine_restart(char *__unused)
16677 +static __noreturn void native_machine_restart(char *__unused)
16678 {
16679 printk("machine restart\n");
16680
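Review bot: `__machine_emergency_restart()` is now `__noreturn`, but its last statement is an indirect call through `machine_ops.emergency_restart`, and nothing visible here tells the compiler that the call cannot return. Unless the member's type carries the attribute (not shown in this hunk), the function needs the same tail the patch adds to `native_machine_power_off()`, `do { } while (1);`. The attribute placement is also inconsistent across these hunks (`__noreturn static void` versus `static __noreturn void`); picking one order would read better.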
16681 @@ -674,7 +674,7 @@ static void native_machine_restart(char
16682 __machine_emergency_restart(0);
16683 }
16684
16685 -static void native_machine_halt(void)
16686 +static __noreturn void native_machine_halt(void)
16687 {
16688 /* stop other cpus and apics */
16689 machine_shutdown();
16690 @@ -685,7 +685,7 @@ static void native_machine_halt(void)
16691 stop_this_cpu(NULL);
16692 }
16693
16694 -static void native_machine_power_off(void)
16695 +__noreturn static void native_machine_power_off(void)
16696 {
16697 if (pm_power_off) {
16698 if (!reboot_force)
16699 @@ -694,6 +694,7 @@ static void native_machine_power_off(voi
16700 }
16701 /* a fallback in case there is no PM info available */
16702 tboot_shutdown(TB_SHUTDOWN_HALT);
16703 + do { } while (1);
16704 }
16705
16706 struct machine_ops machine_ops = {
16707 diff -urNp linux-2.6.32.46/arch/x86/kernel/setup.c linux-2.6.32.46/arch/x86/kernel/setup.c
16708 --- linux-2.6.32.46/arch/x86/kernel/setup.c 2011-04-17 17:00:52.000000000 -0400
16709 +++ linux-2.6.32.46/arch/x86/kernel/setup.c 2011-04-17 17:03:05.000000000 -0400
16710 @@ -783,14 +783,14 @@ void __init setup_arch(char **cmdline_p)
16711
16712 if (!boot_params.hdr.root_flags)
16713 root_mountflags &= ~MS_RDONLY;
16714 - init_mm.start_code = (unsigned long) _text;
16715 - init_mm.end_code = (unsigned long) _etext;
16716 + init_mm.start_code = ktla_ktva((unsigned long) _text);
16717 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
16718 init_mm.end_data = (unsigned long) _edata;
16719 init_mm.brk = _brk_end;
16720
16721 - code_resource.start = virt_to_phys(_text);
16722 - code_resource.end = virt_to_phys(_etext)-1;
16723 - data_resource.start = virt_to_phys(_etext);
16724 + code_resource.start = virt_to_phys(ktla_ktva(_text));
16725 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
16726 + data_resource.start = virt_to_phys(_sdata);
16727 data_resource.end = virt_to_phys(_edata)-1;
16728 bss_resource.start = virt_to_phys(&__bss_start);
16729 bss_resource.end = virt_to_phys(&__bss_stop)-1;
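Review bot: The two uses of ktla_ktva() in setup_arch() disagree on the argument type: `init_mm.start_code = ktla_ktva((unsigned long) _text)` casts the symbol first, while `virt_to_phys(ktla_ktva(_text))` passes the symbol uncast and feeds the result straight to virt_to_phys(). ktla_ktva() is not defined in this part of the patch, so whether both forms behave the same in every configuration cannot be checked here; using one form throughout would remove the doubt. The switch of `data_resource.start` from `_etext` to `_sdata` also deserves a short comment, e.g. `/* data no longer starts right after text; use its own start symbol */`, if that is the reason. setup_arch() continues outside the hunk.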
16730 diff -urNp linux-2.6.32.46/arch/x86/kernel/setup_percpu.c linux-2.6.32.46/arch/x86/kernel/setup_percpu.c
16731 --- linux-2.6.32.46/arch/x86/kernel/setup_percpu.c 2011-03-27 14:31:47.000000000 -0400
16732 +++ linux-2.6.32.46/arch/x86/kernel/setup_percpu.c 2011-06-04 20:36:29.000000000 -0400
16733 @@ -25,19 +25,17 @@
16734 # define DBG(x...)
16735 #endif
16736
16737 -DEFINE_PER_CPU(int, cpu_number);
16738 +#ifdef CONFIG_SMP
16739 +DEFINE_PER_CPU(unsigned int, cpu_number);
16740 EXPORT_PER_CPU_SYMBOL(cpu_number);
16741 +#endif
16742
16743 -#ifdef CONFIG_X86_64
16744 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
16745 -#else
16746 -#define BOOT_PERCPU_OFFSET 0
16747 -#endif
16748
16749 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
16750 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
16751
16752 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
16753 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
16754 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
16755 };
16756 EXPORT_SYMBOL(__per_cpu_offset);
16757 @@ -159,10 +157,10 @@ static inline void setup_percpu_segment(
16758 {
16759 #ifdef CONFIG_X86_32
16760 struct desc_struct gdt;
16761 + unsigned long base = per_cpu_offset(cpu);
16762
16763 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
16764 - 0x2 | DESCTYPE_S, 0x8);
16765 - gdt.s = 1;
16766 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
16767 + 0x83 | DESCTYPE_S, 0xC);
16768 write_gdt_entry(get_cpu_gdt_table(cpu),
16769 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
16770 #endif
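Review bot: The new per-cpu segment descriptor in setup_percpu_segment() is built from bare constants, `0x83 | DESCTYPE_S` and `0xC`, plus a limit of `(VMALLOC_END - base - 1) >> PAGE_SHIFT`, with no comment saying which descriptor bits are meant or why the limit stops at VMALLOC_END. Since this replaces the previous flat 0xFFFFF limit, the intent (apparently to bound accesses made through the per-cpu segment) should be written next to the call, e.g. `/* present, writable data, page-granular 32-bit segment limited to VMALLOC_END */`, which is how I read the bits. The expression also assumes `base` is below VMALLOC_END; if that can ever fail the subtraction wraps, so the invariant should be stated or checked.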
16771 @@ -212,6 +210,11 @@ void __init setup_per_cpu_areas(void)
16772 /* alrighty, percpu areas up and running */
16773 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
16774 for_each_possible_cpu(cpu) {
16775 +#ifdef CONFIG_CC_STACKPROTECTOR
16776 +#ifdef CONFIG_X86_32
16777 + unsigned long canary = per_cpu(stack_canary.canary, cpu);
16778 +#endif
16779 +#endif
16780 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
16781 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
16782 per_cpu(cpu_number, cpu) = cpu;
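Review bot: The canary save in setup_per_cpu_areas() is wrapped in two nested `#ifdef` blocks and reads `per_cpu(stack_canary.canary, cpu)` for every possible CPU, although the matching restore in the next hunk (`if (!cpu) per_cpu(stack_canary.canary, cpu) = canary;`) uses it only for CPU 0. A single `#if defined(CONFIG_CC_STACKPROTECTOR) && defined(CONFIG_X86_32)` would match the form the patch uses in traps.c, and a comment such as `/* keep the boot CPU's canary across the switch to its final per-cpu area */` would explain why the value is carried over; that reading is inferred from the two hunks, not stated in them. The loop body continues outside both hunks.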
16783 @@ -239,6 +242,12 @@ void __init setup_per_cpu_areas(void)
16784 early_per_cpu_map(x86_cpu_to_node_map, cpu);
16785 #endif
16786 #endif
16787 +#ifdef CONFIG_CC_STACKPROTECTOR
16788 +#ifdef CONFIG_X86_32
16789 + if (!cpu)
16790 + per_cpu(stack_canary.canary, cpu) = canary;
16791 +#endif
16792 +#endif
16793 /*
16794 * Up to this point, the boot CPU has been using .data.init
16795 * area. Reload any changed state for the boot CPU.
16796 diff -urNp linux-2.6.32.46/arch/x86/kernel/signal.c linux-2.6.32.46/arch/x86/kernel/signal.c
16797 --- linux-2.6.32.46/arch/x86/kernel/signal.c 2011-03-27 14:31:47.000000000 -0400
16798 +++ linux-2.6.32.46/arch/x86/kernel/signal.c 2011-05-22 23:02:03.000000000 -0400
16799 @@ -197,7 +197,7 @@ static unsigned long align_sigframe(unsi
16800 * Align the stack pointer according to the i386 ABI,
16801 * i.e. so that on function entry ((sp + 4) & 15) == 0.
16802 */
16803 - sp = ((sp + 4) & -16ul) - 4;
16804 + sp = ((sp - 12) & -16ul) - 4;
16805 #else /* !CONFIG_X86_32 */
16806 sp = round_down(sp, 16) - 8;
16807 #endif
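Review bot: The comment above the changed line in align_sigframe() still states only the ABI rule `((sp + 4) & 15) == 0`, which both the old and the new expression satisfy, so it no longer explains the code. The new `((sp - 12) & -16ul) - 4` always lands at least 16 bytes below the incoming sp, where the old form could return sp unchanged. The reason for reserving that space should be added to the comment, e.g. `* ... and always leave at least 16 bytes below the incoming sp`, together with the motivation. The function starts outside the hunk.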
16808 @@ -248,11 +248,11 @@ get_sigframe(struct k_sigaction *ka, str
16809 * Return an always-bogus address instead so we will die with SIGSEGV.
16810 */
16811 if (onsigstack && !likely(on_sig_stack(sp)))
16812 - return (void __user *)-1L;
16813 + return (__force void __user *)-1L;
16814
16815 /* save i387 state */
16816 if (used_math() && save_i387_xstate(*fpstate) < 0)
16817 - return (void __user *)-1L;
16818 + return (__force void __user *)-1L;
16819
16820 return (void __user *)sp;
16821 }
16822 @@ -307,9 +307,9 @@ __setup_frame(int sig, struct k_sigactio
16823 }
16824
16825 if (current->mm->context.vdso)
16826 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
16827 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
16828 else
16829 - restorer = &frame->retcode;
16830 + restorer = (void __user *)&frame->retcode;
16831 if (ka->sa.sa_flags & SA_RESTORER)
16832 restorer = ka->sa.sa_restorer;
16833
16834 @@ -323,7 +323,7 @@ __setup_frame(int sig, struct k_sigactio
16835 * reasons and because gdb uses it as a signature to notice
16836 * signal handler stack frames.
16837 */
16838 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
16839 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
16840
16841 if (err)
16842 return -EFAULT;
16843 @@ -377,7 +377,10 @@ static int __setup_rt_frame(int sig, str
16844 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
16845
16846 /* Set up to return from userspace. */
16847 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
16848 + if (current->mm->context.vdso)
16849 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
16850 + else
16851 + restorer = (void __user *)&frame->retcode;
16852 if (ka->sa.sa_flags & SA_RESTORER)
16853 restorer = ka->sa.sa_restorer;
16854 put_user_ex(restorer, &frame->pretcode);
16855 @@ -389,7 +392,7 @@ static int __setup_rt_frame(int sig, str
16856 * reasons and because gdb uses it as a signature to notice
16857 * signal handler stack frames.
16858 */
16859 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
16860 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
16861 } put_user_catch(err);
16862
16863 if (err)
16864 @@ -782,6 +785,8 @@ static void do_signal(struct pt_regs *re
16865 int signr;
16866 sigset_t *oldset;
16867
16868 + pax_track_stack();
16869 +
16870 /*
16871 * We want the common case to go fast, which is why we may in certain
16872 * cases get here from kernel mode. Just return without doing anything
16873 @@ -789,7 +794,7 @@ static void do_signal(struct pt_regs *re
16874 * X86_32: vm86 regs switched out by assembly code before reaching
16875 * here, so testing against kernel CS suffices.
16876 */
16877 - if (!user_mode(regs))
16878 + if (!user_mode_novm(regs))
16879 return;
16880
16881 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
16882 diff -urNp linux-2.6.32.46/arch/x86/kernel/smpboot.c linux-2.6.32.46/arch/x86/kernel/smpboot.c
16883 --- linux-2.6.32.46/arch/x86/kernel/smpboot.c 2011-03-27 14:31:47.000000000 -0400
16884 +++ linux-2.6.32.46/arch/x86/kernel/smpboot.c 2011-07-01 19:10:03.000000000 -0400
16885 @@ -94,14 +94,14 @@ static DEFINE_PER_CPU(struct task_struct
16886 */
16887 static DEFINE_MUTEX(x86_cpu_hotplug_driver_mutex);
16888
16889 -void cpu_hotplug_driver_lock()
16890 +void cpu_hotplug_driver_lock(void)
16891 {
16892 - mutex_lock(&x86_cpu_hotplug_driver_mutex);
16893 + mutex_lock(&x86_cpu_hotplug_driver_mutex);
16894 }
16895
16896 -void cpu_hotplug_driver_unlock()
16897 +void cpu_hotplug_driver_unlock(void)
16898 {
16899 - mutex_unlock(&x86_cpu_hotplug_driver_mutex);
16900 + mutex_unlock(&x86_cpu_hotplug_driver_mutex);
16901 }
16902
16903 ssize_t arch_cpu_probe(const char *buf, size_t count) { return -1; }
16904 @@ -625,7 +625,7 @@ wakeup_secondary_cpu_via_init(int phys_a
16905 * target processor state.
16906 */
16907 startup_ipi_hook(phys_apicid, (unsigned long) start_secondary,
16908 - (unsigned long)stack_start.sp);
16909 + stack_start);
16910
16911 /*
16912 * Run STARTUP IPI loop.
16913 @@ -743,6 +743,7 @@ static int __cpuinit do_boot_cpu(int api
16914 set_idle_for_cpu(cpu, c_idle.idle);
16915 do_rest:
16916 per_cpu(current_task, cpu) = c_idle.idle;
16917 + per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
16918 #ifdef CONFIG_X86_32
16919 /* Stack for startup_32 can be just as for start_secondary onwards */
16920 irq_ctx_init(cpu);
16921 @@ -750,13 +751,15 @@ do_rest:
16922 #else
16923 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
16924 initial_gs = per_cpu_offset(cpu);
16925 - per_cpu(kernel_stack, cpu) =
16926 - (unsigned long)task_stack_page(c_idle.idle) -
16927 - KERNEL_STACK_OFFSET + THREAD_SIZE;
16928 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
16929 #endif
16930 +
16931 + pax_open_kernel();
16932 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
16933 + pax_close_kernel();
16934 +
16935 initial_code = (unsigned long)start_secondary;
16936 - stack_start.sp = (void *) c_idle.idle->thread.sp;
16937 + stack_start = c_idle.idle->thread.sp;
16938
16939 /* start_ip had better be page-aligned! */
16940 start_ip = setup_trampoline();
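Review bot: The new assignment `per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;` in do_boot_cpu() replaces KERNEL_STACK_OFFSET with a literal 16. Any other code that derives the stack top from kernel_stack has to use the same offset, and a bare number hides that coupling; whether KERNEL_STACK_OFFSET is redefined elsewhere in the patch is not visible here. I would keep a named constant, or at least add `/* must match the offset applied wherever kernel_stack is read back */` on this line. do_boot_cpu() starts and ends outside the hunk.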
16941 @@ -891,6 +894,12 @@ int __cpuinit native_cpu_up(unsigned int
16942
16943 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
16944
16945 +#ifdef CONFIG_PAX_PER_CPU_PGD
16946 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
16947 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
16948 + KERNEL_PGD_PTRS);
16949 +#endif
16950 +
16951 err = do_boot_cpu(apicid, cpu);
16952
16953 if (err) {
16954 diff -urNp linux-2.6.32.46/arch/x86/kernel/step.c linux-2.6.32.46/arch/x86/kernel/step.c
16955 --- linux-2.6.32.46/arch/x86/kernel/step.c 2011-03-27 14:31:47.000000000 -0400
16956 +++ linux-2.6.32.46/arch/x86/kernel/step.c 2011-04-17 15:56:46.000000000 -0400
16957 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
16958 struct desc_struct *desc;
16959 unsigned long base;
16960
16961 - seg &= ~7UL;
16962 + seg >>= 3;
16963
16964 mutex_lock(&child->mm->context.lock);
16965 - if (unlikely((seg >> 3) >= child->mm->context.size))
16966 + if (unlikely(seg >= child->mm->context.size))
16967 addr = -1L; /* bogus selector, access would fault */
16968 else {
16969 desc = child->mm->context.ldt + seg;
16970 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
16971 addr += base;
16972 }
16973 mutex_unlock(&child->mm->context.lock);
16974 - }
16975 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
16976 + addr = ktla_ktva(addr);
16977
16978 return addr;
16979 }
16980 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
16981 unsigned char opcode[15];
16982 unsigned long addr = convert_ip_to_linear(child, regs);
16983
16984 + if (addr == -EINVAL)
16985 + return 0;
16986 +
16987 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
16988 for (i = 0; i < copied; i++) {
16989 switch (opcode[i]) {
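Review bot: The new guard in is_setting_trap_flag(), `if (addr == -EINVAL) return 0;`, does not match the only failure value visible in convert_ip_to_linear(), which sets `addr = -1L` for a bogus selector in the hunk above. Unless another part of that function, outside the visible hunks, returns -EINVAL, a bad selector still reaches access_process_vm() with the -1 address. If the intent is to skip the read for an unresolvable ip, the test should be `if (addr == -1L) return 0;`, or the sentinel should get a name shared by both functions. The function body continues outside the hunk.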
16990 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
16991
16992 #ifdef CONFIG_X86_64
16993 case 0x40 ... 0x4f:
16994 - if (regs->cs != __USER_CS)
16995 + if ((regs->cs & 0xffff) != __USER_CS)
16996 /* 32-bit mode: register increment */
16997 return 0;
16998 /* 64-bit mode: REX prefix */
16999 diff -urNp linux-2.6.32.46/arch/x86/kernel/syscall_table_32.S linux-2.6.32.46/arch/x86/kernel/syscall_table_32.S
17000 --- linux-2.6.32.46/arch/x86/kernel/syscall_table_32.S 2011-03-27 14:31:47.000000000 -0400
17001 +++ linux-2.6.32.46/arch/x86/kernel/syscall_table_32.S 2011-04-17 15:56:46.000000000 -0400
17002 @@ -1,3 +1,4 @@
17003 +.section .rodata,"a",@progbits
17004 ENTRY(sys_call_table)
17005 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
17006 .long sys_exit
17007 diff -urNp linux-2.6.32.46/arch/x86/kernel/sys_i386_32.c linux-2.6.32.46/arch/x86/kernel/sys_i386_32.c
17008 --- linux-2.6.32.46/arch/x86/kernel/sys_i386_32.c 2011-03-27 14:31:47.000000000 -0400
17009 +++ linux-2.6.32.46/arch/x86/kernel/sys_i386_32.c 2011-04-17 15:56:46.000000000 -0400
17010 @@ -24,6 +24,21 @@
17011
17012 #include <asm/syscalls.h>
17013
17014 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
17015 +{
17016 + unsigned long pax_task_size = TASK_SIZE;
17017 +
17018 +#ifdef CONFIG_PAX_SEGMEXEC
17019 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
17020 + pax_task_size = SEGMEXEC_TASK_SIZE;
17021 +#endif
17022 +
17023 + if (len > pax_task_size || addr > pax_task_size - len)
17024 + return -EINVAL;
17025 +
17026 + return 0;
17027 +}
17028 +
17029 /*
17030 * Perform the select(nd, in, out, ex, tv) and mmap() system
17031 * calls. Linux/i386 didn't use to be able to handle more than
17032 @@ -58,6 +73,212 @@ out:
17033 return err;
17034 }
17035
17036 +unsigned long
17037 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
17038 + unsigned long len, unsigned long pgoff, unsigned long flags)
17039 +{
17040 + struct mm_struct *mm = current->mm;
17041 + struct vm_area_struct *vma;
17042 + unsigned long start_addr, pax_task_size = TASK_SIZE;
17043 +
17044 +#ifdef CONFIG_PAX_SEGMEXEC
17045 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17046 + pax_task_size = SEGMEXEC_TASK_SIZE;
17047 +#endif
17048 +
17049 + pax_task_size -= PAGE_SIZE;
17050 +
17051 + if (len > pax_task_size)
17052 + return -ENOMEM;
17053 +
17054 + if (flags & MAP_FIXED)
17055 + return addr;
17056 +
17057 +#ifdef CONFIG_PAX_RANDMMAP
17058 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17059 +#endif
17060 +
17061 + if (addr) {
17062 + addr = PAGE_ALIGN(addr);
17063 + if (pax_task_size - len >= addr) {
17064 + vma = find_vma(mm, addr);
17065 + if (check_heap_stack_gap(vma, addr, len))
17066 + return addr;
17067 + }
17068 + }
17069 + if (len > mm->cached_hole_size) {
17070 + start_addr = addr = mm->free_area_cache;
17071 + } else {
17072 + start_addr = addr = mm->mmap_base;
17073 + mm->cached_hole_size = 0;
17074 + }
17075 +
17076 +#ifdef CONFIG_PAX_PAGEEXEC
17077 + if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
17078 + start_addr = 0x00110000UL;
17079 +
17080 +#ifdef CONFIG_PAX_RANDMMAP
17081 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17082 + start_addr += mm->delta_mmap & 0x03FFF000UL;
17083 +#endif
17084 +
17085 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
17086 + start_addr = addr = mm->mmap_base;
17087 + else
17088 + addr = start_addr;
17089 + }
17090 +#endif
17091 +
17092 +full_search:
17093 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
17094 + /* At this point: (!vma || addr < vma->vm_end). */
17095 + if (pax_task_size - len < addr) {
17096 + /*
17097 + * Start a new search - just in case we missed
17098 + * some holes.
17099 + */
17100 + if (start_addr != mm->mmap_base) {
17101 + start_addr = addr = mm->mmap_base;
17102 + mm->cached_hole_size = 0;
17103 + goto full_search;
17104 + }
17105 + return -ENOMEM;
17106 + }
17107 + if (check_heap_stack_gap(vma, addr, len))
17108 + break;
17109 + if (addr + mm->cached_hole_size < vma->vm_start)
17110 + mm->cached_hole_size = vma->vm_start - addr;
17111 + addr = vma->vm_end;
17112 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
17113 + start_addr = addr = mm->mmap_base;
17114 + mm->cached_hole_size = 0;
17115 + goto full_search;
17116 + }
17117 + }
17118 +
17119 + /*
17120 + * Remember the place where we stopped the search:
17121 + */
17122 + mm->free_area_cache = addr + len;
17123 + return addr;
17124 +}
17125 +
17126 +unsigned long
17127 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
17128 + const unsigned long len, const unsigned long pgoff,
17129 + const unsigned long flags)
17130 +{
17131 + struct vm_area_struct *vma;
17132 + struct mm_struct *mm = current->mm;
17133 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
17134 +
17135 +#ifdef CONFIG_PAX_SEGMEXEC
17136 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17137 + pax_task_size = SEGMEXEC_TASK_SIZE;
17138 +#endif
17139 +
17140 + pax_task_size -= PAGE_SIZE;
17141 +
17142 + /* requested length too big for entire address space */
17143 + if (len > pax_task_size)
17144 + return -ENOMEM;
17145 +
17146 + if (flags & MAP_FIXED)
17147 + return addr;
17148 +
17149 +#ifdef CONFIG_PAX_PAGEEXEC
17150 + if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
17151 + goto bottomup;
17152 +#endif
17153 +
17154 +#ifdef CONFIG_PAX_RANDMMAP
17155 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17156 +#endif
17157 +
17158 + /* requesting a specific address */
17159 + if (addr) {
17160 + addr = PAGE_ALIGN(addr);
17161 + if (pax_task_size - len >= addr) {
17162 + vma = find_vma(mm, addr);
17163 + if (check_heap_stack_gap(vma, addr, len))
17164 + return addr;
17165 + }
17166 + }
17167 +
17168 + /* check if free_area_cache is useful for us */
17169 + if (len <= mm->cached_hole_size) {
17170 + mm->cached_hole_size = 0;
17171 + mm->free_area_cache = mm->mmap_base;
17172 + }
17173 +
17174 + /* either no address requested or can't fit in requested address hole */
17175 + addr = mm->free_area_cache;
17176 +
17177 + /* make sure it can fit in the remaining address space */
17178 + if (addr > len) {
17179 + vma = find_vma(mm, addr-len);
17180 + if (check_heap_stack_gap(vma, addr - len, len))
17181 + /* remember the address as a hint for next time */
17182 + return (mm->free_area_cache = addr-len);
17183 + }
17184 +
17185 + if (mm->mmap_base < len)
17186 + goto bottomup;
17187 +
17188 + addr = mm->mmap_base-len;
17189 +
17190 + do {
17191 + /*
17192 + * Lookup failure means no vma is above this address,
17193 + * else if new region fits below vma->vm_start,
17194 + * return with success:
17195 + */
17196 + vma = find_vma(mm, addr);
17197 + if (check_heap_stack_gap(vma, addr, len))
17198 + /* remember the address as a hint for next time */
17199 + return (mm->free_area_cache = addr);
17200 +
17201 + /* remember the largest hole we saw so far */
17202 + if (addr + mm->cached_hole_size < vma->vm_start)
17203 + mm->cached_hole_size = vma->vm_start - addr;
17204 +
17205 + /* try just below the current vma->vm_start */
17206 + addr = skip_heap_stack_gap(vma, len);
17207 + } while (!IS_ERR_VALUE(addr));
17208 +
17209 +bottomup:
17210 + /*
17211 + * A failed mmap() very likely causes application failure,
17212 + * so fall back to the bottom-up function here. This scenario
17213 + * can happen with large stack limits and large mmap()
17214 + * allocations.
17215 + */
17216 +
17217 +#ifdef CONFIG_PAX_SEGMEXEC
17218 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17219 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
17220 + else
17221 +#endif
17222 +
17223 + mm->mmap_base = TASK_UNMAPPED_BASE;
17224 +
17225 +#ifdef CONFIG_PAX_RANDMMAP
17226 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17227 + mm->mmap_base += mm->delta_mmap;
17228 +#endif
17229 +
17230 + mm->free_area_cache = mm->mmap_base;
17231 + mm->cached_hole_size = ~0UL;
17232 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17233 + /*
17234 + * Restore the topdown base:
17235 + */
17236 + mm->mmap_base = base;
17237 + mm->free_area_cache = base;
17238 + mm->cached_hole_size = ~0UL;
17239 +
17240 + return addr;
17241 +}
17242
17243 struct sel_arg_struct {
17244 unsigned long n;
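Review bot: In both new functions the PAX_RANDMMAP test is a brace-less `if` placed between `#ifdef CONFIG_PAX_RANDMMAP` and `#endif`, and it governs the `if (addr) {` block that follows after a blank line (and, in arch_get_unmapped_area_topdown(), after a comment). Anything later inserted between the `#endif` and `if (addr)` silently becomes the conditional body when the option is on. The same construct appears in the sys_x86_64.c hunks at -69,16 and -141,13, and in the dangling `else` before `mm->mmap_base = TASK_UNMAPPED_BASE;` under CONFIG_PAX_SEGMEXEC. A comment on the guard, e.g. `/* with RANDMMAP the caller's address hint is ignored */`, and folding the test into the `if (addr)` condition would make the control flow explicit.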
17245 @@ -93,7 +314,7 @@ asmlinkage int sys_ipc(uint call, int fi
17246 return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL);
17247 case SEMTIMEDOP:
17248 return sys_semtimedop(first, (struct sembuf __user *)ptr, second,
17249 - (const struct timespec __user *)fifth);
17250 + (__force const struct timespec __user *)fifth);
17251
17252 case SEMGET:
17253 return sys_semget(first, second, third);
17254 @@ -140,7 +361,7 @@ asmlinkage int sys_ipc(uint call, int fi
17255 ret = do_shmat(first, (char __user *) ptr, second, &raddr);
17256 if (ret)
17257 return ret;
17258 - return put_user(raddr, (ulong __user *) third);
17259 + return put_user(raddr, (__force ulong __user *) third);
17260 }
17261 case 1: /* iBCS2 emulator entry point */
17262 if (!segment_eq(get_fs(), get_ds()))
17263 @@ -207,17 +428,3 @@ asmlinkage int sys_olduname(struct oldol
17264
17265 return error;
17266 }
17267 -
17268 -
17269 -/*
17270 - * Do a system call from kernel instead of calling sys_execve so we
17271 - * end up with proper pt_regs.
17272 - */
17273 -int kernel_execve(const char *filename, char *const argv[], char *const envp[])
17274 -{
17275 - long __res;
17276 - asm volatile ("push %%ebx ; movl %2,%%ebx ; int $0x80 ; pop %%ebx"
17277 - : "=a" (__res)
17278 - : "0" (__NR_execve), "ri" (filename), "c" (argv), "d" (envp) : "memory");
17279 - return __res;
17280 -}
17281 diff -urNp linux-2.6.32.46/arch/x86/kernel/sys_x86_64.c linux-2.6.32.46/arch/x86/kernel/sys_x86_64.c
17282 --- linux-2.6.32.46/arch/x86/kernel/sys_x86_64.c 2011-03-27 14:31:47.000000000 -0400
17283 +++ linux-2.6.32.46/arch/x86/kernel/sys_x86_64.c 2011-04-17 15:56:46.000000000 -0400
17284 @@ -32,8 +32,8 @@ out:
17285 return error;
17286 }
17287
17288 -static void find_start_end(unsigned long flags, unsigned long *begin,
17289 - unsigned long *end)
17290 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
17291 + unsigned long *begin, unsigned long *end)
17292 {
17293 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
17294 unsigned long new_begin;
17295 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
17296 *begin = new_begin;
17297 }
17298 } else {
17299 - *begin = TASK_UNMAPPED_BASE;
17300 + *begin = mm->mmap_base;
17301 *end = TASK_SIZE;
17302 }
17303 }
17304 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
17305 if (flags & MAP_FIXED)
17306 return addr;
17307
17308 - find_start_end(flags, &begin, &end);
17309 + find_start_end(mm, flags, &begin, &end);
17310
17311 if (len > end)
17312 return -ENOMEM;
17313
17314 +#ifdef CONFIG_PAX_RANDMMAP
17315 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17316 +#endif
17317 +
17318 if (addr) {
17319 addr = PAGE_ALIGN(addr);
17320 vma = find_vma(mm, addr);
17321 - if (end - len >= addr &&
17322 - (!vma || addr + len <= vma->vm_start))
17323 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
17324 return addr;
17325 }
17326 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
17327 @@ -106,7 +109,7 @@ full_search:
17328 }
17329 return -ENOMEM;
17330 }
17331 - if (!vma || addr + len <= vma->vm_start) {
17332 + if (check_heap_stack_gap(vma, addr, len)) {
17333 /*
17334 * Remember the place where we stopped the search:
17335 */
17336 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
17337 {
17338 struct vm_area_struct *vma;
17339 struct mm_struct *mm = current->mm;
17340 - unsigned long addr = addr0;
17341 + unsigned long base = mm->mmap_base, addr = addr0;
17342
17343 /* requested length too big for entire address space */
17344 if (len > TASK_SIZE)
17345 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
17346 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
17347 goto bottomup;
17348
17349 +#ifdef CONFIG_PAX_RANDMMAP
17350 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
17351 +#endif
17352 +
17353 /* requesting a specific address */
17354 if (addr) {
17355 addr = PAGE_ALIGN(addr);
17356 - vma = find_vma(mm, addr);
17357 - if (TASK_SIZE - len >= addr &&
17358 - (!vma || addr + len <= vma->vm_start))
17359 - return addr;
17360 + if (TASK_SIZE - len >= addr) {
17361 + vma = find_vma(mm, addr);
17362 + if (check_heap_stack_gap(vma, addr, len))
17363 + return addr;
17364 + }
17365 }
17366
17367 /* check if free_area_cache is useful for us */
17368 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
17369 /* make sure it can fit in the remaining address space */
17370 if (addr > len) {
17371 vma = find_vma(mm, addr-len);
17372 - if (!vma || addr <= vma->vm_start)
17373 + if (check_heap_stack_gap(vma, addr - len, len))
17374 /* remember the address as a hint for next time */
17375 return mm->free_area_cache = addr-len;
17376 }
17377 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
17378 * return with success:
17379 */
17380 vma = find_vma(mm, addr);
17381 - if (!vma || addr+len <= vma->vm_start)
17382 + if (check_heap_stack_gap(vma, addr, len))
17383 /* remember the address as a hint for next time */
17384 return mm->free_area_cache = addr;
17385
17386 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
17387 mm->cached_hole_size = vma->vm_start - addr;
17388
17389 /* try just below the current vma->vm_start */
17390 - addr = vma->vm_start-len;
17391 - } while (len < vma->vm_start);
17392 + addr = skip_heap_stack_gap(vma, len);
17393 + } while (!IS_ERR_VALUE(addr));
17394
17395 bottomup:
17396 /*
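Review bot: The rewritten loop in arch_get_unmapped_area_topdown() depends on two helper contracts that are not stated at the call sites: the context line `mm->cached_hole_size = vma->vm_start - addr;` and `skip_heap_stack_gap(vma, len)` both use `vma`, which is safe only if check_heap_stack_gap() in the preceding hunk returns true for a NULL vma, and the loop ends only if skip_heap_stack_gap() returns an error value before the address wraps. Neither helper is defined in this part of the patch. The removed code made both conditions explicit (`!vma ||` and `len < vma->vm_start`), so I would add a comment here such as `/* vma is non-NULL: check_heap_stack_gap() accepts a NULL vma */`, after confirming it against the helper. The new sys_i386_32.c copy of this function relies on the same contracts.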
17397 @@ -198,13 +206,21 @@ bottomup:
17398 * can happen with large stack limits and large mmap()
17399 * allocations.
17400 */
17401 + mm->mmap_base = TASK_UNMAPPED_BASE;
17402 +
17403 +#ifdef CONFIG_PAX_RANDMMAP
17404 + if (mm->pax_flags & MF_PAX_RANDMMAP)
17405 + mm->mmap_base += mm->delta_mmap;
17406 +#endif
17407 +
17408 + mm->free_area_cache = mm->mmap_base;
17409 mm->cached_hole_size = ~0UL;
17410 - mm->free_area_cache = TASK_UNMAPPED_BASE;
17411 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
17412 /*
17413 * Restore the topdown base:
17414 */
17415 - mm->free_area_cache = mm->mmap_base;
17416 + mm->mmap_base = base;
17417 + mm->free_area_cache = base;
17418 mm->cached_hole_size = ~0UL;
17419
17420 return addr;
17421 diff -urNp linux-2.6.32.46/arch/x86/kernel/tboot.c linux-2.6.32.46/arch/x86/kernel/tboot.c
17422 --- linux-2.6.32.46/arch/x86/kernel/tboot.c 2011-03-27 14:31:47.000000000 -0400
17423 +++ linux-2.6.32.46/arch/x86/kernel/tboot.c 2011-05-22 23:02:03.000000000 -0400
17424 @@ -216,7 +216,7 @@ static int tboot_setup_sleep(void)
17425
17426 void tboot_shutdown(u32 shutdown_type)
17427 {
17428 - void (*shutdown)(void);
17429 + void (* __noreturn shutdown)(void);
17430
17431 if (!tboot_enabled())
17432 return;
17433 @@ -238,7 +238,7 @@ void tboot_shutdown(u32 shutdown_type)
17434
17435 switch_to_tboot_pt();
17436
17437 - shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
17438 + shutdown = (void *)tboot->shutdown_entry;
17439 shutdown();
17440
17441 /* should not reach here */
17442 @@ -295,7 +295,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
17443 tboot_shutdown(acpi_shutdown_map[sleep_state]);
17444 }
17445
17446 -static atomic_t ap_wfs_count;
17447 +static atomic_unchecked_t ap_wfs_count;
17448
17449 static int tboot_wait_for_aps(int num_aps)
17450 {
17451 @@ -319,9 +319,9 @@ static int __cpuinit tboot_cpu_callback(
17452 {
17453 switch (action) {
17454 case CPU_DYING:
17455 - atomic_inc(&ap_wfs_count);
17456 + atomic_inc_unchecked(&ap_wfs_count);
17457 if (num_online_cpus() == 1)
17458 - if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
17459 + if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
17460 return NOTIFY_BAD;
17461 break;
17462 }
17463 @@ -340,7 +340,7 @@ static __init int tboot_late_init(void)
17464
17465 tboot_create_trampoline();
17466
17467 - atomic_set(&ap_wfs_count, 0);
17468 + atomic_set_unchecked(&ap_wfs_count, 0);
17469 register_hotcpu_notifier(&tboot_cpu_notifier);
17470 return 0;
17471 }
17472 diff -urNp linux-2.6.32.46/arch/x86/kernel/time.c linux-2.6.32.46/arch/x86/kernel/time.c
17473 --- linux-2.6.32.46/arch/x86/kernel/time.c 2011-03-27 14:31:47.000000000 -0400
17474 +++ linux-2.6.32.46/arch/x86/kernel/time.c 2011-04-17 15:56:46.000000000 -0400
17475 @@ -26,17 +26,13 @@
17476 int timer_ack;
17477 #endif
17478
17479 -#ifdef CONFIG_X86_64
17480 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
17481 -#endif
17482 -
17483 unsigned long profile_pc(struct pt_regs *regs)
17484 {
17485 unsigned long pc = instruction_pointer(regs);
17486
17487 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
17488 + if (!user_mode(regs) && in_lock_functions(pc)) {
17489 #ifdef CONFIG_FRAME_POINTER
17490 - return *(unsigned long *)(regs->bp + sizeof(long));
17491 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
17492 #else
17493 unsigned long *sp =
17494 (unsigned long *)kernel_stack_pointer(regs);
17495 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
17496 * or above a saved flags. Eflags has bits 22-31 zero,
17497 * kernel addresses don't.
17498 */
17499 +
17500 +#ifdef CONFIG_PAX_KERNEXEC
17501 + return ktla_ktva(sp[0]);
17502 +#else
17503 if (sp[0] >> 22)
17504 return sp[0];
17505 if (sp[1] >> 22)
17506 return sp[1];
17507 #endif
17508 +
17509 +#endif
17510 }
17511 return pc;
17512 }
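Review bot: Under CONFIG_PAX_KERNEXEC the new branch in profile_pc() returns `ktla_ktva(sp[0])` unconditionally, while the retained comment just above says the return address may sit above a saved flags word. In that case sp[0] is the flags value, and it would now be translated and reported as the profiled pc. If the `>> 22` test cannot be used with KERNEXEC addresses, the comment should say so, e.g. `/* KERNEXEC: text addresses may have bits 22-31 clear, so the flags heuristic below is not usable */`; that rationale is my guess and needs confirming. The two stacked `#endif` lines would also read better with `/* CONFIG_PAX_KERNEXEC */` and `/* CONFIG_FRAME_POINTER */` markers.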
17513 diff -urNp linux-2.6.32.46/arch/x86/kernel/tls.c linux-2.6.32.46/arch/x86/kernel/tls.c
17514 --- linux-2.6.32.46/arch/x86/kernel/tls.c 2011-03-27 14:31:47.000000000 -0400
17515 +++ linux-2.6.32.46/arch/x86/kernel/tls.c 2011-04-17 15:56:46.000000000 -0400
17516 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
17517 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
17518 return -EINVAL;
17519
17520 +#ifdef CONFIG_PAX_SEGMEXEC
17521 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
17522 + return -EINVAL;
17523 +#endif
17524 +
17525 set_tls_desc(p, idx, &info, 1);
17526
17527 return 0;
17528 diff -urNp linux-2.6.32.46/arch/x86/kernel/trampoline_32.S linux-2.6.32.46/arch/x86/kernel/trampoline_32.S
17529 --- linux-2.6.32.46/arch/x86/kernel/trampoline_32.S 2011-03-27 14:31:47.000000000 -0400
17530 +++ linux-2.6.32.46/arch/x86/kernel/trampoline_32.S 2011-04-17 15:56:46.000000000 -0400
17531 @@ -32,6 +32,12 @@
17532 #include <asm/segment.h>
17533 #include <asm/page_types.h>
17534
17535 +#ifdef CONFIG_PAX_KERNEXEC
17536 +#define ta(X) (X)
17537 +#else
17538 +#define ta(X) ((X) - __PAGE_OFFSET)
17539 +#endif
17540 +
17541 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
17542 __CPUINITRODATA
17543 .code16
17544 @@ -60,7 +66,7 @@ r_base = .
17545 inc %ax # protected mode (PE) bit
17546 lmsw %ax # into protected mode
17547 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
17548 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
17549 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
17550
17551 # These need to be in the same 64K segment as the above;
17552 # hence we don't use the boot_gdt_descr defined in head.S
17553 diff -urNp linux-2.6.32.46/arch/x86/kernel/trampoline_64.S linux-2.6.32.46/arch/x86/kernel/trampoline_64.S
17554 --- linux-2.6.32.46/arch/x86/kernel/trampoline_64.S 2011-03-27 14:31:47.000000000 -0400
17555 +++ linux-2.6.32.46/arch/x86/kernel/trampoline_64.S 2011-07-01 18:53:26.000000000 -0400
17556 @@ -91,7 +91,7 @@ startup_32:
17557 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
17558 movl %eax, %ds
17559
17560 - movl $X86_CR4_PAE, %eax
17561 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
17562 movl %eax, %cr4 # Enable PAE mode
17563
17564 # Setup trampoline 4 level pagetables
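Review bot: The trailing comment on the following line, `movl %eax, %cr4 # Enable PAE mode`, is stale after this change, because the value loaded now also sets X86_CR4_PSE and X86_CR4_PGE. It should read something like `# Enable PSE, PAE and PGE`, ideally with a word on why the trampoline needs the extra bits this early. startup_32 continues outside the hunk.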
17565 @@ -127,7 +127,7 @@ startup_64:
17566 no_longmode:
17567 hlt
17568 jmp no_longmode
17569 -#include "verify_cpu_64.S"
17570 +#include "verify_cpu.S"
17571
17572 # Careful these need to be in the same 64K segment as the above;
17573 tidt:
17574 @@ -138,7 +138,7 @@ tidt:
17575 # so the kernel can live anywhere
17576 .balign 4
17577 tgdt:
17578 - .short tgdt_end - tgdt # gdt limit
17579 + .short tgdt_end - tgdt - 1 # gdt limit
17580 .long tgdt - r_base
17581 .short 0
17582 .quad 0x00cf9b000000ffff # __KERNEL32_CS
17583 diff -urNp linux-2.6.32.46/arch/x86/kernel/traps.c linux-2.6.32.46/arch/x86/kernel/traps.c
17584 --- linux-2.6.32.46/arch/x86/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
17585 +++ linux-2.6.32.46/arch/x86/kernel/traps.c 2011-07-06 19:53:33.000000000 -0400
17586 @@ -69,12 +69,6 @@ asmlinkage int system_call(void);
17587
17588 /* Do we ignore FPU interrupts ? */
17589 char ignore_fpu_irq;
17590 -
17591 -/*
17592 - * The IDT has to be page-aligned to simplify the Pentium
17593 - * F0 0F bug workaround.
17594 - */
17595 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
17596 #endif
17597
17598 DECLARE_BITMAP(used_vectors, NR_VECTORS);
17599 @@ -112,19 +106,19 @@ static inline void preempt_conditional_c
17600 static inline void
17601 die_if_kernel(const char *str, struct pt_regs *regs, long err)
17602 {
17603 - if (!user_mode_vm(regs))
17604 + if (!user_mode(regs))
17605 die(str, regs, err);
17606 }
17607 #endif
17608
17609 static void __kprobes
17610 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
17611 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
17612 long error_code, siginfo_t *info)
17613 {
17614 struct task_struct *tsk = current;
17615
17616 #ifdef CONFIG_X86_32
17617 - if (regs->flags & X86_VM_MASK) {
17618 + if (v8086_mode(regs)) {
17619 /*
17620 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
17621 * On nmi (interrupt 2), do_trap should not be called.
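Review bot: The predicate names used in die_if_kernel and do_trap no longer read the way they do upstream, and nothing at these call sites says so: `user_mode_vm(regs)` becomes `user_mode(regs)` here, while the plain `user_mode(regs)` tests in do_trap, do_general_protection and do_debug become `user_mode_novm(regs)`. That pattern suggests the patch redefines `user_mode()` to account for vm86 frames, but the definitions are outside this hunk, so this is an inference to confirm against the header. A short comment above die_if_kernel, such as `/* user_mode() also handles vm86 frames in this tree; user_mode_novm() is the CS-only test */`, would stop a reader who knows mainline from misjudging which frames reach die(). do_trap's body continues outside the hunk.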
17622 @@ -135,7 +129,7 @@ do_trap(int trapnr, int signr, char *str
17623 }
17624 #endif
17625
17626 - if (!user_mode(regs))
17627 + if (!user_mode_novm(regs))
17628 goto kernel_trap;
17629
17630 #ifdef CONFIG_X86_32
17631 @@ -158,7 +152,7 @@ trap_signal:
17632 printk_ratelimit()) {
17633 printk(KERN_INFO
17634 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
17635 - tsk->comm, tsk->pid, str,
17636 + tsk->comm, task_pid_nr(tsk), str,
17637 regs->ip, regs->sp, error_code);
17638 print_vma_addr(" in ", regs->ip);
17639 printk("\n");
17640 @@ -175,8 +169,20 @@ kernel_trap:
17641 if (!fixup_exception(regs)) {
17642 tsk->thread.error_code = error_code;
17643 tsk->thread.trap_no = trapnr;
17644 +
17645 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17646 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
17647 + str = "PAX: suspicious stack segment fault";
17648 +#endif
17649 +
17650 die(str, regs, error_code);
17651 }
17652 +
17653 +#ifdef CONFIG_PAX_REFCOUNT
17654 + if (trapnr == 4)
17655 + pax_report_refcount_overflow(regs);
17656 +#endif
17657 +
17658 return;
17659
17660 #ifdef CONFIG_X86_32
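Review bot: The checks added under kernel_trap compare `trapnr` against the bare literals 12 and 4, and the test `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` is written out again in the gp_in_kernel and do_nmi hunks below. A comment on each literal (`/* 12: stack segment fault */`, `/* 4: overflow trap, presumably raised by the refcount checks */`) and one static inline helper for the CS test would keep the three sites from drifting apart. pax_report_refcount_overflow() also sits after the `if (!fixup_exception(regs))` block, so it appears to run only when a fixup entry matched; a comment saying that is intended would help. The enclosing function starts outside the hunk.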
17661 @@ -265,14 +271,30 @@ do_general_protection(struct pt_regs *re
17662 conditional_sti(regs);
17663
17664 #ifdef CONFIG_X86_32
17665 - if (regs->flags & X86_VM_MASK)
17666 + if (v8086_mode(regs))
17667 goto gp_in_vm86;
17668 #endif
17669
17670 tsk = current;
17671 - if (!user_mode(regs))
17672 + if (!user_mode_novm(regs))
17673 goto gp_in_kernel;
17674
17675 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17676 + if (!nx_enabled && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
17677 + struct mm_struct *mm = tsk->mm;
17678 + unsigned long limit;
17679 +
17680 + down_write(&mm->mmap_sem);
17681 + limit = mm->context.user_cs_limit;
17682 + if (limit < TASK_SIZE) {
17683 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
17684 + up_write(&mm->mmap_sem);
17685 + return;
17686 + }
17687 + up_write(&mm->mmap_sem);
17688 + }
17689 +#endif
17690 +
17691 tsk->thread.error_code = error_code;
17692 tsk->thread.trap_no = 13;
17693
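Review bot: The PAGEEXEC block added to do_general_protection returns without delivering a signal when `limit < TASK_SIZE`, and no comment explains why that is safe. As written, a user-mode general protection fault in a task with MF_PAX_PAGEEXEC and no NX takes `mmap_sem` for writing, calls track_exec_limit() up to TASK_SIZE and returns so the instruction is retried. Presumably this is because the fault may have come from the code segment limit itself, but track_exec_limit() is not visible here. A comment stating that assumption would help, along with the fact that a genuine fault recurs once the limit has reached TASK_SIZE and then falls through to the signal path, so a reviewer can check the retry cannot loop. The function continues outside the hunk.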
17694 @@ -305,6 +327,13 @@ gp_in_kernel:
17695 if (notify_die(DIE_GPF, "general protection fault", regs,
17696 error_code, 13, SIGSEGV) == NOTIFY_STOP)
17697 return;
17698 +
17699 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17700 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
17701 + die("PAX: suspicious general protection fault", regs, error_code);
17702 + else
17703 +#endif
17704 +
17705 die("general protection fault", regs, error_code);
17706 }
17707
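Review bot: The `else` added in gp_in_kernel is left dangling across `#endif` and binds to the unconditional `die("general protection fault", regs, error_code);` two lines later, which a later edit between them could easily break. Selecting the message first keeps a single die() call: declare `const char *msg = "general protection fault";`, set `msg = "PAX: suspicious general protection fault";` inside the `#if` when the CS test matches, then call `die(msg, regs, error_code);`. The kernel_trap hunk earlier in this file already uses that shape by reassigning `str`.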
17708 @@ -435,6 +464,17 @@ static notrace __kprobes void default_do
17709 dotraplinkage notrace __kprobes void
17710 do_nmi(struct pt_regs *regs, long error_code)
17711 {
17712 +
17713 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17714 + if (!user_mode(regs)) {
17715 + unsigned long cs = regs->cs & 0xFFFF;
17716 + unsigned long ip = ktva_ktla(regs->ip);
17717 +
17718 + if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
17719 + regs->ip = ip;
17720 + }
17721 +#endif
17722 +
17723 nmi_enter();
17724
17725 inc_irq_stat(__nmi_count);
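Review bot: The block added at the top of do_nmi rewrites `regs->ip` before nmi_enter() with no comment saying why, and its range test is only `ip <= (unsigned long)_etext`, with no lower bound. ktva_ktla() is defined outside this hunk, so it is not visible here whether a translated value below the start of kernel text can occur; if it can, a matching `ip >= (unsigned long)_text` term would be needed. At minimum, add a comment stating what address form `regs->ip` has on entry for the two kernel code segments and what form the rest of the NMI path expects. do_nmi's body continues outside the hunk.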
17726 @@ -558,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
17727 }
17728
17729 #ifdef CONFIG_X86_32
17730 - if (regs->flags & X86_VM_MASK)
17731 + if (v8086_mode(regs))
17732 goto debug_vm86;
17733 #endif
17734
17735 @@ -570,7 +610,7 @@ dotraplinkage void __kprobes do_debug(st
17736 * kernel space (but re-enable TF when returning to user mode).
17737 */
17738 if (condition & DR_STEP) {
17739 - if (!user_mode(regs))
17740 + if (!user_mode_novm(regs))
17741 goto clear_TF_reenable;
17742 }
17743
17744 @@ -757,7 +797,7 @@ do_simd_coprocessor_error(struct pt_regs
17745 * Handle strange cache flush from user space exception
17746 * in all other cases. This is undocumented behaviour.
17747 */
17748 - if (regs->flags & X86_VM_MASK) {
17749 + if (v8086_mode(regs)) {
17750 handle_vm86_fault((struct kernel_vm86_regs *)regs, error_code);
17751 return;
17752 }
17753 @@ -798,7 +838,7 @@ asmlinkage void __attribute__((weak)) sm
17754 void __math_state_restore(void)
17755 {
17756 struct thread_info *thread = current_thread_info();
17757 - struct task_struct *tsk = thread->task;
17758 + struct task_struct *tsk = current;
17759
17760 /*
17761 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
17762 @@ -825,8 +865,7 @@ void __math_state_restore(void)
17763 */
17764 asmlinkage void math_state_restore(void)
17765 {
17766 - struct thread_info *thread = current_thread_info();
17767 - struct task_struct *tsk = thread->task;
17768 + struct task_struct *tsk = current;
17769
17770 if (!tsk_used_math(tsk)) {
17771 local_irq_enable();
17772 diff -urNp linux-2.6.32.46/arch/x86/kernel/verify_cpu_64.S linux-2.6.32.46/arch/x86/kernel/verify_cpu_64.S
17773 --- linux-2.6.32.46/arch/x86/kernel/verify_cpu_64.S 2011-03-27 14:31:47.000000000 -0400
17774 +++ linux-2.6.32.46/arch/x86/kernel/verify_cpu_64.S 1969-12-31 19:00:00.000000000 -0500
17775 @@ -1,105 +0,0 @@
17776 -/*
17777 - *
17778 - * verify_cpu.S - Code for cpu long mode and SSE verification. This
17779 - * code has been borrowed from boot/setup.S and was introduced by
17780 - * Andi Kleen.
17781 - *
17782 - * Copyright (c) 2007 Andi Kleen (ak@suse.de)
17783 - * Copyright (c) 2007 Eric Biederman (ebiederm@xmission.com)
17784 - * Copyright (c) 2007 Vivek Goyal (vgoyal@in.ibm.com)
17785 - *
17786 - * This source code is licensed under the GNU General Public License,
17787 - * Version 2. See the file COPYING for more details.
17788 - *
17789 - * This is a common code for verification whether CPU supports
17790 - * long mode and SSE or not. It is not called directly instead this
17791 - * file is included at various places and compiled in that context.
17792 - * Following are the current usage.
17793 - *
17794 - * This file is included by both 16bit and 32bit code.
17795 - *
17796 - * arch/x86_64/boot/setup.S : Boot cpu verification (16bit)
17797 - * arch/x86_64/boot/compressed/head.S: Boot cpu verification (32bit)
17798 - * arch/x86_64/kernel/trampoline.S: secondary processor verfication (16bit)
17799 - * arch/x86_64/kernel/acpi/wakeup.S:Verfication at resume (16bit)
17800 - *
17801 - * verify_cpu, returns the status of cpu check in register %eax.
17802 - * 0: Success 1: Failure
17803 - *
17804 - * The caller needs to check for the error code and take the action
17805 - * appropriately. Either display a message or halt.
17806 - */
17807 -
17808 -#include <asm/cpufeature.h>
17809 -
17810 -verify_cpu:
17811 - pushfl # Save caller passed flags
17812 - pushl $0 # Kill any dangerous flags
17813 - popfl
17814 -
17815 - pushfl # standard way to check for cpuid
17816 - popl %eax
17817 - movl %eax,%ebx
17818 - xorl $0x200000,%eax
17819 - pushl %eax
17820 - popfl
17821 - pushfl
17822 - popl %eax
17823 - cmpl %eax,%ebx
17824 - jz verify_cpu_no_longmode # cpu has no cpuid
17825 -
17826 - movl $0x0,%eax # See if cpuid 1 is implemented
17827 - cpuid
17828 - cmpl $0x1,%eax
17829 - jb verify_cpu_no_longmode # no cpuid 1
17830 -
17831 - xor %di,%di
17832 - cmpl $0x68747541,%ebx # AuthenticAMD
17833 - jnz verify_cpu_noamd
17834 - cmpl $0x69746e65,%edx
17835 - jnz verify_cpu_noamd
17836 - cmpl $0x444d4163,%ecx
17837 - jnz verify_cpu_noamd
17838 - mov $1,%di # cpu is from AMD
17839 -
17840 -verify_cpu_noamd:
17841 - movl $0x1,%eax # Does the cpu have what it takes
17842 - cpuid
17843 - andl $REQUIRED_MASK0,%edx
17844 - xorl $REQUIRED_MASK0,%edx
17845 - jnz verify_cpu_no_longmode
17846 -
17847 - movl $0x80000000,%eax # See if extended cpuid is implemented
17848 - cpuid
17849 - cmpl $0x80000001,%eax
17850 - jb verify_cpu_no_longmode # no extended cpuid
17851 -
17852 - movl $0x80000001,%eax # Does the cpu have what it takes
17853 - cpuid
17854 - andl $REQUIRED_MASK1,%edx
17855 - xorl $REQUIRED_MASK1,%edx
17856 - jnz verify_cpu_no_longmode
17857 -
17858 -verify_cpu_sse_test:
17859 - movl $1,%eax
17860 - cpuid
17861 - andl $SSE_MASK,%edx
17862 - cmpl $SSE_MASK,%edx
17863 - je verify_cpu_sse_ok
17864 - test %di,%di
17865 - jz verify_cpu_no_longmode # only try to force SSE on AMD
17866 - movl $0xc0010015,%ecx # HWCR
17867 - rdmsr
17868 - btr $15,%eax # enable SSE
17869 - wrmsr
17870 - xor %di,%di # don't loop
17871 - jmp verify_cpu_sse_test # try again
17872 -
17873 -verify_cpu_no_longmode:
17874 - popfl # Restore caller passed flags
17875 - movl $1,%eax
17876 - ret
17877 -verify_cpu_sse_ok:
17878 - popfl # Restore caller passed flags
17879 - xorl %eax, %eax
17880 - ret
17881 diff -urNp linux-2.6.32.46/arch/x86/kernel/verify_cpu.S linux-2.6.32.46/arch/x86/kernel/verify_cpu.S
17882 --- linux-2.6.32.46/arch/x86/kernel/verify_cpu.S 1969-12-31 19:00:00.000000000 -0500
17883 +++ linux-2.6.32.46/arch/x86/kernel/verify_cpu.S 2011-07-01 18:28:42.000000000 -0400
17884 @@ -0,0 +1,140 @@
17885 +/*
17886 + *
17887 + * verify_cpu.S - Code for cpu long mode and SSE verification. This
17888 + * code has been borrowed from boot/setup.S and was introduced by
17889 + * Andi Kleen.
17890 + *
17891 + * Copyright (c) 2007 Andi Kleen (ak@suse.de)
17892 + * Copyright (c) 2007 Eric Biederman (ebiederm@xmission.com)
17893 + * Copyright (c) 2007 Vivek Goyal (vgoyal@in.ibm.com)
17894 + * Copyright (c) 2010 Kees Cook (kees.cook@canonical.com)
17895 + *
17896 + * This source code is licensed under the GNU General Public License,
17897 + * Version 2. See the file COPYING for more details.
17898 + *
17899 + * This is a common code for verification whether CPU supports
17900 + * long mode and SSE or not. It is not called directly instead this
17901 + * file is included at various places and compiled in that context.
17902 + * This file is expected to run in 32bit code. Currently:
17903 + *
17904 + * arch/x86/boot/compressed/head_64.S: Boot cpu verification
17905 + * arch/x86/kernel/trampoline_64.S: secondary processor verification
17906 + * arch/x86/kernel/head_32.S: processor startup
17907 + * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
17908 + *
17909 + * verify_cpu, returns the status of longmode and SSE in register %eax.
17910 + * 0: Success 1: Failure
17911 + *
17912 + * On Intel, the XD_DISABLE flag will be cleared as a side-effect.
17913 + *
17914 + * The caller needs to check for the error code and take the action
17915 + * appropriately. Either display a message or halt.
17916 + */
17917 +
17918 +#include <asm/cpufeature.h>
17919 +#include <asm/msr-index.h>
17920 +
17921 +verify_cpu:
17922 + pushfl # Save caller passed flags
17923 + pushl $0 # Kill any dangerous flags
17924 + popfl
17925 +
17926 + pushfl # standard way to check for cpuid
17927 + popl %eax
17928 + movl %eax,%ebx
17929 + xorl $0x200000,%eax
17930 + pushl %eax
17931 + popfl
17932 + pushfl
17933 + popl %eax
17934 + cmpl %eax,%ebx
17935 + jz verify_cpu_no_longmode # cpu has no cpuid
17936 +
17937 + movl $0x0,%eax # See if cpuid 1 is implemented
17938 + cpuid
17939 + cmpl $0x1,%eax
17940 + jb verify_cpu_no_longmode # no cpuid 1
17941 +
17942 + xor %di,%di
17943 + cmpl $0x68747541,%ebx # AuthenticAMD
17944 + jnz verify_cpu_noamd
17945 + cmpl $0x69746e65,%edx
17946 + jnz verify_cpu_noamd
17947 + cmpl $0x444d4163,%ecx
17948 + jnz verify_cpu_noamd
17949 + mov $1,%di # cpu is from AMD
17950 + jmp verify_cpu_check
17951 +
17952 +verify_cpu_noamd:
17953 + cmpl $0x756e6547,%ebx # GenuineIntel?
17954 + jnz verify_cpu_check
17955 + cmpl $0x49656e69,%edx
17956 + jnz verify_cpu_check
17957 + cmpl $0x6c65746e,%ecx
17958 + jnz verify_cpu_check
17959 +
17960 + # only call IA32_MISC_ENABLE when:
17961 + # family > 6 || (family == 6 && model >= 0xd)
17962 + movl $0x1, %eax # check CPU family and model
17963 + cpuid
17964 + movl %eax, %ecx
17965 +
17966 + andl $0x0ff00f00, %eax # mask family and extended family
17967 + shrl $8, %eax
17968 + cmpl $6, %eax
17969 + ja verify_cpu_clear_xd # family > 6, ok
17970 + jb verify_cpu_check # family < 6, skip
17971 +
17972 + andl $0x000f00f0, %ecx # mask model and extended model
17973 + shrl $4, %ecx
17974 + cmpl $0xd, %ecx
17975 + jb verify_cpu_check # family == 6, model < 0xd, skip
17976 +
17977 +verify_cpu_clear_xd:
17978 + movl $MSR_IA32_MISC_ENABLE, %ecx
17979 + rdmsr
17980 + btrl $2, %edx # clear MSR_IA32_MISC_ENABLE_XD_DISABLE
17981 + jnc verify_cpu_check # only write MSR if bit was changed
17982 + wrmsr
17983 +
17984 +verify_cpu_check:
17985 + movl $0x1,%eax # Does the cpu have what it takes
17986 + cpuid
17987 + andl $REQUIRED_MASK0,%edx
17988 + xorl $REQUIRED_MASK0,%edx
17989 + jnz verify_cpu_no_longmode
17990 +
17991 + movl $0x80000000,%eax # See if extended cpuid is implemented
17992 + cpuid
17993 + cmpl $0x80000001,%eax
17994 + jb verify_cpu_no_longmode # no extended cpuid
17995 +
17996 + movl $0x80000001,%eax # Does the cpu have what it takes
17997 + cpuid
17998 + andl $REQUIRED_MASK1,%edx
17999 + xorl $REQUIRED_MASK1,%edx
18000 + jnz verify_cpu_no_longmode
18001 +
18002 +verify_cpu_sse_test:
18003 + movl $1,%eax
18004 + cpuid
18005 + andl $SSE_MASK,%edx
18006 + cmpl $SSE_MASK,%edx
18007 + je verify_cpu_sse_ok
18008 + test %di,%di
18009 + jz verify_cpu_no_longmode # only try to force SSE on AMD
18010 + movl $MSR_K7_HWCR,%ecx
18011 + rdmsr
18012 + btr $15,%eax # enable SSE
18013 + wrmsr
18014 + xor %di,%di # don't loop
18015 + jmp verify_cpu_sse_test # try again
18016 +
18017 +verify_cpu_no_longmode:
18018 + popfl # Restore caller passed flags
18019 + movl $1,%eax
18020 + ret
18021 +verify_cpu_sse_ok:
18022 + popfl # Restore caller passed flags
18023 + xorl %eax, %eax
18024 + ret
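Review bot: The header comment of verify_cpu documents only the %eax result, but the routine also overwrites %ebx, %ecx, %edx and %di, and on the vendor paths it can write MSRs (`MSR_IA32_MISC_ENABLE` on Intel, `MSR_K7_HWCR` on AMD) that stay changed after it returns. Because the file is textually included into several boot and resume paths, add a `Clobbers:` line to the header and mention the AMD HWCR write next to the existing XD_DISABLE sentence, so callers do not have to read the body to learn this. The bit numbers in `btrl $2, %edx` and `btr $15,%eax` would also benefit from a note tying them to the 64-bit MSR layout (bit 2 of %edx is bit 34 of the MSR).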
18025 diff -urNp linux-2.6.32.46/arch/x86/kernel/vm86_32.c linux-2.6.32.46/arch/x86/kernel/vm86_32.c
18026 --- linux-2.6.32.46/arch/x86/kernel/vm86_32.c 2011-03-27 14:31:47.000000000 -0400
18027 +++ linux-2.6.32.46/arch/x86/kernel/vm86_32.c 2011-04-17 15:56:46.000000000 -0400
18028 @@ -41,6 +41,7 @@
18029 #include <linux/ptrace.h>
18030 #include <linux/audit.h>
18031 #include <linux/stddef.h>
18032 +#include <linux/grsecurity.h>
18033
18034 #include <asm/uaccess.h>
18035 #include <asm/io.h>
18036 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
18037 do_exit(SIGSEGV);
18038 }
18039
18040 - tss = &per_cpu(init_tss, get_cpu());
18041 + tss = init_tss + get_cpu();
18042 current->thread.sp0 = current->thread.saved_sp0;
18043 current->thread.sysenter_cs = __KERNEL_CS;
18044 load_sp0(tss, &current->thread);
18045 @@ -208,6 +209,13 @@ int sys_vm86old(struct pt_regs *regs)
18046 struct task_struct *tsk;
18047 int tmp, ret = -EPERM;
18048
18049 +#ifdef CONFIG_GRKERNSEC_VM86
18050 + if (!capable(CAP_SYS_RAWIO)) {
18051 + gr_handle_vm86();
18052 + goto out;
18053 + }
18054 +#endif
18055 +
18056 tsk = current;
18057 if (tsk->thread.saved_sp0)
18058 goto out;
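Review bot: The CONFIG_GRKERNSEC_VM86 guard added to sys_vm86old relies on `ret` having been initialised to -EPERM in its declaration, whereas the identical guard added to sys_vm86 in the next hunk sets `ret = -EPERM;` explicitly. Setting it explicitly here too, just before `goto out;`, keeps the denial path correct if the initialiser ever changes and makes the two entry points read the same. Both guards call gr_handle_vm86() only when `capable(CAP_SYS_RAWIO)` fails; a one-line comment saying what that hook does would help, since its definition is outside this hunk. The function body continues outside the hunk.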
18059 @@ -238,6 +246,14 @@ int sys_vm86(struct pt_regs *regs)
18060 int tmp, ret;
18061 struct vm86plus_struct __user *v86;
18062
18063 +#ifdef CONFIG_GRKERNSEC_VM86
18064 + if (!capable(CAP_SYS_RAWIO)) {
18065 + gr_handle_vm86();
18066 + ret = -EPERM;
18067 + goto out;
18068 + }
18069 +#endif
18070 +
18071 tsk = current;
18072 switch (regs->bx) {
18073 case VM86_REQUEST_IRQ:
18074 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
18075 tsk->thread.saved_fs = info->regs32->fs;
18076 tsk->thread.saved_gs = get_user_gs(info->regs32);
18077
18078 - tss = &per_cpu(init_tss, get_cpu());
18079 + tss = init_tss + get_cpu();
18080 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
18081 if (cpu_has_sep)
18082 tsk->thread.sysenter_cs = 0;
18083 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
18084 goto cannot_handle;
18085 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
18086 goto cannot_handle;
18087 - intr_ptr = (unsigned long __user *) (i << 2);
18088 + intr_ptr = (__force unsigned long __user *) (i << 2);
18089 if (get_user(segoffs, intr_ptr))
18090 goto cannot_handle;
18091 if ((segoffs >> 16) == BIOSSEG)
18092 diff -urNp linux-2.6.32.46/arch/x86/kernel/vmi_32.c linux-2.6.32.46/arch/x86/kernel/vmi_32.c
18093 --- linux-2.6.32.46/arch/x86/kernel/vmi_32.c 2011-03-27 14:31:47.000000000 -0400
18094 +++ linux-2.6.32.46/arch/x86/kernel/vmi_32.c 2011-08-05 20:33:55.000000000 -0400
18095 @@ -44,12 +44,17 @@ typedef u32 __attribute__((regparm(1)))
18096 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
18097
18098 #define call_vrom_func(rom,func) \
18099 - (((VROMFUNC *)(rom->func))())
18100 + (((VROMFUNC *)(ktva_ktla(rom.func)))())
18101
18102 #define call_vrom_long_func(rom,func,arg) \
18103 - (((VROMLONGFUNC *)(rom->func)) (arg))
18104 +({\
18105 + u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
18106 + struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
18107 + __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
18108 + __reloc;\
18109 +})
18110
18111 -static struct vrom_header *vmi_rom;
18112 +static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
18113 static int disable_pge;
18114 static int disable_pse;
18115 static int disable_sep;
18116 @@ -76,10 +81,10 @@ static struct {
18117 void (*set_initial_ap_state)(int, int);
18118 void (*halt)(void);
18119 void (*set_lazy_mode)(int mode);
18120 -} vmi_ops;
18121 +} __no_const vmi_ops __read_only;
18122
18123 /* Cached VMI operations */
18124 -struct vmi_timer_ops vmi_timer_ops;
18125 +struct vmi_timer_ops vmi_timer_ops __read_only;
18126
18127 /*
18128 * VMI patching routines.
18129 @@ -94,7 +99,7 @@ struct vmi_timer_ops vmi_timer_ops;
18130 static inline void patch_offset(void *insnbuf,
18131 unsigned long ip, unsigned long dest)
18132 {
18133 - *(unsigned long *)(insnbuf+1) = dest-ip-5;
18134 + *(unsigned long *)(insnbuf+1) = dest-ip-5;
18135 }
18136
18137 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
18138 @@ -102,6 +107,7 @@ static unsigned patch_internal(int call,
18139 {
18140 u64 reloc;
18141 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
18142 +
18143 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
18144 switch(rel->type) {
18145 case VMI_RELOCATION_CALL_REL:
18146 @@ -404,13 +410,13 @@ static void vmi_set_pud(pud_t *pudp, pud
18147
18148 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
18149 {
18150 - const pte_t pte = { .pte = 0 };
18151 + const pte_t pte = __pte(0ULL);
18152 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
18153 }
18154
18155 static void vmi_pmd_clear(pmd_t *pmd)
18156 {
18157 - const pte_t pte = { .pte = 0 };
18158 + const pte_t pte = __pte(0ULL);
18159 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
18160 }
18161 #endif
18162 @@ -438,10 +444,10 @@ vmi_startup_ipi_hook(int phys_apicid, un
18163 ap.ss = __KERNEL_DS;
18164 ap.esp = (unsigned long) start_esp;
18165
18166 - ap.ds = __USER_DS;
18167 - ap.es = __USER_DS;
18168 + ap.ds = __KERNEL_DS;
18169 + ap.es = __KERNEL_DS;
18170 ap.fs = __KERNEL_PERCPU;
18171 - ap.gs = __KERNEL_STACK_CANARY;
18172 + savesegment(gs, ap.gs);
18173
18174 ap.eflags = 0;
18175
18176 @@ -486,6 +492,18 @@ static void vmi_leave_lazy_mmu(void)
18177 paravirt_leave_lazy_mmu();
18178 }
18179
18180 +#ifdef CONFIG_PAX_KERNEXEC
18181 +static unsigned long vmi_pax_open_kernel(void)
18182 +{
18183 + return 0;
18184 +}
18185 +
18186 +static unsigned long vmi_pax_close_kernel(void)
18187 +{
18188 + return 0;
18189 +}
18190 +#endif
18191 +
18192 static inline int __init check_vmi_rom(struct vrom_header *rom)
18193 {
18194 struct pci_header *pci;
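Review bot: vmi_pax_open_kernel() and vmi_pax_close_kernel() are added as stubs that return 0 with no comment, and the activate_vmi hunk further down installs them into `pv_mmu_ops`. These lines alone do not show whether KERNEXEC's open/close of kernel memory is unnecessary under VMI or simply not implemented for it, and that difference matters to anyone relying on KERNEXEC in a VMI guest. A comment above the pair should state which it is, for example `/* VMI: kernel write protection is not toggled here because <reason> */`.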
18195 @@ -498,6 +516,10 @@ static inline int __init check_vmi_rom(s
18196 return 0;
18197 if (rom->vrom_signature != VMI_SIGNATURE)
18198 return 0;
18199 + if (rom->rom_length * 512 > sizeof(*rom)) {
18200 + printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
18201 + return 0;
18202 + }
18203 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
18204 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
18205 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
18206 @@ -562,7 +584,7 @@ static inline int __init probe_vmi_rom(v
18207 struct vrom_header *romstart;
18208 romstart = (struct vrom_header *)isa_bus_to_virt(base);
18209 if (check_vmi_rom(romstart)) {
18210 - vmi_rom = romstart;
18211 + vmi_rom = *romstart;
18212 return 1;
18213 }
18214 }
18215 @@ -836,6 +858,11 @@ static inline int __init activate_vmi(vo
18216
18217 para_fill(pv_irq_ops.safe_halt, Halt);
18218
18219 +#ifdef CONFIG_PAX_KERNEXEC
18220 + pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
18221 + pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
18222 +#endif
18223 +
18224 /*
18225 * Alternative instruction rewriting doesn't happen soon enough
18226 * to convert VMI_IRET to a call instead of a jump; so we have
18227 @@ -853,16 +880,16 @@ static inline int __init activate_vmi(vo
18228
18229 void __init vmi_init(void)
18230 {
18231 - if (!vmi_rom)
18232 + if (!vmi_rom.rom_signature)
18233 probe_vmi_rom();
18234 else
18235 - check_vmi_rom(vmi_rom);
18236 + check_vmi_rom(&vmi_rom);
18237
18238 /* In case probing for or validating the ROM failed, basil */
18239 - if (!vmi_rom)
18240 + if (!vmi_rom.rom_signature)
18241 return;
18242
18243 - reserve_top_address(-vmi_rom->virtual_top);
18244 + reserve_top_address(-vmi_rom.virtual_top);
18245
18246 #ifdef CONFIG_X86_IO_APIC
18247 /* This is virtual hardware; timer routing is wired correctly */
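Review bot: In vmi_init the result of `check_vmi_rom(&vmi_rom)` is discarded, so when the else branch runs and validation fails, `vmi_rom.rom_signature` is still non-zero. The following `if (!vmi_rom.rom_signature) return;` then does not stop the function, although the comment above it says it covers a failed validation. The old pointer-based code had the same gap, but with the header now held by value the failure can be recorded directly, e.g. `else if (!check_vmi_rom(&vmi_rom)) vmi_rom.rom_signature = 0;`, assuming `vmi_rom` is still writable at this point in init. vmi_init continues outside the hunk.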
18248 @@ -874,7 +901,7 @@ void __init vmi_activate(void)
18249 {
18250 unsigned long flags;
18251
18252 - if (!vmi_rom)
18253 + if (!vmi_rom.rom_signature)
18254 return;
18255
18256 local_irq_save(flags);
18257 diff -urNp linux-2.6.32.46/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.46/arch/x86/kernel/vmlinux.lds.S
18258 --- linux-2.6.32.46/arch/x86/kernel/vmlinux.lds.S 2011-03-27 14:31:47.000000000 -0400
18259 +++ linux-2.6.32.46/arch/x86/kernel/vmlinux.lds.S 2011-04-17 15:56:46.000000000 -0400
18260 @@ -26,6 +26,13 @@
18261 #include <asm/page_types.h>
18262 #include <asm/cache.h>
18263 #include <asm/boot.h>
18264 +#include <asm/segment.h>
18265 +
18266 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18267 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
18268 +#else
18269 +#define __KERNEL_TEXT_OFFSET 0
18270 +#endif
18271
18272 #undef i386 /* in case the preprocessor is a 32bit one */
18273
18274 @@ -34,40 +41,53 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
18275 #ifdef CONFIG_X86_32
18276 OUTPUT_ARCH(i386)
18277 ENTRY(phys_startup_32)
18278 -jiffies = jiffies_64;
18279 #else
18280 OUTPUT_ARCH(i386:x86-64)
18281 ENTRY(phys_startup_64)
18282 -jiffies_64 = jiffies;
18283 #endif
18284
18285 PHDRS {
18286 text PT_LOAD FLAGS(5); /* R_E */
18287 - data PT_LOAD FLAGS(7); /* RWE */
18288 +#ifdef CONFIG_X86_32
18289 + module PT_LOAD FLAGS(5); /* R_E */
18290 +#endif
18291 +#ifdef CONFIG_XEN
18292 + rodata PT_LOAD FLAGS(5); /* R_E */
18293 +#else
18294 + rodata PT_LOAD FLAGS(4); /* R__ */
18295 +#endif
18296 + data PT_LOAD FLAGS(6); /* RW_ */
18297 #ifdef CONFIG_X86_64
18298 user PT_LOAD FLAGS(5); /* R_E */
18299 +#endif
18300 + init.begin PT_LOAD FLAGS(6); /* RW_ */
18301 #ifdef CONFIG_SMP
18302 percpu PT_LOAD FLAGS(6); /* RW_ */
18303 #endif
18304 + text.init PT_LOAD FLAGS(5); /* R_E */
18305 + text.exit PT_LOAD FLAGS(5); /* R_E */
18306 init PT_LOAD FLAGS(7); /* RWE */
18307 -#endif
18308 note PT_NOTE FLAGS(0); /* ___ */
18309 }
18310
18311 SECTIONS
18312 {
18313 #ifdef CONFIG_X86_32
18314 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
18315 - phys_startup_32 = startup_32 - LOAD_OFFSET;
18316 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
18317 #else
18318 - . = __START_KERNEL;
18319 - phys_startup_64 = startup_64 - LOAD_OFFSET;
18320 + . = __START_KERNEL;
18321 #endif
18322
18323 /* Text and read-only data */
18324 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
18325 - _text = .;
18326 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18327 /* bootstrapping code */
18328 +#ifdef CONFIG_X86_32
18329 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18330 +#else
18331 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18332 +#endif
18333 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
18334 + _text = .;
18335 HEAD_TEXT
18336 #ifdef CONFIG_X86_32
18337 . = ALIGN(PAGE_SIZE);
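Review bot: In the PHDRS block the `init` segment keeps `FLAGS(7)` (RWE) and `rodata` is `FLAGS(5)` (R_E) under CONFIG_XEN, while the other load segments touched here are tightened to R_E, R__ or RW_, and neither exception is explained. With init code now assigned to the separate `text.init` and `text.exit` headers, a comment should say what in `:init` still needs to be both writable and executable, or the flags should drop to 6 if nothing does. A one-line comment on the Xen case, such as `/* rodata stays executable under Xen because <reason> */`, would document the other exception. The SECTIONS block continues outside the hunk.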
18338 @@ -82,28 +102,71 @@ SECTIONS
18339 IRQENTRY_TEXT
18340 *(.fixup)
18341 *(.gnu.warning)
18342 - /* End of text section */
18343 - _etext = .;
18344 } :text = 0x9090
18345
18346 - NOTES :text :note
18347 + . += __KERNEL_TEXT_OFFSET;
18348 +
18349 +#ifdef CONFIG_X86_32
18350 + . = ALIGN(PAGE_SIZE);
18351 + .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
18352 + *(.vmi.rom)
18353 + } :module
18354 +
18355 + . = ALIGN(PAGE_SIZE);
18356 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
18357 +
18358 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
18359 + MODULES_EXEC_VADDR = .;
18360 + BYTE(0)
18361 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
18362 + . = ALIGN(HPAGE_SIZE);
18363 + MODULES_EXEC_END = . - 1;
18364 +#endif
18365 +
18366 + } :module
18367 +#endif
18368
18369 - EXCEPTION_TABLE(16) :text = 0x9090
18370 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
18371 + /* End of text section */
18372 + _etext = . - __KERNEL_TEXT_OFFSET;
18373 + }
18374 +
18375 +#ifdef CONFIG_X86_32
18376 + . = ALIGN(PAGE_SIZE);
18377 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
18378 + *(.idt)
18379 + . = ALIGN(PAGE_SIZE);
18380 + *(.empty_zero_page)
18381 + *(.swapper_pg_fixmap)
18382 + *(.swapper_pg_pmd)
18383 + *(.swapper_pg_dir)
18384 + *(.trampoline_pg_dir)
18385 + } :rodata
18386 +#endif
18387 +
18388 + . = ALIGN(PAGE_SIZE);
18389 + NOTES :rodata :note
18390 +
18391 + EXCEPTION_TABLE(16) :rodata
18392
18393 RO_DATA(PAGE_SIZE)
18394
18395 /* Data */
18396 .data : AT(ADDR(.data) - LOAD_OFFSET) {
18397 +
18398 +#ifdef CONFIG_PAX_KERNEXEC
18399 + . = ALIGN(HPAGE_SIZE);
18400 +#else
18401 + . = ALIGN(PAGE_SIZE);
18402 +#endif
18403 +
18404 /* Start of data section */
18405 _sdata = .;
18406
18407 /* init_task */
18408 INIT_TASK_DATA(THREAD_SIZE)
18409
18410 -#ifdef CONFIG_X86_32
18411 - /* 32 bit has nosave before _edata */
18412 NOSAVE_DATA
18413 -#endif
18414
18415 PAGE_ALIGNED_DATA(PAGE_SIZE)
18416
18417 @@ -112,6 +175,8 @@ SECTIONS
18418 DATA_DATA
18419 CONSTRUCTORS
18420
18421 + jiffies = jiffies_64;
18422 +
18423 /* rarely changed data like cpu maps */
18424 READ_MOSTLY_DATA(CONFIG_X86_INTERNODE_CACHE_BYTES)
18425
18426 @@ -166,12 +231,6 @@ SECTIONS
18427 }
18428 vgetcpu_mode = VVIRT(.vgetcpu_mode);
18429
18430 - . = ALIGN(CONFIG_X86_L1_CACHE_BYTES);
18431 - .jiffies : AT(VLOAD(.jiffies)) {
18432 - *(.jiffies)
18433 - }
18434 - jiffies = VVIRT(.jiffies);
18435 -
18436 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
18437 *(.vsyscall_3)
18438 }
18439 @@ -187,12 +246,19 @@ SECTIONS
18440 #endif /* CONFIG_X86_64 */
18441
18442 /* Init code and data - will be freed after init */
18443 - . = ALIGN(PAGE_SIZE);
18444 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
18445 + BYTE(0)
18446 +
18447 +#ifdef CONFIG_PAX_KERNEXEC
18448 + . = ALIGN(HPAGE_SIZE);
18449 +#else
18450 + . = ALIGN(PAGE_SIZE);
18451 +#endif
18452 +
18453 __init_begin = .; /* paired with __init_end */
18454 - }
18455 + } :init.begin
18456
18457 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
18458 +#ifdef CONFIG_SMP
18459 /*
18460 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
18461 * output PHDR, so the next output section - .init.text - should
18462 @@ -201,12 +267,27 @@ SECTIONS
18463 PERCPU_VADDR(0, :percpu)
18464 #endif
18465
18466 - INIT_TEXT_SECTION(PAGE_SIZE)
18467 -#ifdef CONFIG_X86_64
18468 - :init
18469 -#endif
18470 + . = ALIGN(PAGE_SIZE);
18471 + init_begin = .;
18472 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
18473 + VMLINUX_SYMBOL(_sinittext) = .;
18474 + INIT_TEXT
18475 + VMLINUX_SYMBOL(_einittext) = .;
18476 + . = ALIGN(PAGE_SIZE);
18477 + } :text.init
18478
18479 - INIT_DATA_SECTION(16)
18480 + /*
18481 + * .exit.text is discard at runtime, not link time, to deal with
18482 + * references from .altinstructions and .eh_frame
18483 + */
18484 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
18485 + EXIT_TEXT
18486 + . = ALIGN(16);
18487 + } :text.exit
18488 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
18489 +
18490 + . = ALIGN(PAGE_SIZE);
18491 + INIT_DATA_SECTION(16) :init
18492
18493 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
18494 __x86_cpu_dev_start = .;
18495 @@ -232,19 +313,11 @@ SECTIONS
18496 *(.altinstr_replacement)
18497 }
18498
18499 - /*
18500 - * .exit.text is discard at runtime, not link time, to deal with
18501 - * references from .altinstructions and .eh_frame
18502 - */
18503 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
18504 - EXIT_TEXT
18505 - }
18506 -
18507 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
18508 EXIT_DATA
18509 }
18510
18511 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
18512 +#ifndef CONFIG_SMP
18513 PERCPU(PAGE_SIZE)
18514 #endif
18515
18516 @@ -267,12 +340,6 @@ SECTIONS
18517 . = ALIGN(PAGE_SIZE);
18518 }
18519
18520 -#ifdef CONFIG_X86_64
18521 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
18522 - NOSAVE_DATA
18523 - }
18524 -#endif
18525 -
18526 /* BSS */
18527 . = ALIGN(PAGE_SIZE);
18528 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
18529 @@ -288,6 +355,7 @@ SECTIONS
18530 __brk_base = .;
18531 . += 64 * 1024; /* 64k alignment slop space */
18532 *(.brk_reservation) /* areas brk users have reserved */
18533 + . = ALIGN(HPAGE_SIZE);
18534 __brk_limit = .;
18535 }
18536
18537 @@ -316,13 +384,12 @@ SECTIONS
18538 * for the boot processor.
18539 */
18540 #define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load
18541 -INIT_PER_CPU(gdt_page);
18542 INIT_PER_CPU(irq_stack_union);
18543
18544 /*
18545 * Build-time check on the image size:
18546 */
18547 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
18548 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
18549 "kernel image bigger than KERNEL_IMAGE_SIZE");
18550
18551 #ifdef CONFIG_SMP
18552 diff -urNp linux-2.6.32.46/arch/x86/kernel/vsyscall_64.c linux-2.6.32.46/arch/x86/kernel/vsyscall_64.c
18553 --- linux-2.6.32.46/arch/x86/kernel/vsyscall_64.c 2011-03-27 14:31:47.000000000 -0400
18554 +++ linux-2.6.32.46/arch/x86/kernel/vsyscall_64.c 2011-04-23 12:56:10.000000000 -0400
18555 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
18556
18557 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
18558 /* copy vsyscall data */
18559 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
18560 vsyscall_gtod_data.clock.vread = clock->vread;
18561 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
18562 vsyscall_gtod_data.clock.mask = clock->mask;
18563 @@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
18564 We do this here because otherwise user space would do it on
18565 its own in a likely inferior way (no access to jiffies).
18566 If you don't like it pass NULL. */
18567 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
18568 + if (tcache && tcache->blob[0] == (j = jiffies)) {
18569 p = tcache->blob[1];
18570 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
18571 /* Load per CPU data from RDTSCP */
18572 diff -urNp linux-2.6.32.46/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.32.46/arch/x86/kernel/x8664_ksyms_64.c
18573 --- linux-2.6.32.46/arch/x86/kernel/x8664_ksyms_64.c 2011-03-27 14:31:47.000000000 -0400
18574 +++ linux-2.6.32.46/arch/x86/kernel/x8664_ksyms_64.c 2011-04-17 15:56:46.000000000 -0400
18575 @@ -30,8 +30,6 @@ EXPORT_SYMBOL(__put_user_8);
18576
18577 EXPORT_SYMBOL(copy_user_generic);
18578 EXPORT_SYMBOL(__copy_user_nocache);
18579 -EXPORT_SYMBOL(copy_from_user);
18580 -EXPORT_SYMBOL(copy_to_user);
18581 EXPORT_SYMBOL(__copy_from_user_inatomic);
18582
18583 EXPORT_SYMBOL(copy_page);
18584 diff -urNp linux-2.6.32.46/arch/x86/kernel/xsave.c linux-2.6.32.46/arch/x86/kernel/xsave.c
18585 --- linux-2.6.32.46/arch/x86/kernel/xsave.c 2011-03-27 14:31:47.000000000 -0400
18586 +++ linux-2.6.32.46/arch/x86/kernel/xsave.c 2011-04-17 15:56:46.000000000 -0400
18587 @@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
18588 fx_sw_user->xstate_size > fx_sw_user->extended_size)
18589 return -1;
18590
18591 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
18592 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
18593 fx_sw_user->extended_size -
18594 FP_XSTATE_MAGIC2_SIZE));
18595 /*
18596 @@ -196,7 +196,7 @@ fx_only:
18597 * the other extended state.
18598 */
18599 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
18600 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
18601 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
18602 }
18603
18604 /*
18605 @@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
18606 if (task_thread_info(tsk)->status & TS_XSAVE)
18607 err = restore_user_xstate(buf);
18608 else
18609 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
18610 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
18611 buf);
18612 if (unlikely(err)) {
18613 /*
18614 diff -urNp linux-2.6.32.46/arch/x86/kvm/emulate.c linux-2.6.32.46/arch/x86/kvm/emulate.c
18615 --- linux-2.6.32.46/arch/x86/kvm/emulate.c 2011-03-27 14:31:47.000000000 -0400
18616 +++ linux-2.6.32.46/arch/x86/kvm/emulate.c 2011-04-17 15:56:46.000000000 -0400
18617 @@ -81,8 +81,8 @@
18618 #define Src2CL (1<<29)
18619 #define Src2ImmByte (2<<29)
18620 #define Src2One (3<<29)
18621 -#define Src2Imm16 (4<<29)
18622 -#define Src2Mask (7<<29)
18623 +#define Src2Imm16 (4U<<29)
18624 +#define Src2Mask (7U<<29)
18625
18626 enum {
18627 Group1_80, Group1_81, Group1_82, Group1_83,
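Review bot: The `Src2*` group now mixes signedness, because only `Src2Imm16` and `Src2Mask` get the `U` suffix while `Src2CL`, `Src2ImmByte` and `Src2One` on the context lines stay plain `int`. The suffix itself is right, since `4<<29` and `7<<29` do not fit in a 32-bit signed int. I would give the whole group the suffix, e.g. `#define Src2One (3U<<29)`, so every value masked or compared against `Src2Mask` has the same type. The rest of the operand-flag definitions are outside this hunk, so whether they need the same treatment cannot be checked here.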
18628 @@ -411,6 +411,7 @@ static u32 group2_table[] = {
18629
18630 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
18631 do { \
18632 + unsigned long _tmp; \
18633 __asm__ __volatile__ ( \
18634 _PRE_EFLAGS("0", "4", "2") \
18635 _op _suffix " %"_x"3,%1; " \
18636 @@ -424,8 +425,6 @@ static u32 group2_table[] = {
18637 /* Raw emulation: instruction has two explicit operands. */
18638 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
18639 do { \
18640 - unsigned long _tmp; \
18641 - \
18642 switch ((_dst).bytes) { \
18643 case 2: \
18644 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
18645 @@ -441,7 +440,6 @@ static u32 group2_table[] = {
18646
18647 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
18648 do { \
18649 - unsigned long _tmp; \
18650 switch ((_dst).bytes) { \
18651 case 1: \
18652 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
18653 diff -urNp linux-2.6.32.46/arch/x86/kvm/lapic.c linux-2.6.32.46/arch/x86/kvm/lapic.c
18654 --- linux-2.6.32.46/arch/x86/kvm/lapic.c 2011-03-27 14:31:47.000000000 -0400
18655 +++ linux-2.6.32.46/arch/x86/kvm/lapic.c 2011-04-17 15:56:46.000000000 -0400
18656 @@ -52,7 +52,7 @@
18657 #define APIC_BUS_CYCLE_NS 1
18658
18659 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
18660 -#define apic_debug(fmt, arg...)
18661 +#define apic_debug(fmt, arg...) do {} while (0)
18662
18663 #define APIC_LVT_NUM 6
18664 /* 14 is the version for Xeon and Pentium 8.4.8*/
18665 diff -urNp linux-2.6.32.46/arch/x86/kvm/paging_tmpl.h linux-2.6.32.46/arch/x86/kvm/paging_tmpl.h
18666 --- linux-2.6.32.46/arch/x86/kvm/paging_tmpl.h 2011-03-27 14:31:47.000000000 -0400
18667 +++ linux-2.6.32.46/arch/x86/kvm/paging_tmpl.h 2011-05-16 21:46:57.000000000 -0400
18668 @@ -416,6 +416,8 @@ static int FNAME(page_fault)(struct kvm_
18669 int level = PT_PAGE_TABLE_LEVEL;
18670 unsigned long mmu_seq;
18671
18672 + pax_track_stack();
18673 +
18674 pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
18675 kvm_mmu_audit(vcpu, "pre page fault");
18676
18677 diff -urNp linux-2.6.32.46/arch/x86/kvm/svm.c linux-2.6.32.46/arch/x86/kvm/svm.c
18678 --- linux-2.6.32.46/arch/x86/kvm/svm.c 2011-03-27 14:31:47.000000000 -0400
18679 +++ linux-2.6.32.46/arch/x86/kvm/svm.c 2011-08-05 20:33:55.000000000 -0400
18680 @@ -2485,7 +2485,11 @@ static void reload_tss(struct kvm_vcpu *
18681 int cpu = raw_smp_processor_id();
18682
18683 struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
18684 +
18685 + pax_open_kernel();
18686 svm_data->tss_desc->type = 9; /* available 32/64-bit TSS */
18687 + pax_close_kernel();
18688 +
18689 load_TR_desc();
18690 }
18691
18692 @@ -2946,7 +2950,7 @@ static bool svm_gb_page_enable(void)
18693 return true;
18694 }
18695
18696 -static struct kvm_x86_ops svm_x86_ops = {
18697 +static const struct kvm_x86_ops svm_x86_ops = {
18698 .cpu_has_kvm_support = has_svm,
18699 .disabled_by_bios = is_disabled,
18700 .hardware_setup = svm_hardware_setup,
18701 diff -urNp linux-2.6.32.46/arch/x86/kvm/vmx.c linux-2.6.32.46/arch/x86/kvm/vmx.c
18702 --- linux-2.6.32.46/arch/x86/kvm/vmx.c 2011-03-27 14:31:47.000000000 -0400
18703 +++ linux-2.6.32.46/arch/x86/kvm/vmx.c 2011-05-04 17:56:20.000000000 -0400
18704 @@ -570,7 +570,11 @@ static void reload_tss(void)
18705
18706 kvm_get_gdt(&gdt);
18707 descs = (void *)gdt.base;
18708 +
18709 + pax_open_kernel();
18710 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
18711 + pax_close_kernel();
18712 +
18713 load_TR_desc();
18714 }
18715
18716 @@ -1409,8 +1413,11 @@ static __init int hardware_setup(void)
18717 if (!cpu_has_vmx_flexpriority())
18718 flexpriority_enabled = 0;
18719
18720 - if (!cpu_has_vmx_tpr_shadow())
18721 - kvm_x86_ops->update_cr8_intercept = NULL;
18722 + if (!cpu_has_vmx_tpr_shadow()) {
18723 + pax_open_kernel();
18724 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
18725 + pax_close_kernel();
18726 + }
18727
18728 if (enable_ept && !cpu_has_vmx_ept_2m_page())
18729 kvm_disable_largepages();
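Review bot: The store `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` casts away the `const` that this patch puts on `kvm_x86_ops` and on `vmx_x86_ops`, and nothing here explains why that is acceptable. Writing to an object defined `const` is undefined in ISO C, so this only holds as long as every reader goes through the `kvm_x86_ops` pointer and the write stays inside the `pax_open_kernel()` / `pax_close_kernel()` pair. A comment above the block would keep it from being "cleaned up" later, for example `/* ops table is const; this one slot is patched once during __init, under pax_open_kernel() */`. The body of `hardware_setup()` starts and ends outside this hunk.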
18730 @@ -2361,7 +2368,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
18731 vmcs_writel(HOST_IDTR_BASE, dt.base); /* 22.2.4 */
18732
18733 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
18734 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
18735 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
18736 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
18737 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
18738 vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, 0);
18739 @@ -3717,6 +3724,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
18740 "jmp .Lkvm_vmx_return \n\t"
18741 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
18742 ".Lkvm_vmx_return: "
18743 +
18744 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18745 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
18746 + ".Lkvm_vmx_return2: "
18747 +#endif
18748 +
18749 /* Save guest registers, load host registers, keep flags */
18750 "xchg %0, (%%"R"sp) \n\t"
18751 "mov %%"R"ax, %c[rax](%0) \n\t"
18752 @@ -3763,8 +3776,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
18753 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
18754 #endif
18755 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
18756 +
18757 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18758 + ,[cs]"i"(__KERNEL_CS)
18759 +#endif
18760 +
18761 : "cc", "memory"
18762 - , R"bx", R"di", R"si"
18763 + , R"ax", R"bx", R"di", R"si"
18764 #ifdef CONFIG_X86_64
18765 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
18766 #endif
18767 @@ -3781,7 +3799,16 @@ static void vmx_vcpu_run(struct kvm_vcpu
18768 if (vmx->rmode.irq.pending)
18769 fixup_rmode_irq(vmx);
18770
18771 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
18772 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
18773 +
18774 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18775 + loadsegment(fs, __KERNEL_PERCPU);
18776 +#endif
18777 +
18778 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18779 + __set_fs(current_thread_info()->addr_limit);
18780 +#endif
18781 +
18782 vmx->launched = 1;
18783
18784 vmx_complete_interrupts(vmx);
18785 @@ -3956,7 +3983,7 @@ static bool vmx_gb_page_enable(void)
18786 return false;
18787 }
18788
18789 -static struct kvm_x86_ops vmx_x86_ops = {
18790 +static const struct kvm_x86_ops vmx_x86_ops = {
18791 .cpu_has_kvm_support = cpu_has_kvm_support,
18792 .disabled_by_bios = vmx_disabled_by_bios,
18793 .hardware_setup = hardware_setup,
18794 diff -urNp linux-2.6.32.46/arch/x86/kvm/x86.c linux-2.6.32.46/arch/x86/kvm/x86.c
18795 --- linux-2.6.32.46/arch/x86/kvm/x86.c 2011-05-10 22:12:01.000000000 -0400
18796 +++ linux-2.6.32.46/arch/x86/kvm/x86.c 2011-05-10 22:12:26.000000000 -0400
18797 @@ -82,7 +82,7 @@ static void update_cr8_intercept(struct
18798 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
18799 struct kvm_cpuid_entry2 __user *entries);
18800
18801 -struct kvm_x86_ops *kvm_x86_ops;
18802 +const struct kvm_x86_ops *kvm_x86_ops;
18803 EXPORT_SYMBOL_GPL(kvm_x86_ops);
18804
18805 int ignore_msrs = 0;
18806 @@ -1430,15 +1430,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
18807 struct kvm_cpuid2 *cpuid,
18808 struct kvm_cpuid_entry2 __user *entries)
18809 {
18810 - int r;
18811 + int r, i;
18812
18813 r = -E2BIG;
18814 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
18815 goto out;
18816 r = -EFAULT;
18817 - if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
18818 - cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
18819 + if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
18820 goto out;
18821 + for (i = 0; i < cpuid->nent; ++i) {
18822 + struct kvm_cpuid_entry2 cpuid_entry;
18823 + if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
18824 + goto out;
18825 + vcpu->arch.cpuid_entries[i] = cpuid_entry;
18826 + }
18827 vcpu->arch.cpuid_nent = cpuid->nent;
18828 kvm_apic_set_version(vcpu);
18829 return 0;
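Review bot: Nothing in the new loop says why each entry is bounced through the stack temporary `cpuid_entry` instead of being copied with one call, so a later cleanup could fold it back into a bulk copy. Presumably the aim is that every user copy has a fixed, compile-time size; if so, say it, e.g. `/* copy entry by entry through a fixed-size stack object; do not merge into one variable-length copy */`. The loop counter is also declared `int` while it is compared with `cpuid->nent`; the `KVM_MAX_CPUID_ENTRIES` check above keeps that harmless, but `unsigned int i` would match the count it walks. The same two remarks apply to the mirror-image loop in the `kvm_vcpu_ioctl_get_cpuid2` hunk that follows, and both function bodies continue outside their hunks.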
18830 @@ -1451,16 +1456,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
18831 struct kvm_cpuid2 *cpuid,
18832 struct kvm_cpuid_entry2 __user *entries)
18833 {
18834 - int r;
18835 + int r, i;
18836
18837 vcpu_load(vcpu);
18838 r = -E2BIG;
18839 if (cpuid->nent < vcpu->arch.cpuid_nent)
18840 goto out;
18841 r = -EFAULT;
18842 - if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
18843 - vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
18844 + if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
18845 goto out;
18846 + for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
18847 + struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
18848 + if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
18849 + goto out;
18850 + }
18851 return 0;
18852
18853 out:
18854 @@ -1678,7 +1687,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
18855 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
18856 struct kvm_interrupt *irq)
18857 {
18858 - if (irq->irq < 0 || irq->irq >= 256)
18859 + if (irq->irq >= 256)
18860 return -EINVAL;
18861 if (irqchip_in_kernel(vcpu->kvm))
18862 return -ENXIO;
18863 @@ -3260,10 +3269,10 @@ static struct notifier_block kvmclock_cp
18864 .notifier_call = kvmclock_cpufreq_notifier
18865 };
18866
18867 -int kvm_arch_init(void *opaque)
18868 +int kvm_arch_init(const void *opaque)
18869 {
18870 int r, cpu;
18871 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
18872 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
18873
18874 if (kvm_x86_ops) {
18875 printk(KERN_ERR "kvm: already loaded the other module\n");
18876 diff -urNp linux-2.6.32.46/arch/x86/lguest/boot.c linux-2.6.32.46/arch/x86/lguest/boot.c
18877 --- linux-2.6.32.46/arch/x86/lguest/boot.c 2011-03-27 14:31:47.000000000 -0400
18878 +++ linux-2.6.32.46/arch/x86/lguest/boot.c 2011-08-05 20:33:55.000000000 -0400
18879 @@ -1172,9 +1172,10 @@ static __init int early_put_chars(u32 vt
18880 * Rebooting also tells the Host we're finished, but the RESTART flag tells the
18881 * Launcher to reboot us.
18882 */
18883 -static void lguest_restart(char *reason)
18884 +static __noreturn void lguest_restart(char *reason)
18885 {
18886 kvm_hypercall2(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART);
18887 + BUG();
18888 }
18889
18890 /*G:050
18891 diff -urNp linux-2.6.32.46/arch/x86/lib/atomic64_32.c linux-2.6.32.46/arch/x86/lib/atomic64_32.c
18892 --- linux-2.6.32.46/arch/x86/lib/atomic64_32.c 2011-03-27 14:31:47.000000000 -0400
18893 +++ linux-2.6.32.46/arch/x86/lib/atomic64_32.c 2011-05-04 17:56:28.000000000 -0400
18894 @@ -25,6 +25,12 @@ u64 atomic64_cmpxchg(atomic64_t *ptr, u6
18895 }
18896 EXPORT_SYMBOL(atomic64_cmpxchg);
18897
18898 +u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old_val, u64 new_val)
18899 +{
18900 + return cmpxchg8b(&ptr->counter, old_val, new_val);
18901 +}
18902 +EXPORT_SYMBOL(atomic64_cmpxchg_unchecked);
18903 +
18904 /**
18905 * atomic64_xchg - xchg atomic64 variable
18906 * @ptr: pointer to type atomic64_t
18907 @@ -56,6 +62,36 @@ u64 atomic64_xchg(atomic64_t *ptr, u64 n
18908 EXPORT_SYMBOL(atomic64_xchg);
18909
18910 /**
18911 + * atomic64_xchg_unchecked - xchg atomic64 variable
18912 + * @ptr: pointer to type atomic64_unchecked_t
18913 + * @new_val: value to assign
18914 + *
18915 + * Atomically xchgs the value of @ptr to @new_val and returns
18916 + * the old value.
18917 + */
18918 +u64 atomic64_xchg_unchecked(atomic64_unchecked_t *ptr, u64 new_val)
18919 +{
18920 + /*
18921 + * Try first with a (possibly incorrect) assumption about
18922 + * what we have there. We'll do two loops most likely,
18923 + * but we'll get an ownership MESI transaction straight away
18924 + * instead of a read transaction followed by a
18925 + * flush-for-ownership transaction:
18926 + */
18927 + u64 old_val, real_val = 0;
18928 +
18929 + do {
18930 + old_val = real_val;
18931 +
18932 + real_val = atomic64_cmpxchg_unchecked(ptr, old_val, new_val);
18933 +
18934 + } while (real_val != old_val);
18935 +
18936 + return old_val;
18937 +}
18938 +EXPORT_SYMBOL(atomic64_xchg_unchecked);
18939 +
18940 +/**
18941 * atomic64_set - set atomic64 variable
18942 * @ptr: pointer to type atomic64_t
18943 * @new_val: value to assign
18944 @@ -69,7 +105,19 @@ void atomic64_set(atomic64_t *ptr, u64 n
18945 EXPORT_SYMBOL(atomic64_set);
18946
18947 /**
18948 -EXPORT_SYMBOL(atomic64_read);
18949 + * atomic64_unchecked_set - set atomic64 variable
18950 + * @ptr: pointer to type atomic64_unchecked_t
18951 + * @new_val: value to assign
18952 + *
18953 + * Atomically sets the value of @ptr to @new_val.
18954 + */
18955 +void atomic64_set_unchecked(atomic64_unchecked_t *ptr, u64 new_val)
18956 +{
18957 + atomic64_xchg_unchecked(ptr, new_val);
18958 +}
18959 +EXPORT_SYMBOL(atomic64_set_unchecked);
18960 +
18961 +/**
18962 * atomic64_add_return - add and return
18963 * @delta: integer value to add
18964 * @ptr: pointer to type atomic64_t
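Review bot: The kernel-doc header added here names `atomic64_unchecked_set`, but the function defined under it is `atomic64_set_unchecked`, so generated documentation and a grep for the real name will both miss it. The header line should read ` * atomic64_set_unchecked - set atomic64 variable`. The other `_unchecked` headers added in this file use the function's actual name, so this one looks like a slip rather than a convention.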
18965 @@ -99,24 +147,72 @@ noinline u64 atomic64_add_return(u64 del
18966 }
18967 EXPORT_SYMBOL(atomic64_add_return);
18968
18969 +/**
18970 + * atomic64_add_return_unchecked - add and return
18971 + * @delta: integer value to add
18972 + * @ptr: pointer to type atomic64_unchecked_t
18973 + *
18974 + * Atomically adds @delta to @ptr and returns @delta + *@ptr
18975 + */
18976 +noinline u64 atomic64_add_return_unchecked(u64 delta, atomic64_unchecked_t *ptr)
18977 +{
18978 + /*
18979 + * Try first with a (possibly incorrect) assumption about
18980 + * what we have there. We'll do two loops most likely,
18981 + * but we'll get an ownership MESI transaction straight away
18982 + * instead of a read transaction followed by a
18983 + * flush-for-ownership transaction:
18984 + */
18985 + u64 old_val, new_val, real_val = 0;
18986 +
18987 + do {
18988 + old_val = real_val;
18989 + new_val = old_val + delta;
18990 +
18991 + real_val = atomic64_cmpxchg_unchecked(ptr, old_val, new_val);
18992 +
18993 + } while (real_val != old_val);
18994 +
18995 + return new_val;
18996 +}
18997 +EXPORT_SYMBOL(atomic64_add_return_unchecked);
18998 +
18999 u64 atomic64_sub_return(u64 delta, atomic64_t *ptr)
19000 {
19001 return atomic64_add_return(-delta, ptr);
19002 }
19003 EXPORT_SYMBOL(atomic64_sub_return);
19004
19005 +u64 atomic64_sub_return_unchecked(u64 delta, atomic64_unchecked_t *ptr)
19006 +{
19007 + return atomic64_add_return_unchecked(-delta, ptr);
19008 +}
19009 +EXPORT_SYMBOL(atomic64_sub_return_unchecked);
19010 +
19011 u64 atomic64_inc_return(atomic64_t *ptr)
19012 {
19013 return atomic64_add_return(1, ptr);
19014 }
19015 EXPORT_SYMBOL(atomic64_inc_return);
19016
19017 +u64 atomic64_inc_return_unchecked(atomic64_unchecked_t *ptr)
19018 +{
19019 + return atomic64_add_return_unchecked(1, ptr);
19020 +}
19021 +EXPORT_SYMBOL(atomic64_inc_return_unchecked);
19022 +
19023 u64 atomic64_dec_return(atomic64_t *ptr)
19024 {
19025 return atomic64_sub_return(1, ptr);
19026 }
19027 EXPORT_SYMBOL(atomic64_dec_return);
19028
19029 +u64 atomic64_dec_return_unchecked(atomic64_unchecked_t *ptr)
19030 +{
19031 + return atomic64_sub_return_unchecked(1, ptr);
19032 +}
19033 +EXPORT_SYMBOL(atomic64_dec_return_unchecked);
19034 +
19035 /**
19036 * atomic64_add - add integer to atomic64 variable
19037 * @delta: integer value to add
19038 @@ -131,6 +227,19 @@ void atomic64_add(u64 delta, atomic64_t
19039 EXPORT_SYMBOL(atomic64_add);
19040
19041 /**
19042 + * atomic64_add_unchecked - add integer to atomic64 variable
19043 + * @delta: integer value to add
19044 + * @ptr: pointer to type atomic64_unchecked_t
19045 + *
19046 + * Atomically adds @delta to @ptr.
19047 + */
19048 +void atomic64_add_unchecked(u64 delta, atomic64_unchecked_t *ptr)
19049 +{
19050 + atomic64_add_return_unchecked(delta, ptr);
19051 +}
19052 +EXPORT_SYMBOL(atomic64_add_unchecked);
19053 +
19054 +/**
19055 * atomic64_sub - subtract the atomic64 variable
19056 * @delta: integer value to subtract
19057 * @ptr: pointer to type atomic64_t
19058 @@ -144,6 +253,19 @@ void atomic64_sub(u64 delta, atomic64_t
19059 EXPORT_SYMBOL(atomic64_sub);
19060
19061 /**
19062 + * atomic64_sub_unchecked - subtract the atomic64 variable
19063 + * @delta: integer value to subtract
19064 + * @ptr: pointer to type atomic64_unchecked_t
19065 + *
19066 + * Atomically subtracts @delta from @ptr.
19067 + */
19068 +void atomic64_sub_unchecked(u64 delta, atomic64_unchecked_t *ptr)
19069 +{
19070 + atomic64_add_unchecked(-delta, ptr);
19071 +}
19072 +EXPORT_SYMBOL(atomic64_sub_unchecked);
19073 +
19074 +/**
19075 * atomic64_sub_and_test - subtract value from variable and test result
19076 * @delta: integer value to subtract
19077 * @ptr: pointer to type atomic64_t
19078 @@ -173,6 +295,18 @@ void atomic64_inc(atomic64_t *ptr)
19079 EXPORT_SYMBOL(atomic64_inc);
19080
19081 /**
19082 + * atomic64_inc_unchecked - increment atomic64 variable
19083 + * @ptr: pointer to type atomic64_unchecked_t
19084 + *
19085 + * Atomically increments @ptr by 1.
19086 + */
19087 +void atomic64_inc_unchecked(atomic64_unchecked_t *ptr)
19088 +{
19089 + atomic64_add_unchecked(1, ptr);
19090 +}
19091 +EXPORT_SYMBOL(atomic64_inc_unchecked);
19092 +
19093 +/**
19094 * atomic64_dec - decrement atomic64 variable
19095 * @ptr: pointer to type atomic64_t
19096 *
19097 @@ -185,6 +319,18 @@ void atomic64_dec(atomic64_t *ptr)
19098 EXPORT_SYMBOL(atomic64_dec);
19099
19100 /**
19101 + * atomic64_dec_unchecked - decrement atomic64 variable
19102 + * @ptr: pointer to type atomic64_unchecked_t
19103 + *
19104 + * Atomically decrements @ptr by 1.
19105 + */
19106 +void atomic64_dec_unchecked(atomic64_unchecked_t *ptr)
19107 +{
19108 + atomic64_sub_unchecked(1, ptr);
19109 +}
19110 +EXPORT_SYMBOL(atomic64_dec_unchecked);
19111 +
19112 +/**
19113 * atomic64_dec_and_test - decrement and test
19114 * @ptr: pointer to type atomic64_t
19115 *
19116 diff -urNp linux-2.6.32.46/arch/x86/lib/checksum_32.S linux-2.6.32.46/arch/x86/lib/checksum_32.S
19117 --- linux-2.6.32.46/arch/x86/lib/checksum_32.S 2011-03-27 14:31:47.000000000 -0400
19118 +++ linux-2.6.32.46/arch/x86/lib/checksum_32.S 2011-04-17 15:56:46.000000000 -0400
19119 @@ -28,7 +28,8 @@
19120 #include <linux/linkage.h>
19121 #include <asm/dwarf2.h>
19122 #include <asm/errno.h>
19123 -
19124 +#include <asm/segment.h>
19125 +
19126 /*
19127 * computes a partial checksum, e.g. for TCP/UDP fragments
19128 */
19129 @@ -304,9 +305,28 @@ unsigned int csum_partial_copy_generic (
19130
19131 #define ARGBASE 16
19132 #define FP 12
19133 -
19134 -ENTRY(csum_partial_copy_generic)
19135 +
19136 +ENTRY(csum_partial_copy_generic_to_user)
19137 CFI_STARTPROC
19138 +
19139 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19140 + pushl %gs
19141 + CFI_ADJUST_CFA_OFFSET 4
19142 + popl %es
19143 + CFI_ADJUST_CFA_OFFSET -4
19144 + jmp csum_partial_copy_generic
19145 +#endif
19146 +
19147 +ENTRY(csum_partial_copy_generic_from_user)
19148 +
19149 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19150 + pushl %gs
19151 + CFI_ADJUST_CFA_OFFSET 4
19152 + popl %ds
19153 + CFI_ADJUST_CFA_OFFSET -4
19154 +#endif
19155 +
19156 +ENTRY(csum_partial_copy_generic)
19157 subl $4,%esp
19158 CFI_ADJUST_CFA_OFFSET 4
19159 pushl %edi
19160 @@ -331,7 +351,7 @@ ENTRY(csum_partial_copy_generic)
19161 jmp 4f
19162 SRC(1: movw (%esi), %bx )
19163 addl $2, %esi
19164 -DST( movw %bx, (%edi) )
19165 +DST( movw %bx, %es:(%edi) )
19166 addl $2, %edi
19167 addw %bx, %ax
19168 adcl $0, %eax
19169 @@ -343,30 +363,30 @@ DST( movw %bx, (%edi) )
19170 SRC(1: movl (%esi), %ebx )
19171 SRC( movl 4(%esi), %edx )
19172 adcl %ebx, %eax
19173 -DST( movl %ebx, (%edi) )
19174 +DST( movl %ebx, %es:(%edi) )
19175 adcl %edx, %eax
19176 -DST( movl %edx, 4(%edi) )
19177 +DST( movl %edx, %es:4(%edi) )
19178
19179 SRC( movl 8(%esi), %ebx )
19180 SRC( movl 12(%esi), %edx )
19181 adcl %ebx, %eax
19182 -DST( movl %ebx, 8(%edi) )
19183 +DST( movl %ebx, %es:8(%edi) )
19184 adcl %edx, %eax
19185 -DST( movl %edx, 12(%edi) )
19186 +DST( movl %edx, %es:12(%edi) )
19187
19188 SRC( movl 16(%esi), %ebx )
19189 SRC( movl 20(%esi), %edx )
19190 adcl %ebx, %eax
19191 -DST( movl %ebx, 16(%edi) )
19192 +DST( movl %ebx, %es:16(%edi) )
19193 adcl %edx, %eax
19194 -DST( movl %edx, 20(%edi) )
19195 +DST( movl %edx, %es:20(%edi) )
19196
19197 SRC( movl 24(%esi), %ebx )
19198 SRC( movl 28(%esi), %edx )
19199 adcl %ebx, %eax
19200 -DST( movl %ebx, 24(%edi) )
19201 +DST( movl %ebx, %es:24(%edi) )
19202 adcl %edx, %eax
19203 -DST( movl %edx, 28(%edi) )
19204 +DST( movl %edx, %es:28(%edi) )
19205
19206 lea 32(%esi), %esi
19207 lea 32(%edi), %edi
19208 @@ -380,7 +400,7 @@ DST( movl %edx, 28(%edi) )
19209 shrl $2, %edx # This clears CF
19210 SRC(3: movl (%esi), %ebx )
19211 adcl %ebx, %eax
19212 -DST( movl %ebx, (%edi) )
19213 +DST( movl %ebx, %es:(%edi) )
19214 lea 4(%esi), %esi
19215 lea 4(%edi), %edi
19216 dec %edx
19217 @@ -392,12 +412,12 @@ DST( movl %ebx, (%edi) )
19218 jb 5f
19219 SRC( movw (%esi), %cx )
19220 leal 2(%esi), %esi
19221 -DST( movw %cx, (%edi) )
19222 +DST( movw %cx, %es:(%edi) )
19223 leal 2(%edi), %edi
19224 je 6f
19225 shll $16,%ecx
19226 SRC(5: movb (%esi), %cl )
19227 -DST( movb %cl, (%edi) )
19228 +DST( movb %cl, %es:(%edi) )
19229 6: addl %ecx, %eax
19230 adcl $0, %eax
19231 7:
19232 @@ -408,7 +428,7 @@ DST( movb %cl, (%edi) )
19233
19234 6001:
19235 movl ARGBASE+20(%esp), %ebx # src_err_ptr
19236 - movl $-EFAULT, (%ebx)
19237 + movl $-EFAULT, %ss:(%ebx)
19238
19239 # zero the complete destination - computing the rest
19240 # is too much work
19241 @@ -421,11 +441,19 @@ DST( movb %cl, (%edi) )
19242
19243 6002:
19244 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19245 - movl $-EFAULT,(%ebx)
19246 + movl $-EFAULT,%ss:(%ebx)
19247 jmp 5000b
19248
19249 .previous
19250
19251 + pushl %ss
19252 + CFI_ADJUST_CFA_OFFSET 4
19253 + popl %ds
19254 + CFI_ADJUST_CFA_OFFSET -4
19255 + pushl %ss
19256 + CFI_ADJUST_CFA_OFFSET 4
19257 + popl %es
19258 + CFI_ADJUST_CFA_OFFSET -4
19259 popl %ebx
19260 CFI_ADJUST_CFA_OFFSET -4
19261 CFI_RESTORE ebx
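Review bot: The `pushl %ss` / `popl %ds` / `popl %es` restore added here is unconditional, while the entry-side loads from `%gs` in this variant are under `#ifdef CONFIG_PAX_MEMORY_UDEREF` and the PentiumII/PPro variant guards the identical restore (hunk `@@ -523,10 +572,21`). Without that option the entry code leaves `%ds` and `%es` alone, so this epilogue would reload both from `%ss` on every call for no visible reason. I would wrap the eight added lines the same way as the other variant, with `#ifdef CONFIG_PAX_MEMORY_UDEREF` before the first `pushl %ss` and `#endif` after the last `CFI_ADJUST_CFA_OFFSET -4`. The function body starts outside this hunk.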
19262 @@ -439,26 +467,47 @@ DST( movb %cl, (%edi) )
19263 CFI_ADJUST_CFA_OFFSET -4
19264 ret
19265 CFI_ENDPROC
19266 -ENDPROC(csum_partial_copy_generic)
19267 +ENDPROC(csum_partial_copy_generic_to_user)
19268
19269 #else
19270
19271 /* Version for PentiumII/PPro */
19272
19273 #define ROUND1(x) \
19274 + nop; nop; nop; \
19275 SRC(movl x(%esi), %ebx ) ; \
19276 addl %ebx, %eax ; \
19277 - DST(movl %ebx, x(%edi) ) ;
19278 + DST(movl %ebx, %es:x(%edi)) ;
19279
19280 #define ROUND(x) \
19281 + nop; nop; nop; \
19282 SRC(movl x(%esi), %ebx ) ; \
19283 adcl %ebx, %eax ; \
19284 - DST(movl %ebx, x(%edi) ) ;
19285 + DST(movl %ebx, %es:x(%edi)) ;
19286
19287 #define ARGBASE 12
19288 -
19289 -ENTRY(csum_partial_copy_generic)
19290 +
19291 +ENTRY(csum_partial_copy_generic_to_user)
19292 CFI_STARTPROC
19293 +
19294 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19295 + pushl %gs
19296 + CFI_ADJUST_CFA_OFFSET 4
19297 + popl %es
19298 + CFI_ADJUST_CFA_OFFSET -4
19299 + jmp csum_partial_copy_generic
19300 +#endif
19301 +
19302 +ENTRY(csum_partial_copy_generic_from_user)
19303 +
19304 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19305 + pushl %gs
19306 + CFI_ADJUST_CFA_OFFSET 4
19307 + popl %ds
19308 + CFI_ADJUST_CFA_OFFSET -4
19309 +#endif
19310 +
19311 +ENTRY(csum_partial_copy_generic)
19312 pushl %ebx
19313 CFI_ADJUST_CFA_OFFSET 4
19314 CFI_REL_OFFSET ebx, 0
19315 @@ -482,7 +531,7 @@ ENTRY(csum_partial_copy_generic)
19316 subl %ebx, %edi
19317 lea -1(%esi),%edx
19318 andl $-32,%edx
19319 - lea 3f(%ebx,%ebx), %ebx
19320 + lea 3f(%ebx,%ebx,2), %ebx
19321 testl %esi, %esi
19322 jmp *%ebx
19323 1: addl $64,%esi
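Review bot: The scale change in `lea 3f(%ebx,%ebx,2), %ebx` is coupled to the `nop; nop; nop;` padding and the `%es:` prefix added to `ROUND1`/`ROUND` in the previous hunk, and neither place carries a comment saying so. The `jmp *%ebx` two lines down is a computed jump, presumably into the unrolled `ROUND` sequence, so the multiplier has to match the encoded size of one `ROUND` exactly; a mismatch would land in the middle of an instruction. I would add a comment on the `lea`, such as `# scale must equal the byte size of one ROUND(); keep in sync with the nop padding in ROUND/ROUND1`, and the matching remark at the macros. The computation of `%ebx` and the `ROUND` expansion site are outside this hunk.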
19324 @@ -503,19 +552,19 @@ ENTRY(csum_partial_copy_generic)
19325 jb 5f
19326 SRC( movw (%esi), %dx )
19327 leal 2(%esi), %esi
19328 -DST( movw %dx, (%edi) )
19329 +DST( movw %dx, %es:(%edi) )
19330 leal 2(%edi), %edi
19331 je 6f
19332 shll $16,%edx
19333 5:
19334 SRC( movb (%esi), %dl )
19335 -DST( movb %dl, (%edi) )
19336 +DST( movb %dl, %es:(%edi) )
19337 6: addl %edx, %eax
19338 adcl $0, %eax
19339 7:
19340 .section .fixup, "ax"
19341 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
19342 - movl $-EFAULT, (%ebx)
19343 + movl $-EFAULT, %ss:(%ebx)
19344 # zero the complete destination (computing the rest is too much work)
19345 movl ARGBASE+8(%esp),%edi # dst
19346 movl ARGBASE+12(%esp),%ecx # len
19347 @@ -523,10 +572,21 @@ DST( movb %dl, (%edi) )
19348 rep; stosb
19349 jmp 7b
19350 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
19351 - movl $-EFAULT, (%ebx)
19352 + movl $-EFAULT, %ss:(%ebx)
19353 jmp 7b
19354 .previous
19355
19356 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19357 + pushl %ss
19358 + CFI_ADJUST_CFA_OFFSET 4
19359 + popl %ds
19360 + CFI_ADJUST_CFA_OFFSET -4
19361 + pushl %ss
19362 + CFI_ADJUST_CFA_OFFSET 4
19363 + popl %es
19364 + CFI_ADJUST_CFA_OFFSET -4
19365 +#endif
19366 +
19367 popl %esi
19368 CFI_ADJUST_CFA_OFFSET -4
19369 CFI_RESTORE esi
19370 @@ -538,7 +598,7 @@ DST( movb %dl, (%edi) )
19371 CFI_RESTORE ebx
19372 ret
19373 CFI_ENDPROC
19374 -ENDPROC(csum_partial_copy_generic)
19375 +ENDPROC(csum_partial_copy_generic_to_user)
19376
19377 #undef ROUND
19378 #undef ROUND1
19379 diff -urNp linux-2.6.32.46/arch/x86/lib/clear_page_64.S linux-2.6.32.46/arch/x86/lib/clear_page_64.S
19380 --- linux-2.6.32.46/arch/x86/lib/clear_page_64.S 2011-03-27 14:31:47.000000000 -0400
19381 +++ linux-2.6.32.46/arch/x86/lib/clear_page_64.S 2011-04-17 15:56:46.000000000 -0400
19382 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
19383
19384 #include <asm/cpufeature.h>
19385
19386 - .section .altinstr_replacement,"ax"
19387 + .section .altinstr_replacement,"a"
19388 1: .byte 0xeb /* jmp <disp8> */
19389 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
19390 2:
19391 diff -urNp linux-2.6.32.46/arch/x86/lib/copy_page_64.S linux-2.6.32.46/arch/x86/lib/copy_page_64.S
19392 --- linux-2.6.32.46/arch/x86/lib/copy_page_64.S 2011-03-27 14:31:47.000000000 -0400
19393 +++ linux-2.6.32.46/arch/x86/lib/copy_page_64.S 2011-04-17 15:56:46.000000000 -0400
19394 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
19395
19396 #include <asm/cpufeature.h>
19397
19398 - .section .altinstr_replacement,"ax"
19399 + .section .altinstr_replacement,"a"
19400 1: .byte 0xeb /* jmp <disp8> */
19401 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
19402 2:
19403 diff -urNp linux-2.6.32.46/arch/x86/lib/copy_user_64.S linux-2.6.32.46/arch/x86/lib/copy_user_64.S
19404 --- linux-2.6.32.46/arch/x86/lib/copy_user_64.S 2011-06-25 12:55:34.000000000 -0400
19405 +++ linux-2.6.32.46/arch/x86/lib/copy_user_64.S 2011-06-25 12:56:37.000000000 -0400
19406 @@ -15,13 +15,14 @@
19407 #include <asm/asm-offsets.h>
19408 #include <asm/thread_info.h>
19409 #include <asm/cpufeature.h>
19410 +#include <asm/pgtable.h>
19411
19412 .macro ALTERNATIVE_JUMP feature,orig,alt
19413 0:
19414 .byte 0xe9 /* 32bit jump */
19415 .long \orig-1f /* by default jump to orig */
19416 1:
19417 - .section .altinstr_replacement,"ax"
19418 + .section .altinstr_replacement,"a"
19419 2: .byte 0xe9 /* near jump with 32bit immediate */
19420 .long \alt-1b /* offset */ /* or alternatively to alt */
19421 .previous
19422 @@ -64,49 +65,19 @@
19423 #endif
19424 .endm
19425
19426 -/* Standard copy_to_user with segment limit checking */
19427 -ENTRY(copy_to_user)
19428 - CFI_STARTPROC
19429 - GET_THREAD_INFO(%rax)
19430 - movq %rdi,%rcx
19431 - addq %rdx,%rcx
19432 - jc bad_to_user
19433 - cmpq TI_addr_limit(%rax),%rcx
19434 - ja bad_to_user
19435 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19436 - CFI_ENDPROC
19437 -ENDPROC(copy_to_user)
19438 -
19439 -/* Standard copy_from_user with segment limit checking */
19440 -ENTRY(copy_from_user)
19441 - CFI_STARTPROC
19442 - GET_THREAD_INFO(%rax)
19443 - movq %rsi,%rcx
19444 - addq %rdx,%rcx
19445 - jc bad_from_user
19446 - cmpq TI_addr_limit(%rax),%rcx
19447 - ja bad_from_user
19448 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19449 - CFI_ENDPROC
19450 -ENDPROC(copy_from_user)
19451 -
19452 ENTRY(copy_user_generic)
19453 CFI_STARTPROC
19454 ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19455 CFI_ENDPROC
19456 ENDPROC(copy_user_generic)
19457
19458 -ENTRY(__copy_from_user_inatomic)
19459 - CFI_STARTPROC
19460 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
19461 - CFI_ENDPROC
19462 -ENDPROC(__copy_from_user_inatomic)
19463 -
19464 .section .fixup,"ax"
19465 /* must zero dest */
19466 ENTRY(bad_from_user)
19467 bad_from_user:
19468 CFI_STARTPROC
19469 + testl %edx,%edx
19470 + js bad_to_user
19471 movl %edx,%ecx
19472 xorl %eax,%eax
19473 rep
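Review bot: The added `testl %edx,%edx` / `js bad_to_user` in `bad_from_user` has no comment, and its purpose is not obvious from the fixup code alone. It appears to skip the `rep`-prefixed zeroing of the destination when the 32-bit length has its sign bit set; a line such as `/* length looks negative: do not zero the destination */` above the test would record that. This hunk also deletes the assembly `copy_to_user` and `copy_from_user` entries together with their `TI_addr_limit` range checks, so the replacements, which are not in this file section, need to perform the equivalent check before reaching `copy_user_generic`. `bad_to_user` and the rest of `bad_from_user` are outside the hunk.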
19474 diff -urNp linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S
19475 --- linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S 2011-03-27 14:31:47.000000000 -0400
19476 +++ linux-2.6.32.46/arch/x86/lib/copy_user_nocache_64.S 2011-04-17 15:56:46.000000000 -0400
19477 @@ -14,6 +14,7 @@
19478 #include <asm/current.h>
19479 #include <asm/asm-offsets.h>
19480 #include <asm/thread_info.h>
19481 +#include <asm/pgtable.h>
19482
19483 .macro ALIGN_DESTINATION
19484 #ifdef FIX_ALIGNMENT
19485 @@ -50,6 +51,15 @@
19486 */
19487 ENTRY(__copy_user_nocache)
19488 CFI_STARTPROC
19489 +
19490 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19491 + mov $PAX_USER_SHADOW_BASE,%rcx
19492 + cmp %rcx,%rsi
19493 + jae 1f
19494 + add %rcx,%rsi
19495 +1:
19496 +#endif
19497 +
19498 cmpl $8,%edx
19499 jb 20f /* less then 8 bytes, go to byte copy loop */
19500 ALIGN_DESTINATION
19501 diff -urNp linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c
19502 --- linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c 2011-03-27 14:31:47.000000000 -0400
19503 +++ linux-2.6.32.46/arch/x86/lib/csum-wrappers_64.c 2011-05-04 17:56:20.000000000 -0400
19504 @@ -52,6 +52,12 @@ csum_partial_copy_from_user(const void _
19505 len -= 2;
19506 }
19507 }
19508 +
19509 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19510 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
19511 + src += PAX_USER_SHADOW_BASE;
19512 +#endif
19513 +
19514 isum = csum_partial_copy_generic((__force const void *)src,
19515 dst, len, isum, errp, NULL);
19516 if (unlikely(*errp))
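Review bot: The shadow-base rebase is open-coded here in `csum_partial_copy_from_user` and again in the `csum_partial_copy_to_user` hunk below, each without a comment, so the two copies can drift apart unnoticed. A small static inline helper in this file, or at least a shared comment such as `/* UDEREF: redirect a userland pointer into the shadow range before the raw copy */`, would keep them in step. After the adjustment `src` is no longer the value that any earlier validation in the function (outside this hunk) looked at, so it should not be reused for anything except the `csum_partial_copy_generic()` call that follows.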
19517 @@ -105,6 +111,12 @@ csum_partial_copy_to_user(const void *sr
19518 }
19519
19520 *errp = 0;
19521 +
19522 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19523 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
19524 + dst += PAX_USER_SHADOW_BASE;
19525 +#endif
19526 +
19527 return csum_partial_copy_generic(src, (void __force *)dst,
19528 len, isum, NULL, errp);
19529 }
19530 diff -urNp linux-2.6.32.46/arch/x86/lib/getuser.S linux-2.6.32.46/arch/x86/lib/getuser.S
19531 --- linux-2.6.32.46/arch/x86/lib/getuser.S 2011-03-27 14:31:47.000000000 -0400
19532 +++ linux-2.6.32.46/arch/x86/lib/getuser.S 2011-04-17 15:56:46.000000000 -0400
19533 @@ -33,14 +33,35 @@
19534 #include <asm/asm-offsets.h>
19535 #include <asm/thread_info.h>
19536 #include <asm/asm.h>
19537 +#include <asm/segment.h>
19538 +#include <asm/pgtable.h>
19539 +
19540 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
19541 +#define __copyuser_seg gs;
19542 +#else
19543 +#define __copyuser_seg
19544 +#endif
19545
19546 .text
19547 ENTRY(__get_user_1)
19548 CFI_STARTPROC
19549 +
19550 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19551 GET_THREAD_INFO(%_ASM_DX)
19552 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19553 jae bad_get_user
19554 -1: movzb (%_ASM_AX),%edx
19555 +
19556 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19557 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19558 + cmp %_ASM_DX,%_ASM_AX
19559 + jae 1234f
19560 + add %_ASM_DX,%_ASM_AX
19561 +1234:
19562 +#endif
19563 +
19564 +#endif
19565 +
19566 +1: __copyuser_seg movzb (%_ASM_AX),%edx
19567 xor %eax,%eax
19568 ret
19569 CFI_ENDPROC
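Review bot: The five-line shadow-base rebase (`mov $PAX_USER_SHADOW_BASE,%_ASM_DX` through `1234:`) is pasted into `__get_user_1` here and again into the `__get_user_2`, `__get_user_4` and `__get_user_8` hunks below, inside nested `#if` blocks whose `#endif` lines carry no label. A single assembler macro defined next to `__copyuser_seg` would keep the four copies identical, and the closing lines would read better as `#endif /* X86_64 && PAX_MEMORY_UDEREF */` and `#endif /* !X86_32 || !PAX_MEMORY_UDEREF */`. Note that `__get_user_8` guards its copy with a plain `#ifdef CONFIG_PAX_MEMORY_UDEREF`, so the conditions already differ between the copies.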
19570 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
19571 ENTRY(__get_user_2)
19572 CFI_STARTPROC
19573 add $1,%_ASM_AX
19574 +
19575 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19576 jc bad_get_user
19577 GET_THREAD_INFO(%_ASM_DX)
19578 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19579 jae bad_get_user
19580 -2: movzwl -1(%_ASM_AX),%edx
19581 +
19582 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19583 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19584 + cmp %_ASM_DX,%_ASM_AX
19585 + jae 1234f
19586 + add %_ASM_DX,%_ASM_AX
19587 +1234:
19588 +#endif
19589 +
19590 +#endif
19591 +
19592 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
19593 xor %eax,%eax
19594 ret
19595 CFI_ENDPROC
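Review bot: On 32-bit UDEREF builds the new `#if` compiles out `jc bad_get_user` together with the `addr_limit` comparison, so a wrap of `add $1,%_ASM_AX` is no longer rejected in software before `movzwl -1(%_ASM_AX),%edx`. Presumably the `gs` override from `__copyuser_seg` is what bounds the access in that configuration, but nothing in the file says so. A comment above the `#if`, e.g. `/* 32-bit UDEREF: range is enforced through the %gs segment, no addr_limit check here */`, would make the reliance explicit; the same applies to the `__get_user_4` hunk.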
19596 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
19597 ENTRY(__get_user_4)
19598 CFI_STARTPROC
19599 add $3,%_ASM_AX
19600 +
19601 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19602 jc bad_get_user
19603 GET_THREAD_INFO(%_ASM_DX)
19604 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19605 jae bad_get_user
19606 -3: mov -3(%_ASM_AX),%edx
19607 +
19608 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19609 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19610 + cmp %_ASM_DX,%_ASM_AX
19611 + jae 1234f
19612 + add %_ASM_DX,%_ASM_AX
19613 +1234:
19614 +#endif
19615 +
19616 +#endif
19617 +
19618 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
19619 xor %eax,%eax
19620 ret
19621 CFI_ENDPROC
19622 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
19623 GET_THREAD_INFO(%_ASM_DX)
19624 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
19625 jae bad_get_user
19626 +
19627 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19628 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
19629 + cmp %_ASM_DX,%_ASM_AX
19630 + jae 1234f
19631 + add %_ASM_DX,%_ASM_AX
19632 +1234:
19633 +#endif
19634 +
19635 4: movq -7(%_ASM_AX),%_ASM_DX
19636 xor %eax,%eax
19637 ret
19638 diff -urNp linux-2.6.32.46/arch/x86/lib/memcpy_64.S linux-2.6.32.46/arch/x86/lib/memcpy_64.S
19639 --- linux-2.6.32.46/arch/x86/lib/memcpy_64.S 2011-03-27 14:31:47.000000000 -0400
19640 +++ linux-2.6.32.46/arch/x86/lib/memcpy_64.S 2011-04-17 15:56:46.000000000 -0400
19641 @@ -128,7 +128,7 @@ ENDPROC(__memcpy)
19642 * It is also a lot simpler. Use this when possible:
19643 */
19644
19645 - .section .altinstr_replacement, "ax"
19646 + .section .altinstr_replacement, "a"
19647 1: .byte 0xeb /* jmp <disp8> */
19648 .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
19649 2:
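Review bot: The section flags for `.altinstr_replacement` lose `x` here and in the matching memset_64.S hunk, with no comment saying why that is safe. As far as I know the bytes in this section are only copied over the original site by the alternatives patching code and never executed in place, which is presumably why a non-executable section works. Stating that next to the directive, e.g. `/* replacement bytes are copied, never run from here */`, would stop a later cleanup from putting the flags back to `"ax"`.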
19650 diff -urNp linux-2.6.32.46/arch/x86/lib/memset_64.S linux-2.6.32.46/arch/x86/lib/memset_64.S
19651 --- linux-2.6.32.46/arch/x86/lib/memset_64.S 2011-03-27 14:31:47.000000000 -0400
19652 +++ linux-2.6.32.46/arch/x86/lib/memset_64.S 2011-04-17 15:56:46.000000000 -0400
19653 @@ -118,7 +118,7 @@ ENDPROC(__memset)
19654
19655 #include <asm/cpufeature.h>
19656
19657 - .section .altinstr_replacement,"ax"
19658 + .section .altinstr_replacement,"a"
19659 1: .byte 0xeb /* jmp <disp8> */
19660 .byte (memset_c - memset) - (2f - 1b) /* offset */
19661 2:
19662 diff -urNp linux-2.6.32.46/arch/x86/lib/mmx_32.c linux-2.6.32.46/arch/x86/lib/mmx_32.c
19663 --- linux-2.6.32.46/arch/x86/lib/mmx_32.c 2011-03-27 14:31:47.000000000 -0400
19664 +++ linux-2.6.32.46/arch/x86/lib/mmx_32.c 2011-04-17 15:56:46.000000000 -0400
19665 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
19666 {
19667 void *p;
19668 int i;
19669 + unsigned long cr0;
19670
19671 if (unlikely(in_interrupt()))
19672 return __memcpy(to, from, len);
19673 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
19674 kernel_fpu_begin();
19675
19676 __asm__ __volatile__ (
19677 - "1: prefetch (%0)\n" /* This set is 28 bytes */
19678 - " prefetch 64(%0)\n"
19679 - " prefetch 128(%0)\n"
19680 - " prefetch 192(%0)\n"
19681 - " prefetch 256(%0)\n"
19682 + "1: prefetch (%1)\n" /* This set is 28 bytes */
19683 + " prefetch 64(%1)\n"
19684 + " prefetch 128(%1)\n"
19685 + " prefetch 192(%1)\n"
19686 + " prefetch 256(%1)\n"
19687 "2: \n"
19688 ".section .fixup, \"ax\"\n"
19689 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19690 + "3: \n"
19691 +
19692 +#ifdef CONFIG_PAX_KERNEXEC
19693 + " movl %%cr0, %0\n"
19694 + " movl %0, %%eax\n"
19695 + " andl $0xFFFEFFFF, %%eax\n"
19696 + " movl %%eax, %%cr0\n"
19697 +#endif
19698 +
19699 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19700 +
19701 +#ifdef CONFIG_PAX_KERNEXEC
19702 + " movl %0, %%cr0\n"
19703 +#endif
19704 +
19705 " jmp 2b\n"
19706 ".previous\n"
19707 _ASM_EXTABLE(1b, 3b)
19708 - : : "r" (from));
19709 + : "=&r" (cr0) : "r" (from) : "ax");
19710
19711 for ( ; i > 5; i--) {
19712 __asm__ __volatile__ (
19713 - "1: prefetch 320(%0)\n"
19714 - "2: movq (%0), %%mm0\n"
19715 - " movq 8(%0), %%mm1\n"
19716 - " movq 16(%0), %%mm2\n"
19717 - " movq 24(%0), %%mm3\n"
19718 - " movq %%mm0, (%1)\n"
19719 - " movq %%mm1, 8(%1)\n"
19720 - " movq %%mm2, 16(%1)\n"
19721 - " movq %%mm3, 24(%1)\n"
19722 - " movq 32(%0), %%mm0\n"
19723 - " movq 40(%0), %%mm1\n"
19724 - " movq 48(%0), %%mm2\n"
19725 - " movq 56(%0), %%mm3\n"
19726 - " movq %%mm0, 32(%1)\n"
19727 - " movq %%mm1, 40(%1)\n"
19728 - " movq %%mm2, 48(%1)\n"
19729 - " movq %%mm3, 56(%1)\n"
19730 + "1: prefetch 320(%1)\n"
19731 + "2: movq (%1), %%mm0\n"
19732 + " movq 8(%1), %%mm1\n"
19733 + " movq 16(%1), %%mm2\n"
19734 + " movq 24(%1), %%mm3\n"
19735 + " movq %%mm0, (%2)\n"
19736 + " movq %%mm1, 8(%2)\n"
19737 + " movq %%mm2, 16(%2)\n"
19738 + " movq %%mm3, 24(%2)\n"
19739 + " movq 32(%1), %%mm0\n"
19740 + " movq 40(%1), %%mm1\n"
19741 + " movq 48(%1), %%mm2\n"
19742 + " movq 56(%1), %%mm3\n"
19743 + " movq %%mm0, 32(%2)\n"
19744 + " movq %%mm1, 40(%2)\n"
19745 + " movq %%mm2, 48(%2)\n"
19746 + " movq %%mm3, 56(%2)\n"
19747 ".section .fixup, \"ax\"\n"
19748 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19749 + "3:\n"
19750 +
19751 +#ifdef CONFIG_PAX_KERNEXEC
19752 + " movl %%cr0, %0\n"
19753 + " movl %0, %%eax\n"
19754 + " andl $0xFFFEFFFF, %%eax\n"
19755 + " movl %%eax, %%cr0\n"
19756 +#endif
19757 +
19758 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19759 +
19760 +#ifdef CONFIG_PAX_KERNEXEC
19761 + " movl %0, %%cr0\n"
19762 +#endif
19763 +
19764 " jmp 2b\n"
19765 ".previous\n"
19766 _ASM_EXTABLE(1b, 3b)
19767 - : : "r" (from), "r" (to) : "memory");
19768 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
19769
19770 from += 64;
19771 to += 64;
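Review bot: The `andl $0xFFFEFFFF, %%eax` in the fixup path is an unexplained magic mask; it clears bit 16 of CR0 (write protect, `~X86_CR0_WP`) so that the following `movw $0x1AEB, 1b` can patch kernel text, and a reader should not have to decode that. I would add `/* KERNEXEC: drop CR0.WP while the fixup rewrites the prefetch at 1b, then restore */` above the first `#ifdef CONFIG_PAX_KERNEXEC`. The comment should also say what keeps an interrupt from running between the two CR0 writes with write protection off, since nothing in this hunk does. The same block is repeated in the second asm of this hunk and in both `fast_copy_page` hunks below; `_mmx_memcpy` itself starts and ends outside the hunk.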
19772 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
19773 static void fast_copy_page(void *to, void *from)
19774 {
19775 int i;
19776 + unsigned long cr0;
19777
19778 kernel_fpu_begin();
19779
19780 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
19781 * but that is for later. -AV
19782 */
19783 __asm__ __volatile__(
19784 - "1: prefetch (%0)\n"
19785 - " prefetch 64(%0)\n"
19786 - " prefetch 128(%0)\n"
19787 - " prefetch 192(%0)\n"
19788 - " prefetch 256(%0)\n"
19789 + "1: prefetch (%1)\n"
19790 + " prefetch 64(%1)\n"
19791 + " prefetch 128(%1)\n"
19792 + " prefetch 192(%1)\n"
19793 + " prefetch 256(%1)\n"
19794 "2: \n"
19795 ".section .fixup, \"ax\"\n"
19796 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19797 + "3: \n"
19798 +
19799 +#ifdef CONFIG_PAX_KERNEXEC
19800 + " movl %%cr0, %0\n"
19801 + " movl %0, %%eax\n"
19802 + " andl $0xFFFEFFFF, %%eax\n"
19803 + " movl %%eax, %%cr0\n"
19804 +#endif
19805 +
19806 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19807 +
19808 +#ifdef CONFIG_PAX_KERNEXEC
19809 + " movl %0, %%cr0\n"
19810 +#endif
19811 +
19812 " jmp 2b\n"
19813 ".previous\n"
19814 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
19815 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
19816
19817 for (i = 0; i < (4096-320)/64; i++) {
19818 __asm__ __volatile__ (
19819 - "1: prefetch 320(%0)\n"
19820 - "2: movq (%0), %%mm0\n"
19821 - " movntq %%mm0, (%1)\n"
19822 - " movq 8(%0), %%mm1\n"
19823 - " movntq %%mm1, 8(%1)\n"
19824 - " movq 16(%0), %%mm2\n"
19825 - " movntq %%mm2, 16(%1)\n"
19826 - " movq 24(%0), %%mm3\n"
19827 - " movntq %%mm3, 24(%1)\n"
19828 - " movq 32(%0), %%mm4\n"
19829 - " movntq %%mm4, 32(%1)\n"
19830 - " movq 40(%0), %%mm5\n"
19831 - " movntq %%mm5, 40(%1)\n"
19832 - " movq 48(%0), %%mm6\n"
19833 - " movntq %%mm6, 48(%1)\n"
19834 - " movq 56(%0), %%mm7\n"
19835 - " movntq %%mm7, 56(%1)\n"
19836 + "1: prefetch 320(%1)\n"
19837 + "2: movq (%1), %%mm0\n"
19838 + " movntq %%mm0, (%2)\n"
19839 + " movq 8(%1), %%mm1\n"
19840 + " movntq %%mm1, 8(%2)\n"
19841 + " movq 16(%1), %%mm2\n"
19842 + " movntq %%mm2, 16(%2)\n"
19843 + " movq 24(%1), %%mm3\n"
19844 + " movntq %%mm3, 24(%2)\n"
19845 + " movq 32(%1), %%mm4\n"
19846 + " movntq %%mm4, 32(%2)\n"
19847 + " movq 40(%1), %%mm5\n"
19848 + " movntq %%mm5, 40(%2)\n"
19849 + " movq 48(%1), %%mm6\n"
19850 + " movntq %%mm6, 48(%2)\n"
19851 + " movq 56(%1), %%mm7\n"
19852 + " movntq %%mm7, 56(%2)\n"
19853 ".section .fixup, \"ax\"\n"
19854 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19855 + "3:\n"
19856 +
19857 +#ifdef CONFIG_PAX_KERNEXEC
19858 + " movl %%cr0, %0\n"
19859 + " movl %0, %%eax\n"
19860 + " andl $0xFFFEFFFF, %%eax\n"
19861 + " movl %%eax, %%cr0\n"
19862 +#endif
19863 +
19864 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19865 +
19866 +#ifdef CONFIG_PAX_KERNEXEC
19867 + " movl %0, %%cr0\n"
19868 +#endif
19869 +
19870 " jmp 2b\n"
19871 ".previous\n"
19872 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
19873 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
19874
19875 from += 64;
19876 to += 64;
19877 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
19878 static void fast_copy_page(void *to, void *from)
19879 {
19880 int i;
19881 + unsigned long cr0;
19882
19883 kernel_fpu_begin();
19884
19885 __asm__ __volatile__ (
19886 - "1: prefetch (%0)\n"
19887 - " prefetch 64(%0)\n"
19888 - " prefetch 128(%0)\n"
19889 - " prefetch 192(%0)\n"
19890 - " prefetch 256(%0)\n"
19891 + "1: prefetch (%1)\n"
19892 + " prefetch 64(%1)\n"
19893 + " prefetch 128(%1)\n"
19894 + " prefetch 192(%1)\n"
19895 + " prefetch 256(%1)\n"
19896 "2: \n"
19897 ".section .fixup, \"ax\"\n"
19898 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19899 + "3: \n"
19900 +
19901 +#ifdef CONFIG_PAX_KERNEXEC
19902 + " movl %%cr0, %0\n"
19903 + " movl %0, %%eax\n"
19904 + " andl $0xFFFEFFFF, %%eax\n"
19905 + " movl %%eax, %%cr0\n"
19906 +#endif
19907 +
19908 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
19909 +
19910 +#ifdef CONFIG_PAX_KERNEXEC
19911 + " movl %0, %%cr0\n"
19912 +#endif
19913 +
19914 " jmp 2b\n"
19915 ".previous\n"
19916 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
19917 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
19918
19919 for (i = 0; i < 4096/64; i++) {
19920 __asm__ __volatile__ (
19921 - "1: prefetch 320(%0)\n"
19922 - "2: movq (%0), %%mm0\n"
19923 - " movq 8(%0), %%mm1\n"
19924 - " movq 16(%0), %%mm2\n"
19925 - " movq 24(%0), %%mm3\n"
19926 - " movq %%mm0, (%1)\n"
19927 - " movq %%mm1, 8(%1)\n"
19928 - " movq %%mm2, 16(%1)\n"
19929 - " movq %%mm3, 24(%1)\n"
19930 - " movq 32(%0), %%mm0\n"
19931 - " movq 40(%0), %%mm1\n"
19932 - " movq 48(%0), %%mm2\n"
19933 - " movq 56(%0), %%mm3\n"
19934 - " movq %%mm0, 32(%1)\n"
19935 - " movq %%mm1, 40(%1)\n"
19936 - " movq %%mm2, 48(%1)\n"
19937 - " movq %%mm3, 56(%1)\n"
19938 + "1: prefetch 320(%1)\n"
19939 + "2: movq (%1), %%mm0\n"
19940 + " movq 8(%1), %%mm1\n"
19941 + " movq 16(%1), %%mm2\n"
19942 + " movq 24(%1), %%mm3\n"
19943 + " movq %%mm0, (%2)\n"
19944 + " movq %%mm1, 8(%2)\n"
19945 + " movq %%mm2, 16(%2)\n"
19946 + " movq %%mm3, 24(%2)\n"
19947 + " movq 32(%1), %%mm0\n"
19948 + " movq 40(%1), %%mm1\n"
19949 + " movq 48(%1), %%mm2\n"
19950 + " movq 56(%1), %%mm3\n"
19951 + " movq %%mm0, 32(%2)\n"
19952 + " movq %%mm1, 40(%2)\n"
19953 + " movq %%mm2, 48(%2)\n"
19954 + " movq %%mm3, 56(%2)\n"
19955 ".section .fixup, \"ax\"\n"
19956 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19957 + "3:\n"
19958 +
19959 +#ifdef CONFIG_PAX_KERNEXEC
19960 + " movl %%cr0, %0\n"
19961 + " movl %0, %%eax\n"
19962 + " andl $0xFFFEFFFF, %%eax\n"
19963 + " movl %%eax, %%cr0\n"
19964 +#endif
19965 +
19966 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
19967 +
19968 +#ifdef CONFIG_PAX_KERNEXEC
19969 + " movl %0, %%cr0\n"
19970 +#endif
19971 +
19972 " jmp 2b\n"
19973 ".previous\n"
19974 _ASM_EXTABLE(1b, 3b)
19975 - : : "r" (from), "r" (to) : "memory");
19976 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
19977
19978 from += 64;
19979 to += 64;
19980 diff -urNp linux-2.6.32.46/arch/x86/lib/putuser.S linux-2.6.32.46/arch/x86/lib/putuser.S
19981 --- linux-2.6.32.46/arch/x86/lib/putuser.S 2011-03-27 14:31:47.000000000 -0400
19982 +++ linux-2.6.32.46/arch/x86/lib/putuser.S 2011-04-17 15:56:46.000000000 -0400
19983 @@ -15,7 +15,8 @@
19984 #include <asm/thread_info.h>
19985 #include <asm/errno.h>
19986 #include <asm/asm.h>
19987 -
19988 +#include <asm/segment.h>
19989 +#include <asm/pgtable.h>
19990
19991 /*
19992 * __put_user_X
19993 @@ -29,52 +30,119 @@
19994 * as they get called from within inline assembly.
19995 */
19996
19997 -#define ENTER CFI_STARTPROC ; \
19998 - GET_THREAD_INFO(%_ASM_BX)
19999 +#define ENTER CFI_STARTPROC
20000 #define EXIT ret ; \
20001 CFI_ENDPROC
20002
20003 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20004 +#define _DEST %_ASM_CX,%_ASM_BX
20005 +#else
20006 +#define _DEST %_ASM_CX
20007 +#endif
20008 +
20009 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
20010 +#define __copyuser_seg gs;
20011 +#else
20012 +#define __copyuser_seg
20013 +#endif
20014 +
20015 .text
20016 ENTRY(__put_user_1)
20017 ENTER
20018 +
20019 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20020 + GET_THREAD_INFO(%_ASM_BX)
20021 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
20022 jae bad_put_user
20023 -1: movb %al,(%_ASM_CX)
20024 +
20025 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20026 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20027 + cmp %_ASM_BX,%_ASM_CX
20028 + jb 1234f
20029 + xor %ebx,%ebx
20030 +1234:
20031 +#endif
20032 +
20033 +#endif
20034 +
20035 +1: __copyuser_seg movb %al,(_DEST)
20036 xor %eax,%eax
20037 EXIT
20038 ENDPROC(__put_user_1)
20039
20040 ENTRY(__put_user_2)
20041 ENTER
20042 +
20043 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20044 + GET_THREAD_INFO(%_ASM_BX)
20045 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20046 sub $1,%_ASM_BX
20047 cmp %_ASM_BX,%_ASM_CX
20048 jae bad_put_user
20049 -2: movw %ax,(%_ASM_CX)
20050 +
20051 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20052 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20053 + cmp %_ASM_BX,%_ASM_CX
20054 + jb 1234f
20055 + xor %ebx,%ebx
20056 +1234:
20057 +#endif
20058 +
20059 +#endif
20060 +
20061 +2: __copyuser_seg movw %ax,(_DEST)
20062 xor %eax,%eax
20063 EXIT
20064 ENDPROC(__put_user_2)
20065
20066 ENTRY(__put_user_4)
20067 ENTER
20068 +
20069 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20070 + GET_THREAD_INFO(%_ASM_BX)
20071 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20072 sub $3,%_ASM_BX
20073 cmp %_ASM_BX,%_ASM_CX
20074 jae bad_put_user
20075 -3: movl %eax,(%_ASM_CX)
20076 +
20077 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20078 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20079 + cmp %_ASM_BX,%_ASM_CX
20080 + jb 1234f
20081 + xor %ebx,%ebx
20082 +1234:
20083 +#endif
20084 +
20085 +#endif
20086 +
20087 +3: __copyuser_seg movl %eax,(_DEST)
20088 xor %eax,%eax
20089 EXIT
20090 ENDPROC(__put_user_4)
20091
20092 ENTRY(__put_user_8)
20093 ENTER
20094 +
20095 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20096 + GET_THREAD_INFO(%_ASM_BX)
20097 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
20098 sub $7,%_ASM_BX
20099 cmp %_ASM_BX,%_ASM_CX
20100 jae bad_put_user
20101 -4: mov %_ASM_AX,(%_ASM_CX)
20102 +
20103 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20104 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
20105 + cmp %_ASM_BX,%_ASM_CX
20106 + jb 1234f
20107 + xor %ebx,%ebx
20108 +1234:
20109 +#endif
20110 +
20111 +#endif
20112 +
20113 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
20114 #ifdef CONFIG_X86_32
20115 -5: movl %edx,4(%_ASM_CX)
20116 +5: __copyuser_seg movl %edx,4(_DEST)
20117 #endif
20118 xor %eax,%eax
20119 EXIT
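Review bot: `_DEST` silently changes the addressing mode of every store: on 64-bit UDEREF it expands to `%_ASM_CX,%_ASM_BX`, so `(_DEST)` is base plus index and is correct only because the preceding block leaves %_ASM_BX holding either PAX_USER_SHADOW_BASE or zero. That invariant is not written down, and `xor %ebx,%ebx` relies on the 32-bit write clearing the full 64-bit register. A comment on the define, e.g. `/* 64-bit UDEREF: %_ASM_BX = PAX_USER_SHADOW_BASE for userland pointers, 0 otherwise; used as index */`, would protect it from later edits. `__copyuser_seg` is also defined identically in getuser.S; a shared header would avoid the duplicate.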
20120 diff -urNp linux-2.6.32.46/arch/x86/lib/usercopy_32.c linux-2.6.32.46/arch/x86/lib/usercopy_32.c
20121 --- linux-2.6.32.46/arch/x86/lib/usercopy_32.c 2011-03-27 14:31:47.000000000 -0400
20122 +++ linux-2.6.32.46/arch/x86/lib/usercopy_32.c 2011-04-23 21:12:28.000000000 -0400
20123 @@ -43,7 +43,7 @@ do { \
20124 __asm__ __volatile__( \
20125 " testl %1,%1\n" \
20126 " jz 2f\n" \
20127 - "0: lodsb\n" \
20128 + "0: "__copyuser_seg"lodsb\n" \
20129 " stosb\n" \
20130 " testb %%al,%%al\n" \
20131 " jz 1f\n" \
20132 @@ -128,10 +128,12 @@ do { \
20133 int __d0; \
20134 might_fault(); \
20135 __asm__ __volatile__( \
20136 + __COPYUSER_SET_ES \
20137 "0: rep; stosl\n" \
20138 " movl %2,%0\n" \
20139 "1: rep; stosb\n" \
20140 "2:\n" \
20141 + __COPYUSER_RESTORE_ES \
20142 ".section .fixup,\"ax\"\n" \
20143 "3: lea 0(%2,%0,4),%0\n" \
20144 " jmp 2b\n" \
20145 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
20146 might_fault();
20147
20148 __asm__ __volatile__(
20149 + __COPYUSER_SET_ES
20150 " testl %0, %0\n"
20151 " jz 3f\n"
20152 " andl %0,%%ecx\n"
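Review bot: `__COPYUSER_SET_ES` is placed before `testl %0, %0` / `jz 3f`, so the early exit through label 3 happens with ES already switched. Label 3 and the macro definitions are outside this hunk; if that path does not rejoin `1:` (where the next hunk adds `__COPYUSER_RESTORE_ES`), ES would stay changed on return from `strnlen_user`. A comment at the set, e.g. `/* every exit, including 3:, must pass 1: so ES is restored */`, would record the requirement.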
20153 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
20154 " subl %%ecx,%0\n"
20155 " addl %0,%%eax\n"
20156 "1:\n"
20157 + __COPYUSER_RESTORE_ES
20158 ".section .fixup,\"ax\"\n"
20159 "2: xorl %%eax,%%eax\n"
20160 " jmp 1b\n"
20161 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
20162
20163 #ifdef CONFIG_X86_INTEL_USERCOPY
20164 static unsigned long
20165 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
20166 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
20167 {
20168 int d0, d1;
20169 __asm__ __volatile__(
20170 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
20171 " .align 2,0x90\n"
20172 "3: movl 0(%4), %%eax\n"
20173 "4: movl 4(%4), %%edx\n"
20174 - "5: movl %%eax, 0(%3)\n"
20175 - "6: movl %%edx, 4(%3)\n"
20176 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
20177 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
20178 "7: movl 8(%4), %%eax\n"
20179 "8: movl 12(%4),%%edx\n"
20180 - "9: movl %%eax, 8(%3)\n"
20181 - "10: movl %%edx, 12(%3)\n"
20182 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
20183 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
20184 "11: movl 16(%4), %%eax\n"
20185 "12: movl 20(%4), %%edx\n"
20186 - "13: movl %%eax, 16(%3)\n"
20187 - "14: movl %%edx, 20(%3)\n"
20188 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
20189 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
20190 "15: movl 24(%4), %%eax\n"
20191 "16: movl 28(%4), %%edx\n"
20192 - "17: movl %%eax, 24(%3)\n"
20193 - "18: movl %%edx, 28(%3)\n"
20194 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
20195 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
20196 "19: movl 32(%4), %%eax\n"
20197 "20: movl 36(%4), %%edx\n"
20198 - "21: movl %%eax, 32(%3)\n"
20199 - "22: movl %%edx, 36(%3)\n"
20200 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
20201 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
20202 "23: movl 40(%4), %%eax\n"
20203 "24: movl 44(%4), %%edx\n"
20204 - "25: movl %%eax, 40(%3)\n"
20205 - "26: movl %%edx, 44(%3)\n"
20206 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
20207 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
20208 "27: movl 48(%4), %%eax\n"
20209 "28: movl 52(%4), %%edx\n"
20210 - "29: movl %%eax, 48(%3)\n"
20211 - "30: movl %%edx, 52(%3)\n"
20212 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
20213 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
20214 "31: movl 56(%4), %%eax\n"
20215 "32: movl 60(%4), %%edx\n"
20216 - "33: movl %%eax, 56(%3)\n"
20217 - "34: movl %%edx, 60(%3)\n"
20218 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
20219 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
20220 " addl $-64, %0\n"
20221 " addl $64, %4\n"
20222 " addl $64, %3\n"
20223 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
20224 " shrl $2, %0\n"
20225 " andl $3, %%eax\n"
20226 " cld\n"
20227 + __COPYUSER_SET_ES
20228 "99: rep; movsl\n"
20229 "36: movl %%eax, %0\n"
20230 "37: rep; movsb\n"
20231 "100:\n"
20232 + __COPYUSER_RESTORE_ES
20233 + ".section .fixup,\"ax\"\n"
20234 + "101: lea 0(%%eax,%0,4),%0\n"
20235 + " jmp 100b\n"
20236 + ".previous\n"
20237 + ".section __ex_table,\"a\"\n"
20238 + " .align 4\n"
20239 + " .long 1b,100b\n"
20240 + " .long 2b,100b\n"
20241 + " .long 3b,100b\n"
20242 + " .long 4b,100b\n"
20243 + " .long 5b,100b\n"
20244 + " .long 6b,100b\n"
20245 + " .long 7b,100b\n"
20246 + " .long 8b,100b\n"
20247 + " .long 9b,100b\n"
20248 + " .long 10b,100b\n"
20249 + " .long 11b,100b\n"
20250 + " .long 12b,100b\n"
20251 + " .long 13b,100b\n"
20252 + " .long 14b,100b\n"
20253 + " .long 15b,100b\n"
20254 + " .long 16b,100b\n"
20255 + " .long 17b,100b\n"
20256 + " .long 18b,100b\n"
20257 + " .long 19b,100b\n"
20258 + " .long 20b,100b\n"
20259 + " .long 21b,100b\n"
20260 + " .long 22b,100b\n"
20261 + " .long 23b,100b\n"
20262 + " .long 24b,100b\n"
20263 + " .long 25b,100b\n"
20264 + " .long 26b,100b\n"
20265 + " .long 27b,100b\n"
20266 + " .long 28b,100b\n"
20267 + " .long 29b,100b\n"
20268 + " .long 30b,100b\n"
20269 + " .long 31b,100b\n"
20270 + " .long 32b,100b\n"
20271 + " .long 33b,100b\n"
20272 + " .long 34b,100b\n"
20273 + " .long 35b,100b\n"
20274 + " .long 36b,100b\n"
20275 + " .long 37b,100b\n"
20276 + " .long 99b,101b\n"
20277 + ".previous"
20278 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
20279 + : "1"(to), "2"(from), "0"(size)
20280 + : "eax", "edx", "memory");
20281 + return size;
20282 +}
20283 +
20284 +static unsigned long
20285 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
20286 +{
20287 + int d0, d1;
20288 + __asm__ __volatile__(
20289 + " .align 2,0x90\n"
20290 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
20291 + " cmpl $67, %0\n"
20292 + " jbe 3f\n"
20293 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
20294 + " .align 2,0x90\n"
20295 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
20296 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
20297 + "5: movl %%eax, 0(%3)\n"
20298 + "6: movl %%edx, 4(%3)\n"
20299 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
20300 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
20301 + "9: movl %%eax, 8(%3)\n"
20302 + "10: movl %%edx, 12(%3)\n"
20303 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
20304 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
20305 + "13: movl %%eax, 16(%3)\n"
20306 + "14: movl %%edx, 20(%3)\n"
20307 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
20308 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
20309 + "17: movl %%eax, 24(%3)\n"
20310 + "18: movl %%edx, 28(%3)\n"
20311 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
20312 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
20313 + "21: movl %%eax, 32(%3)\n"
20314 + "22: movl %%edx, 36(%3)\n"
20315 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
20316 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
20317 + "25: movl %%eax, 40(%3)\n"
20318 + "26: movl %%edx, 44(%3)\n"
20319 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
20320 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
20321 + "29: movl %%eax, 48(%3)\n"
20322 + "30: movl %%edx, 52(%3)\n"
20323 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
20324 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
20325 + "33: movl %%eax, 56(%3)\n"
20326 + "34: movl %%edx, 60(%3)\n"
20327 + " addl $-64, %0\n"
20328 + " addl $64, %4\n"
20329 + " addl $64, %3\n"
20330 + " cmpl $63, %0\n"
20331 + " ja 1b\n"
20332 + "35: movl %0, %%eax\n"
20333 + " shrl $2, %0\n"
20334 + " andl $3, %%eax\n"
20335 + " cld\n"
20336 + "99: rep; "__copyuser_seg" movsl\n"
20337 + "36: movl %%eax, %0\n"
20338 + "37: rep; "__copyuser_seg" movsb\n"
20339 + "100:\n"
20340 ".section .fixup,\"ax\"\n"
20341 "101: lea 0(%%eax,%0,4),%0\n"
20342 " jmp 100b\n"
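Review bot: With `__COPYUSER_RESTORE_ES` now sitting right after `100:` in `__generic_copy_to_user_intel`, every `.long Nb,100b` entry for labels 1–35 sends a fault from the unrolled loop, which runs before `__COPYUSER_SET_ES`, through the restore as well. That is only correct if the restore can run without a preceding set; the macro bodies are not visible in this hunk, so please confirm and record it, e.g. `/* RESTORE_ES is safe to run even if SET_ES was never reached */` above the `100:` label. `__generic_copy_from_user_intel` continues past the end of this hunk.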
20343 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
20344 int d0, d1;
20345 __asm__ __volatile__(
20346 " .align 2,0x90\n"
20347 - "0: movl 32(%4), %%eax\n"
20348 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20349 " cmpl $67, %0\n"
20350 " jbe 2f\n"
20351 - "1: movl 64(%4), %%eax\n"
20352 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20353 " .align 2,0x90\n"
20354 - "2: movl 0(%4), %%eax\n"
20355 - "21: movl 4(%4), %%edx\n"
20356 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20357 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20358 " movl %%eax, 0(%3)\n"
20359 " movl %%edx, 4(%3)\n"
20360 - "3: movl 8(%4), %%eax\n"
20361 - "31: movl 12(%4),%%edx\n"
20362 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20363 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20364 " movl %%eax, 8(%3)\n"
20365 " movl %%edx, 12(%3)\n"
20366 - "4: movl 16(%4), %%eax\n"
20367 - "41: movl 20(%4), %%edx\n"
20368 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20369 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20370 " movl %%eax, 16(%3)\n"
20371 " movl %%edx, 20(%3)\n"
20372 - "10: movl 24(%4), %%eax\n"
20373 - "51: movl 28(%4), %%edx\n"
20374 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20375 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20376 " movl %%eax, 24(%3)\n"
20377 " movl %%edx, 28(%3)\n"
20378 - "11: movl 32(%4), %%eax\n"
20379 - "61: movl 36(%4), %%edx\n"
20380 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20381 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20382 " movl %%eax, 32(%3)\n"
20383 " movl %%edx, 36(%3)\n"
20384 - "12: movl 40(%4), %%eax\n"
20385 - "71: movl 44(%4), %%edx\n"
20386 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20387 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20388 " movl %%eax, 40(%3)\n"
20389 " movl %%edx, 44(%3)\n"
20390 - "13: movl 48(%4), %%eax\n"
20391 - "81: movl 52(%4), %%edx\n"
20392 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20393 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20394 " movl %%eax, 48(%3)\n"
20395 " movl %%edx, 52(%3)\n"
20396 - "14: movl 56(%4), %%eax\n"
20397 - "91: movl 60(%4), %%edx\n"
20398 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20399 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20400 " movl %%eax, 56(%3)\n"
20401 " movl %%edx, 60(%3)\n"
20402 " addl $-64, %0\n"
20403 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
20404 " shrl $2, %0\n"
20405 " andl $3, %%eax\n"
20406 " cld\n"
20407 - "6: rep; movsl\n"
20408 + "6: rep; "__copyuser_seg" movsl\n"
20409 " movl %%eax,%0\n"
20410 - "7: rep; movsb\n"
20411 + "7: rep; "__copyuser_seg" movsb\n"
20412 "8:\n"
20413 ".section .fixup,\"ax\"\n"
20414 "9: lea 0(%%eax,%0,4),%0\n"
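Review bot: The from-user routines get their segment override by prefixing the string instruction (`rep; "__copyuser_seg" movsl`), while the to-user routine earlier in this patch switches ES instead, and nothing explains the difference. A segment prefix on `movs` only redirects the DS:ESI source; the ES:EDI destination cannot be overridden, which is presumably why the two directions are handled differently. A one-line comment above label 6, e.g. `/* override applies to the (%esi) source only */`, would save the next reader the lookup; the same goes for the identical hunks in the two `nocache` variants below.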
20415 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
20416
20417 __asm__ __volatile__(
20418 " .align 2,0x90\n"
20419 - "0: movl 32(%4), %%eax\n"
20420 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20421 " cmpl $67, %0\n"
20422 " jbe 2f\n"
20423 - "1: movl 64(%4), %%eax\n"
20424 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20425 " .align 2,0x90\n"
20426 - "2: movl 0(%4), %%eax\n"
20427 - "21: movl 4(%4), %%edx\n"
20428 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20429 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20430 " movnti %%eax, 0(%3)\n"
20431 " movnti %%edx, 4(%3)\n"
20432 - "3: movl 8(%4), %%eax\n"
20433 - "31: movl 12(%4),%%edx\n"
20434 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20435 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20436 " movnti %%eax, 8(%3)\n"
20437 " movnti %%edx, 12(%3)\n"
20438 - "4: movl 16(%4), %%eax\n"
20439 - "41: movl 20(%4), %%edx\n"
20440 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20441 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20442 " movnti %%eax, 16(%3)\n"
20443 " movnti %%edx, 20(%3)\n"
20444 - "10: movl 24(%4), %%eax\n"
20445 - "51: movl 28(%4), %%edx\n"
20446 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20447 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20448 " movnti %%eax, 24(%3)\n"
20449 " movnti %%edx, 28(%3)\n"
20450 - "11: movl 32(%4), %%eax\n"
20451 - "61: movl 36(%4), %%edx\n"
20452 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20453 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20454 " movnti %%eax, 32(%3)\n"
20455 " movnti %%edx, 36(%3)\n"
20456 - "12: movl 40(%4), %%eax\n"
20457 - "71: movl 44(%4), %%edx\n"
20458 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20459 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20460 " movnti %%eax, 40(%3)\n"
20461 " movnti %%edx, 44(%3)\n"
20462 - "13: movl 48(%4), %%eax\n"
20463 - "81: movl 52(%4), %%edx\n"
20464 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20465 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20466 " movnti %%eax, 48(%3)\n"
20467 " movnti %%edx, 52(%3)\n"
20468 - "14: movl 56(%4), %%eax\n"
20469 - "91: movl 60(%4), %%edx\n"
20470 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20471 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20472 " movnti %%eax, 56(%3)\n"
20473 " movnti %%edx, 60(%3)\n"
20474 " addl $-64, %0\n"
20475 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
20476 " shrl $2, %0\n"
20477 " andl $3, %%eax\n"
20478 " cld\n"
20479 - "6: rep; movsl\n"
20480 + "6: rep; "__copyuser_seg" movsl\n"
20481 " movl %%eax,%0\n"
20482 - "7: rep; movsb\n"
20483 + "7: rep; "__copyuser_seg" movsb\n"
20484 "8:\n"
20485 ".section .fixup,\"ax\"\n"
20486 "9: lea 0(%%eax,%0,4),%0\n"
20487 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
20488
20489 __asm__ __volatile__(
20490 " .align 2,0x90\n"
20491 - "0: movl 32(%4), %%eax\n"
20492 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
20493 " cmpl $67, %0\n"
20494 " jbe 2f\n"
20495 - "1: movl 64(%4), %%eax\n"
20496 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
20497 " .align 2,0x90\n"
20498 - "2: movl 0(%4), %%eax\n"
20499 - "21: movl 4(%4), %%edx\n"
20500 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
20501 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
20502 " movnti %%eax, 0(%3)\n"
20503 " movnti %%edx, 4(%3)\n"
20504 - "3: movl 8(%4), %%eax\n"
20505 - "31: movl 12(%4),%%edx\n"
20506 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
20507 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
20508 " movnti %%eax, 8(%3)\n"
20509 " movnti %%edx, 12(%3)\n"
20510 - "4: movl 16(%4), %%eax\n"
20511 - "41: movl 20(%4), %%edx\n"
20512 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
20513 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
20514 " movnti %%eax, 16(%3)\n"
20515 " movnti %%edx, 20(%3)\n"
20516 - "10: movl 24(%4), %%eax\n"
20517 - "51: movl 28(%4), %%edx\n"
20518 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
20519 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
20520 " movnti %%eax, 24(%3)\n"
20521 " movnti %%edx, 28(%3)\n"
20522 - "11: movl 32(%4), %%eax\n"
20523 - "61: movl 36(%4), %%edx\n"
20524 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
20525 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
20526 " movnti %%eax, 32(%3)\n"
20527 " movnti %%edx, 36(%3)\n"
20528 - "12: movl 40(%4), %%eax\n"
20529 - "71: movl 44(%4), %%edx\n"
20530 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
20531 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
20532 " movnti %%eax, 40(%3)\n"
20533 " movnti %%edx, 44(%3)\n"
20534 - "13: movl 48(%4), %%eax\n"
20535 - "81: movl 52(%4), %%edx\n"
20536 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
20537 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
20538 " movnti %%eax, 48(%3)\n"
20539 " movnti %%edx, 52(%3)\n"
20540 - "14: movl 56(%4), %%eax\n"
20541 - "91: movl 60(%4), %%edx\n"
20542 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
20543 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
20544 " movnti %%eax, 56(%3)\n"
20545 " movnti %%edx, 60(%3)\n"
20546 " addl $-64, %0\n"
20547 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
20548 " shrl $2, %0\n"
20549 " andl $3, %%eax\n"
20550 " cld\n"
20551 - "6: rep; movsl\n"
20552 + "6: rep; "__copyuser_seg" movsl\n"
20553 " movl %%eax,%0\n"
20554 - "7: rep; movsb\n"
20555 + "7: rep; "__copyuser_seg" movsb\n"
20556 "8:\n"
20557 ".section .fixup,\"ax\"\n"
20558 "9: lea 0(%%eax,%0,4),%0\n"
20559 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
20560 */
20561 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
20562 unsigned long size);
20563 -unsigned long __copy_user_intel(void __user *to, const void *from,
20564 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
20565 + unsigned long size);
20566 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
20567 unsigned long size);
20568 unsigned long __copy_user_zeroing_intel_nocache(void *to,
20569 const void __user *from, unsigned long size);
20570 #endif /* CONFIG_X86_INTEL_USERCOPY */
20571
20572 /* Generic arbitrary sized copy. */
20573 -#define __copy_user(to, from, size) \
20574 +#define __copy_user(to, from, size, prefix, set, restore) \
20575 do { \
20576 int __d0, __d1, __d2; \
20577 __asm__ __volatile__( \
20578 + set \
20579 " cmp $7,%0\n" \
20580 " jbe 1f\n" \
20581 " movl %1,%0\n" \
20582 " negl %0\n" \
20583 " andl $7,%0\n" \
20584 " subl %0,%3\n" \
20585 - "4: rep; movsb\n" \
20586 + "4: rep; "prefix"movsb\n" \
20587 " movl %3,%0\n" \
20588 " shrl $2,%0\n" \
20589 " andl $3,%3\n" \
20590 " .align 2,0x90\n" \
20591 - "0: rep; movsl\n" \
20592 + "0: rep; "prefix"movsl\n" \
20593 " movl %3,%0\n" \
20594 - "1: rep; movsb\n" \
20595 + "1: rep; "prefix"movsb\n" \
20596 "2:\n" \
20597 + restore \
20598 ".section .fixup,\"ax\"\n" \
20599 "5: addl %3,%0\n" \
20600 " jmp 2b\n" \
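Review bot: The new `prefix`, `set` and `restore` parameters of `__copy_user()` are spliced into the asm template as raw string literals, and nothing at the definition says what each may contain. `prefix` is pasted directly in front of the mnemonic (`"4: rep; "prefix"movsb\n"`), so it has to be empty or bring its own trailing separator, and `restore` sits after label `2:`, so the `.fixup` path that jumps to `2b` also runs it. I would add a comment above the macro along the lines of `/* prefix: override for the user-side operand or ""; set/restore: asm fragments run before the copy and at the common exit (also reached from .fixup), or "" */`. The zeroing variant in the next hunk hard-codes `__copyuser_seg` instead of taking the same parameters, and the macro body continues past the end of this hunk.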
20601 @@ -682,14 +799,14 @@ do { \
20602 " negl %0\n" \
20603 " andl $7,%0\n" \
20604 " subl %0,%3\n" \
20605 - "4: rep; movsb\n" \
20606 + "4: rep; "__copyuser_seg"movsb\n" \
20607 " movl %3,%0\n" \
20608 " shrl $2,%0\n" \
20609 " andl $3,%3\n" \
20610 " .align 2,0x90\n" \
20611 - "0: rep; movsl\n" \
20612 + "0: rep; "__copyuser_seg"movsl\n" \
20613 " movl %3,%0\n" \
20614 - "1: rep; movsb\n" \
20615 + "1: rep; "__copyuser_seg"movsb\n" \
20616 "2:\n" \
20617 ".section .fixup,\"ax\"\n" \
20618 "5: addl %3,%0\n" \
20619 @@ -775,9 +892,9 @@ survive:
20620 }
20621 #endif
20622 if (movsl_is_ok(to, from, n))
20623 - __copy_user(to, from, n);
20624 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
20625 else
20626 - n = __copy_user_intel(to, from, n);
20627 + n = __generic_copy_to_user_intel(to, from, n);
20628 return n;
20629 }
20630 EXPORT_SYMBOL(__copy_to_user_ll);
20631 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
20632 unsigned long n)
20633 {
20634 if (movsl_is_ok(to, from, n))
20635 - __copy_user(to, from, n);
20636 + __copy_user(to, from, n, __copyuser_seg, "", "");
20637 else
20638 - n = __copy_user_intel((void __user *)to,
20639 - (const void *)from, n);
20640 + n = __generic_copy_from_user_intel(to, from, n);
20641 return n;
20642 }
20643 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
20644 @@ -827,59 +943,38 @@ unsigned long __copy_from_user_ll_nocach
20645 if (n > 64 && cpu_has_xmm2)
20646 n = __copy_user_intel_nocache(to, from, n);
20647 else
20648 - __copy_user(to, from, n);
20649 + __copy_user(to, from, n, __copyuser_seg, "", "");
20650 #else
20651 - __copy_user(to, from, n);
20652 + __copy_user(to, from, n, __copyuser_seg, "", "");
20653 #endif
20654 return n;
20655 }
20656 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
20657
20658 -/**
20659 - * copy_to_user: - Copy a block of data into user space.
20660 - * @to: Destination address, in user space.
20661 - * @from: Source address, in kernel space.
20662 - * @n: Number of bytes to copy.
20663 - *
20664 - * Context: User context only. This function may sleep.
20665 - *
20666 - * Copy data from kernel space to user space.
20667 - *
20668 - * Returns number of bytes that could not be copied.
20669 - * On success, this will be zero.
20670 - */
20671 -unsigned long
20672 -copy_to_user(void __user *to, const void *from, unsigned long n)
20673 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20674 +void __set_fs(mm_segment_t x)
20675 {
20676 - if (access_ok(VERIFY_WRITE, to, n))
20677 - n = __copy_to_user(to, from, n);
20678 - return n;
20679 + switch (x.seg) {
20680 + case 0:
20681 + loadsegment(gs, 0);
20682 + break;
20683 + case TASK_SIZE_MAX:
20684 + loadsegment(gs, __USER_DS);
20685 + break;
20686 + case -1UL:
20687 + loadsegment(gs, __KERNEL_DS);
20688 + break;
20689 + default:
20690 + BUG();
20691 + }
20692 + return;
20693 }
20694 -EXPORT_SYMBOL(copy_to_user);
20695 +EXPORT_SYMBOL(__set_fs);
20696
20697 -/**
20698 - * copy_from_user: - Copy a block of data from user space.
20699 - * @to: Destination address, in kernel space.
20700 - * @from: Source address, in user space.
20701 - * @n: Number of bytes to copy.
20702 - *
20703 - * Context: User context only. This function may sleep.
20704 - *
20705 - * Copy data from user space to kernel space.
20706 - *
20707 - * Returns number of bytes that could not be copied.
20708 - * On success, this will be zero.
20709 - *
20710 - * If some data could not be copied, this function will pad the copied
20711 - * data to the requested size using zero bytes.
20712 - */
20713 -unsigned long
20714 -copy_from_user(void *to, const void __user *from, unsigned long n)
20715 +void set_fs(mm_segment_t x)
20716 {
20717 - if (access_ok(VERIFY_READ, from, n))
20718 - n = __copy_from_user(to, from, n);
20719 - else
20720 - memset(to, 0, n);
20721 - return n;
20722 + current_thread_info()->addr_limit = x;
20723 + __set_fs(x);
20724 }
20725 -EXPORT_SYMBOL(copy_from_user);
20726 +EXPORT_SYMBOL(set_fs);
20727 +#endif
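Review bot: `__set_fs()` and `set_fs()` are exported without any comment, while this hunk removes the kernel-doc of the functions they replace in the file. `__set_fs()` accepts exactly three `x.seg` values and calls `BUG()` for anything else, which is a contract every caller has to know; a header such as `/* Load %gs to match the address limit: 0 -> null selector, TASK_SIZE_MAX -> __USER_DS, -1UL -> __KERNEL_DS; any other limit is a bug. */` would state it. `set_fs()` writes `addr_limit` and reloads the segment as two separate steps, so the comment should also say whether an interrupt or preemption between them is harmless. The trailing `return;` in `__set_fs()` can be dropped.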
20728 diff -urNp linux-2.6.32.46/arch/x86/lib/usercopy_64.c linux-2.6.32.46/arch/x86/lib/usercopy_64.c
20729 --- linux-2.6.32.46/arch/x86/lib/usercopy_64.c 2011-03-27 14:31:47.000000000 -0400
20730 +++ linux-2.6.32.46/arch/x86/lib/usercopy_64.c 2011-05-04 17:56:20.000000000 -0400
20731 @@ -42,6 +42,12 @@ long
20732 __strncpy_from_user(char *dst, const char __user *src, long count)
20733 {
20734 long res;
20735 +
20736 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20737 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
20738 + src += PAX_USER_SHADOW_BASE;
20739 +#endif
20740 +
20741 __do_strncpy_from_user(dst, src, count, res);
20742 return res;
20743 }
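Review bot: The UDEREF rebase only shifts `src` when it is below `PAX_USER_SHADOW_BASE`; a pointer at or above that value is passed to `__do_strncpy_from_user()` unchanged, and this double-underscore entry point has no `access_ok()` in view. If every caller validates the range first that is fine, but the assumption belongs next to the check, e.g. `/* caller has done access_ok(); pointers already in the shadow range are used as-is */`. The same three-line pattern is repeated in `__clear_user()` and twice in `copy_in_user()` in the following hunks, so one shared helper macro would keep the four sites from drifting apart.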
20744 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
20745 {
20746 long __d0;
20747 might_fault();
20748 +
20749 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20750 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
20751 + addr += PAX_USER_SHADOW_BASE;
20752 +#endif
20753 +
20754 /* no memory constraint because it doesn't change any memory gcc knows
20755 about */
20756 asm volatile(
20757 @@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
20758
20759 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
20760 {
20761 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
20762 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
20763 +
20764 +#ifdef CONFIG_PAX_MEMORY_UDEREF
20765 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
20766 + to += PAX_USER_SHADOW_BASE;
20767 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
20768 + from += PAX_USER_SHADOW_BASE;
20769 +#endif
20770 +
20771 return copy_user_generic((__force void *)to, (__force void *)from, len);
20772 - }
20773 - return len;
20774 + }
20775 + return len;
20776 }
20777 EXPORT_SYMBOL(copy_in_user);
20778
20779 diff -urNp linux-2.6.32.46/arch/x86/Makefile linux-2.6.32.46/arch/x86/Makefile
20780 --- linux-2.6.32.46/arch/x86/Makefile 2011-03-27 14:31:47.000000000 -0400
20781 +++ linux-2.6.32.46/arch/x86/Makefile 2011-07-19 18:16:02.000000000 -0400
20782 @@ -44,6 +44,7 @@ ifeq ($(CONFIG_X86_32),y)
20783 else
20784 BITS := 64
20785 UTS_MACHINE := x86_64
20786 + biarch := $(call cc-option,-m64)
20787 CHECKFLAGS += -D__x86_64__ -m64
20788
20789 KBUILD_AFLAGS += -m64
20790 @@ -189,3 +190,12 @@ define archhelp
20791 echo ' FDARGS="..." arguments for the booted kernel'
20792 echo ' FDINITRD=file initrd for the booted kernel'
20793 endef
20794 +
20795 +define OLD_LD
20796 +
20797 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
20798 +*** Please upgrade your binutils to 2.18 or newer
20799 +endef
20800 +
20801 +archprepare:
20802 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
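Review bot: The `archprepare` rule aborts when `LDFLAGS_BUILD_ID` is empty, but the message it prints talks about binutils older than 2.18, and the hunk does not say how the two are related. A one-line comment above the rule, `# LDFLAGS_BUILD_ID is empty when the linker lacks --build-id; used here as the "binutils too old" probe`, would make the proxy explicit (assuming that is the intent). The message would also be easier to act on if it named the linker that was probed, `$(LD)`.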
20803 diff -urNp linux-2.6.32.46/arch/x86/mm/extable.c linux-2.6.32.46/arch/x86/mm/extable.c
20804 --- linux-2.6.32.46/arch/x86/mm/extable.c 2011-03-27 14:31:47.000000000 -0400
20805 +++ linux-2.6.32.46/arch/x86/mm/extable.c 2011-04-17 15:56:46.000000000 -0400
20806 @@ -1,14 +1,71 @@
20807 #include <linux/module.h>
20808 #include <linux/spinlock.h>
20809 +#include <linux/sort.h>
20810 #include <asm/uaccess.h>
20811 +#include <asm/pgtable.h>
20812
20813 +/*
20814 + * The exception table needs to be sorted so that the binary
20815 + * search that we use to find entries in it works properly.
20816 + * This is used both for the kernel exception table and for
20817 + * the exception tables of modules that get loaded.
20818 + */
20819 +static int cmp_ex(const void *a, const void *b)
20820 +{
20821 + const struct exception_table_entry *x = a, *y = b;
20822 +
20823 + /* avoid overflow */
20824 + if (x->insn > y->insn)
20825 + return 1;
20826 + if (x->insn < y->insn)
20827 + return -1;
20828 + return 0;
20829 +}
20830 +
20831 +static void swap_ex(void *a, void *b, int size)
20832 +{
20833 + struct exception_table_entry t, *x = a, *y = b;
20834 +
20835 + t = *x;
20836 +
20837 + pax_open_kernel();
20838 + *x = *y;
20839 + *y = t;
20840 + pax_close_kernel();
20841 +}
20842 +
20843 +void sort_extable(struct exception_table_entry *start,
20844 + struct exception_table_entry *finish)
20845 +{
20846 + sort(start, finish - start, sizeof(struct exception_table_entry),
20847 + cmp_ex, swap_ex);
20848 +}
20849 +
20850 +#ifdef CONFIG_MODULES
20851 +/*
20852 + * If the exception table is sorted, any referring to the module init
20853 + * will be at the beginning or the end.
20854 + */
20855 +void trim_init_extable(struct module *m)
20856 +{
20857 + /*trim the beginning*/
20858 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
20859 + m->extable++;
20860 + m->num_exentries--;
20861 + }
20862 + /*trim the end*/
20863 + while (m->num_exentries &&
20864 + within_module_init(m->extable[m->num_exentries-1].insn, m))
20865 + m->num_exentries--;
20866 +}
20867 +#endif /* CONFIG_MODULES */
20868
20869 int fixup_exception(struct pt_regs *regs)
20870 {
20871 const struct exception_table_entry *fixup;
20872
20873 #ifdef CONFIG_PNPBIOS
20874 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
20875 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
20876 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
20877 extern u32 pnp_bios_is_utter_crap;
20878 pnp_bios_is_utter_crap = 1;
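Review bot: `swap_ex()` carries no comment on why a custom swap is needed or why its two stores are bracketed by `pax_open_kernel()`/`pax_close_kernel()`; the block comment above `cmp_ex()` only explains the sorting. Presumably the table sits in memory that is otherwise write-protected, and the point a maintainer must not miss is that the window stays as narrow as the two assignments. I would add `/* the table is written inside a pax_open_kernel() window; keep only the two stores inside it */` above the function and note that the `size` argument is deliberately unused. `fixup_exception()` continues outside this hunk.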
20879 diff -urNp linux-2.6.32.46/arch/x86/mm/fault.c linux-2.6.32.46/arch/x86/mm/fault.c
20880 --- linux-2.6.32.46/arch/x86/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
20881 +++ linux-2.6.32.46/arch/x86/mm/fault.c 2011-08-17 20:06:44.000000000 -0400
20882 @@ -11,10 +11,19 @@
20883 #include <linux/kprobes.h> /* __kprobes, ... */
20884 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
20885 #include <linux/perf_event.h> /* perf_sw_event */
20886 +#include <linux/unistd.h>
20887 +#include <linux/compiler.h>
20888
20889 #include <asm/traps.h> /* dotraplinkage, ... */
20890 #include <asm/pgalloc.h> /* pgd_*(), ... */
20891 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
20892 +#include <asm/vsyscall.h>
20893 +#include <asm/tlbflush.h>
20894 +
20895 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20896 +#include <asm/stacktrace.h>
20897 +#include "../kernel/dumpstack.h"
20898 +#endif
20899
20900 /*
20901 * Page fault error code bits:
20902 @@ -51,7 +60,7 @@ static inline int notify_page_fault(stru
20903 int ret = 0;
20904
20905 /* kprobe_running() needs smp_processor_id() */
20906 - if (kprobes_built_in() && !user_mode_vm(regs)) {
20907 + if (kprobes_built_in() && !user_mode(regs)) {
20908 preempt_disable();
20909 if (kprobe_running() && kprobe_fault_handler(regs, 14))
20910 ret = 1;
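Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` is only behaviour-preserving for vm86 frames if `user_mode()` itself is changed elsewhere in this patch to cover them, and nothing in this hunk shows that. On an unmodified 32-bit tree `user_mode()` looks only at the CS privilege bits, so a vm86 fault would be classified as a kernel fault here and offered to kprobes. A comment at the call, `/* user_mode() covers vm86 frames in this tree */`, would make the dependency visible. The same substitution appears in the `do_page_fault()` hunk at `@@ -1026,7 +1287,7 @@`; both functions start outside their hunks.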
20911 @@ -112,7 +121,10 @@ check_prefetch_opcode(struct pt_regs *re
20912 return !instr_lo || (instr_lo>>1) == 1;
20913 case 0x00:
20914 /* Prefetch instruction is 0x0F0D or 0x0F18 */
20915 - if (probe_kernel_address(instr, opcode))
20916 + if (user_mode(regs)) {
20917 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
20918 + return 0;
20919 + } else if (probe_kernel_address(instr, opcode))
20920 return 0;
20921
20922 *prefetch = (instr_lo == 0xF) &&
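Review bot: The user-mode branch reads the opcode with `__copy_from_user_inatomic()`, which performs no range check of its own, on a pointer that is force-cast from `instr`. Whether `instr` has already been bounded to the user address range is decided in code outside this hunk, so the call site should say so, e.g. `/* instr was checked against the user address limit by is_prefetch() */`, or repeat the check if that is not guaranteed. The same `if (user_mode(regs)) { … } else if (probe_kernel_address(…))` construct is duplicated in the `is_prefetch()` hunk that follows; a small static helper returning non-zero on failure would keep the two copies identical.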
20923 @@ -146,7 +158,10 @@ is_prefetch(struct pt_regs *regs, unsign
20924 while (instr < max_instr) {
20925 unsigned char opcode;
20926
20927 - if (probe_kernel_address(instr, opcode))
20928 + if (user_mode(regs)) {
20929 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
20930 + break;
20931 + } else if (probe_kernel_address(instr, opcode))
20932 break;
20933
20934 instr++;
20935 @@ -172,6 +187,30 @@ force_sig_info_fault(int si_signo, int s
20936 force_sig_info(si_signo, &info, tsk);
20937 }
20938
20939 +#ifdef CONFIG_PAX_EMUTRAMP
20940 +static int pax_handle_fetch_fault(struct pt_regs *regs);
20941 +#endif
20942 +
20943 +#ifdef CONFIG_PAX_PAGEEXEC
20944 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
20945 +{
20946 + pgd_t *pgd;
20947 + pud_t *pud;
20948 + pmd_t *pmd;
20949 +
20950 + pgd = pgd_offset(mm, address);
20951 + if (!pgd_present(*pgd))
20952 + return NULL;
20953 + pud = pud_offset(pgd, address);
20954 + if (!pud_present(*pud))
20955 + return NULL;
20956 + pmd = pmd_offset(pud, address);
20957 + if (!pmd_present(*pmd))
20958 + return NULL;
20959 + return pmd;
20960 +}
20961 +#endif
20962 +
20963 DEFINE_SPINLOCK(pgd_lock);
20964 LIST_HEAD(pgd_list);
20965
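Review bot: `pax_get_pmd()` walks pgd, pud and pmd without taking a lock and does not say what the caller must hold. Its visible user in this file calls `up_read(&mm->mmap_sem)` on its exit paths, which suggests the semaphore is expected to be held, so I would document that: `/* Caller must hold mm->mmap_sem. Returns NULL if any level is not present. */`. The walk checks only the `*_present()` predicates; if a large-page pmd can appear for the addresses passed in, the later `pte_offset_map_lock()` on the result would be wrong, so either a `pmd_large()` test or a comment ruling it out is needed. Kernel style would also write the declarator as `pmd_t *pax_get_pmd(...)`.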
20966 @@ -224,11 +263,24 @@ void vmalloc_sync_all(void)
20967 address += PMD_SIZE) {
20968
20969 unsigned long flags;
20970 +
20971 +#ifdef CONFIG_PAX_PER_CPU_PGD
20972 + unsigned long cpu;
20973 +#else
20974 struct page *page;
20975 +#endif
20976
20977 spin_lock_irqsave(&pgd_lock, flags);
20978 +
20979 +#ifdef CONFIG_PAX_PER_CPU_PGD
20980 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
20981 + pgd_t *pgd = get_cpu_pgd(cpu);
20982 +#else
20983 list_for_each_entry(page, &pgd_list, lru) {
20984 - if (!vmalloc_sync_one(page_address(page), address))
20985 + pgd_t *pgd = page_address(page);
20986 +#endif
20987 +
20988 + if (!vmalloc_sync_one(pgd, address))
20989 break;
20990 }
20991 spin_unlock_irqrestore(&pgd_lock, flags);
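Review bot: The per-CPU branch runs `cpu` from 0 to `NR_CPUS` and calls `get_cpu_pgd(cpu)` for every index, including CPUs that may never exist on the running machine. Whether `vmalloc_sync_one()` can then be handed an unpopulated table depends on how `get_cpu_pgd()` is backed, which is not visible here; `for_each_possible_cpu(cpu)` or a comment stating that the storage is statically sized for `NR_CPUS` would settle it. The loop's opening brace now lives in both `#ifdef` arms with one shared closing brace, which is easy to break in a later edit; declaring `pgd` once before the loop body would avoid that. The 64-bit `vmalloc_sync_all()` hunk at `@@ -332,15 +389,27 @@` has the same shape, and the function starts outside both hunks.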
20992 @@ -258,6 +310,11 @@ static noinline int vmalloc_fault(unsign
20993 * an interrupt in the middle of a task switch..
20994 */
20995 pgd_paddr = read_cr3();
20996 +
20997 +#ifdef CONFIG_PAX_PER_CPU_PGD
20998 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
20999 +#endif
21000 +
21001 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
21002 if (!pmd_k)
21003 return -1;
21004 @@ -332,15 +389,27 @@ void vmalloc_sync_all(void)
21005
21006 const pgd_t *pgd_ref = pgd_offset_k(address);
21007 unsigned long flags;
21008 +
21009 +#ifdef CONFIG_PAX_PER_CPU_PGD
21010 + unsigned long cpu;
21011 +#else
21012 struct page *page;
21013 +#endif
21014
21015 if (pgd_none(*pgd_ref))
21016 continue;
21017
21018 spin_lock_irqsave(&pgd_lock, flags);
21019 +
21020 +#ifdef CONFIG_PAX_PER_CPU_PGD
21021 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
21022 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
21023 +#else
21024 list_for_each_entry(page, &pgd_list, lru) {
21025 pgd_t *pgd;
21026 pgd = (pgd_t *)page_address(page) + pgd_index(address);
21027 +#endif
21028 +
21029 if (pgd_none(*pgd))
21030 set_pgd(pgd, *pgd_ref);
21031 else
21032 @@ -373,7 +442,14 @@ static noinline int vmalloc_fault(unsign
21033 * happen within a race in page table update. In the later
21034 * case just flush:
21035 */
21036 +
21037 +#ifdef CONFIG_PAX_PER_CPU_PGD
21038 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
21039 + pgd = pgd_offset_cpu(smp_processor_id(), address);
21040 +#else
21041 pgd = pgd_offset(current->active_mm, address);
21042 +#endif
21043 +
21044 pgd_ref = pgd_offset_k(address);
21045 if (pgd_none(*pgd_ref))
21046 return -1;
21047 @@ -535,7 +611,7 @@ static int is_errata93(struct pt_regs *r
21048 static int is_errata100(struct pt_regs *regs, unsigned long address)
21049 {
21050 #ifdef CONFIG_X86_64
21051 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
21052 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
21053 return 1;
21054 #endif
21055 return 0;
21056 @@ -562,7 +638,7 @@ static int is_f00f_bug(struct pt_regs *r
21057 }
21058
21059 static const char nx_warning[] = KERN_CRIT
21060 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
21061 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
21062
21063 static void
21064 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
21065 @@ -571,15 +647,26 @@ show_fault_oops(struct pt_regs *regs, un
21066 if (!oops_may_print())
21067 return;
21068
21069 - if (error_code & PF_INSTR) {
21070 + if (nx_enabled && (error_code & PF_INSTR)) {
21071 unsigned int level;
21072
21073 pte_t *pte = lookup_address(address, &level);
21074
21075 if (pte && pte_present(*pte) && !pte_exec(*pte))
21076 - printk(nx_warning, current_uid());
21077 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
21078 }
21079
21080 +#ifdef CONFIG_PAX_KERNEXEC
21081 + if (init_mm.start_code <= address && address < init_mm.end_code) {
21082 + if (current->signal->curr_ip)
21083 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
21084 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
21085 + else
21086 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
21087 + current->comm, task_pid_nr(current), current_uid(), current_euid());
21088 + }
21089 +#endif
21090 +
21091 printk(KERN_ALERT "BUG: unable to handle kernel ");
21092 if (address < PAGE_SIZE)
21093 printk(KERN_CONT "NULL pointer dereference");
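Review bot: The new KERNEXEC block logs "attempted to modify kernel code" for any fault whose address lies in `[init_mm.start_code, init_mm.end_code)` and never looks at `error_code`. If a non-write fault in that range can reach `show_fault_oops()`, the message misstates what happened, which matters to anyone alerting on this line; adding the write bit to the test, `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code) {`, would keep it accurate. The two `printk()` calls differ only in the `From %pI4:` prefix and could share one format helper. The function body starts and ends outside the hunk.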
21094 @@ -704,6 +791,70 @@ __bad_area_nosemaphore(struct pt_regs *r
21095 unsigned long address, int si_code)
21096 {
21097 struct task_struct *tsk = current;
21098 +#if defined(CONFIG_X86_64) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21099 + struct mm_struct *mm = tsk->mm;
21100 +#endif
21101 +
21102 +#ifdef CONFIG_X86_64
21103 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
21104 + if (regs->ip == (unsigned long)vgettimeofday) {
21105 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
21106 + return;
21107 + } else if (regs->ip == (unsigned long)vtime) {
21108 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
21109 + return;
21110 + } else if (regs->ip == (unsigned long)vgetcpu) {
21111 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
21112 + return;
21113 + }
21114 + }
21115 +#endif
21116 +
21117 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21118 + if (mm && (error_code & PF_USER)) {
21119 + unsigned long ip = regs->ip;
21120 +
21121 + if (v8086_mode(regs))
21122 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
21123 +
21124 + /*
21125 + * It's possible to have interrupts off here:
21126 + */
21127 + local_irq_enable();
21128 +
21129 +#ifdef CONFIG_PAX_PAGEEXEC
21130 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
21131 + ((nx_enabled && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
21132 +
21133 +#ifdef CONFIG_PAX_EMUTRAMP
21134 + switch (pax_handle_fetch_fault(regs)) {
21135 + case 2:
21136 + return;
21137 + }
21138 +#endif
21139 +
21140 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
21141 + do_group_exit(SIGKILL);
21142 + }
21143 +#endif
21144 +
21145 +#ifdef CONFIG_PAX_SEGMEXEC
21146 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
21147 +
21148 +#ifdef CONFIG_PAX_EMUTRAMP
21149 + switch (pax_handle_fetch_fault(regs)) {
21150 + case 2:
21151 + return;
21152 + }
21153 +#endif
21154 +
21155 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
21156 + do_group_exit(SIGKILL);
21157 + }
21158 +#endif
21159 +
21160 + }
21161 +#endif
21162
21163 /* User mode accesses just cause a SIGSEGV */
21164 if (error_code & PF_USER) {
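Review bot: The result of `pax_handle_fetch_fault()` is consumed through `switch (...) { case 2: return; }` in both the PAGEEXEC and the SEGMEXEC arm, with 1 and 2 as bare numbers. `if (pax_handle_fetch_fault(regs) == 2) return;` says the same thing in one line, and named constants for "kill" and "trampoline emulated" would make the three call sites in this file self-explanatory (the third is in `pax_handle_pageexec_fault()`). The two arms are otherwise identical from the EMUTRAMP block through `do_group_exit(SIGKILL)` and could share a helper. The x86_64 block at the top rewrites `regs->ip` to a vDSO symbol without a comment explaining why a fetch fault at `vgettimeofday`, `vtime` or `vgetcpu` is expected; one sentence there would help. The function starts outside the hunk.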
21165 @@ -857,6 +1008,99 @@ static int spurious_fault_check(unsigned
21166 return 1;
21167 }
21168
21169 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21170 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
21171 +{
21172 + pte_t *pte;
21173 + pmd_t *pmd;
21174 + spinlock_t *ptl;
21175 + unsigned char pte_mask;
21176 +
21177 + if (nx_enabled || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
21178 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
21179 + return 0;
21180 +
21181 + /* PaX: it's our fault, let's handle it if we can */
21182 +
21183 + /* PaX: take a look at read faults before acquiring any locks */
21184 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
21185 + /* instruction fetch attempt from a protected page in user mode */
21186 + up_read(&mm->mmap_sem);
21187 +
21188 +#ifdef CONFIG_PAX_EMUTRAMP
21189 + switch (pax_handle_fetch_fault(regs)) {
21190 + case 2:
21191 + return 1;
21192 + }
21193 +#endif
21194 +
21195 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
21196 + do_group_exit(SIGKILL);
21197 + }
21198 +
21199 + pmd = pax_get_pmd(mm, address);
21200 + if (unlikely(!pmd))
21201 + return 0;
21202 +
21203 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
21204 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
21205 + pte_unmap_unlock(pte, ptl);
21206 + return 0;
21207 + }
21208 +
21209 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
21210 + /* write attempt to a protected page in user mode */
21211 + pte_unmap_unlock(pte, ptl);
21212 + return 0;
21213 + }
21214 +
21215 +#ifdef CONFIG_SMP
21216 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
21217 +#else
21218 + if (likely(address > get_limit(regs->cs)))
21219 +#endif
21220 + {
21221 + set_pte(pte, pte_mkread(*pte));
21222 + __flush_tlb_one(address);
21223 + pte_unmap_unlock(pte, ptl);
21224 + up_read(&mm->mmap_sem);
21225 + return 1;
21226 + }
21227 +
21228 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
21229 +
21230 + /*
21231 + * PaX: fill DTLB with user rights and retry
21232 + */
21233 + __asm__ __volatile__ (
21234 + "orb %2,(%1)\n"
21235 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
21236 +/*
21237 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
21238 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
21239 + * page fault when examined during a TLB load attempt. this is true not only
21240 + * for PTEs holding a non-present entry but also present entries that will
21241 + * raise a page fault (such as those set up by PaX, or the copy-on-write
21242 + * mechanism). in effect it means that we do *not* need to flush the TLBs
21243 + * for our target pages since their PTEs are simply not in the TLBs at all.
21244 +
21245 + * the best thing in omitting it is that we gain around 15-20% speed in the
21246 + * fast path of the page fault handler and can get rid of tracing since we
21247 + * can no longer flush unintended entries.
21248 + */
21249 + "invlpg (%0)\n"
21250 +#endif
21251 + __copyuser_seg"testb $0,(%0)\n"
21252 + "xorb %3,(%1)\n"
21253 + :
21254 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
21255 + : "memory", "cc");
21256 + pte_unmap_unlock(pte, ptl);
21257 + up_read(&mm->mmap_sem);
21258 + return 1;
21259 +}
21260 +#endif
21261 +
21262 /*
21263 * Handle a spurious fault caused by a stale TLB entry.
21264 *
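Review bot: `pax_handle_pageexec_fault()` has a locking contract that is not written down: every path that returns 1 has already called `up_read(&mm->mmap_sem)`, while every path that returns 0 leaves the semaphore held for the caller. The caller simply returns on a non-zero result, so a future early `return 1` without the `up_read()` would leak the lock; a header comment such as `/* Returns 1 if the fault was handled (mmap_sem released), 0 if the caller must continue with mmap_sem still held. */` would guard against that. The `pte_mask` expression `(error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1)` relies on the bit positions of `PF_WRITE` and the dirty bit lining up and deserves a one-line note saying so.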
21265 @@ -923,6 +1167,9 @@ int show_unhandled_signals = 1;
21266 static inline int
21267 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
21268 {
21269 + if (nx_enabled && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
21270 + return 1;
21271 +
21272 if (write) {
21273 /* write, present and write, not present: */
21274 if (unlikely(!(vma->vm_flags & VM_WRITE)))
21275 @@ -956,17 +1203,31 @@ do_page_fault(struct pt_regs *regs, unsi
21276 {
21277 struct vm_area_struct *vma;
21278 struct task_struct *tsk;
21279 - unsigned long address;
21280 struct mm_struct *mm;
21281 int write;
21282 int fault;
21283
21284 + /* Get the faulting address: */
21285 + unsigned long address = read_cr2();
21286 +
21287 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21288 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
21289 + if (!search_exception_tables(regs->ip)) {
21290 + bad_area_nosemaphore(regs, error_code, address);
21291 + return;
21292 + }
21293 + if (address < PAX_USER_SHADOW_BASE) {
21294 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
21295 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
21296 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
21297 + } else
21298 + address -= PAX_USER_SHADOW_BASE;
21299 + }
21300 +#endif
21301 +
21302 tsk = current;
21303 mm = tsk->mm;
21304
21305 - /* Get the faulting address: */
21306 - address = read_cr2();
21307 -
21308 /*
21309 * Detect and handle instructions that would cause a page fault for
21310 * both a tracked kernel page and a userspace page.
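Review bot: The UDEREF block handles two address ranges differently with no comment saying which is which: below `PAX_USER_SHADOW_BASE` it prints a report and carries on with the address unchanged, and between that and `2 * PAX_USER_SHADOW_BASE` it subtracts the base. A short comment before the `if`, e.g. `/* kernel-mode fault on a userland address: [0, BASE) is an unshadowed access and is reported, [BASE, 2*BASE) is a shadowed access and is mapped back */`, would make the intent checkable (wording to be confirmed by the author). The report path prints two lines and a stack trace with no rate limiting; if it can be hit repeatedly, wrapping it in `if (printk_ratelimit())` would protect the log. The function body continues outside the hunk.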
21311 @@ -1026,7 +1287,7 @@ do_page_fault(struct pt_regs *regs, unsi
21312 * User-mode registers count as a user access even for any
21313 * potential system fault or CPU buglet:
21314 */
21315 - if (user_mode_vm(regs)) {
21316 + if (user_mode(regs)) {
21317 local_irq_enable();
21318 error_code |= PF_USER;
21319 } else {
21320 @@ -1080,6 +1341,11 @@ do_page_fault(struct pt_regs *regs, unsi
21321 might_sleep();
21322 }
21323
21324 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
21325 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
21326 + return;
21327 +#endif
21328 +
21329 vma = find_vma(mm, address);
21330 if (unlikely(!vma)) {
21331 bad_area(regs, error_code, address);
21332 @@ -1091,18 +1357,24 @@ do_page_fault(struct pt_regs *regs, unsi
21333 bad_area(regs, error_code, address);
21334 return;
21335 }
21336 - if (error_code & PF_USER) {
21337 - /*
21338 - * Accessing the stack below %sp is always a bug.
21339 - * The large cushion allows instructions like enter
21340 - * and pusha to work. ("enter $65535, $31" pushes
21341 - * 32 pointers and then decrements %sp by 65535.)
21342 - */
21343 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
21344 - bad_area(regs, error_code, address);
21345 - return;
21346 - }
21347 + /*
21348 + * Accessing the stack below %sp is always a bug.
21349 + * The large cushion allows instructions like enter
21350 + * and pusha to work. ("enter $65535, $31" pushes
21351 + * 32 pointers and then decrements %sp by 65535.)
21352 + */
21353 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
21354 + bad_area(regs, error_code, address);
21355 + return;
21356 }
21357 +
21358 +#ifdef CONFIG_PAX_SEGMEXEC
21359 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
21360 + bad_area(regs, error_code, address);
21361 + return;
21362 + }
21363 +#endif
21364 +
21365 if (unlikely(expand_stack(vma, address))) {
21366 bad_area(regs, error_code, address);
21367 return;
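Review bot: The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` relies on unsigned wrap-around to fold a range check into one comparison and has no comment. It appears to reject a fault address and a vma end that fall on opposite sides of `SEGMEXEC_TASK_SIZE`; a line such as `/* unsigned wrap-around intended: refuse to grow a stack vma across the SEGMEXEC split */` would let a reviewer verify that without redoing the arithmetic. The stack-cushion check above it is now applied to kernel-mode faults as well and compares against `task_pt_regs(tsk)->sp` rather than `regs->sp`, but the retained comment still describes only user instructions and should mention why the saved user stack pointer is the right reference. The function starts and ends outside the hunk.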
21368 @@ -1146,3 +1418,199 @@ good_area:
21369
21370 up_read(&mm->mmap_sem);
21371 }
21372 +
21373 +#ifdef CONFIG_PAX_EMUTRAMP
21374 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
21375 +{
21376 + int err;
21377 +
21378 + do { /* PaX: gcc trampoline emulation #1 */
21379 + unsigned char mov1, mov2;
21380 + unsigned short jmp;
21381 + unsigned int addr1, addr2;
21382 +
21383 +#ifdef CONFIG_X86_64
21384 + if ((regs->ip + 11) >> 32)
21385 + break;
21386 +#endif
21387 +
21388 + err = get_user(mov1, (unsigned char __user *)regs->ip);
21389 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
21390 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
21391 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
21392 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
21393 +
21394 + if (err)
21395 + break;
21396 +
21397 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
21398 + regs->cx = addr1;
21399 + regs->ax = addr2;
21400 + regs->ip = addr2;
21401 + return 2;
21402 + }
21403 + } while (0);
21404 +
21405 + do { /* PaX: gcc trampoline emulation #2 */
21406 + unsigned char mov, jmp;
21407 + unsigned int addr1, addr2;
21408 +
21409 +#ifdef CONFIG_X86_64
21410 + if ((regs->ip + 9) >> 32)
21411 + break;
21412 +#endif
21413 +
21414 + err = get_user(mov, (unsigned char __user *)regs->ip);
21415 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
21416 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
21417 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
21418 +
21419 + if (err)
21420 + break;
21421 +
21422 + if (mov == 0xB9 && jmp == 0xE9) {
21423 + regs->cx = addr1;
21424 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
21425 + return 2;
21426 + }
21427 + } while (0);
21428 +
21429 + return 1; /* PaX in action */
21430 +}
21431 +
21432 +#ifdef CONFIG_X86_64
21433 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
21434 +{
21435 + int err;
21436 +
21437 + do { /* PaX: gcc trampoline emulation #1 */
21438 + unsigned short mov1, mov2, jmp1;
21439 + unsigned char jmp2;
21440 + unsigned int addr1;
21441 + unsigned long addr2;
21442 +
21443 + err = get_user(mov1, (unsigned short __user *)regs->ip);
21444 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
21445 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
21446 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
21447 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
21448 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
21449 +
21450 + if (err)
21451 + break;
21452 +
21453 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
21454 + regs->r11 = addr1;
21455 + regs->r10 = addr2;
21456 + regs->ip = addr1;
21457 + return 2;
21458 + }
21459 + } while (0);
21460 +
21461 + do { /* PaX: gcc trampoline emulation #2 */
21462 + unsigned short mov1, mov2, jmp1;
21463 + unsigned char jmp2;
21464 + unsigned long addr1, addr2;
21465 +
21466 + err = get_user(mov1, (unsigned short __user *)regs->ip);
21467 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
21468 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
21469 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
21470 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
21471 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
21472 +
21473 + if (err)
21474 + break;
21475 +
21476 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
21477 + regs->r11 = addr1;
21478 + regs->r10 = addr2;
21479 + regs->ip = addr1;
21480 + return 2;
21481 + }
21482 + } while (0);
21483 +
21484 + return 1; /* PaX in action */
21485 +}
21486 +#endif
21487 +
21488 +/*
21489 + * PaX: decide what to do with offenders (regs->ip = fault address)
21490 + *
21491 + * returns 1 when task should be killed
21492 + * 2 when gcc trampoline was detected
21493 + */
21494 +static int pax_handle_fetch_fault(struct pt_regs *regs)
21495 +{
21496 + if (v8086_mode(regs))
21497 + return 1;
21498 +
21499 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
21500 + return 1;
21501 +
21502 +#ifdef CONFIG_X86_32
21503 + return pax_handle_fetch_fault_32(regs);
21504 +#else
21505 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
21506 + return pax_handle_fetch_fault_32(regs);
21507 + else
21508 + return pax_handle_fetch_fault_64(regs);
21509 +#endif
21510 +}
21511 +#endif
21512 +
21513 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21514 +void pax_report_insns(void *pc, void *sp)
21515 +{
21516 + long i;
21517 +
21518 + printk(KERN_ERR "PAX: bytes at PC: ");
21519 + for (i = 0; i < 20; i++) {
21520 + unsigned char c;
21521 + if (get_user(c, (__force unsigned char __user *)pc+i))
21522 + printk(KERN_CONT "?? ");
21523 + else
21524 + printk(KERN_CONT "%02x ", c);
21525 + }
21526 + printk("\n");
21527 +
21528 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
21529 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
21530 + unsigned long c;
21531 + if (get_user(c, (__force unsigned long __user *)sp+i))
21532 +#ifdef CONFIG_X86_32
21533 + printk(KERN_CONT "???????? ");
21534 +#else
21535 + printk(KERN_CONT "???????????????? ");
21536 +#endif
21537 + else
21538 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
21539 + }
21540 + printk("\n");
21541 +}
21542 +#endif
21543 +
21544 +/**
21545 + * probe_kernel_write(): safely attempt to write to a location
21546 + * @dst: address to write to
21547 + * @src: pointer to the data that shall be written
21548 + * @size: size of the data chunk
21549 + *
21550 + * Safely write to address @dst from the buffer at @src. If a kernel fault
21551 + * happens, handle that and return -EFAULT.
21552 + */
21553 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
21554 +{
21555 + long ret;
21556 + mm_segment_t old_fs = get_fs();
21557 +
21558 + set_fs(KERNEL_DS);
21559 + pagefault_disable();
21560 + pax_open_kernel();
21561 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
21562 + pax_close_kernel();
21563 + pagefault_enable();
21564 + set_fs(old_fs);
21565 +
21566 + return ret ? -EFAULT : 0;
21567 +}
21568 diff -urNp linux-2.6.32.46/arch/x86/mm/gup.c linux-2.6.32.46/arch/x86/mm/gup.c
21569 --- linux-2.6.32.46/arch/x86/mm/gup.c 2011-03-27 14:31:47.000000000 -0400
21570 +++ linux-2.6.32.46/arch/x86/mm/gup.c 2011-04-17 15:56:46.000000000 -0400
21571 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
21572 addr = start;
21573 len = (unsigned long) nr_pages << PAGE_SHIFT;
21574 end = start + len;
21575 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
21576 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
21577 (void __user *)start, len)))
21578 return 0;
21579
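Review bot: The call site switches from `access_ok()` to `__access_ok()` without a comment, and the difference between the two is defined outside this hunk. This is the only range check before the lockless page-table walk, so the reason for the variant should be recorded next to it, e.g. `/* __access_ok(): <why plain access_ok() is unsuitable here> */`, along with confirmation that it still rejects kernel addresses. __get_user_pages_fast begins and ends outside the hunk.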
21580 diff -urNp linux-2.6.32.46/arch/x86/mm/highmem_32.c linux-2.6.32.46/arch/x86/mm/highmem_32.c
21581 --- linux-2.6.32.46/arch/x86/mm/highmem_32.c 2011-03-27 14:31:47.000000000 -0400
21582 +++ linux-2.6.32.46/arch/x86/mm/highmem_32.c 2011-04-17 15:56:46.000000000 -0400
21583 @@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
21584 idx = type + KM_TYPE_NR*smp_processor_id();
21585 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
21586 BUG_ON(!pte_none(*(kmap_pte-idx)));
21587 +
21588 + pax_open_kernel();
21589 set_pte(kmap_pte-idx, mk_pte(page, prot));
21590 + pax_close_kernel();
21591
21592 return (void *)vaddr;
21593 }
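Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair around `set_pte()` has no comment saying what it protects. Presumably the kmap page table is not writable while KERNEXEC is active, but the hunk does not show that. A one-line comment such as `/* PaX: kmap_pte is write-protected; keep only this store inside the window */` (wording to be confirmed by the author) would make it clear that nothing else belongs between the two calls. The same bare pairing is added in `set_pte_vaddr_pud()` (init_64.c) and `kmap_atomic_prot_pfn()` (iomap_32.c). kmap_atomic_prot begins outside the hunk.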
21594 diff -urNp linux-2.6.32.46/arch/x86/mm/hugetlbpage.c linux-2.6.32.46/arch/x86/mm/hugetlbpage.c
21595 --- linux-2.6.32.46/arch/x86/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
21596 +++ linux-2.6.32.46/arch/x86/mm/hugetlbpage.c 2011-04-17 15:56:46.000000000 -0400
21597 @@ -267,13 +267,20 @@ static unsigned long hugetlb_get_unmappe
21598 struct hstate *h = hstate_file(file);
21599 struct mm_struct *mm = current->mm;
21600 struct vm_area_struct *vma;
21601 - unsigned long start_addr;
21602 + unsigned long start_addr, pax_task_size = TASK_SIZE;
21603 +
21604 +#ifdef CONFIG_PAX_SEGMEXEC
21605 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
21606 + pax_task_size = SEGMEXEC_TASK_SIZE;
21607 +#endif
21608 +
21609 + pax_task_size -= PAGE_SIZE;
21610
21611 if (len > mm->cached_hole_size) {
21612 - start_addr = mm->free_area_cache;
21613 + start_addr = mm->free_area_cache;
21614 } else {
21615 - start_addr = TASK_UNMAPPED_BASE;
21616 - mm->cached_hole_size = 0;
21617 + start_addr = mm->mmap_base;
21618 + mm->cached_hole_size = 0;
21619 }
21620
21621 full_search:
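Review bot: `pax_task_size -= PAGE_SIZE;` shrinks the search limit by one page with no comment, and the same computation (`TASK_SIZE`, optional `SEGMEXEC_TASK_SIZE`, minus `PAGE_SIZE`) is repeated in the `hugetlb_get_unmapped_area` hunk further down. A short comment on why the last page is excluded, or one static helper returning the effective task size, would keep the two copies from drifting apart. The re-indented `start_addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` lines look like whitespace-only changes and add noise to a security-relevant hunk. The function continues outside the hunk.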
21622 @@ -281,26 +288,27 @@ full_search:
21623
21624 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
21625 /* At this point: (!vma || addr < vma->vm_end). */
21626 - if (TASK_SIZE - len < addr) {
21627 + if (pax_task_size - len < addr) {
21628 /*
21629 * Start a new search - just in case we missed
21630 * some holes.
21631 */
21632 - if (start_addr != TASK_UNMAPPED_BASE) {
21633 - start_addr = TASK_UNMAPPED_BASE;
21634 + if (start_addr != mm->mmap_base) {
21635 + start_addr = mm->mmap_base;
21636 mm->cached_hole_size = 0;
21637 goto full_search;
21638 }
21639 return -ENOMEM;
21640 }
21641 - if (!vma || addr + len <= vma->vm_start) {
21642 - mm->free_area_cache = addr + len;
21643 - return addr;
21644 - }
21645 + if (check_heap_stack_gap(vma, addr, len))
21646 + break;
21647 if (addr + mm->cached_hole_size < vma->vm_start)
21648 mm->cached_hole_size = vma->vm_start - addr;
21649 addr = ALIGN(vma->vm_end, huge_page_size(h));
21650 }
21651 +
21652 + mm->free_area_cache = addr + len;
21653 + return addr;
21654 }
21655
21656 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
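Review bot: The loop now leaves only through `check_heap_stack_gap(vma, addr, len)`, so the `vma->vm_start` and `vma->vm_end` reads after it are safe only if that helper returns true whenever `vma` is NULL. The removed `!vma ||` test made that explicit. The helper is defined outside this hunk, so this cannot be confirmed here; a comment at the call such as `/* check_heap_stack_gap() returns true for a NULL vma */` would document the dependency. The topdown hunk below relies on the same contract before it reads `vma->vm_end`.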
21657 @@ -309,10 +317,9 @@ static unsigned long hugetlb_get_unmappe
21658 {
21659 struct hstate *h = hstate_file(file);
21660 struct mm_struct *mm = current->mm;
21661 - struct vm_area_struct *vma, *prev_vma;
21662 - unsigned long base = mm->mmap_base, addr = addr0;
21663 + struct vm_area_struct *vma;
21664 + unsigned long base = mm->mmap_base, addr;
21665 unsigned long largest_hole = mm->cached_hole_size;
21666 - int first_time = 1;
21667
21668 /* don't allow allocations above current base */
21669 if (mm->free_area_cache > base)
21670 @@ -322,64 +329,63 @@ static unsigned long hugetlb_get_unmappe
21671 largest_hole = 0;
21672 mm->free_area_cache = base;
21673 }
21674 -try_again:
21675 +
21676 /* make sure it can fit in the remaining address space */
21677 if (mm->free_area_cache < len)
21678 goto fail;
21679
21680 /* either no address requested or cant fit in requested address hole */
21681 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
21682 + addr = (mm->free_area_cache - len);
21683 do {
21684 + addr &= huge_page_mask(h);
21685 + vma = find_vma(mm, addr);
21686 /*
21687 * Lookup failure means no vma is above this address,
21688 * i.e. return with success:
21689 - */
21690 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
21691 - return addr;
21692 -
21693 - /*
21694 * new region fits between prev_vma->vm_end and
21695 * vma->vm_start, use it:
21696 */
21697 - if (addr + len <= vma->vm_start &&
21698 - (!prev_vma || (addr >= prev_vma->vm_end))) {
21699 + if (check_heap_stack_gap(vma, addr, len)) {
21700 /* remember the address as a hint for next time */
21701 - mm->cached_hole_size = largest_hole;
21702 - return (mm->free_area_cache = addr);
21703 - } else {
21704 - /* pull free_area_cache down to the first hole */
21705 - if (mm->free_area_cache == vma->vm_end) {
21706 - mm->free_area_cache = vma->vm_start;
21707 - mm->cached_hole_size = largest_hole;
21708 - }
21709 + mm->cached_hole_size = largest_hole;
21710 + return (mm->free_area_cache = addr);
21711 + }
21712 + /* pull free_area_cache down to the first hole */
21713 + if (mm->free_area_cache == vma->vm_end) {
21714 + mm->free_area_cache = vma->vm_start;
21715 + mm->cached_hole_size = largest_hole;
21716 }
21717
21718 /* remember the largest hole we saw so far */
21719 if (addr + largest_hole < vma->vm_start)
21720 - largest_hole = vma->vm_start - addr;
21721 + largest_hole = vma->vm_start - addr;
21722
21723 /* try just below the current vma->vm_start */
21724 - addr = (vma->vm_start - len) & huge_page_mask(h);
21725 - } while (len <= vma->vm_start);
21726 + addr = skip_heap_stack_gap(vma, len);
21727 + } while (!IS_ERR_VALUE(addr));
21728
21729 fail:
21730 /*
21731 - * if hint left us with no space for the requested
21732 - * mapping then try again:
21733 - */
21734 - if (first_time) {
21735 - mm->free_area_cache = base;
21736 - largest_hole = 0;
21737 - first_time = 0;
21738 - goto try_again;
21739 - }
21740 - /*
21741 * A failed mmap() very likely causes application failure,
21742 * so fall back to the bottom-up function here. This scenario
21743 * can happen with large stack limits and large mmap()
21744 * allocations.
21745 */
21746 - mm->free_area_cache = TASK_UNMAPPED_BASE;
21747 +
21748 +#ifdef CONFIG_PAX_SEGMEXEC
21749 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
21750 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
21751 + else
21752 +#endif
21753 +
21754 + mm->mmap_base = TASK_UNMAPPED_BASE;
21755 +
21756 +#ifdef CONFIG_PAX_RANDMMAP
21757 + if (mm->pax_flags & MF_PAX_RANDMMAP)
21758 + mm->mmap_base += mm->delta_mmap;
21759 +#endif
21760 +
21761 + mm->free_area_cache = mm->mmap_base;
21762 mm->cached_hole_size = ~0UL;
21763 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
21764 len, pgoff, flags);
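Review bot: In the fallback path the `else` sits inside `#ifdef CONFIG_PAX_SEGMEXEC` while its body, `mm->mmap_base = TASK_UNMAPPED_BASE;`, comes after the `#endif` and a blank line. That is easy to misread and breaks silently if a statement is ever inserted between them. Assigning the default first and overriding it inside the `#ifdef` is safer: `mm->mmap_base = TASK_UNMAPPED_BASE;` followed by `if (mm->pax_flags & MF_PAX_SEGMEXEC) mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;`. The merged comment in the loop also still mentions `prev_vma->vm_end`, a variable this patch removes, and a return on lookup failure that the code no longer performs directly. The function starts and ends outside this hunk.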
21765 @@ -387,6 +393,7 @@ fail:
21766 /*
21767 * Restore the topdown base:
21768 */
21769 + mm->mmap_base = base;
21770 mm->free_area_cache = base;
21771 mm->cached_hole_size = ~0UL;
21772
21773 @@ -400,10 +407,19 @@ hugetlb_get_unmapped_area(struct file *f
21774 struct hstate *h = hstate_file(file);
21775 struct mm_struct *mm = current->mm;
21776 struct vm_area_struct *vma;
21777 + unsigned long pax_task_size = TASK_SIZE;
21778
21779 if (len & ~huge_page_mask(h))
21780 return -EINVAL;
21781 - if (len > TASK_SIZE)
21782 +
21783 +#ifdef CONFIG_PAX_SEGMEXEC
21784 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
21785 + pax_task_size = SEGMEXEC_TASK_SIZE;
21786 +#endif
21787 +
21788 + pax_task_size -= PAGE_SIZE;
21789 +
21790 + if (len > pax_task_size)
21791 return -ENOMEM;
21792
21793 if (flags & MAP_FIXED) {
21794 @@ -415,8 +431,7 @@ hugetlb_get_unmapped_area(struct file *f
21795 if (addr) {
21796 addr = ALIGN(addr, huge_page_size(h));
21797 vma = find_vma(mm, addr);
21798 - if (TASK_SIZE - len >= addr &&
21799 - (!vma || addr + len <= vma->vm_start))
21800 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
21801 return addr;
21802 }
21803 if (mm->get_unmapped_area == arch_get_unmapped_area)
21804 diff -urNp linux-2.6.32.46/arch/x86/mm/init_32.c linux-2.6.32.46/arch/x86/mm/init_32.c
21805 --- linux-2.6.32.46/arch/x86/mm/init_32.c 2011-03-27 14:31:47.000000000 -0400
21806 +++ linux-2.6.32.46/arch/x86/mm/init_32.c 2011-04-17 15:56:46.000000000 -0400
21807 @@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
21808 }
21809
21810 /*
21811 - * Creates a middle page table and puts a pointer to it in the
21812 - * given global directory entry. This only returns the gd entry
21813 - * in non-PAE compilation mode, since the middle layer is folded.
21814 - */
21815 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
21816 -{
21817 - pud_t *pud;
21818 - pmd_t *pmd_table;
21819 -
21820 -#ifdef CONFIG_X86_PAE
21821 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
21822 - if (after_bootmem)
21823 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
21824 - else
21825 - pmd_table = (pmd_t *)alloc_low_page();
21826 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
21827 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
21828 - pud = pud_offset(pgd, 0);
21829 - BUG_ON(pmd_table != pmd_offset(pud, 0));
21830 -
21831 - return pmd_table;
21832 - }
21833 -#endif
21834 - pud = pud_offset(pgd, 0);
21835 - pmd_table = pmd_offset(pud, 0);
21836 -
21837 - return pmd_table;
21838 -}
21839 -
21840 -/*
21841 * Create a page table and place a pointer to it in a middle page
21842 * directory entry:
21843 */
21844 @@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
21845 page_table = (pte_t *)alloc_low_page();
21846
21847 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
21848 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
21849 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
21850 +#else
21851 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
21852 +#endif
21853 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
21854 }
21855
21856 return pte_offset_kernel(pmd, 0);
21857 }
21858
21859 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
21860 +{
21861 + pud_t *pud;
21862 + pmd_t *pmd_table;
21863 +
21864 + pud = pud_offset(pgd, 0);
21865 + pmd_table = pmd_offset(pud, 0);
21866 +
21867 + return pmd_table;
21868 +}
21869 +
21870 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
21871 {
21872 int pgd_idx = pgd_index(vaddr);
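Review bot: The re-added `one_md_table_init()` has lost both its header comment and its PAE allocation path. It now only returns `pmd_offset(pud_offset(pgd, 0), 0)`, so it assumes the pgd entry is already populated. That precondition is presumably established elsewhere in the patch, but nothing here says so; a comment like `/* Look up the pmd table for @pgd; never allocates, the entry must already be present */` would stop a later caller from passing an empty entry. The `_KERNPG_TABLE` versus `_PAGE_TABLE` choice under the `CONFIG_PAX_PAGEEXEC || CONFIG_PAX_SEGMEXEC` conditional in `one_page_table_init()` also needs a line on which bit differs and why.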
21873 @@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
21874 int pgd_idx, pmd_idx;
21875 unsigned long vaddr;
21876 pgd_t *pgd;
21877 + pud_t *pud;
21878 pmd_t *pmd;
21879 pte_t *pte = NULL;
21880
21881 @@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
21882 pgd = pgd_base + pgd_idx;
21883
21884 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
21885 - pmd = one_md_table_init(pgd);
21886 - pmd = pmd + pmd_index(vaddr);
21887 + pud = pud_offset(pgd, vaddr);
21888 + pmd = pmd_offset(pud, vaddr);
21889 +
21890 +#ifdef CONFIG_X86_PAE
21891 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
21892 +#endif
21893 +
21894 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
21895 pmd++, pmd_idx++) {
21896 pte = page_table_kmap_check(one_page_table_init(pmd),
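Review bot: `paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT)` is now issued for every pgd slot the loop visits, whereas the removed `one_md_table_init()` issued it only right after allocating a new pmd page. If a paravirt backend treats the hook as a one-time registration, repeated calls for the same page could matter. The hunk does not show whether that is so, and a comment stating that the call is safe to repeat would settle it. The `kernel_physical_mapping_init` hunk below makes the same unconditional call inside its `repeat:` pass. page_table_range_init extends beyond the hunk.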
21897 @@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
21898 }
21899 }
21900
21901 -static inline int is_kernel_text(unsigned long addr)
21902 +static inline int is_kernel_text(unsigned long start, unsigned long end)
21903 {
21904 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
21905 - return 1;
21906 - return 0;
21907 + if ((start > ktla_ktva((unsigned long)_etext) ||
21908 + end <= ktla_ktva((unsigned long)_stext)) &&
21909 + (start > ktla_ktva((unsigned long)_einittext) ||
21910 + end <= ktla_ktva((unsigned long)_sinittext)) &&
21911 +
21912 +#ifdef CONFIG_ACPI_SLEEP
21913 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
21914 +#endif
21915 +
21916 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
21917 + return 0;
21918 + return 1;
21919 }
21920
21921 /*
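Review bot: `is_kernel_text()` now reports more than kernel text. It also returns 1 for any range overlapping `__va(0xc0000)` to `__va(0xfffff)` and, with `CONFIG_ACPI_SLEEP`, the `0x4000` bytes starting at `acpi_wakeup_address`, and the later hunks use the result to select the `_EXEC` protections. Because this function decides which kernel mappings stay executable, it should carry a comment listing each region and why it must be executable, and the bare constants should be named. The upper bounds test `start > …` rather than `start >= …`, so a range beginning exactly at `_etext` or `_einittext` still counts as text; if that is deliberately conservative, say so.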
21922 @@ -243,9 +243,10 @@ kernel_physical_mapping_init(unsigned lo
21923 int use_pse = page_size_mask == (1<<PG_LEVEL_2M);
21924 unsigned long start_pfn, end_pfn;
21925 pgd_t *pgd_base = swapper_pg_dir;
21926 - int pgd_idx, pmd_idx, pte_ofs;
21927 + unsigned int pgd_idx, pmd_idx, pte_ofs;
21928 unsigned long pfn;
21929 pgd_t *pgd;
21930 + pud_t *pud;
21931 pmd_t *pmd;
21932 pte_t *pte;
21933 unsigned pages_2m, pages_4k;
21934 @@ -278,8 +279,13 @@ repeat:
21935 pfn = start_pfn;
21936 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
21937 pgd = pgd_base + pgd_idx;
21938 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
21939 - pmd = one_md_table_init(pgd);
21940 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
21941 + pud = pud_offset(pgd, 0);
21942 + pmd = pmd_offset(pud, 0);
21943 +
21944 +#ifdef CONFIG_X86_PAE
21945 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
21946 +#endif
21947
21948 if (pfn >= end_pfn)
21949 continue;
21950 @@ -291,14 +297,13 @@ repeat:
21951 #endif
21952 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
21953 pmd++, pmd_idx++) {
21954 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
21955 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
21956
21957 /*
21958 * Map with big pages if possible, otherwise
21959 * create normal page tables:
21960 */
21961 if (use_pse) {
21962 - unsigned int addr2;
21963 pgprot_t prot = PAGE_KERNEL_LARGE;
21964 /*
21965 * first pass will use the same initial
21966 @@ -308,11 +313,7 @@ repeat:
21967 __pgprot(PTE_IDENT_ATTR |
21968 _PAGE_PSE);
21969
21970 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
21971 - PAGE_OFFSET + PAGE_SIZE-1;
21972 -
21973 - if (is_kernel_text(addr) ||
21974 - is_kernel_text(addr2))
21975 + if (is_kernel_text(address, address + PMD_SIZE))
21976 prot = PAGE_KERNEL_LARGE_EXEC;
21977
21978 pages_2m++;
21979 @@ -329,7 +330,7 @@ repeat:
21980 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
21981 pte += pte_ofs;
21982 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
21983 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
21984 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
21985 pgprot_t prot = PAGE_KERNEL;
21986 /*
21987 * first pass will use the same initial
21988 @@ -337,7 +338,7 @@ repeat:
21989 */
21990 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
21991
21992 - if (is_kernel_text(addr))
21993 + if (is_kernel_text(address, address + PAGE_SIZE))
21994 prot = PAGE_KERNEL_EXEC;
21995
21996 pages_4k++;
21997 @@ -489,7 +490,7 @@ void __init native_pagetable_setup_start
21998
21999 pud = pud_offset(pgd, va);
22000 pmd = pmd_offset(pud, va);
22001 - if (!pmd_present(*pmd))
22002 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
22003 break;
22004
22005 pte = pte_offset_kernel(pmd, va);
22006 @@ -541,9 +542,7 @@ void __init early_ioremap_page_table_ran
22007
22008 static void __init pagetable_init(void)
22009 {
22010 - pgd_t *pgd_base = swapper_pg_dir;
22011 -
22012 - permanent_kmaps_init(pgd_base);
22013 + permanent_kmaps_init(swapper_pg_dir);
22014 }
22015
22016 #ifdef CONFIG_ACPI_SLEEP
22017 @@ -551,12 +550,12 @@ static void __init pagetable_init(void)
22018 * ACPI suspend needs this for resume, because things like the intel-agp
22019 * driver might have split up a kernel 4MB mapping.
22020 */
22021 -char swsusp_pg_dir[PAGE_SIZE]
22022 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
22023 __attribute__ ((aligned(PAGE_SIZE)));
22024
22025 static inline void save_pg_dir(void)
22026 {
22027 - memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
22028 + clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
22029 }
22030 #else /* !CONFIG_ACPI_SLEEP */
22031 static inline void save_pg_dir(void)
22032 @@ -588,7 +587,7 @@ void zap_low_mappings(bool early)
22033 flush_tlb_all();
22034 }
22035
22036 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
22037 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
22038 EXPORT_SYMBOL_GPL(__supported_pte_mask);
22039
22040 /* user-defined highmem size */
22041 @@ -777,7 +776,7 @@ void __init setup_bootmem_allocator(void
22042 * Initialize the boot-time allocator (with low memory only):
22043 */
22044 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
22045 - bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
22046 + bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
22047 PAGE_SIZE);
22048 if (bootmap == -1L)
22049 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
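Review bot: The new lower bound `0x100000` passed to `find_e820_area()` is a bare constant with no stated reason. The `find_early_table_space` hunk in arch/x86/mm/init.c makes the same change with `start = 0x100000;`, replacing the per-architecture `0x7000`/`0x8000` values. Presumably the goal is to keep early allocations out of the first megabyte; a named constant or a comment such as `/* never place the bootmem map below 1MB */` in both places would make that intent checkable.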
22050 @@ -864,6 +863,12 @@ void __init mem_init(void)
22051
22052 pci_iommu_alloc();
22053
22054 +#ifdef CONFIG_PAX_PER_CPU_PGD
22055 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
22056 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22057 + KERNEL_PGD_PTRS);
22058 +#endif
22059 +
22060 #ifdef CONFIG_FLATMEM
22061 BUG_ON(!mem_map);
22062 #endif
22063 @@ -881,7 +886,7 @@ void __init mem_init(void)
22064 set_highmem_pages_init();
22065
22066 codesize = (unsigned long) &_etext - (unsigned long) &_text;
22067 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
22068 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
22069 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
22070
22071 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
22072 @@ -923,10 +928,10 @@ void __init mem_init(void)
22073 ((unsigned long)&__init_end -
22074 (unsigned long)&__init_begin) >> 10,
22075
22076 - (unsigned long)&_etext, (unsigned long)&_edata,
22077 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
22078 + (unsigned long)&_sdata, (unsigned long)&_edata,
22079 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
22080
22081 - (unsigned long)&_text, (unsigned long)&_etext,
22082 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
22083 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
22084
22085 /*
22086 @@ -1007,6 +1012,7 @@ void set_kernel_text_rw(void)
22087 if (!kernel_set_to_readonly)
22088 return;
22089
22090 + start = ktla_ktva(start);
22091 pr_debug("Set kernel text: %lx - %lx for read write\n",
22092 start, start+size);
22093
22094 @@ -1021,6 +1027,7 @@ void set_kernel_text_ro(void)
22095 if (!kernel_set_to_readonly)
22096 return;
22097
22098 + start = ktla_ktva(start);
22099 pr_debug("Set kernel text: %lx - %lx for read only\n",
22100 start, start+size);
22101
22102 @@ -1032,6 +1039,7 @@ void mark_rodata_ro(void)
22103 unsigned long start = PFN_ALIGN(_text);
22104 unsigned long size = PFN_ALIGN(_etext) - start;
22105
22106 + start = ktla_ktva(start);
22107 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
22108 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
22109 size >> 10);
22110 diff -urNp linux-2.6.32.46/arch/x86/mm/init_64.c linux-2.6.32.46/arch/x86/mm/init_64.c
22111 --- linux-2.6.32.46/arch/x86/mm/init_64.c 2011-04-17 17:00:52.000000000 -0400
22112 +++ linux-2.6.32.46/arch/x86/mm/init_64.c 2011-04-17 17:03:05.000000000 -0400
22113 @@ -164,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
22114 pmd = fill_pmd(pud, vaddr);
22115 pte = fill_pte(pmd, vaddr);
22116
22117 + pax_open_kernel();
22118 set_pte(pte, new_pte);
22119 + pax_close_kernel();
22120
22121 /*
22122 * It's enough to flush this one mapping.
22123 @@ -223,14 +225,12 @@ static void __init __init_extra_mapping(
22124 pgd = pgd_offset_k((unsigned long)__va(phys));
22125 if (pgd_none(*pgd)) {
22126 pud = (pud_t *) spp_getpage();
22127 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
22128 - _PAGE_USER));
22129 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
22130 }
22131 pud = pud_offset(pgd, (unsigned long)__va(phys));
22132 if (pud_none(*pud)) {
22133 pmd = (pmd_t *) spp_getpage();
22134 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
22135 - _PAGE_USER));
22136 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
22137 }
22138 pmd = pmd_offset(pud, phys);
22139 BUG_ON(!pmd_none(*pmd));
22140 @@ -675,6 +675,12 @@ void __init mem_init(void)
22141
22142 pci_iommu_alloc();
22143
22144 +#ifdef CONFIG_PAX_PER_CPU_PGD
22145 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
22146 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
22147 + KERNEL_PGD_PTRS);
22148 +#endif
22149 +
22150 /* clear_bss() already clear the empty_zero_page */
22151
22152 reservedpages = 0;
22153 @@ -861,8 +867,8 @@ int kern_addr_valid(unsigned long addr)
22154 static struct vm_area_struct gate_vma = {
22155 .vm_start = VSYSCALL_START,
22156 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
22157 - .vm_page_prot = PAGE_READONLY_EXEC,
22158 - .vm_flags = VM_READ | VM_EXEC
22159 + .vm_page_prot = PAGE_READONLY,
22160 + .vm_flags = VM_READ
22161 };
22162
22163 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
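Review bot: `gate_vma` drops `VM_EXEC` and moves from `PAGE_READONLY_EXEC` to `PAGE_READONLY` without a comment. This changes how the vsyscall range is described to every consumer of the gate vma. The hunk does not show whether the underlying mapping's protection changes as well, or how calls into that range are served afterwards. A short comment on the initializer should state which mechanism makes the non-executable description correct.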
22164 @@ -896,7 +902,7 @@ int in_gate_area_no_task(unsigned long a
22165
22166 const char *arch_vma_name(struct vm_area_struct *vma)
22167 {
22168 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
22169 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
22170 return "[vdso]";
22171 if (vma == &gate_vma)
22172 return "[vsyscall]";
22173 diff -urNp linux-2.6.32.46/arch/x86/mm/init.c linux-2.6.32.46/arch/x86/mm/init.c
22174 --- linux-2.6.32.46/arch/x86/mm/init.c 2011-04-17 17:00:52.000000000 -0400
22175 +++ linux-2.6.32.46/arch/x86/mm/init.c 2011-06-07 19:06:09.000000000 -0400
22176 @@ -69,11 +69,7 @@ static void __init find_early_table_spac
22177 * cause a hotspot and fill up ZONE_DMA. The page tables
22178 * need roughly 0.5KB per GB.
22179 */
22180 -#ifdef CONFIG_X86_32
22181 - start = 0x7000;
22182 -#else
22183 - start = 0x8000;
22184 -#endif
22185 + start = 0x100000;
22186 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
22187 tables, PAGE_SIZE);
22188 if (e820_table_start == -1UL)
22189 @@ -147,7 +143,7 @@ unsigned long __init_refok init_memory_m
22190 #endif
22191
22192 set_nx();
22193 - if (nx_enabled)
22194 + if (nx_enabled && cpu_has_nx)
22195 printk(KERN_INFO "NX (Execute Disable) protection: active\n");
22196
22197 /* Enable PSE if available */
22198 @@ -329,10 +325,27 @@ unsigned long __init_refok init_memory_m
22199 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
22200 * mmio resources as well as potential bios/acpi data regions.
22201 */
22202 +
22203 int devmem_is_allowed(unsigned long pagenr)
22204 {
22205 +#ifdef CONFIG_GRKERNSEC_KMEM
22206 + /* allow BDA */
22207 + if (!pagenr)
22208 + return 1;
22209 + /* allow EBDA */
22210 + if ((0x9f000 >> PAGE_SHIFT) == pagenr)
22211 + return 1;
22212 + /* allow ISA/video mem */
22213 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
22214 + return 1;
22215 + /* throw out everything else below 1MB */
22216 + if (pagenr <= 256)
22217 + return 0;
22218 +#else
22219 if (pagenr <= 256)
22220 return 1;
22221 +#endif
22222 +
22223 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
22224 return 0;
22225 if (!page_is_ram(pagenr))
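Review bot: The EBDA exception in the `CONFIG_GRKERNSEC_KMEM` branch is hard-coded to the single page at `0x9f000`, and nothing in the hunk justifies assuming the EBDA lives there, or is only one page, on every machine. The assumption should at least be recorded, e.g. `/* allow EBDA: assumes the conventional single page at 0x9f000 */`. Separately, `if (pagenr <= 256) return 0;` also rejects page 256, which is the first page at 1MB rather than below it, so the comment `below 1MB` does not match the test. Keeping the stricter test and correcting the comment is the safer fix. devmem_is_allowed continues outside the hunk.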
22226 @@ -379,6 +392,86 @@ void free_init_pages(char *what, unsigne
22227
22228 void free_initmem(void)
22229 {
22230 +
22231 +#ifdef CONFIG_PAX_KERNEXEC
22232 +#ifdef CONFIG_X86_32
22233 + /* PaX: limit KERNEL_CS to actual size */
22234 + unsigned long addr, limit;
22235 + struct desc_struct d;
22236 + int cpu;
22237 +
22238 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
22239 + limit = (limit - 1UL) >> PAGE_SHIFT;
22240 +
22241 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
22242 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
22243 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
22244 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
22245 + }
22246 +
22247 + /* PaX: make KERNEL_CS read-only */
22248 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
22249 + if (!paravirt_enabled())
22250 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
22251 +/*
22252 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
22253 + pgd = pgd_offset_k(addr);
22254 + pud = pud_offset(pgd, addr);
22255 + pmd = pmd_offset(pud, addr);
22256 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22257 + }
22258 +*/
22259 +#ifdef CONFIG_X86_PAE
22260 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
22261 +/*
22262 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
22263 + pgd = pgd_offset_k(addr);
22264 + pud = pud_offset(pgd, addr);
22265 + pmd = pmd_offset(pud, addr);
22266 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22267 + }
22268 +*/
22269 +#endif
22270 +
22271 +#ifdef CONFIG_MODULES
22272 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
22273 +#endif
22274 +
22275 +#else
22276 + pgd_t *pgd;
22277 + pud_t *pud;
22278 + pmd_t *pmd;
22279 + unsigned long addr, end;
22280 +
22281 + /* PaX: make kernel code/rodata read-only, rest non-executable */
22282 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
22283 + pgd = pgd_offset_k(addr);
22284 + pud = pud_offset(pgd, addr);
22285 + pmd = pmd_offset(pud, addr);
22286 + if (!pmd_present(*pmd))
22287 + continue;
22288 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
22289 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22290 + else
22291 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
22292 + }
22293 +
22294 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
22295 + end = addr + KERNEL_IMAGE_SIZE;
22296 + for (; addr < end; addr += PMD_SIZE) {
22297 + pgd = pgd_offset_k(addr);
22298 + pud = pud_offset(pgd, addr);
22299 + pmd = pmd_offset(pud, addr);
22300 + if (!pmd_present(*pmd))
22301 + continue;
22302 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
22303 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
22304 + }
22305 +#endif
22306 +
22307 + flush_tlb_all();
22308 +#endif
22309 +
22310 free_init_pages("unused kernel memory",
22311 (unsigned long)(&__init_begin),
22312 (unsigned long)(&__init_end));
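Review bot: `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE)` passes what appears to be an integer expression as the destination and does not say which page it poisons or why. An explicit cast with a comment would make the intent reviewable: `memset((void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET), POISON_FREE_INITMEM, PAGE_SIZE);`. The two commented-out `for (...) set_pmd(...)` loops are dead code beside the `set_memory_ro()`/`set_memory_nx()` calls and should be deleted rather than carried in a path that sets kernel memory protections. The `0x9B, 0xC` arguments to `pack_descriptor()` need a one-line comment naming the descriptor type and flags they encode. free_initmem continues past the hunk.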
22313 diff -urNp linux-2.6.32.46/arch/x86/mm/iomap_32.c linux-2.6.32.46/arch/x86/mm/iomap_32.c
22314 --- linux-2.6.32.46/arch/x86/mm/iomap_32.c 2011-03-27 14:31:47.000000000 -0400
22315 +++ linux-2.6.32.46/arch/x86/mm/iomap_32.c 2011-04-17 15:56:46.000000000 -0400
22316 @@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
22317 debug_kmap_atomic(type);
22318 idx = type + KM_TYPE_NR * smp_processor_id();
22319 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
22320 +
22321 + pax_open_kernel();
22322 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
22323 + pax_close_kernel();
22324 +
22325 arch_flush_lazy_mmu_mode();
22326
22327 return (void *)vaddr;
22328 diff -urNp linux-2.6.32.46/arch/x86/mm/ioremap.c linux-2.6.32.46/arch/x86/mm/ioremap.c
22329 --- linux-2.6.32.46/arch/x86/mm/ioremap.c 2011-03-27 14:31:47.000000000 -0400
22330 +++ linux-2.6.32.46/arch/x86/mm/ioremap.c 2011-04-17 15:56:46.000000000 -0400
22331 @@ -41,8 +41,8 @@ int page_is_ram(unsigned long pagenr)
22332 * Second special case: Some BIOSen report the PC BIOS
22333 * area (640->1Mb) as ram even though it is not.
22334 */
22335 - if (pagenr >= (BIOS_BEGIN >> PAGE_SHIFT) &&
22336 - pagenr < (BIOS_END >> PAGE_SHIFT))
22337 + if (pagenr >= (ISA_START_ADDRESS >> PAGE_SHIFT) &&
22338 + pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
22339 return 0;
22340
22341 for (i = 0; i < e820.nr_map; i++) {
22342 @@ -137,13 +137,10 @@ static void __iomem *__ioremap_caller(re
22343 /*
22344 * Don't allow anybody to remap normal RAM that we're using..
22345 */
22346 - for (pfn = phys_addr >> PAGE_SHIFT;
22347 - (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
22348 - pfn++) {
22349 -
22350 + for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
22351 int is_ram = page_is_ram(pfn);
22352
22353 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
22354 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
22355 return NULL;
22356 WARN_ON_ONCE(is_ram);
22357 }
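Review bot: The bare `0x100` in `pfn >= 0x100 || !PageReserved(...)` is a magic number; it matches the 1 MiB mark only for 4 KiB pages. The first hunk of this file already spells what looks like the same boundary as `ISA_END_ADDRESS >> PAGE_SHIFT`. Writing `pfn >= (ISA_END_ADDRESS >> PAGE_SHIFT) || !PageReserved(pfn_to_page(pfn))` would keep the two checks in step, assuming `ISA_END_ADDRESS` is the 1 MiB limit that the comment in that hunk describes. The new rule also deserves a sentence in the comment above the loop, since RAM above that boundary is now refused even when the page is reserved. `__ioremap_caller()` starts and ends outside the hunk.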
22358 @@ -407,7 +404,7 @@ static int __init early_ioremap_debug_se
22359 early_param("early_ioremap_debug", early_ioremap_debug_setup);
22360
22361 static __initdata int after_paging_init;
22362 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
22363 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
22364
22365 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
22366 {
22367 @@ -439,8 +436,7 @@ void __init early_ioremap_init(void)
22368 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
22369
22370 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
22371 - memset(bm_pte, 0, sizeof(bm_pte));
22372 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
22373 + pmd_populate_user(&init_mm, pmd, bm_pte);
22374
22375 /*
22376 * The boot-ioremap range spans multiple pmds, for which
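Review bot: `pmd_populate_user(&init_mm, pmd, bm_pte)` installs the page table for the boot-time fixmap range, which is kernel-only, so choosing the `_user` variant over `pmd_populate_kernel()` needs a comment. Its definition is not in this hunk; if it sets the user bit in the PMD entry, that should be stated and justified at the call. The dropped `memset()` also deserves a line, because the previous hunk moves `bm_pte` to `__read_only` and the table now relies on static zero-initialisation, e.g. `/* bm_pte is __read_only and statically zeroed, so no memset() here */`. `early_ioremap_init()` continues outside the hunk.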
22377 diff -urNp linux-2.6.32.46/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.32.46/arch/x86/mm/kmemcheck/kmemcheck.c
22378 --- linux-2.6.32.46/arch/x86/mm/kmemcheck/kmemcheck.c 2011-03-27 14:31:47.000000000 -0400
22379 +++ linux-2.6.32.46/arch/x86/mm/kmemcheck/kmemcheck.c 2011-04-17 15:56:46.000000000 -0400
22380 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
22381 * memory (e.g. tracked pages)? For now, we need this to avoid
22382 * invoking kmemcheck for PnP BIOS calls.
22383 */
22384 - if (regs->flags & X86_VM_MASK)
22385 + if (v8086_mode(regs))
22386 return false;
22387 - if (regs->cs != __KERNEL_CS)
22388 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
22389 return false;
22390
22391 pte = kmemcheck_pte_lookup(address);
22392 diff -urNp linux-2.6.32.46/arch/x86/mm/mmap.c linux-2.6.32.46/arch/x86/mm/mmap.c
22393 --- linux-2.6.32.46/arch/x86/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
22394 +++ linux-2.6.32.46/arch/x86/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
22395 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
22396 * Leave an at least ~128 MB hole with possible stack randomization.
22397 */
22398 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
22399 -#define MAX_GAP (TASK_SIZE/6*5)
22400 +#define MAX_GAP (pax_task_size/6*5)
22401
22402 /*
22403 * True on X86_32 or when emulating IA32 on X86_64
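Review bot: `MAX_GAP` now expands to an expression naming `pax_task_size`, which is a local variable declared only inside `mmap_base()` in the next hunk. Anywhere else the macro is used it will fail to compile or bind to an unrelated variable of that name. Passing the size in keeps the dependency visible: `#define MAX_GAP(size) ((size)/6*5)` with `else if (gap > MAX_GAP(pax_task_size))` at the call site.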
22404 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
22405 return rnd << PAGE_SHIFT;
22406 }
22407
22408 -static unsigned long mmap_base(void)
22409 +static unsigned long mmap_base(struct mm_struct *mm)
22410 {
22411 unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
22412 + unsigned long pax_task_size = TASK_SIZE;
22413 +
22414 +#ifdef CONFIG_PAX_SEGMEXEC
22415 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22416 + pax_task_size = SEGMEXEC_TASK_SIZE;
22417 +#endif
22418
22419 if (gap < MIN_GAP)
22420 gap = MIN_GAP;
22421 else if (gap > MAX_GAP)
22422 gap = MAX_GAP;
22423
22424 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
22425 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
22426 }
22427
22428 /*
22429 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
22430 * does, but not when emulating X86_32
22431 */
22432 -static unsigned long mmap_legacy_base(void)
22433 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
22434 {
22435 - if (mmap_is_ia32())
22436 + if (mmap_is_ia32()) {
22437 +
22438 +#ifdef CONFIG_PAX_SEGMEXEC
22439 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
22440 + return SEGMEXEC_TASK_UNMAPPED_BASE;
22441 + else
22442 +#endif
22443 +
22444 return TASK_UNMAPPED_BASE;
22445 - else
22446 + } else
22447 return TASK_UNMAPPED_BASE + mmap_rnd();
22448 }
22449
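Review bot: In `mmap_legacy_base()` the `else` that closes the `CONFIG_PAX_SEGMEXEC` block is left dangling across `#endif` so that it binds to the following `return TASK_UNMAPPED_BASE;`. That is easy to break when the next line is edited. Because the first branch returns, the `else` can be dropped, leaving `if (mm->pax_flags & MF_PAX_SEGMEXEC) return SEGMEXEC_TASK_UNMAPPED_BASE;` directly before `#endif`. In `mmap_base()` the stack limit is read from `current` while the SEGMEXEC flag is read from the `mm` argument, so the function appears to assume that `mm` belongs to the current task; a comment should say so.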
22450 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
22451 void arch_pick_mmap_layout(struct mm_struct *mm)
22452 {
22453 if (mmap_is_legacy()) {
22454 - mm->mmap_base = mmap_legacy_base();
22455 + mm->mmap_base = mmap_legacy_base(mm);
22456 +
22457 +#ifdef CONFIG_PAX_RANDMMAP
22458 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22459 + mm->mmap_base += mm->delta_mmap;
22460 +#endif
22461 +
22462 mm->get_unmapped_area = arch_get_unmapped_area;
22463 mm->unmap_area = arch_unmap_area;
22464 } else {
22465 - mm->mmap_base = mmap_base();
22466 + mm->mmap_base = mmap_base(mm);
22467 +
22468 +#ifdef CONFIG_PAX_RANDMMAP
22469 + if (mm->pax_flags & MF_PAX_RANDMMAP)
22470 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
22471 +#endif
22472 +
22473 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
22474 mm->unmap_area = arch_unmap_area_topdown;
22475 }
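Review bot: The top-down branch subtracts `mm->delta_mmap + mm->delta_stack` from `mm->mmap_base` with no lower bound. `mmap_base()` can already return a low address when the stack limit is large, because the gap is capped only at five sixths of the task size, and the ranges of the two deltas are not visible in this hunk. If their sum can exceed that minimum, the subtraction wraps and the layout base ends up at the top of the address space. Either clamp before subtracting or record the invariant at the site, for example `/* delta_mmap + delta_stack is always below the smallest mmap_base() result */`, once the bound has been checked. `arch_pick_mmap_layout()` closes outside the hunk.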
22476 diff -urNp linux-2.6.32.46/arch/x86/mm/mmio-mod.c linux-2.6.32.46/arch/x86/mm/mmio-mod.c
22477 --- linux-2.6.32.46/arch/x86/mm/mmio-mod.c 2011-03-27 14:31:47.000000000 -0400
22478 +++ linux-2.6.32.46/arch/x86/mm/mmio-mod.c 2011-07-06 19:53:33.000000000 -0400
22479 @@ -193,7 +193,7 @@ static void pre(struct kmmio_probe *p, s
22480 break;
22481 default:
22482 {
22483 - unsigned char *ip = (unsigned char *)instptr;
22484 + unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
22485 my_trace->opcode = MMIO_UNKNOWN_OP;
22486 my_trace->width = 0;
22487 my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
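Review bot: The `ktla_ktva()` translation applied to `instptr` before it is dereferenced has no comment saying why a kernel instruction address must be converted before it is read. The same cast-and-translate line is repeated in the five pf_in.c hunks (`get_ins_type`, `get_ins_reg_width`, `get_ins_mem_width`, `get_ins_reg_val`, `get_ins_imm_val`). In pf_in.c a single helper carrying the explanation would keep the sites from drifting apart, e.g. `static inline unsigned char *ins_ptr(unsigned long addr) { return (unsigned char *)ktla_ktva(addr); }`. The enclosing `pre()` starts and ends outside this hunk.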
22488 @@ -233,7 +233,7 @@ static void post(struct kmmio_probe *p,
22489 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
22490 void __iomem *addr)
22491 {
22492 - static atomic_t next_id;
22493 + static atomic_unchecked_t next_id;
22494 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
22495 /* These are page-unaligned. */
22496 struct mmiotrace_map map = {
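Review bot: `next_id` is switched to `atomic_unchecked_t` here, and incremented with `atomic_inc_return_unchecked()` in the next hunk, without a comment saying why this counter is exempt from the checked atomic type. If the reason is that it is an id generator rather than a reference count, say so at the declaration: `/* trace id, not a refcount: wrap-around is harmless */`. `ioremap_trace_core()` continues outside the hunk.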
22497 @@ -257,7 +257,7 @@ static void ioremap_trace_core(resource_
22498 .private = trace
22499 },
22500 .phys = offset,
22501 - .id = atomic_inc_return(&next_id)
22502 + .id = atomic_inc_return_unchecked(&next_id)
22503 };
22504 map.map_id = trace->id;
22505
22506 diff -urNp linux-2.6.32.46/arch/x86/mm/numa_32.c linux-2.6.32.46/arch/x86/mm/numa_32.c
22507 --- linux-2.6.32.46/arch/x86/mm/numa_32.c 2011-03-27 14:31:47.000000000 -0400
22508 +++ linux-2.6.32.46/arch/x86/mm/numa_32.c 2011-04-17 15:56:46.000000000 -0400
22509 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
22510 }
22511 #endif
22512
22513 -extern unsigned long find_max_low_pfn(void);
22514 extern unsigned long highend_pfn, highstart_pfn;
22515
22516 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
22517 diff -urNp linux-2.6.32.46/arch/x86/mm/pageattr.c linux-2.6.32.46/arch/x86/mm/pageattr.c
22518 --- linux-2.6.32.46/arch/x86/mm/pageattr.c 2011-03-27 14:31:47.000000000 -0400
22519 +++ linux-2.6.32.46/arch/x86/mm/pageattr.c 2011-04-17 15:56:46.000000000 -0400
22520 @@ -261,16 +261,17 @@ static inline pgprot_t static_protection
22521 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
22522 */
22523 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
22524 - pgprot_val(forbidden) |= _PAGE_NX;
22525 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22526
22527 /*
22528 * The kernel text needs to be executable for obvious reasons
22529 * Does not cover __inittext since that is gone later on. On
22530 * 64bit we do not enforce !NX on the low mapping
22531 */
22532 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
22533 - pgprot_val(forbidden) |= _PAGE_NX;
22534 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
22535 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22536
22537 +#ifdef CONFIG_DEBUG_RODATA
22538 /*
22539 * The .rodata section needs to be read-only. Using the pfn
22540 * catches all aliases.
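Review bot: The `#ifdef CONFIG_DEBUG_RODATA` opened at the end of this hunk and closed in the next one makes the .rodata write protection in `static_protections()` conditional. The context lines show it was unconditional before. On a build with neither `CONFIG_DEBUG_RODATA` nor `CONFIG_PAX_KERNEXEC`, nothing in the visible code forbids `_PAGE_RW` on .rodata aliases any longer. If that is intended, it should be stated in the comment above the check; otherwise the check should stay outside the `#ifdef`. The function starts outside the hunk.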
22541 @@ -278,6 +279,14 @@ static inline pgprot_t static_protection
22542 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
22543 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
22544 pgprot_val(forbidden) |= _PAGE_RW;
22545 +#endif
22546 +
22547 +#ifdef CONFIG_PAX_KERNEXEC
22548 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
22549 + pgprot_val(forbidden) |= _PAGE_RW;
22550 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
22551 + }
22552 +#endif
22553
22554 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
22555
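Review bot: The `CONFIG_PAX_KERNEXEC` test compares `pfn` with `__pa((unsigned long)&_text)` and `__pa((unsigned long)&_sdata)`, which are byte addresses, whereas the .rodata test just above shifts both bounds right by `PAGE_SHIFT`. Unless `pfn` holds something other than a page frame number here, the window is wrong by a factor of the page size. The frames that back kernel text would not match, and unrelated, much higher frames would. The bounds should read `__pa((unsigned long)&_text) >> PAGE_SHIFT` and `__pa((unsigned long)&_sdata) >> PAGE_SHIFT`. `static_protections()` starts and ends outside the hunk.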
22556 @@ -331,23 +340,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
22557 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
22558 {
22559 /* change init_mm */
22560 + pax_open_kernel();
22561 set_pte_atomic(kpte, pte);
22562 +
22563 #ifdef CONFIG_X86_32
22564 if (!SHARED_KERNEL_PMD) {
22565 +
22566 +#ifdef CONFIG_PAX_PER_CPU_PGD
22567 + unsigned long cpu;
22568 +#else
22569 struct page *page;
22570 +#endif
22571
22572 +#ifdef CONFIG_PAX_PER_CPU_PGD
22573 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22574 + pgd_t *pgd = get_cpu_pgd(cpu);
22575 +#else
22576 list_for_each_entry(page, &pgd_list, lru) {
22577 - pgd_t *pgd;
22578 + pgd_t *pgd = (pgd_t *)page_address(page);
22579 +#endif
22580 +
22581 pud_t *pud;
22582 pmd_t *pmd;
22583
22584 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
22585 + pgd += pgd_index(address);
22586 pud = pud_offset(pgd, address);
22587 pmd = pmd_offset(pud, address);
22588 set_pte_atomic((pte_t *)pmd, pte);
22589 }
22590 }
22591 #endif
22592 + pax_close_kernel();
22593 }
22594
22595 static int
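Review bot: Under `CONFIG_PAX_PER_CPU_PGD` the loop `for (cpu = 0; cpu < NR_CPUS; ++cpu)` writes through `get_cpu_pgd(cpu)` for every compile-time CPU slot, including CPUs that may never be brought up. Whether `get_cpu_pgd()` returns a usable table for those slots is not visible here. If it does not, `for_each_possible_cpu(cpu)` is the safer iteration; if it does, a comment saying the per-CPU tables are statically allocated would settle the question. The two back-to-back `#ifdef CONFIG_PAX_PER_CPU_PGD` blocks, one for the declaration and one for the loop header, could also be merged so that the shared closing brace is easier to match.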
22596 diff -urNp linux-2.6.32.46/arch/x86/mm/pageattr-test.c linux-2.6.32.46/arch/x86/mm/pageattr-test.c
22597 --- linux-2.6.32.46/arch/x86/mm/pageattr-test.c 2011-03-27 14:31:47.000000000 -0400
22598 +++ linux-2.6.32.46/arch/x86/mm/pageattr-test.c 2011-04-17 15:56:46.000000000 -0400
22599 @@ -36,7 +36,7 @@ enum {
22600
22601 static int pte_testbit(pte_t pte)
22602 {
22603 - return pte_flags(pte) & _PAGE_UNUSED1;
22604 + return pte_flags(pte) & _PAGE_CPA_TEST;
22605 }
22606
22607 struct split_state {
22608 diff -urNp linux-2.6.32.46/arch/x86/mm/pat.c linux-2.6.32.46/arch/x86/mm/pat.c
22609 --- linux-2.6.32.46/arch/x86/mm/pat.c 2011-03-27 14:31:47.000000000 -0400
22610 +++ linux-2.6.32.46/arch/x86/mm/pat.c 2011-04-17 15:56:46.000000000 -0400
22611 @@ -258,7 +258,7 @@ chk_conflict(struct memtype *new, struct
22612
22613 conflict:
22614 printk(KERN_INFO "%s:%d conflicting memory types "
22615 - "%Lx-%Lx %s<->%s\n", current->comm, current->pid, new->start,
22616 + "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), new->start,
22617 new->end, cattr_name(new->type), cattr_name(entry->type));
22618 return -EBUSY;
22619 }
22620 @@ -559,7 +559,7 @@ unlock_ret:
22621
22622 if (err) {
22623 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
22624 - current->comm, current->pid, start, end);
22625 + current->comm, task_pid_nr(current), start, end);
22626 }
22627
22628 dprintk("free_memtype request 0x%Lx-0x%Lx\n", start, end);
22629 @@ -689,8 +689,8 @@ static inline int range_is_allowed(unsig
22630 while (cursor < to) {
22631 if (!devmem_is_allowed(pfn)) {
22632 printk(KERN_INFO
22633 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
22634 - current->comm, from, to);
22635 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
22636 + current->comm, from, to, cursor);
22637 return 0;
22638 }
22639 cursor += PAGE_SIZE;
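Review bot: This denial message identifies the caller by `current->comm` alone, although the other messages touched in this file print `%s:%d` with `task_pid_nr(current)`. `comm` is chosen by the process itself, so the pid is the more useful field when this line is used to trace a refused /dev/mem access. Suggested: `"Program %s:%d tried to access /dev/mem between %Lx->%Lx (%Lx).\n", current->comm, task_pid_nr(current), from, to, cursor`. The message is also emitted on every refusal with no rate limit visible in the hunk, so a `printk_ratelimit()` guard is worth adding if the path can be hit repeatedly. `range_is_allowed()` starts and ends outside the hunk.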
22640 @@ -755,7 +755,7 @@ int kernel_map_sync_memtype(u64 base, un
22641 printk(KERN_INFO
22642 "%s:%d ioremap_change_attr failed %s "
22643 "for %Lx-%Lx\n",
22644 - current->comm, current->pid,
22645 + current->comm, task_pid_nr(current),
22646 cattr_name(flags),
22647 base, (unsigned long long)(base + size));
22648 return -EINVAL;
22649 @@ -813,7 +813,7 @@ static int reserve_pfn_range(u64 paddr,
22650 free_memtype(paddr, paddr + size);
22651 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
22652 " for %Lx-%Lx, got %s\n",
22653 - current->comm, current->pid,
22654 + current->comm, task_pid_nr(current),
22655 cattr_name(want_flags),
22656 (unsigned long long)paddr,
22657 (unsigned long long)(paddr + size),
22658 diff -urNp linux-2.6.32.46/arch/x86/mm/pf_in.c linux-2.6.32.46/arch/x86/mm/pf_in.c
22659 --- linux-2.6.32.46/arch/x86/mm/pf_in.c 2011-03-27 14:31:47.000000000 -0400
22660 +++ linux-2.6.32.46/arch/x86/mm/pf_in.c 2011-07-06 19:53:33.000000000 -0400
22661 @@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned l
22662 int i;
22663 enum reason_type rv = OTHERS;
22664
22665 - p = (unsigned char *)ins_addr;
22666 + p = (unsigned char *)ktla_ktva(ins_addr);
22667 p += skip_prefix(p, &prf);
22668 p += get_opcode(p, &opcode);
22669
22670 @@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(un
22671 struct prefix_bits prf;
22672 int i;
22673
22674 - p = (unsigned char *)ins_addr;
22675 + p = (unsigned char *)ktla_ktva(ins_addr);
22676 p += skip_prefix(p, &prf);
22677 p += get_opcode(p, &opcode);
22678
22679 @@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned
22680 struct prefix_bits prf;
22681 int i;
22682
22683 - p = (unsigned char *)ins_addr;
22684 + p = (unsigned char *)ktla_ktva(ins_addr);
22685 p += skip_prefix(p, &prf);
22686 p += get_opcode(p, &opcode);
22687
22688 @@ -417,7 +417,7 @@ unsigned long get_ins_reg_val(unsigned l
22689 int i;
22690 unsigned long rv;
22691
22692 - p = (unsigned char *)ins_addr;
22693 + p = (unsigned char *)ktla_ktva(ins_addr);
22694 p += skip_prefix(p, &prf);
22695 p += get_opcode(p, &opcode);
22696 for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
22697 @@ -472,7 +472,7 @@ unsigned long get_ins_imm_val(unsigned l
22698 int i;
22699 unsigned long rv;
22700
22701 - p = (unsigned char *)ins_addr;
22702 + p = (unsigned char *)ktla_ktva(ins_addr);
22703 p += skip_prefix(p, &prf);
22704 p += get_opcode(p, &opcode);
22705 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
22706 diff -urNp linux-2.6.32.46/arch/x86/mm/pgtable_32.c linux-2.6.32.46/arch/x86/mm/pgtable_32.c
22707 --- linux-2.6.32.46/arch/x86/mm/pgtable_32.c 2011-03-27 14:31:47.000000000 -0400
22708 +++ linux-2.6.32.46/arch/x86/mm/pgtable_32.c 2011-04-17 15:56:46.000000000 -0400
22709 @@ -49,10 +49,13 @@ void set_pte_vaddr(unsigned long vaddr,
22710 return;
22711 }
22712 pte = pte_offset_kernel(pmd, vaddr);
22713 +
22714 + pax_open_kernel();
22715 if (pte_val(pteval))
22716 set_pte_at(&init_mm, vaddr, pte, pteval);
22717 else
22718 pte_clear(&init_mm, vaddr, pte);
22719 + pax_close_kernel();
22720
22721 /*
22722 * It's enough to flush this one mapping.
22723 diff -urNp linux-2.6.32.46/arch/x86/mm/pgtable.c linux-2.6.32.46/arch/x86/mm/pgtable.c
22724 --- linux-2.6.32.46/arch/x86/mm/pgtable.c 2011-03-27 14:31:47.000000000 -0400
22725 +++ linux-2.6.32.46/arch/x86/mm/pgtable.c 2011-05-11 18:25:15.000000000 -0400
22726 @@ -83,9 +83,52 @@ static inline void pgd_list_del(pgd_t *p
22727 list_del(&page->lru);
22728 }
22729
22730 -#define UNSHARED_PTRS_PER_PGD \
22731 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
22732 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22733 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
22734
22735 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
22736 +{
22737 + while (count--)
22738 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
22739 +}
22740 +#endif
22741 +
22742 +#ifdef CONFIG_PAX_PER_CPU_PGD
22743 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
22744 +{
22745 + while (count--)
22746 +
22747 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22748 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
22749 +#else
22750 + *dst++ = *src++;
22751 +#endif
22752 +
22753 +}
22754 +#endif
22755 +
22756 +#ifdef CONFIG_X86_64
22757 +#define pxd_t pud_t
22758 +#define pyd_t pgd_t
22759 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
22760 +#define pxd_free(mm, pud) pud_free((mm), (pud))
22761 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
22762 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
22763 +#define PYD_SIZE PGDIR_SIZE
22764 +#else
22765 +#define pxd_t pmd_t
22766 +#define pyd_t pud_t
22767 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
22768 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
22769 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
22770 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
22771 +#define PYD_SIZE PUD_SIZE
22772 +#endif
22773 +
22774 +#ifdef CONFIG_PAX_PER_CPU_PGD
22775 +static inline void pgd_ctor(pgd_t *pgd) {}
22776 +static inline void pgd_dtor(pgd_t *pgd) {}
22777 +#else
22778 static void pgd_ctor(pgd_t *pgd)
22779 {
22780 /* If the pgd points to a shared pagetable level (either the
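Review bot: `__shadow_user_pgds()` and `__clone_user_pgds()` take `int count` and loop on `while (count--)`, so a negative count has no bounded termination and would write page-directory entries far past `dst`. No caller is visible in this hunk. Either make the parameter unsigned or loop on `while (count-- > 0)`. In `__clone_user_pgds()` the loop body is selected by `#if`/`#else` directly under a brace-less `while`, separated from it by a blank line; explicit braces around the preprocessor block would make the single-statement body unmistakable.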
22781 @@ -119,6 +162,7 @@ static void pgd_dtor(pgd_t *pgd)
22782 pgd_list_del(pgd);
22783 spin_unlock_irqrestore(&pgd_lock, flags);
22784 }
22785 +#endif
22786
22787 /*
22788 * List of all pgd's needed for non-PAE so it can invalidate entries
22789 @@ -131,7 +175,7 @@ static void pgd_dtor(pgd_t *pgd)
22790 * -- wli
22791 */
22792
22793 -#ifdef CONFIG_X86_PAE
22794 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
22795 /*
22796 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
22797 * updating the top-level pagetable entries to guarantee the
22798 @@ -143,7 +187,7 @@ static void pgd_dtor(pgd_t *pgd)
22799 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
22800 * and initialize the kernel pmds here.
22801 */
22802 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
22803 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
22804
22805 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
22806 {
22807 @@ -161,36 +205,38 @@ void pud_populate(struct mm_struct *mm,
22808 */
22809 flush_tlb_mm(mm);
22810 }
22811 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
22812 +#define PREALLOCATED_PXDS USER_PGD_PTRS
22813 #else /* !CONFIG_X86_PAE */
22814
22815 /* No need to prepopulate any pagetable entries in non-PAE modes. */
22816 -#define PREALLOCATED_PMDS 0
22817 +#define PREALLOCATED_PXDS 0
22818
22819 #endif /* CONFIG_X86_PAE */
22820
22821 -static void free_pmds(pmd_t *pmds[])
22822 +static void free_pxds(pxd_t *pxds[])
22823 {
22824 int i;
22825
22826 - for(i = 0; i < PREALLOCATED_PMDS; i++)
22827 - if (pmds[i])
22828 - free_page((unsigned long)pmds[i]);
22829 + for(i = 0; i < PREALLOCATED_PXDS; i++)
22830 + if (pxds[i])
22831 + free_page((unsigned long)pxds[i]);
22832 }
22833
22834 -static int preallocate_pmds(pmd_t *pmds[])
22835 +static int preallocate_pxds(pxd_t *pxds[])
22836 {
22837 int i;
22838 bool failed = false;
22839
22840 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
22841 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
22842 - if (pmd == NULL)
22843 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
22844 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
22845 + if (pxd == NULL)
22846 failed = true;
22847 - pmds[i] = pmd;
22848 + pxds[i] = pxd;
22849 }
22850
22851 if (failed) {
22852 - free_pmds(pmds);
22853 + free_pxds(pxds);
22854 return -ENOMEM;
22855 }
22856
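Review bot: The trailers `#else /* !CONFIG_X86_PAE */` and `#endif /* CONFIG_X86_PAE */` no longer describe the conditional they close. An earlier hunk changed it to `#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)`, and this hunk adds an `#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)` arm. Updating them, for example `#else /* nothing to preallocate */` and `#endif /* PREALLOCATED_PXDS */`, and rewording the "non-PAE modes" comment would keep the three-way split readable.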
22857 @@ -203,51 +249,56 @@ static int preallocate_pmds(pmd_t *pmds[
22858 * preallocate which never got a corresponding vma will need to be
22859 * freed manually.
22860 */
22861 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
22862 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
22863 {
22864 int i;
22865
22866 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
22867 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
22868 pgd_t pgd = pgdp[i];
22869
22870 if (pgd_val(pgd) != 0) {
22871 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
22872 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
22873
22874 - pgdp[i] = native_make_pgd(0);
22875 + set_pgd(pgdp + i, native_make_pgd(0));
22876
22877 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
22878 - pmd_free(mm, pmd);
22879 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
22880 + pxd_free(mm, pxd);
22881 }
22882 }
22883 }
22884
22885 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
22886 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
22887 {
22888 - pud_t *pud;
22889 + pyd_t *pyd;
22890 unsigned long addr;
22891 int i;
22892
22893 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
22894 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
22895 return;
22896
22897 - pud = pud_offset(pgd, 0);
22898 +#ifdef CONFIG_X86_64
22899 + pyd = pyd_offset(mm, 0L);
22900 +#else
22901 + pyd = pyd_offset(pgd, 0L);
22902 +#endif
22903
22904 - for (addr = i = 0; i < PREALLOCATED_PMDS;
22905 - i++, pud++, addr += PUD_SIZE) {
22906 - pmd_t *pmd = pmds[i];
22907 + for (addr = i = 0; i < PREALLOCATED_PXDS;
22908 + i++, pyd++, addr += PYD_SIZE) {
22909 + pxd_t *pxd = pxds[i];
22910
22911 if (i >= KERNEL_PGD_BOUNDARY)
22912 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
22913 - sizeof(pmd_t) * PTRS_PER_PMD);
22914 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
22915 + sizeof(pxd_t) * PTRS_PER_PMD);
22916
22917 - pud_populate(mm, pud, pmd);
22918 + pyd_populate(mm, pyd, pxd);
22919 }
22920 }
22921
22922 pgd_t *pgd_alloc(struct mm_struct *mm)
22923 {
22924 pgd_t *pgd;
22925 - pmd_t *pmds[PREALLOCATED_PMDS];
22926 + pxd_t *pxds[PREALLOCATED_PXDS];
22927 +
22928 unsigned long flags;
22929
22930 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
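Review bot: `pgd_prepopulate_pxd()` still copies `sizeof(pxd_t) * PTRS_PER_PMD` bytes, although `pxd_t` is `pud_t` on x86_64 according to the macros added earlier in this file. The entry count therefore no longer matches the type being copied. Every other name in the hunk was abstracted, so a `PTRS_PER_PXD` alias defined next to `PYD_SIZE` would close the gap: `sizeof(pxd_t) * PTRS_PER_PXD`. Whether the `i >= KERNEL_PGD_BOUNDARY` branch is reachable on x86_64 depends on `USER_PGD_PTRS`, which is not shown here.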
22931 @@ -257,11 +308,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
22932
22933 mm->pgd = pgd;
22934
22935 - if (preallocate_pmds(pmds) != 0)
22936 + if (preallocate_pxds(pxds) != 0)
22937 goto out_free_pgd;
22938
22939 if (paravirt_pgd_alloc(mm) != 0)
22940 - goto out_free_pmds;
22941 + goto out_free_pxds;
22942
22943 /*
22944 * Make sure that pre-populating the pmds is atomic with
22945 @@ -271,14 +322,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
22946 spin_lock_irqsave(&pgd_lock, flags);
22947
22948 pgd_ctor(pgd);
22949 - pgd_prepopulate_pmd(mm, pgd, pmds);
22950 + pgd_prepopulate_pxd(mm, pgd, pxds);
22951
22952 spin_unlock_irqrestore(&pgd_lock, flags);
22953
22954 return pgd;
22955
22956 -out_free_pmds:
22957 - free_pmds(pmds);
22958 +out_free_pxds:
22959 + free_pxds(pxds);
22960 out_free_pgd:
22961 free_page((unsigned long)pgd);
22962 out:
22963 @@ -287,7 +338,7 @@ out:
22964
22965 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
22966 {
22967 - pgd_mop_up_pmds(mm, pgd);
22968 + pgd_mop_up_pxds(mm, pgd);
22969 pgd_dtor(pgd);
22970 paravirt_pgd_free(mm, pgd);
22971 free_page((unsigned long)pgd);
22972 diff -urNp linux-2.6.32.46/arch/x86/mm/setup_nx.c linux-2.6.32.46/arch/x86/mm/setup_nx.c
22973 --- linux-2.6.32.46/arch/x86/mm/setup_nx.c 2011-03-27 14:31:47.000000000 -0400
22974 +++ linux-2.6.32.46/arch/x86/mm/setup_nx.c 2011-04-17 15:56:46.000000000 -0400
22975 @@ -4,11 +4,10 @@
22976
22977 #include <asm/pgtable.h>
22978
22979 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
22980 int nx_enabled;
22981
22982 -#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
22983 -static int disable_nx __cpuinitdata;
22984 -
22985 +#ifndef CONFIG_PAX_PAGEEXEC
22986 /*
22987 * noexec = on|off
22988 *
22989 @@ -22,32 +21,26 @@ static int __init noexec_setup(char *str
22990 if (!str)
22991 return -EINVAL;
22992 if (!strncmp(str, "on", 2)) {
22993 - __supported_pte_mask |= _PAGE_NX;
22994 - disable_nx = 0;
22995 + nx_enabled = 1;
22996 } else if (!strncmp(str, "off", 3)) {
22997 - disable_nx = 1;
22998 - __supported_pte_mask &= ~_PAGE_NX;
22999 + nx_enabled = 0;
23000 }
23001 return 0;
23002 }
23003 early_param("noexec", noexec_setup);
23004 #endif
23005 +#endif
23006
23007 #ifdef CONFIG_X86_PAE
23008 void __init set_nx(void)
23009 {
23010 - unsigned int v[4], l, h;
23011 + if (!nx_enabled && cpu_has_nx) {
23012 + unsigned l, h;
23013
23014 - if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
23015 - cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
23016 -
23017 - if ((v[3] & (1 << 20)) && !disable_nx) {
23018 - rdmsr(MSR_EFER, l, h);
23019 - l |= EFER_NX;
23020 - wrmsr(MSR_EFER, l, h);
23021 - nx_enabled = 1;
23022 - __supported_pte_mask |= _PAGE_NX;
23023 - }
23024 + __supported_pte_mask &= ~_PAGE_NX;
23025 + rdmsr(MSR_EFER, l, h);
23026 + l &= ~EFER_NX;
23027 + wrmsr(MSR_EFER, l, h);
23028 }
23029 }
23030 #else
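Review bot: After this hunk `set_nx()` can only turn NX off (`if (!nx_enabled && cpu_has_nx)`), so the default depends entirely on something having set `nx_enabled` to 1 beforehand. In this file it is a zero-initialised `int`, and the only visible writer is `noexec_setup()`, which is compiled out under `CONFIG_PAX_PAGEEXEC`. If no earlier boot code sets the flag, every NX-capable PAE machine would have `EFER_NX` cleared here. The function needs a comment naming where the flag is established, e.g. `/* nx_enabled is set by early boot code when the CPU has NX; only noexec=off is handled here */`, once that is confirmed. The changed `#if` in the previous hunk also means `noexec=` is no longer parsed from this file on x86_64, which should be documented.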
23031 @@ -62,7 +55,7 @@ void __cpuinit check_efer(void)
23032 unsigned long efer;
23033
23034 rdmsrl(MSR_EFER, efer);
23035 - if (!(efer & EFER_NX) || disable_nx)
23036 + if (!(efer & EFER_NX) || !nx_enabled)
23037 __supported_pte_mask &= ~_PAGE_NX;
23038 }
23039 #endif
23040 diff -urNp linux-2.6.32.46/arch/x86/mm/tlb.c linux-2.6.32.46/arch/x86/mm/tlb.c
23041 --- linux-2.6.32.46/arch/x86/mm/tlb.c 2011-03-27 14:31:47.000000000 -0400
23042 +++ linux-2.6.32.46/arch/x86/mm/tlb.c 2011-04-23 12:56:10.000000000 -0400
23043 @@ -61,7 +61,11 @@ void leave_mm(int cpu)
23044 BUG();
23045 cpumask_clear_cpu(cpu,
23046 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
23047 +
23048 +#ifndef CONFIG_PAX_PER_CPU_PGD
23049 load_cr3(swapper_pg_dir);
23050 +#endif
23051 +
23052 }
23053 EXPORT_SYMBOL_GPL(leave_mm);
23054
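Review bot: With `load_cr3(swapper_pg_dir)` compiled out under `CONFIG_PAX_PER_CPU_PGD`, `leave_mm()` clears the CPU from the mm's cpumask, but nothing visible in this hunk stops that CPU from still translating through the mm's user entries. If the per-CPU PGD design guarantees those entries are dropped or flushed elsewhere, state the invariant at the `#ifndef`. A possible wording is `/* per-CPU PGD: cr3 never points at an mm's own pgd, so there is nothing to switch away from */`, which is an assumption to check against the code that switches the per-CPU PGD. The start of `leave_mm()` is outside the hunk.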
23055 diff -urNp linux-2.6.32.46/arch/x86/oprofile/backtrace.c linux-2.6.32.46/arch/x86/oprofile/backtrace.c
23056 --- linux-2.6.32.46/arch/x86/oprofile/backtrace.c 2011-03-27 14:31:47.000000000 -0400
23057 +++ linux-2.6.32.46/arch/x86/oprofile/backtrace.c 2011-04-17 15:56:46.000000000 -0400
23058 @@ -57,7 +57,7 @@ static struct frame_head *dump_user_back
23059 struct frame_head bufhead[2];
23060
23061 /* Also check accessibility of one struct frame_head beyond */
23062 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
23063 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
23064 return NULL;
23065 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
23066 return NULL;
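Review bot: Replacing `access_ok()` with `__access_ok()` in front of `__copy_from_user_inatomic()` leaves the range check to a helper whose definition is not in this hunk. The unchecked copy that follows is safe only if `__access_ok()` still validates the full `sizeof(bufhead)` range against the user address limit. A comment at the call should say why the double-underscore variant is required on this path, e.g. `/* __access_ok(): plain range check, usable from this atomic context */`, if that is the reason. `dump_user_backtrace()` starts and ends outside the hunk.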
23067 @@ -77,7 +77,7 @@ x86_backtrace(struct pt_regs * const reg
23068 {
23069 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
23070
23071 - if (!user_mode_vm(regs)) {
23072 + if (!user_mode(regs)) {
23073 unsigned long stack = kernel_stack_pointer(regs);
23074 if (depth)
23075 dump_trace(NULL, regs, (unsigned long *)stack, 0,
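Review bot: `user_mode(regs)` replaces `user_mode_vm(regs)` as the test that decides whether `dump_trace()` walks the frame as a kernel stack. In a tree where `user_mode()` does not account for virtual-8086 frames, a v8086 register set would take the kernel branch. The kmemcheck hunk in this patch uses a separate `v8086_mode()` helper, which suggests the predicates were reworked, but the new definition of `user_mode()` is not visible here. Please confirm that it covers v8086 mode on 32-bit and note that next to the test. `x86_backtrace()` continues outside the hunk.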
23076 diff -urNp linux-2.6.32.46/arch/x86/oprofile/op_model_p4.c linux-2.6.32.46/arch/x86/oprofile/op_model_p4.c
23077 --- linux-2.6.32.46/arch/x86/oprofile/op_model_p4.c 2011-03-27 14:31:47.000000000 -0400
23078 +++ linux-2.6.32.46/arch/x86/oprofile/op_model_p4.c 2011-04-17 15:56:46.000000000 -0400
23079 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
23080 #endif
23081 }
23082
23083 -static int inline addr_increment(void)
23084 +static inline int addr_increment(void)
23085 {
23086 #ifdef CONFIG_SMP
23087 return smp_num_siblings == 2 ? 2 : 1;
23088 diff -urNp linux-2.6.32.46/arch/x86/pci/common.c linux-2.6.32.46/arch/x86/pci/common.c
23089 --- linux-2.6.32.46/arch/x86/pci/common.c 2011-03-27 14:31:47.000000000 -0400
23090 +++ linux-2.6.32.46/arch/x86/pci/common.c 2011-04-23 12:56:10.000000000 -0400
23091 @@ -31,8 +31,8 @@ int noioapicreroute = 1;
23092 int pcibios_last_bus = -1;
23093 unsigned long pirq_table_addr;
23094 struct pci_bus *pci_root_bus;
23095 -struct pci_raw_ops *raw_pci_ops;
23096 -struct pci_raw_ops *raw_pci_ext_ops;
23097 +const struct pci_raw_ops *raw_pci_ops;
23098 +const struct pci_raw_ops *raw_pci_ext_ops;
23099
23100 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
23101 int reg, int len, u32 *val)
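Review bot: `const` here protects the `pci_raw_ops` tables but not the two global pointers `raw_pci_ops` and `raw_pci_ext_ops`, which remain writable. Those pointers are presumably what `raw_pci_read()` dispatches through; its body is outside the hunk. If both are assigned only during early init, marking them the way this patch marks other init-time data would cover the pointers as well: `const struct pci_raw_ops *raw_pci_ops __read_only;`. That depends on every assignment happening before read-only data is sealed, which this hunk does not show.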
23102 diff -urNp linux-2.6.32.46/arch/x86/pci/direct.c linux-2.6.32.46/arch/x86/pci/direct.c
23103 --- linux-2.6.32.46/arch/x86/pci/direct.c 2011-03-27 14:31:47.000000000 -0400
23104 +++ linux-2.6.32.46/arch/x86/pci/direct.c 2011-04-17 15:56:46.000000000 -0400
23105 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
23106
23107 #undef PCI_CONF1_ADDRESS
23108
23109 -struct pci_raw_ops pci_direct_conf1 = {
23110 +const struct pci_raw_ops pci_direct_conf1 = {
23111 .read = pci_conf1_read,
23112 .write = pci_conf1_write,
23113 };
23114 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
23115
23116 #undef PCI_CONF2_ADDRESS
23117
23118 -struct pci_raw_ops pci_direct_conf2 = {
23119 +const struct pci_raw_ops pci_direct_conf2 = {
23120 .read = pci_conf2_read,
23121 .write = pci_conf2_write,
23122 };
23123 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
23124 * This should be close to trivial, but it isn't, because there are buggy
23125 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
23126 */
23127 -static int __init pci_sanity_check(struct pci_raw_ops *o)
23128 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
23129 {
23130 u32 x = 0;
23131 int year, devfn;
23132 diff -urNp linux-2.6.32.46/arch/x86/pci/mmconfig_32.c linux-2.6.32.46/arch/x86/pci/mmconfig_32.c
23133 --- linux-2.6.32.46/arch/x86/pci/mmconfig_32.c 2011-03-27 14:31:47.000000000 -0400
23134 +++ linux-2.6.32.46/arch/x86/pci/mmconfig_32.c 2011-04-17 15:56:46.000000000 -0400
23135 @@ -125,7 +125,7 @@ static int pci_mmcfg_write(unsigned int
23136 return 0;
23137 }
23138
23139 -static struct pci_raw_ops pci_mmcfg = {
23140 +static const struct pci_raw_ops pci_mmcfg = {
23141 .read = pci_mmcfg_read,
23142 .write = pci_mmcfg_write,
23143 };
23144 diff -urNp linux-2.6.32.46/arch/x86/pci/mmconfig_64.c linux-2.6.32.46/arch/x86/pci/mmconfig_64.c
23145 --- linux-2.6.32.46/arch/x86/pci/mmconfig_64.c 2011-03-27 14:31:47.000000000 -0400
23146 +++ linux-2.6.32.46/arch/x86/pci/mmconfig_64.c 2011-04-17 15:56:46.000000000 -0400
23147 @@ -104,7 +104,7 @@ static int pci_mmcfg_write(unsigned int
23148 return 0;
23149 }
23150
23151 -static struct pci_raw_ops pci_mmcfg = {
23152 +static const struct pci_raw_ops pci_mmcfg = {
23153 .read = pci_mmcfg_read,
23154 .write = pci_mmcfg_write,
23155 };
23156 diff -urNp linux-2.6.32.46/arch/x86/pci/numaq_32.c linux-2.6.32.46/arch/x86/pci/numaq_32.c
23157 --- linux-2.6.32.46/arch/x86/pci/numaq_32.c 2011-03-27 14:31:47.000000000 -0400
23158 +++ linux-2.6.32.46/arch/x86/pci/numaq_32.c 2011-04-17 15:56:46.000000000 -0400
23159 @@ -112,7 +112,7 @@ static int pci_conf1_mq_write(unsigned i
23160
23161 #undef PCI_CONF1_MQ_ADDRESS
23162
23163 -static struct pci_raw_ops pci_direct_conf1_mq = {
23164 +static const struct pci_raw_ops pci_direct_conf1_mq = {
23165 .read = pci_conf1_mq_read,
23166 .write = pci_conf1_mq_write
23167 };
23168 diff -urNp linux-2.6.32.46/arch/x86/pci/olpc.c linux-2.6.32.46/arch/x86/pci/olpc.c
23169 --- linux-2.6.32.46/arch/x86/pci/olpc.c 2011-03-27 14:31:47.000000000 -0400
23170 +++ linux-2.6.32.46/arch/x86/pci/olpc.c 2011-04-17 15:56:46.000000000 -0400
23171 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
23172 return 0;
23173 }
23174
23175 -static struct pci_raw_ops pci_olpc_conf = {
23176 +static const struct pci_raw_ops pci_olpc_conf = {
23177 .read = pci_olpc_read,
23178 .write = pci_olpc_write,
23179 };
23180 diff -urNp linux-2.6.32.46/arch/x86/pci/pcbios.c linux-2.6.32.46/arch/x86/pci/pcbios.c
23181 --- linux-2.6.32.46/arch/x86/pci/pcbios.c 2011-03-27 14:31:47.000000000 -0400
23182 +++ linux-2.6.32.46/arch/x86/pci/pcbios.c 2011-04-17 15:56:46.000000000 -0400
23183 @@ -56,50 +56,93 @@ union bios32 {
23184 static struct {
23185 unsigned long address;
23186 unsigned short segment;
23187 -} bios32_indirect = { 0, __KERNEL_CS };
23188 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
23189
23190 /*
23191 * Returns the entry point for the given service, NULL on error
23192 */
23193
23194 -static unsigned long bios32_service(unsigned long service)
23195 +static unsigned long __devinit bios32_service(unsigned long service)
23196 {
23197 unsigned char return_code; /* %al */
23198 unsigned long address; /* %ebx */
23199 unsigned long length; /* %ecx */
23200 unsigned long entry; /* %edx */
23201 unsigned long flags;
23202 + struct desc_struct d, *gdt;
23203
23204 local_irq_save(flags);
23205 - __asm__("lcall *(%%edi); cld"
23206 +
23207 + gdt = get_cpu_gdt_table(smp_processor_id());
23208 +
23209 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
23210 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23211 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
23212 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23213 +
23214 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
23215 : "=a" (return_code),
23216 "=b" (address),
23217 "=c" (length),
23218 "=d" (entry)
23219 : "0" (service),
23220 "1" (0),
23221 - "D" (&bios32_indirect));
23222 + "D" (&bios32_indirect),
23223 + "r"(__PCIBIOS_DS)
23224 + : "memory");
23225 +
23226 + pax_open_kernel();
23227 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
23228 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
23229 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
23230 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
23231 + pax_close_kernel();
23232 +
23233 local_irq_restore(flags);
23234
23235 switch (return_code) {
23236 - case 0:
23237 - return address + entry;
23238 - case 0x80: /* Not present */
23239 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23240 - return 0;
23241 - default: /* Shouldn't happen */
23242 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23243 - service, return_code);
23244 + case 0: {
23245 + int cpu;
23246 + unsigned char flags;
23247 +
23248 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
23249 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
23250 + printk(KERN_WARNING "bios32_service: not valid\n");
23251 return 0;
23252 + }
23253 + address = address + PAGE_OFFSET;
23254 + length += 16UL; /* some BIOSs underreport this... */
23255 + flags = 4;
23256 + if (length >= 64*1024*1024) {
23257 + length >>= PAGE_SHIFT;
23258 + flags |= 8;
23259 + }
23260 +
23261 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
23262 + gdt = get_cpu_gdt_table(cpu);
23263 + pack_descriptor(&d, address, length, 0x9b, flags);
23264 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
23265 + pack_descriptor(&d, address, length, 0x93, flags);
23266 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
23267 + }
23268 + return entry;
23269 + }
23270 + case 0x80: /* Not present */
23271 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
23272 + return 0;
23273 + default: /* Shouldn't happen */
23274 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
23275 + service, return_code);
23276 + return 0;
23277 }
23278 }
23279
23280 static struct {
23281 unsigned long address;
23282 unsigned short segment;
23283 -} pci_indirect = { 0, __KERNEL_CS };
23284 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
23285
23286 -static int pci_bios_present;
23287 +static int pci_bios_present __read_only;
23288
23289 static int __devinit check_pcibios(void)
23290 {
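Review bot: In the `case 0:` block the `if (length >= 64*1024*1024)` branch cannot be taken, because the check just above rejects `length > 0x100000 - address`, so after `length += 16UL` the value is at most 0x100010 and `flags |= 8` never happens. The same padding can push `length` past 0xFFFFF when the BIOS reports a region starting near 0, and that value is then handed to `pack_descriptor()` as a byte-granular limit; whether the helper truncates an oversized limit is not visible here and should be confirmed. Clamping after the padding, for example `if (length > 0xFFFFFUL) length = 0xFFFFFUL;`, and dropping the dead branch would make the bound explicit. The inner `unsigned char flags` also shadows the `unsigned long flags` used for `local_irq_save()`; a name such as `desc_flags` avoids the shadowing.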
23291 @@ -108,11 +151,13 @@ static int __devinit check_pcibios(void)
23292 unsigned long flags, pcibios_entry;
23293
23294 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
23295 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
23296 + pci_indirect.address = pcibios_entry;
23297
23298 local_irq_save(flags);
23299 - __asm__(
23300 - "lcall *(%%edi); cld\n\t"
23301 + __asm__("movw %w6, %%ds\n\t"
23302 + "lcall *%%ss:(%%edi); cld\n\t"
23303 + "push %%ss\n\t"
23304 + "pop %%ds\n\t"
23305 "jc 1f\n\t"
23306 "xor %%ah, %%ah\n"
23307 "1:"
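Review bot: The added segment load addresses its operand by position (`%w6`), which silently breaks if an operand is ever inserted ahead of the new `"r" (__PCIBIOS_DS)` input; the same applies to the `%w6` uses in pci_bios_read() and pci_bios_write(), `%w8` in pcibios_get_irq_routing_table() and `%w5` in pcibios_set_irq_routing(). A named operand, `[bios_ds] "r" (__PCIBIOS_DS)` with `movw %w[bios_ds], %%ds`, keeps the template and the operand list tied together. A one-line comment above the first use would also help, e.g. `/* DS = BIOS data selector for the call; the far pointer is fetched via SS because DS is presumably no longer flat */`. The operand list of this asm continues in the next hunk.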
23308 @@ -121,7 +166,8 @@ static int __devinit check_pcibios(void)
23309 "=b" (ebx),
23310 "=c" (ecx)
23311 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
23312 - "D" (&pci_indirect)
23313 + "D" (&pci_indirect),
23314 + "r" (__PCIBIOS_DS)
23315 : "memory");
23316 local_irq_restore(flags);
23317
23318 @@ -165,7 +211,10 @@ static int pci_bios_read(unsigned int se
23319
23320 switch (len) {
23321 case 1:
23322 - __asm__("lcall *(%%esi); cld\n\t"
23323 + __asm__("movw %w6, %%ds\n\t"
23324 + "lcall *%%ss:(%%esi); cld\n\t"
23325 + "push %%ss\n\t"
23326 + "pop %%ds\n\t"
23327 "jc 1f\n\t"
23328 "xor %%ah, %%ah\n"
23329 "1:"
23330 @@ -174,7 +223,8 @@ static int pci_bios_read(unsigned int se
23331 : "1" (PCIBIOS_READ_CONFIG_BYTE),
23332 "b" (bx),
23333 "D" ((long)reg),
23334 - "S" (&pci_indirect));
23335 + "S" (&pci_indirect),
23336 + "r" (__PCIBIOS_DS));
23337 /*
23338 * Zero-extend the result beyond 8 bits, do not trust the
23339 * BIOS having done it:
23340 @@ -182,7 +232,10 @@ static int pci_bios_read(unsigned int se
23341 *value &= 0xff;
23342 break;
23343 case 2:
23344 - __asm__("lcall *(%%esi); cld\n\t"
23345 + __asm__("movw %w6, %%ds\n\t"
23346 + "lcall *%%ss:(%%esi); cld\n\t"
23347 + "push %%ss\n\t"
23348 + "pop %%ds\n\t"
23349 "jc 1f\n\t"
23350 "xor %%ah, %%ah\n"
23351 "1:"
23352 @@ -191,7 +244,8 @@ static int pci_bios_read(unsigned int se
23353 : "1" (PCIBIOS_READ_CONFIG_WORD),
23354 "b" (bx),
23355 "D" ((long)reg),
23356 - "S" (&pci_indirect));
23357 + "S" (&pci_indirect),
23358 + "r" (__PCIBIOS_DS));
23359 /*
23360 * Zero-extend the result beyond 16 bits, do not trust the
23361 * BIOS having done it:
23362 @@ -199,7 +253,10 @@ static int pci_bios_read(unsigned int se
23363 *value &= 0xffff;
23364 break;
23365 case 4:
23366 - __asm__("lcall *(%%esi); cld\n\t"
23367 + __asm__("movw %w6, %%ds\n\t"
23368 + "lcall *%%ss:(%%esi); cld\n\t"
23369 + "push %%ss\n\t"
23370 + "pop %%ds\n\t"
23371 "jc 1f\n\t"
23372 "xor %%ah, %%ah\n"
23373 "1:"
23374 @@ -208,7 +265,8 @@ static int pci_bios_read(unsigned int se
23375 : "1" (PCIBIOS_READ_CONFIG_DWORD),
23376 "b" (bx),
23377 "D" ((long)reg),
23378 - "S" (&pci_indirect));
23379 + "S" (&pci_indirect),
23380 + "r" (__PCIBIOS_DS));
23381 break;
23382 }
23383
23384 @@ -231,7 +289,10 @@ static int pci_bios_write(unsigned int s
23385
23386 switch (len) {
23387 case 1:
23388 - __asm__("lcall *(%%esi); cld\n\t"
23389 + __asm__("movw %w6, %%ds\n\t"
23390 + "lcall *%%ss:(%%esi); cld\n\t"
23391 + "push %%ss\n\t"
23392 + "pop %%ds\n\t"
23393 "jc 1f\n\t"
23394 "xor %%ah, %%ah\n"
23395 "1:"
23396 @@ -240,10 +301,14 @@ static int pci_bios_write(unsigned int s
23397 "c" (value),
23398 "b" (bx),
23399 "D" ((long)reg),
23400 - "S" (&pci_indirect));
23401 + "S" (&pci_indirect),
23402 + "r" (__PCIBIOS_DS));
23403 break;
23404 case 2:
23405 - __asm__("lcall *(%%esi); cld\n\t"
23406 + __asm__("movw %w6, %%ds\n\t"
23407 + "lcall *%%ss:(%%esi); cld\n\t"
23408 + "push %%ss\n\t"
23409 + "pop %%ds\n\t"
23410 "jc 1f\n\t"
23411 "xor %%ah, %%ah\n"
23412 "1:"
23413 @@ -252,10 +317,14 @@ static int pci_bios_write(unsigned int s
23414 "c" (value),
23415 "b" (bx),
23416 "D" ((long)reg),
23417 - "S" (&pci_indirect));
23418 + "S" (&pci_indirect),
23419 + "r" (__PCIBIOS_DS));
23420 break;
23421 case 4:
23422 - __asm__("lcall *(%%esi); cld\n\t"
23423 + __asm__("movw %w6, %%ds\n\t"
23424 + "lcall *%%ss:(%%esi); cld\n\t"
23425 + "push %%ss\n\t"
23426 + "pop %%ds\n\t"
23427 "jc 1f\n\t"
23428 "xor %%ah, %%ah\n"
23429 "1:"
23430 @@ -264,7 +333,8 @@ static int pci_bios_write(unsigned int s
23431 "c" (value),
23432 "b" (bx),
23433 "D" ((long)reg),
23434 - "S" (&pci_indirect));
23435 + "S" (&pci_indirect),
23436 + "r" (__PCIBIOS_DS));
23437 break;
23438 }
23439
23440 @@ -278,7 +348,7 @@ static int pci_bios_write(unsigned int s
23441 * Function table for BIOS32 access
23442 */
23443
23444 -static struct pci_raw_ops pci_bios_access = {
23445 +static const struct pci_raw_ops pci_bios_access = {
23446 .read = pci_bios_read,
23447 .write = pci_bios_write
23448 };
23449 @@ -287,7 +357,7 @@ static struct pci_raw_ops pci_bios_acces
23450 * Try to find PCI BIOS.
23451 */
23452
23453 -static struct pci_raw_ops * __devinit pci_find_bios(void)
23454 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
23455 {
23456 union bios32 *check;
23457 unsigned char sum;
23458 @@ -368,10 +438,13 @@ struct irq_routing_table * pcibios_get_i
23459
23460 DBG("PCI: Fetching IRQ routing table... ");
23461 __asm__("push %%es\n\t"
23462 + "movw %w8, %%ds\n\t"
23463 "push %%ds\n\t"
23464 "pop %%es\n\t"
23465 - "lcall *(%%esi); cld\n\t"
23466 + "lcall *%%ss:(%%esi); cld\n\t"
23467 "pop %%es\n\t"
23468 + "push %%ss\n\t"
23469 + "pop %%ds\n"
23470 "jc 1f\n\t"
23471 "xor %%ah, %%ah\n"
23472 "1:"
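Review bot: ES ends up holding `__PCIBIOS_DS` instead of the flat kernel data selector, because the added `movw %w8, %%ds` sits before the existing `push %%ds; pop %%es`. The `"D" ((long) &opt)` input in the following hunk is still a kernel address, while bios32_service() gives the PCIBIOS_DS descriptor a base of `address + PAGE_OFFSET`, so ES:EDI would apparently no longer point at `opt`; please confirm this is intended. If ES is meant to keep its previous value, loading DS after the copy (`push %%ds; pop %%es; movw %w8, %%ds`) would preserve it. The asm statement continues into the next hunk.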
23473 @@ -382,7 +455,8 @@ struct irq_routing_table * pcibios_get_i
23474 "1" (0),
23475 "D" ((long) &opt),
23476 "S" (&pci_indirect),
23477 - "m" (opt)
23478 + "m" (opt),
23479 + "r" (__PCIBIOS_DS)
23480 : "memory");
23481 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
23482 if (ret & 0xff00)
23483 @@ -406,7 +480,10 @@ int pcibios_set_irq_routing(struct pci_d
23484 {
23485 int ret;
23486
23487 - __asm__("lcall *(%%esi); cld\n\t"
23488 + __asm__("movw %w5, %%ds\n\t"
23489 + "lcall *%%ss:(%%esi); cld\n\t"
23490 + "push %%ss\n\t"
23491 + "pop %%ds\n"
23492 "jc 1f\n\t"
23493 "xor %%ah, %%ah\n"
23494 "1:"
23495 @@ -414,7 +491,8 @@ int pcibios_set_irq_routing(struct pci_d
23496 : "0" (PCIBIOS_SET_PCI_HW_INT),
23497 "b" ((dev->bus->number << 8) | dev->devfn),
23498 "c" ((irq << 8) | (pin + 10)),
23499 - "S" (&pci_indirect));
23500 + "S" (&pci_indirect),
23501 + "r" (__PCIBIOS_DS));
23502 return !(ret & 0xff00);
23503 }
23504 EXPORT_SYMBOL(pcibios_set_irq_routing);
23505 diff -urNp linux-2.6.32.46/arch/x86/power/cpu.c linux-2.6.32.46/arch/x86/power/cpu.c
23506 --- linux-2.6.32.46/arch/x86/power/cpu.c 2011-03-27 14:31:47.000000000 -0400
23507 +++ linux-2.6.32.46/arch/x86/power/cpu.c 2011-04-17 15:56:46.000000000 -0400
23508 @@ -129,7 +129,7 @@ static void do_fpu_end(void)
23509 static void fix_processor_context(void)
23510 {
23511 int cpu = smp_processor_id();
23512 - struct tss_struct *t = &per_cpu(init_tss, cpu);
23513 + struct tss_struct *t = init_tss + cpu;
23514
23515 set_tss_desc(cpu, t); /*
23516 * This just modifies memory; should not be
23517 @@ -139,7 +139,9 @@ static void fix_processor_context(void)
23518 */
23519
23520 #ifdef CONFIG_X86_64
23521 + pax_open_kernel();
23522 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
23523 + pax_close_kernel();
23524
23525 syscall_init(); /* This sets MSR_*STAR and related */
23526 #endif
23527 diff -urNp linux-2.6.32.46/arch/x86/vdso/Makefile linux-2.6.32.46/arch/x86/vdso/Makefile
23528 --- linux-2.6.32.46/arch/x86/vdso/Makefile 2011-03-27 14:31:47.000000000 -0400
23529 +++ linux-2.6.32.46/arch/x86/vdso/Makefile 2011-04-17 15:56:46.000000000 -0400
23530 @@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
23531 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
23532 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
23533
23534 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
23535 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
23536 GCOV_PROFILE := n
23537
23538 #
23539 diff -urNp linux-2.6.32.46/arch/x86/vdso/vclock_gettime.c linux-2.6.32.46/arch/x86/vdso/vclock_gettime.c
23540 --- linux-2.6.32.46/arch/x86/vdso/vclock_gettime.c 2011-03-27 14:31:47.000000000 -0400
23541 +++ linux-2.6.32.46/arch/x86/vdso/vclock_gettime.c 2011-04-17 15:56:46.000000000 -0400
23542 @@ -22,24 +22,48 @@
23543 #include <asm/hpet.h>
23544 #include <asm/unistd.h>
23545 #include <asm/io.h>
23546 +#include <asm/fixmap.h>
23547 #include "vextern.h"
23548
23549 #define gtod vdso_vsyscall_gtod_data
23550
23551 +notrace noinline long __vdso_fallback_time(long *t)
23552 +{
23553 + long secs;
23554 + asm volatile("syscall"
23555 + : "=a" (secs)
23556 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
23557 + return secs;
23558 +}
23559 +
23560 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
23561 {
23562 long ret;
23563 asm("syscall" : "=a" (ret) :
23564 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
23565 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
23566 return ret;
23567 }
23568
23569 +notrace static inline cycle_t __vdso_vread_hpet(void)
23570 +{
23571 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
23572 +}
23573 +
23574 +notrace static inline cycle_t __vdso_vread_tsc(void)
23575 +{
23576 + cycle_t ret = (cycle_t)vget_cycles();
23577 +
23578 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
23579 +}
23580 +
23581 notrace static inline long vgetns(void)
23582 {
23583 long v;
23584 - cycles_t (*vread)(void);
23585 - vread = gtod->clock.vread;
23586 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
23587 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
23588 + v = __vdso_vread_tsc();
23589 + else
23590 + v = __vdso_vread_hpet();
23591 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
23592 return (v * gtod->clock.mult) >> gtod->clock.shift;
23593 }
23594
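Review bot: vgetns() falls back to the HPET read for any clocksource name other than "tsc", which is sound only if every caller has already established that the name is "hpet" or "tsc"; __vdso_clock_gettime() and __vdso_gettimeofday() do so in later hunks by repeating the same character-by-character test. The comparison is written out three times across these hunks, so two small `notrace static inline` predicates would keep the copies from drifting apart and give one place to explain why the name is compared by hand. Separately, `__vdso_fallback_time()` uses `asm volatile` while `vdso_fallback_gettime()` and `__vdso_fallback_gettimeofday()` use plain `asm`; the syscall wrappers should agree on `asm volatile`.

```c
notrace static inline int vdso_clock_is_tsc(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 't' && name[1] == 's' && name[2] == 'c' && !name[3];
}

notrace static inline int vdso_clock_is_hpet(void)
{
	const char *name = gtod->clock.name;

	return name[0] == 'h' && name[1] == 'p' && name[2] == 'e' &&
	       name[3] == 't' && !name[4];
}

notrace static inline long vgetns(void)
{
	long v;

	if (vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();	/* callers must have checked vdso_clock_is_hpet() */
	/* … unchanged: subtract cycle_last, mask, scale by mult/shift … */
}
```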
23595 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
23596
23597 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
23598 {
23599 - if (likely(gtod->sysctl_enabled))
23600 + if (likely(gtod->sysctl_enabled &&
23601 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
23602 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
23603 switch (clock) {
23604 case CLOCK_REALTIME:
23605 if (likely(gtod->clock.vread))
23606 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
23607 int clock_gettime(clockid_t, struct timespec *)
23608 __attribute__((weak, alias("__vdso_clock_gettime")));
23609
23610 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
23611 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
23612 {
23613 long ret;
23614 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
23615 + asm("syscall" : "=a" (ret) :
23616 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
23617 + return ret;
23618 +}
23619 +
23620 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
23621 +{
23622 + if (likely(gtod->sysctl_enabled &&
23623 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
23624 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
23625 + {
23626 if (likely(tv != NULL)) {
23627 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
23628 offsetof(struct timespec, tv_nsec) ||
23629 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
23630 }
23631 return 0;
23632 }
23633 - asm("syscall" : "=a" (ret) :
23634 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
23635 - return ret;
23636 + return __vdso_fallback_gettimeofday(tv, tz);
23637 }
23638 int gettimeofday(struct timeval *, struct timezone *)
23639 __attribute__((weak, alias("__vdso_gettimeofday")));
23640 diff -urNp linux-2.6.32.46/arch/x86/vdso/vdso32-setup.c linux-2.6.32.46/arch/x86/vdso/vdso32-setup.c
23641 --- linux-2.6.32.46/arch/x86/vdso/vdso32-setup.c 2011-03-27 14:31:47.000000000 -0400
23642 +++ linux-2.6.32.46/arch/x86/vdso/vdso32-setup.c 2011-04-23 12:56:10.000000000 -0400
23643 @@ -25,6 +25,7 @@
23644 #include <asm/tlbflush.h>
23645 #include <asm/vdso.h>
23646 #include <asm/proto.h>
23647 +#include <asm/mman.h>
23648
23649 enum {
23650 VDSO_DISABLED = 0,
23651 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
23652 void enable_sep_cpu(void)
23653 {
23654 int cpu = get_cpu();
23655 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
23656 + struct tss_struct *tss = init_tss + cpu;
23657
23658 if (!boot_cpu_has(X86_FEATURE_SEP)) {
23659 put_cpu();
23660 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
23661 gate_vma.vm_start = FIXADDR_USER_START;
23662 gate_vma.vm_end = FIXADDR_USER_END;
23663 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
23664 - gate_vma.vm_page_prot = __P101;
23665 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
23666 /*
23667 * Make sure the vDSO gets into every core dump.
23668 * Dumping its contents makes post-mortem fully interpretable later
23669 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
23670 if (compat)
23671 addr = VDSO_HIGH_BASE;
23672 else {
23673 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
23674 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
23675 if (IS_ERR_VALUE(addr)) {
23676 ret = addr;
23677 goto up_fail;
23678 }
23679 }
23680
23681 - current->mm->context.vdso = (void *)addr;
23682 + current->mm->context.vdso = addr;
23683
23684 if (compat_uses_vma || !compat) {
23685 /*
23686 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
23687 }
23688
23689 current_thread_info()->sysenter_return =
23690 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
23691 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
23692
23693 up_fail:
23694 if (ret)
23695 - current->mm->context.vdso = NULL;
23696 + current->mm->context.vdso = 0;
23697
23698 up_write(&mm->mmap_sem);
23699
23700 @@ -413,8 +414,14 @@ __initcall(ia32_binfmt_init);
23701
23702 const char *arch_vma_name(struct vm_area_struct *vma)
23703 {
23704 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
23705 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
23706 return "[vdso]";
23707 +
23708 +#ifdef CONFIG_PAX_SEGMEXEC
23709 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
23710 + return "[vdso]";
23711 +#endif
23712 +
23713 return NULL;
23714 }
23715
23716 @@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
23717 struct mm_struct *mm = tsk->mm;
23718
23719 /* Check to see if this task was created in compat vdso mode */
23720 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
23721 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
23722 return &gate_vma;
23723 return NULL;
23724 }
23725 diff -urNp linux-2.6.32.46/arch/x86/vdso/vdso.lds.S linux-2.6.32.46/arch/x86/vdso/vdso.lds.S
23726 --- linux-2.6.32.46/arch/x86/vdso/vdso.lds.S 2011-03-27 14:31:47.000000000 -0400
23727 +++ linux-2.6.32.46/arch/x86/vdso/vdso.lds.S 2011-06-06 17:35:35.000000000 -0400
23728 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
23729 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
23730 #include "vextern.h"
23731 #undef VEXTERN
23732 +
23733 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
23734 +VEXTERN(fallback_gettimeofday)
23735 +VEXTERN(fallback_time)
23736 +VEXTERN(getcpu)
23737 +#undef VEXTERN
23738 diff -urNp linux-2.6.32.46/arch/x86/vdso/vextern.h linux-2.6.32.46/arch/x86/vdso/vextern.h
23739 --- linux-2.6.32.46/arch/x86/vdso/vextern.h 2011-03-27 14:31:47.000000000 -0400
23740 +++ linux-2.6.32.46/arch/x86/vdso/vextern.h 2011-04-17 15:56:46.000000000 -0400
23741 @@ -11,6 +11,5 @@
23742 put into vextern.h and be referenced as a pointer with vdso prefix.
23743 The main kernel later fills in the values. */
23744
23745 -VEXTERN(jiffies)
23746 VEXTERN(vgetcpu_mode)
23747 VEXTERN(vsyscall_gtod_data)
23748 diff -urNp linux-2.6.32.46/arch/x86/vdso/vma.c linux-2.6.32.46/arch/x86/vdso/vma.c
23749 --- linux-2.6.32.46/arch/x86/vdso/vma.c 2011-03-27 14:31:47.000000000 -0400
23750 +++ linux-2.6.32.46/arch/x86/vdso/vma.c 2011-08-23 20:24:19.000000000 -0400
23751 @@ -17,8 +17,6 @@
23752 #include "vextern.h" /* Just for VMAGIC. */
23753 #undef VEXTERN
23754
23755 -unsigned int __read_mostly vdso_enabled = 1;
23756 -
23757 extern char vdso_start[], vdso_end[];
23758 extern unsigned short vdso_sync_cpuid;
23759
23760 @@ -27,10 +25,8 @@ static unsigned vdso_size;
23761
23762 static inline void *var_ref(void *p, char *name)
23763 {
23764 - if (*(void **)p != (void *)VMAGIC) {
23765 - printk("VDSO: variable %s broken\n", name);
23766 - vdso_enabled = 0;
23767 - }
23768 + if (*(void **)p != (void *)VMAGIC)
23769 + panic("VDSO: variable %s broken\n", name);
23770 return p;
23771 }
23772
23773 @@ -57,21 +53,18 @@ static int __init init_vdso_vars(void)
23774 if (!vbase)
23775 goto oom;
23776
23777 - if (memcmp(vbase, "\177ELF", 4)) {
23778 - printk("VDSO: I'm broken; not ELF\n");
23779 - vdso_enabled = 0;
23780 - }
23781 + if (memcmp(vbase, ELFMAG, SELFMAG))
23782 + panic("VDSO: I'm broken; not ELF\n");
23783
23784 #define VEXTERN(x) \
23785 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
23786 #include "vextern.h"
23787 #undef VEXTERN
23788 + vunmap(vbase);
23789 return 0;
23790
23791 oom:
23792 - printk("Cannot allocate vdso\n");
23793 - vdso_enabled = 0;
23794 - return -ENOMEM;
23795 + panic("Cannot allocate vdso\n");
23796 }
23797 __initcall(init_vdso_vars);
23798
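Review bot: Nothing here records why a broken or unallocatable vDSO must now stop the boot: the `panic()` calls replace the old `vdso_enabled = 0` fallback without a comment. A line above the ELF check, for example `/* the vDSO can no longer be disabled, so a bad image is fatal */`, would capture the decision; the underlying reason is not visible in this hunk and should be supplied by the author. The same applies to the `panic()` added to var_ref() in the previous hunk. Since a later hunk removes the `vdso=` handler from this file, the boot-parameter documentation for that option presumably needs a matching update.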
23799 @@ -105,9 +98,6 @@ int arch_setup_additional_pages(struct l
23800 unsigned long addr;
23801 int ret;
23802
23803 - if (!vdso_enabled)
23804 - return 0;
23805 -
23806 down_write(&mm->mmap_sem);
23807 addr = vdso_addr(mm->start_stack, vdso_size);
23808 addr = get_unmapped_area(NULL, addr, vdso_size, 0, 0);
23809 @@ -116,7 +106,7 @@ int arch_setup_additional_pages(struct l
23810 goto up_fail;
23811 }
23812
23813 - current->mm->context.vdso = (void *)addr;
23814 + current->mm->context.vdso = addr;
23815
23816 ret = install_special_mapping(mm, addr, vdso_size,
23817 VM_READ|VM_EXEC|
23818 @@ -124,7 +114,7 @@ int arch_setup_additional_pages(struct l
23819 VM_ALWAYSDUMP,
23820 vdso_pages);
23821 if (ret) {
23822 - current->mm->context.vdso = NULL;
23823 + current->mm->context.vdso = 0;
23824 goto up_fail;
23825 }
23826
23827 @@ -132,10 +122,3 @@ up_fail:
23828 up_write(&mm->mmap_sem);
23829 return ret;
23830 }
23831 -
23832 -static __init int vdso_setup(char *s)
23833 -{
23834 - vdso_enabled = simple_strtoul(s, NULL, 0);
23835 - return 0;
23836 -}
23837 -__setup("vdso=", vdso_setup);
23838 diff -urNp linux-2.6.32.46/arch/x86/xen/enlighten.c linux-2.6.32.46/arch/x86/xen/enlighten.c
23839 --- linux-2.6.32.46/arch/x86/xen/enlighten.c 2011-03-27 14:31:47.000000000 -0400
23840 +++ linux-2.6.32.46/arch/x86/xen/enlighten.c 2011-05-22 23:02:03.000000000 -0400
23841 @@ -71,8 +71,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
23842
23843 struct shared_info xen_dummy_shared_info;
23844
23845 -void *xen_initial_gdt;
23846 -
23847 /*
23848 * Point at some empty memory to start with. We map the real shared_info
23849 * page as soon as fixmap is up and running.
23850 @@ -548,7 +546,7 @@ static void xen_write_idt_entry(gate_des
23851
23852 preempt_disable();
23853
23854 - start = __get_cpu_var(idt_desc).address;
23855 + start = (unsigned long)__get_cpu_var(idt_desc).address;
23856 end = start + __get_cpu_var(idt_desc).size + 1;
23857
23858 xen_mc_flush();
23859 @@ -993,7 +991,7 @@ static const struct pv_apic_ops xen_apic
23860 #endif
23861 };
23862
23863 -static void xen_reboot(int reason)
23864 +static __noreturn void xen_reboot(int reason)
23865 {
23866 struct sched_shutdown r = { .reason = reason };
23867
23868 @@ -1001,17 +999,17 @@ static void xen_reboot(int reason)
23869 BUG();
23870 }
23871
23872 -static void xen_restart(char *msg)
23873 +static __noreturn void xen_restart(char *msg)
23874 {
23875 xen_reboot(SHUTDOWN_reboot);
23876 }
23877
23878 -static void xen_emergency_restart(void)
23879 +static __noreturn void xen_emergency_restart(void)
23880 {
23881 xen_reboot(SHUTDOWN_reboot);
23882 }
23883
23884 -static void xen_machine_halt(void)
23885 +static __noreturn void xen_machine_halt(void)
23886 {
23887 xen_reboot(SHUTDOWN_poweroff);
23888 }
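Review bot: xen_reboot() is marked `__noreturn` in the previous hunk, but the statement guarding the `BUG();` shown at the top of this hunk lies between the two hunks and is not visible. If `BUG()` is reached only when the shutdown hypercall reports failure, the function can still fall off its closing brace, which the attribute forbids and which the compiler may rely on in xen_restart(), xen_emergency_restart() and xen_machine_halt(). Making the last statement unconditional, for example a trailing `BUG();` after the conditional, keeps the annotation truthful.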
23889 @@ -1095,9 +1093,20 @@ asmlinkage void __init xen_start_kernel(
23890 */
23891 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
23892
23893 -#ifdef CONFIG_X86_64
23894 /* Work out if we support NX */
23895 - check_efer();
23896 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
23897 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
23898 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
23899 + unsigned l, h;
23900 +
23901 +#ifdef CONFIG_X86_PAE
23902 + nx_enabled = 1;
23903 +#endif
23904 + __supported_pte_mask |= _PAGE_NX;
23905 + rdmsr(MSR_EFER, l, h);
23906 + l |= EFER_NX;
23907 + wrmsr(MSR_EFER, l, h);
23908 + }
23909 #endif
23910
23911 xen_setup_features();
23912 @@ -1129,13 +1138,6 @@ asmlinkage void __init xen_start_kernel(
23913
23914 machine_ops = xen_machine_ops;
23915
23916 - /*
23917 - * The only reliable way to retain the initial address of the
23918 - * percpu gdt_page is to remember it here, so we can go and
23919 - * mark it RW later, when the initial percpu area is freed.
23920 - */
23921 - xen_initial_gdt = &per_cpu(gdt_page, 0);
23922 -
23923 xen_smp_init();
23924
23925 pgd = (pgd_t *)xen_start_info->pt_base;
23926 diff -urNp linux-2.6.32.46/arch/x86/xen/mmu.c linux-2.6.32.46/arch/x86/xen/mmu.c
23927 --- linux-2.6.32.46/arch/x86/xen/mmu.c 2011-07-13 17:23:04.000000000 -0400
23928 +++ linux-2.6.32.46/arch/x86/xen/mmu.c 2011-08-24 18:35:52.000000000 -0400
23929 @@ -1719,6 +1719,8 @@ __init pgd_t *xen_setup_kernel_pagetable
23930 convert_pfn_mfn(init_level4_pgt);
23931 convert_pfn_mfn(level3_ident_pgt);
23932 convert_pfn_mfn(level3_kernel_pgt);
23933 + convert_pfn_mfn(level3_vmalloc_pgt);
23934 + convert_pfn_mfn(level3_vmemmap_pgt);
23935
23936 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
23937 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
23938 @@ -1737,7 +1739,10 @@ __init pgd_t *xen_setup_kernel_pagetable
23939 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
23940 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
23941 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
23942 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
23943 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
23944 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
23945 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
23946 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
23947 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
23948
23949 @@ -1860,6 +1865,7 @@ static __init void xen_post_allocator_in
23950 pv_mmu_ops.set_pud = xen_set_pud;
23951 #if PAGETABLE_LEVELS == 4
23952 pv_mmu_ops.set_pgd = xen_set_pgd;
23953 + pv_mmu_ops.set_pgd_batched = xen_set_pgd;
23954 #endif
23955
23956 /* This will work as long as patching hasn't happened yet
23957 @@ -1946,6 +1952,7 @@ static const struct pv_mmu_ops xen_mmu_o
23958 .pud_val = PV_CALLEE_SAVE(xen_pud_val),
23959 .make_pud = PV_CALLEE_SAVE(xen_make_pud),
23960 .set_pgd = xen_set_pgd_hyper,
23961 + .set_pgd_batched = xen_set_pgd_hyper,
23962
23963 .alloc_pud = xen_alloc_pmd_init,
23964 .release_pud = xen_release_pmd_init,
23965 diff -urNp linux-2.6.32.46/arch/x86/xen/smp.c linux-2.6.32.46/arch/x86/xen/smp.c
23966 --- linux-2.6.32.46/arch/x86/xen/smp.c 2011-03-27 14:31:47.000000000 -0400
23967 +++ linux-2.6.32.46/arch/x86/xen/smp.c 2011-05-11 18:25:15.000000000 -0400
23968 @@ -167,11 +167,6 @@ static void __init xen_smp_prepare_boot_
23969 {
23970 BUG_ON(smp_processor_id() != 0);
23971 native_smp_prepare_boot_cpu();
23972 -
23973 - /* We've switched to the "real" per-cpu gdt, so make sure the
23974 - old memory can be recycled */
23975 - make_lowmem_page_readwrite(xen_initial_gdt);
23976 -
23977 xen_setup_vcpu_info_placement();
23978 }
23979
23980 @@ -231,12 +226,12 @@ cpu_initialize_context(unsigned int cpu,
23981 gdt = get_cpu_gdt_table(cpu);
23982
23983 ctxt->flags = VGCF_IN_KERNEL;
23984 - ctxt->user_regs.ds = __USER_DS;
23985 - ctxt->user_regs.es = __USER_DS;
23986 + ctxt->user_regs.ds = __KERNEL_DS;
23987 + ctxt->user_regs.es = __KERNEL_DS;
23988 ctxt->user_regs.ss = __KERNEL_DS;
23989 #ifdef CONFIG_X86_32
23990 ctxt->user_regs.fs = __KERNEL_PERCPU;
23991 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
23992 + savesegment(gs, ctxt->user_regs.gs);
23993 #else
23994 ctxt->gs_base_kernel = per_cpu_offset(cpu);
23995 #endif
23996 @@ -287,13 +282,12 @@ static int __cpuinit xen_cpu_up(unsigned
23997 int rc;
23998
23999 per_cpu(current_task, cpu) = idle;
24000 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
24001 #ifdef CONFIG_X86_32
24002 irq_ctx_init(cpu);
24003 #else
24004 clear_tsk_thread_flag(idle, TIF_FORK);
24005 - per_cpu(kernel_stack, cpu) =
24006 - (unsigned long)task_stack_page(idle) -
24007 - KERNEL_STACK_OFFSET + THREAD_SIZE;
24008 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
24009 #endif
24010 xen_setup_runstate_info(cpu);
24011 xen_setup_timer(cpu);
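Review bot: The literal `16` in `task_stack_page(idle) - 16 + THREAD_SIZE` replaces `KERNEL_STACK_OFFSET` without saying what the sixteen bytes are for. If the macro is removed elsewhere in the patch, a new named constant or a comment such as `/* 16 bytes reserved at the top of the kernel stack */` would keep this in step with any other place that computes the same value. xen_cpu_up() starts before this hunk.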
24012 diff -urNp linux-2.6.32.46/arch/x86/xen/xen-asm_32.S linux-2.6.32.46/arch/x86/xen/xen-asm_32.S
24013 --- linux-2.6.32.46/arch/x86/xen/xen-asm_32.S 2011-03-27 14:31:47.000000000 -0400
24014 +++ linux-2.6.32.46/arch/x86/xen/xen-asm_32.S 2011-04-22 19:13:13.000000000 -0400
24015 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
24016 ESP_OFFSET=4 # bytes pushed onto stack
24017
24018 /*
24019 - * Store vcpu_info pointer for easy access. Do it this way to
24020 - * avoid having to reload %fs
24021 + * Store vcpu_info pointer for easy access.
24022 */
24023 #ifdef CONFIG_SMP
24024 - GET_THREAD_INFO(%eax)
24025 - movl TI_cpu(%eax), %eax
24026 - movl __per_cpu_offset(,%eax,4), %eax
24027 - mov per_cpu__xen_vcpu(%eax), %eax
24028 + push %fs
24029 + mov $(__KERNEL_PERCPU), %eax
24030 + mov %eax, %fs
24031 + mov PER_CPU_VAR(xen_vcpu), %eax
24032 + pop %fs
24033 #else
24034 movl per_cpu__xen_vcpu, %eax
24035 #endif
24036 diff -urNp linux-2.6.32.46/arch/x86/xen/xen-head.S linux-2.6.32.46/arch/x86/xen/xen-head.S
24037 --- linux-2.6.32.46/arch/x86/xen/xen-head.S 2011-03-27 14:31:47.000000000 -0400
24038 +++ linux-2.6.32.46/arch/x86/xen/xen-head.S 2011-04-17 15:56:46.000000000 -0400
24039 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
24040 #ifdef CONFIG_X86_32
24041 mov %esi,xen_start_info
24042 mov $init_thread_union+THREAD_SIZE,%esp
24043 +#ifdef CONFIG_SMP
24044 + movl $cpu_gdt_table,%edi
24045 + movl $__per_cpu_load,%eax
24046 + movw %ax,__KERNEL_PERCPU + 2(%edi)
24047 + rorl $16,%eax
24048 + movb %al,__KERNEL_PERCPU + 4(%edi)
24049 + movb %ah,__KERNEL_PERCPU + 7(%edi)
24050 + movl $__per_cpu_end - 1,%eax
24051 + subl $__per_cpu_start,%eax
24052 + movw %ax,__KERNEL_PERCPU + 0(%edi)
24053 +#endif
24054 #else
24055 mov %rsi,xen_start_info
24056 mov $init_thread_union+THREAD_SIZE,%rsp
24057 diff -urNp linux-2.6.32.46/arch/x86/xen/xen-ops.h linux-2.6.32.46/arch/x86/xen/xen-ops.h
24058 --- linux-2.6.32.46/arch/x86/xen/xen-ops.h 2011-03-27 14:31:47.000000000 -0400
24059 +++ linux-2.6.32.46/arch/x86/xen/xen-ops.h 2011-04-17 15:56:46.000000000 -0400
24060 @@ -10,8 +10,6 @@
24061 extern const char xen_hypervisor_callback[];
24062 extern const char xen_failsafe_callback[];
24063
24064 -extern void *xen_initial_gdt;
24065 -
24066 struct trap_info;
24067 void xen_copy_trap_info(struct trap_info *traps);
24068
24069 diff -urNp linux-2.6.32.46/block/blk-integrity.c linux-2.6.32.46/block/blk-integrity.c
24070 --- linux-2.6.32.46/block/blk-integrity.c 2011-03-27 14:31:47.000000000 -0400
24071 +++ linux-2.6.32.46/block/blk-integrity.c 2011-04-17 15:56:46.000000000 -0400
24072 @@ -278,7 +278,7 @@ static struct attribute *integrity_attrs
24073 NULL,
24074 };
24075
24076 -static struct sysfs_ops integrity_ops = {
24077 +static const struct sysfs_ops integrity_ops = {
24078 .show = &integrity_attr_show,
24079 .store = &integrity_attr_store,
24080 };
24081 diff -urNp linux-2.6.32.46/block/blk-iopoll.c linux-2.6.32.46/block/blk-iopoll.c
24082 --- linux-2.6.32.46/block/blk-iopoll.c 2011-03-27 14:31:47.000000000 -0400
24083 +++ linux-2.6.32.46/block/blk-iopoll.c 2011-04-17 15:56:46.000000000 -0400
24084 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
24085 }
24086 EXPORT_SYMBOL(blk_iopoll_complete);
24087
24088 -static void blk_iopoll_softirq(struct softirq_action *h)
24089 +static void blk_iopoll_softirq(void)
24090 {
24091 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
24092 int rearm = 0, budget = blk_iopoll_budget;
24093 diff -urNp linux-2.6.32.46/block/blk-map.c linux-2.6.32.46/block/blk-map.c
24094 --- linux-2.6.32.46/block/blk-map.c 2011-03-27 14:31:47.000000000 -0400
24095 +++ linux-2.6.32.46/block/blk-map.c 2011-04-18 16:57:33.000000000 -0400
24096 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
24097 * direct dma. else, set up kernel bounce buffers
24098 */
24099 uaddr = (unsigned long) ubuf;
24100 - if (blk_rq_aligned(q, ubuf, len) && !map_data)
24101 + if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
24102 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
24103 else
24104 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
24105 @@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_q
24106 for (i = 0; i < iov_count; i++) {
24107 unsigned long uaddr = (unsigned long)iov[i].iov_base;
24108
24109 + if (!iov[i].iov_len)
24110 + return -EINVAL;
24111 +
24112 if (uaddr & queue_dma_alignment(q)) {
24113 unaligned = 1;
24114 break;
24115 }
24116 - if (!iov[i].iov_len)
24117 - return -EINVAL;
24118 }
24119
24120 if (unaligned || (q->dma_pad_mask & len) || map_data)
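Review bot: The zero-length check now runs before the alignment test, but the `break` in the unaligned branch still ends the loop, so every iovec after the first misaligned one is never checked for `iov_len == 0`. Dropping the `break;` and keeping only `unaligned = 1;` would let the loop validate all `iov_count` entries before the request is mapped or bounced. This loop is part of blk_rq_map_user_iov, whose body continues outside the hunk, so whether a later stage rejects such entries cannot be confirmed from here.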
24121 @@ -299,7 +300,7 @@ int blk_rq_map_kern(struct request_queue
24122 if (!len || !kbuf)
24123 return -EINVAL;
24124
24125 - do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
24126 + do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
24127 if (do_copy)
24128 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
24129 else
24130 diff -urNp linux-2.6.32.46/block/blk-softirq.c linux-2.6.32.46/block/blk-softirq.c
24131 --- linux-2.6.32.46/block/blk-softirq.c 2011-03-27 14:31:47.000000000 -0400
24132 +++ linux-2.6.32.46/block/blk-softirq.c 2011-04-17 15:56:46.000000000 -0400
24133 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
24134 * Softirq action handler - move entries to local list and loop over them
24135 * while passing them to the queue registered handler.
24136 */
24137 -static void blk_done_softirq(struct softirq_action *h)
24138 +static void blk_done_softirq(void)
24139 {
24140 struct list_head *cpu_list, local_list;
24141
24142 diff -urNp linux-2.6.32.46/block/blk-sysfs.c linux-2.6.32.46/block/blk-sysfs.c
24143 --- linux-2.6.32.46/block/blk-sysfs.c 2011-05-10 22:12:01.000000000 -0400
24144 +++ linux-2.6.32.46/block/blk-sysfs.c 2011-05-10 22:12:26.000000000 -0400
24145 @@ -414,7 +414,7 @@ static void blk_release_queue(struct kob
24146 kmem_cache_free(blk_requestq_cachep, q);
24147 }
24148
24149 -static struct sysfs_ops queue_sysfs_ops = {
24150 +static const struct sysfs_ops queue_sysfs_ops = {
24151 .show = queue_attr_show,
24152 .store = queue_attr_store,
24153 };
24154 diff -urNp linux-2.6.32.46/block/bsg.c linux-2.6.32.46/block/bsg.c
24155 --- linux-2.6.32.46/block/bsg.c 2011-03-27 14:31:47.000000000 -0400
24156 +++ linux-2.6.32.46/block/bsg.c 2011-04-17 15:56:46.000000000 -0400
24157 @@ -175,16 +175,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
24158 struct sg_io_v4 *hdr, struct bsg_device *bd,
24159 fmode_t has_write_perm)
24160 {
24161 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24162 + unsigned char *cmdptr;
24163 +
24164 if (hdr->request_len > BLK_MAX_CDB) {
24165 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
24166 if (!rq->cmd)
24167 return -ENOMEM;
24168 - }
24169 + cmdptr = rq->cmd;
24170 + } else
24171 + cmdptr = tmpcmd;
24172
24173 - if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
24174 + if (copy_from_user(cmdptr, (void *)(unsigned long)hdr->request,
24175 hdr->request_len))
24176 return -EFAULT;
24177
24178 + if (cmdptr != rq->cmd)
24179 + memcpy(rq->cmd, cmdptr, hdr->request_len);
24180 +
24181 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
24182 if (blk_verify_command(rq->cmd, has_write_perm))
24183 return -EPERM;
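Review bot: The bounce buffer `tmpcmd` is sized with `sizeof(rq->__cmd)`, but it is selected whenever `hdr->request_len <= BLK_MAX_CDB`, so the copy_from_user() into it is bounded only if the two sizes agree, which nothing in this hunk states or enforces. A `BUILD_BUG_ON(sizeof(tmpcmd) < BLK_MAX_CDB);` next to the declaration would pin that assumption. The same select/copy/memcpy sequence is repeated in blk_fill_sghdr_rq and sg_scsi_ioctl in block/scsi_ioctl.c, where the bounds on `hdr->cmd_len` and `cmdlen` are established outside the hunks. A single static helper would keep the three sites from drifting apart, with one comment saying why user data is staged on the stack before it reaches `rq->cmd`.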
24184 diff -urNp linux-2.6.32.46/block/elevator.c linux-2.6.32.46/block/elevator.c
24185 --- linux-2.6.32.46/block/elevator.c 2011-03-27 14:31:47.000000000 -0400
24186 +++ linux-2.6.32.46/block/elevator.c 2011-04-17 15:56:46.000000000 -0400
24187 @@ -889,7 +889,7 @@ elv_attr_store(struct kobject *kobj, str
24188 return error;
24189 }
24190
24191 -static struct sysfs_ops elv_sysfs_ops = {
24192 +static const struct sysfs_ops elv_sysfs_ops = {
24193 .show = elv_attr_show,
24194 .store = elv_attr_store,
24195 };
24196 diff -urNp linux-2.6.32.46/block/scsi_ioctl.c linux-2.6.32.46/block/scsi_ioctl.c
24197 --- linux-2.6.32.46/block/scsi_ioctl.c 2011-03-27 14:31:47.000000000 -0400
24198 +++ linux-2.6.32.46/block/scsi_ioctl.c 2011-04-23 13:28:22.000000000 -0400
24199 @@ -220,8 +220,20 @@ EXPORT_SYMBOL(blk_verify_command);
24200 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
24201 struct sg_io_hdr *hdr, fmode_t mode)
24202 {
24203 - if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
24204 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24205 + unsigned char *cmdptr;
24206 +
24207 + if (rq->cmd != rq->__cmd)
24208 + cmdptr = rq->cmd;
24209 + else
24210 + cmdptr = tmpcmd;
24211 +
24212 + if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
24213 return -EFAULT;
24214 +
24215 + if (cmdptr != rq->cmd)
24216 + memcpy(rq->cmd, cmdptr, hdr->cmd_len);
24217 +
24218 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
24219 return -EPERM;
24220
24221 @@ -430,6 +442,8 @@ int sg_scsi_ioctl(struct request_queue *
24222 int err;
24223 unsigned int in_len, out_len, bytes, opcode, cmdlen;
24224 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
24225 + unsigned char tmpcmd[sizeof(rq->__cmd)];
24226 + unsigned char *cmdptr;
24227
24228 if (!sic)
24229 return -EINVAL;
24230 @@ -463,9 +477,18 @@ int sg_scsi_ioctl(struct request_queue *
24231 */
24232 err = -EFAULT;
24233 rq->cmd_len = cmdlen;
24234 - if (copy_from_user(rq->cmd, sic->data, cmdlen))
24235 +
24236 + if (rq->cmd != rq->__cmd)
24237 + cmdptr = rq->cmd;
24238 + else
24239 + cmdptr = tmpcmd;
24240 +
24241 + if (copy_from_user(cmdptr, sic->data, cmdlen))
24242 goto error;
24243
24244 + if (rq->cmd != cmdptr)
24245 + memcpy(rq->cmd, cmdptr, cmdlen);
24246 +
24247 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
24248 goto error;
24249
24250 diff -urNp linux-2.6.32.46/crypto/cryptd.c linux-2.6.32.46/crypto/cryptd.c
24251 --- linux-2.6.32.46/crypto/cryptd.c 2011-03-27 14:31:47.000000000 -0400
24252 +++ linux-2.6.32.46/crypto/cryptd.c 2011-08-23 21:22:32.000000000 -0400
24253 @@ -50,7 +50,7 @@ struct cryptd_blkcipher_ctx {
24254
24255 struct cryptd_blkcipher_request_ctx {
24256 crypto_completion_t complete;
24257 -};
24258 +} __no_const;
24259
24260 struct cryptd_hash_ctx {
24261 struct crypto_shash *child;
24262 diff -urNp linux-2.6.32.46/crypto/gf128mul.c linux-2.6.32.46/crypto/gf128mul.c
24263 --- linux-2.6.32.46/crypto/gf128mul.c 2011-03-27 14:31:47.000000000 -0400
24264 +++ linux-2.6.32.46/crypto/gf128mul.c 2011-07-06 19:53:33.000000000 -0400
24265 @@ -182,7 +182,7 @@ void gf128mul_lle(be128 *r, const be128
24266 for (i = 0; i < 7; ++i)
24267 gf128mul_x_lle(&p[i + 1], &p[i]);
24268
24269 - memset(r, 0, sizeof(r));
24270 + memset(r, 0, sizeof(*r));
24271 for (i = 0;;) {
24272 u8 ch = ((u8 *)b)[15 - i];
24273
24274 @@ -220,7 +220,7 @@ void gf128mul_bbe(be128 *r, const be128
24275 for (i = 0; i < 7; ++i)
24276 gf128mul_x_bbe(&p[i + 1], &p[i]);
24277
24278 - memset(r, 0, sizeof(r));
24279 + memset(r, 0, sizeof(*r));
24280 for (i = 0;;) {
24281 u8 ch = ((u8 *)b)[i];
24282
24283 diff -urNp linux-2.6.32.46/crypto/serpent.c linux-2.6.32.46/crypto/serpent.c
24284 --- linux-2.6.32.46/crypto/serpent.c 2011-03-27 14:31:47.000000000 -0400
24285 +++ linux-2.6.32.46/crypto/serpent.c 2011-08-18 23:59:56.000000000 -0400
24286 @@ -21,6 +21,7 @@
24287 #include <asm/byteorder.h>
24288 #include <linux/crypto.h>
24289 #include <linux/types.h>
24290 +#include <linux/sched.h>
24291
24292 /* Key is padded to the maximum of 256 bits before round key generation.
24293 * Any key length <= 256 bits (32 bytes) is allowed by the algorithm.
24294 @@ -224,6 +225,8 @@ static int serpent_setkey(struct crypto_
24295 u32 r0,r1,r2,r3,r4;
24296 int i;
24297
24298 + pax_track_stack();
24299 +
24300 /* Copy key, add padding */
24301
24302 for (i = 0; i < keylen; ++i)
24303 diff -urNp linux-2.6.32.46/Documentation/dontdiff linux-2.6.32.46/Documentation/dontdiff
24304 --- linux-2.6.32.46/Documentation/dontdiff 2011-03-27 14:31:47.000000000 -0400
24305 +++ linux-2.6.32.46/Documentation/dontdiff 2011-08-21 18:59:02.000000000 -0400
24306 @@ -1,13 +1,16 @@
24307 *.a
24308 *.aux
24309 *.bin
24310 +*.cis
24311 *.cpio
24312 *.csp
24313 +*.dbg
24314 *.dsp
24315 *.dvi
24316 *.elf
24317 *.eps
24318 *.fw
24319 +*.gcno
24320 *.gen.S
24321 *.gif
24322 *.grep
24323 @@ -38,8 +41,10 @@
24324 *.tab.h
24325 *.tex
24326 *.ver
24327 +*.vim
24328 *.xml
24329 *_MODULES
24330 +*_reg_safe.h
24331 *_vga16.c
24332 *~
24333 *.9
24334 @@ -49,11 +54,16 @@
24335 53c700_d.h
24336 CVS
24337 ChangeSet
24338 +GPATH
24339 +GRTAGS
24340 +GSYMS
24341 +GTAGS
24342 Image
24343 Kerntypes
24344 Module.markers
24345 Module.symvers
24346 PENDING
24347 +PERF*
24348 SCCS
24349 System.map*
24350 TAGS
24351 @@ -76,7 +86,11 @@ btfixupprep
24352 build
24353 bvmlinux
24354 bzImage*
24355 +capability_names.h
24356 +capflags.c
24357 classlist.h*
24358 +clut_vga16.c
24359 +common-cmds.h
24360 comp*.log
24361 compile.h*
24362 conf
24363 @@ -97,19 +111,21 @@ elfconfig.h*
24364 fixdep
24365 fore200e_mkfirm
24366 fore200e_pca_fw.c*
24367 +gate.lds
24368 gconf
24369 gen-devlist
24370 gen_crc32table
24371 gen_init_cpio
24372 genksyms
24373 *_gray256.c
24374 +hash
24375 ihex2fw
24376 ikconfig.h*
24377 initramfs_data.cpio
24378 +initramfs_data.cpio.bz2
24379 initramfs_data.cpio.gz
24380 initramfs_list
24381 kallsyms
24382 -kconfig
24383 keywords.c
24384 ksym.c*
24385 ksym.h*
24386 @@ -133,7 +149,9 @@ mkboot
24387 mkbugboot
24388 mkcpustr
24389 mkdep
24390 +mkpiggy
24391 mkprep
24392 +mkregtable
24393 mktables
24394 mktree
24395 modpost
24396 @@ -149,6 +167,7 @@ patches*
24397 pca200e.bin
24398 pca200e_ecd.bin2
24399 piggy.gz
24400 +piggy.S
24401 piggyback
24402 pnmtologo
24403 ppc_defs.h*
24404 @@ -157,12 +176,15 @@ qconf
24405 raid6altivec*.c
24406 raid6int*.c
24407 raid6tables.c
24408 +regdb.c
24409 relocs
24410 +rlim_names.h
24411 series
24412 setup
24413 setup.bin
24414 setup.elf
24415 sImage
24416 +slabinfo
24417 sm_tbl*
24418 split-include
24419 syscalltab.h
24420 @@ -186,14 +208,20 @@ version.h*
24421 vmlinux
24422 vmlinux-*
24423 vmlinux.aout
24424 +vmlinux.bin.all
24425 +vmlinux.bin.bz2
24426 vmlinux.lds
24427 +vmlinux.relocs
24428 +voffset.h
24429 vsyscall.lds
24430 vsyscall_32.lds
24431 wanxlfw.inc
24432 uImage
24433 unifdef
24434 +utsrelease.h
24435 wakeup.bin
24436 wakeup.elf
24437 wakeup.lds
24438 zImage*
24439 zconf.hash.c
24440 +zoffset.h
24441 diff -urNp linux-2.6.32.46/Documentation/kernel-parameters.txt linux-2.6.32.46/Documentation/kernel-parameters.txt
24442 --- linux-2.6.32.46/Documentation/kernel-parameters.txt 2011-03-27 14:31:47.000000000 -0400
24443 +++ linux-2.6.32.46/Documentation/kernel-parameters.txt 2011-04-17 15:56:45.000000000 -0400
24444 @@ -1837,6 +1837,13 @@ and is between 256 and 4096 characters.
24445 the specified number of seconds. This is to be used if
24446 your oopses keep scrolling off the screen.
24447
24448 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
24449 + virtualization environments that don't cope well with the
24450 + expand down segment used by UDEREF on X86-32 or the frequent
24451 + page table updates on X86-64.
24452 +
24453 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
24454 +
24455 pcbit= [HW,ISDN]
24456
24457 pcd. [PARIDE]
24458 diff -urNp linux-2.6.32.46/drivers/acpi/acpi_pad.c linux-2.6.32.46/drivers/acpi/acpi_pad.c
24459 --- linux-2.6.32.46/drivers/acpi/acpi_pad.c 2011-03-27 14:31:47.000000000 -0400
24460 +++ linux-2.6.32.46/drivers/acpi/acpi_pad.c 2011-04-17 15:56:46.000000000 -0400
24461 @@ -30,7 +30,7 @@
24462 #include <acpi/acpi_bus.h>
24463 #include <acpi/acpi_drivers.h>
24464
24465 -#define ACPI_PROCESSOR_AGGREGATOR_CLASS "processor_aggregator"
24466 +#define ACPI_PROCESSOR_AGGREGATOR_CLASS "acpi_pad"
24467 #define ACPI_PROCESSOR_AGGREGATOR_DEVICE_NAME "Processor Aggregator"
24468 #define ACPI_PROCESSOR_AGGREGATOR_NOTIFY 0x80
24469 static DEFINE_MUTEX(isolated_cpus_lock);
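Review bot: Nothing at the define records why the class string was shortened to "acpi_pad"; presumably the literal has to fit a fixed-size device-class buffer that is filled elsewhere in the driver, but that use is outside the hunk. A comment such as `/* must fit the ACPI device class buffer, including the trailing NUL */` would stop a later rename from reintroducing an overlong string. The same applies to `ACPI_SMB_HC_CLASS` in drivers/acpi/sbshc.c. If the copy at the use site is an unbounded strcpy(), bounding it there would remove the dependency on the literal's length altogether.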
24470 diff -urNp linux-2.6.32.46/drivers/acpi/battery.c linux-2.6.32.46/drivers/acpi/battery.c
24471 --- linux-2.6.32.46/drivers/acpi/battery.c 2011-03-27 14:31:47.000000000 -0400
24472 +++ linux-2.6.32.46/drivers/acpi/battery.c 2011-04-17 15:56:46.000000000 -0400
24473 @@ -763,7 +763,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
24474 }
24475
24476 static struct battery_file {
24477 - struct file_operations ops;
24478 + const struct file_operations ops;
24479 mode_t mode;
24480 const char *name;
24481 } acpi_battery_file[] = {
24482 diff -urNp linux-2.6.32.46/drivers/acpi/dock.c linux-2.6.32.46/drivers/acpi/dock.c
24483 --- linux-2.6.32.46/drivers/acpi/dock.c 2011-03-27 14:31:47.000000000 -0400
24484 +++ linux-2.6.32.46/drivers/acpi/dock.c 2011-04-17 15:56:46.000000000 -0400
24485 @@ -77,7 +77,7 @@ struct dock_dependent_device {
24486 struct list_head list;
24487 struct list_head hotplug_list;
24488 acpi_handle handle;
24489 - struct acpi_dock_ops *ops;
24490 + const struct acpi_dock_ops *ops;
24491 void *context;
24492 };
24493
24494 @@ -605,7 +605,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
24495 * the dock driver after _DCK is executed.
24496 */
24497 int
24498 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
24499 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
24500 void *context)
24501 {
24502 struct dock_dependent_device *dd;
24503 diff -urNp linux-2.6.32.46/drivers/acpi/osl.c linux-2.6.32.46/drivers/acpi/osl.c
24504 --- linux-2.6.32.46/drivers/acpi/osl.c 2011-03-27 14:31:47.000000000 -0400
24505 +++ linux-2.6.32.46/drivers/acpi/osl.c 2011-04-17 15:56:46.000000000 -0400
24506 @@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
24507 void __iomem *virt_addr;
24508
24509 virt_addr = ioremap(phys_addr, width);
24510 + if (!virt_addr)
24511 + return AE_NO_MEMORY;
24512 if (!value)
24513 value = &dummy;
24514
24515 @@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
24516 void __iomem *virt_addr;
24517
24518 virt_addr = ioremap(phys_addr, width);
24519 + if (!virt_addr)
24520 + return AE_NO_MEMORY;
24521
24522 switch (width) {
24523 case 8:
24524 diff -urNp linux-2.6.32.46/drivers/acpi/power_meter.c linux-2.6.32.46/drivers/acpi/power_meter.c
24525 --- linux-2.6.32.46/drivers/acpi/power_meter.c 2011-03-27 14:31:47.000000000 -0400
24526 +++ linux-2.6.32.46/drivers/acpi/power_meter.c 2011-04-17 15:56:46.000000000 -0400
24527 @@ -315,8 +315,6 @@ static ssize_t set_trip(struct device *d
24528 return res;
24529
24530 temp /= 1000;
24531 - if (temp < 0)
24532 - return -EINVAL;
24533
24534 mutex_lock(&resource->lock);
24535 resource->trip[attr->index - 7] = temp;
24536 diff -urNp linux-2.6.32.46/drivers/acpi/proc.c linux-2.6.32.46/drivers/acpi/proc.c
24537 --- linux-2.6.32.46/drivers/acpi/proc.c 2011-03-27 14:31:47.000000000 -0400
24538 +++ linux-2.6.32.46/drivers/acpi/proc.c 2011-04-17 15:56:46.000000000 -0400
24539 @@ -391,20 +391,15 @@ acpi_system_write_wakeup_device(struct f
24540 size_t count, loff_t * ppos)
24541 {
24542 struct list_head *node, *next;
24543 - char strbuf[5];
24544 - char str[5] = "";
24545 - unsigned int len = count;
24546 + char strbuf[5] = {0};
24547 struct acpi_device *found_dev = NULL;
24548
24549 - if (len > 4)
24550 - len = 4;
24551 - if (len < 0)
24552 - return -EFAULT;
24553 + if (count > 4)
24554 + count = 4;
24555
24556 - if (copy_from_user(strbuf, buffer, len))
24557 + if (copy_from_user(strbuf, buffer, count))
24558 return -EFAULT;
24559 - strbuf[len] = '\0';
24560 - sscanf(strbuf, "%s", str);
24561 + strbuf[count] = '\0';
24562
24563 mutex_lock(&acpi_device_lock);
24564 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
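Review bot: With the sscanf() step removed, `strbuf` is compared exactly as copied from userspace, so leading whitespace or a trailing newline now takes part in the `strncmp(dev->pnp.bus_id, strbuf, 4)` in the next hunk. A written name shorter than four characters followed by a newline would then stop matching; whether such bus ids exist is not visible here. If they do, trim after the terminator is written, e.g. `strbuf[strcspn(strbuf, "\n")] = '\0';`. `count` is also clamped in place now, so if the function returns `count` (its tail is outside the hunk) longer writes are reported as short writes, which is worth a comment.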
24565 @@ -413,7 +408,7 @@ acpi_system_write_wakeup_device(struct f
24566 if (!dev->wakeup.flags.valid)
24567 continue;
24568
24569 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
24570 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
24571 dev->wakeup.state.enabled =
24572 dev->wakeup.state.enabled ? 0 : 1;
24573 found_dev = dev;
24574 diff -urNp linux-2.6.32.46/drivers/acpi/processor_core.c linux-2.6.32.46/drivers/acpi/processor_core.c
24575 --- linux-2.6.32.46/drivers/acpi/processor_core.c 2011-03-27 14:31:47.000000000 -0400
24576 +++ linux-2.6.32.46/drivers/acpi/processor_core.c 2011-04-17 15:56:46.000000000 -0400
24577 @@ -790,7 +790,7 @@ static int __cpuinit acpi_processor_add(
24578 return 0;
24579 }
24580
24581 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
24582 + BUG_ON(pr->id >= nr_cpu_ids);
24583
24584 /*
24585 * Buggy BIOS check
24586 diff -urNp linux-2.6.32.46/drivers/acpi/sbshc.c linux-2.6.32.46/drivers/acpi/sbshc.c
24587 --- linux-2.6.32.46/drivers/acpi/sbshc.c 2011-03-27 14:31:47.000000000 -0400
24588 +++ linux-2.6.32.46/drivers/acpi/sbshc.c 2011-04-17 15:56:46.000000000 -0400
24589 @@ -17,7 +17,7 @@
24590
24591 #define PREFIX "ACPI: "
24592
24593 -#define ACPI_SMB_HC_CLASS "smbus_host_controller"
24594 +#define ACPI_SMB_HC_CLASS "smbus_host_ctl"
24595 #define ACPI_SMB_HC_DEVICE_NAME "ACPI SMBus HC"
24596
24597 struct acpi_smb_hc {
24598 diff -urNp linux-2.6.32.46/drivers/acpi/sleep.c linux-2.6.32.46/drivers/acpi/sleep.c
24599 --- linux-2.6.32.46/drivers/acpi/sleep.c 2011-03-27 14:31:47.000000000 -0400
24600 +++ linux-2.6.32.46/drivers/acpi/sleep.c 2011-04-17 15:56:46.000000000 -0400
24601 @@ -283,7 +283,7 @@ static int acpi_suspend_state_valid(susp
24602 }
24603 }
24604
24605 -static struct platform_suspend_ops acpi_suspend_ops = {
24606 +static const struct platform_suspend_ops acpi_suspend_ops = {
24607 .valid = acpi_suspend_state_valid,
24608 .begin = acpi_suspend_begin,
24609 .prepare_late = acpi_pm_prepare,
24610 @@ -311,7 +311,7 @@ static int acpi_suspend_begin_old(suspen
24611 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
24612 * been requested.
24613 */
24614 -static struct platform_suspend_ops acpi_suspend_ops_old = {
24615 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
24616 .valid = acpi_suspend_state_valid,
24617 .begin = acpi_suspend_begin_old,
24618 .prepare_late = acpi_pm_disable_gpes,
24619 @@ -460,7 +460,7 @@ static void acpi_pm_enable_gpes(void)
24620 acpi_enable_all_runtime_gpes();
24621 }
24622
24623 -static struct platform_hibernation_ops acpi_hibernation_ops = {
24624 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
24625 .begin = acpi_hibernation_begin,
24626 .end = acpi_pm_end,
24627 .pre_snapshot = acpi_hibernation_pre_snapshot,
24628 @@ -513,7 +513,7 @@ static int acpi_hibernation_pre_snapshot
24629 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
24630 * been requested.
24631 */
24632 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
24633 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
24634 .begin = acpi_hibernation_begin_old,
24635 .end = acpi_pm_end,
24636 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
24637 diff -urNp linux-2.6.32.46/drivers/acpi/video.c linux-2.6.32.46/drivers/acpi/video.c
24638 --- linux-2.6.32.46/drivers/acpi/video.c 2011-03-27 14:31:47.000000000 -0400
24639 +++ linux-2.6.32.46/drivers/acpi/video.c 2011-04-17 15:56:46.000000000 -0400
24640 @@ -359,7 +359,7 @@ static int acpi_video_set_brightness(str
24641 vd->brightness->levels[request_level]);
24642 }
24643
24644 -static struct backlight_ops acpi_backlight_ops = {
24645 +static const struct backlight_ops acpi_backlight_ops = {
24646 .get_brightness = acpi_video_get_brightness,
24647 .update_status = acpi_video_set_brightness,
24648 };
24649 diff -urNp linux-2.6.32.46/drivers/ata/ahci.c linux-2.6.32.46/drivers/ata/ahci.c
24650 --- linux-2.6.32.46/drivers/ata/ahci.c 2011-03-27 14:31:47.000000000 -0400
24651 +++ linux-2.6.32.46/drivers/ata/ahci.c 2011-04-23 12:56:10.000000000 -0400
24652 @@ -387,7 +387,7 @@ static struct scsi_host_template ahci_sh
24653 .sdev_attrs = ahci_sdev_attrs,
24654 };
24655
24656 -static struct ata_port_operations ahci_ops = {
24657 +static const struct ata_port_operations ahci_ops = {
24658 .inherits = &sata_pmp_port_ops,
24659
24660 .qc_defer = sata_pmp_qc_defer_cmd_switch,
24661 @@ -424,17 +424,17 @@ static struct ata_port_operations ahci_o
24662 .port_stop = ahci_port_stop,
24663 };
24664
24665 -static struct ata_port_operations ahci_vt8251_ops = {
24666 +static const struct ata_port_operations ahci_vt8251_ops = {
24667 .inherits = &ahci_ops,
24668 .hardreset = ahci_vt8251_hardreset,
24669 };
24670
24671 -static struct ata_port_operations ahci_p5wdh_ops = {
24672 +static const struct ata_port_operations ahci_p5wdh_ops = {
24673 .inherits = &ahci_ops,
24674 .hardreset = ahci_p5wdh_hardreset,
24675 };
24676
24677 -static struct ata_port_operations ahci_sb600_ops = {
24678 +static const struct ata_port_operations ahci_sb600_ops = {
24679 .inherits = &ahci_ops,
24680 .softreset = ahci_sb600_softreset,
24681 .pmp_softreset = ahci_sb600_softreset,
24682 diff -urNp linux-2.6.32.46/drivers/ata/ata_generic.c linux-2.6.32.46/drivers/ata/ata_generic.c
24683 --- linux-2.6.32.46/drivers/ata/ata_generic.c 2011-03-27 14:31:47.000000000 -0400
24684 +++ linux-2.6.32.46/drivers/ata/ata_generic.c 2011-04-17 15:56:46.000000000 -0400
24685 @@ -104,7 +104,7 @@ static struct scsi_host_template generic
24686 ATA_BMDMA_SHT(DRV_NAME),
24687 };
24688
24689 -static struct ata_port_operations generic_port_ops = {
24690 +static const struct ata_port_operations generic_port_ops = {
24691 .inherits = &ata_bmdma_port_ops,
24692 .cable_detect = ata_cable_unknown,
24693 .set_mode = generic_set_mode,
24694 diff -urNp linux-2.6.32.46/drivers/ata/ata_piix.c linux-2.6.32.46/drivers/ata/ata_piix.c
24695 --- linux-2.6.32.46/drivers/ata/ata_piix.c 2011-03-27 14:31:47.000000000 -0400
24696 +++ linux-2.6.32.46/drivers/ata/ata_piix.c 2011-04-23 12:56:10.000000000 -0400
24697 @@ -318,7 +318,7 @@ static struct scsi_host_template piix_sh
24698 ATA_BMDMA_SHT(DRV_NAME),
24699 };
24700
24701 -static struct ata_port_operations piix_pata_ops = {
24702 +static const struct ata_port_operations piix_pata_ops = {
24703 .inherits = &ata_bmdma32_port_ops,
24704 .cable_detect = ata_cable_40wire,
24705 .set_piomode = piix_set_piomode,
24706 @@ -326,22 +326,22 @@ static struct ata_port_operations piix_p
24707 .prereset = piix_pata_prereset,
24708 };
24709
24710 -static struct ata_port_operations piix_vmw_ops = {
24711 +static const struct ata_port_operations piix_vmw_ops = {
24712 .inherits = &piix_pata_ops,
24713 .bmdma_status = piix_vmw_bmdma_status,
24714 };
24715
24716 -static struct ata_port_operations ich_pata_ops = {
24717 +static const struct ata_port_operations ich_pata_ops = {
24718 .inherits = &piix_pata_ops,
24719 .cable_detect = ich_pata_cable_detect,
24720 .set_dmamode = ich_set_dmamode,
24721 };
24722
24723 -static struct ata_port_operations piix_sata_ops = {
24724 +static const struct ata_port_operations piix_sata_ops = {
24725 .inherits = &ata_bmdma_port_ops,
24726 };
24727
24728 -static struct ata_port_operations piix_sidpr_sata_ops = {
24729 +static const struct ata_port_operations piix_sidpr_sata_ops = {
24730 .inherits = &piix_sata_ops,
24731 .hardreset = sata_std_hardreset,
24732 .scr_read = piix_sidpr_scr_read,
24733 diff -urNp linux-2.6.32.46/drivers/ata/libata-acpi.c linux-2.6.32.46/drivers/ata/libata-acpi.c
24734 --- linux-2.6.32.46/drivers/ata/libata-acpi.c 2011-03-27 14:31:47.000000000 -0400
24735 +++ linux-2.6.32.46/drivers/ata/libata-acpi.c 2011-04-17 15:56:46.000000000 -0400
24736 @@ -223,12 +223,12 @@ static void ata_acpi_dev_uevent(acpi_han
24737 ata_acpi_uevent(dev->link->ap, dev, event);
24738 }
24739
24740 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
24741 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
24742 .handler = ata_acpi_dev_notify_dock,
24743 .uevent = ata_acpi_dev_uevent,
24744 };
24745
24746 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
24747 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
24748 .handler = ata_acpi_ap_notify_dock,
24749 .uevent = ata_acpi_ap_uevent,
24750 };
24751 diff -urNp linux-2.6.32.46/drivers/ata/libata-core.c linux-2.6.32.46/drivers/ata/libata-core.c
24752 --- linux-2.6.32.46/drivers/ata/libata-core.c 2011-03-27 14:31:47.000000000 -0400
24753 +++ linux-2.6.32.46/drivers/ata/libata-core.c 2011-08-05 20:33:55.000000000 -0400
24754 @@ -4954,7 +4954,7 @@ void ata_qc_free(struct ata_queued_cmd *
24755 struct ata_port *ap;
24756 unsigned int tag;
24757
24758 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
24759 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
24760 ap = qc->ap;
24761
24762 qc->flags = 0;
24763 @@ -4970,7 +4970,7 @@ void __ata_qc_complete(struct ata_queued
24764 struct ata_port *ap;
24765 struct ata_link *link;
24766
24767 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
24768 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
24769 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
24770 ap = qc->ap;
24771 link = qc->dev->link;
24772 @@ -5987,7 +5987,7 @@ static void ata_host_stop(struct device
24773 * LOCKING:
24774 * None.
24775 */
24776 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
24777 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
24778 {
24779 static DEFINE_SPINLOCK(lock);
24780 const struct ata_port_operations *cur;
24781 @@ -5999,6 +5999,7 @@ static void ata_finalize_port_ops(struct
24782 return;
24783
24784 spin_lock(&lock);
24785 + pax_open_kernel();
24786
24787 for (cur = ops->inherits; cur; cur = cur->inherits) {
24788 void **inherit = (void **)cur;
24789 @@ -6012,8 +6013,9 @@ static void ata_finalize_port_ops(struct
24790 if (IS_ERR(*pp))
24791 *pp = NULL;
24792
24793 - ops->inherits = NULL;
24794 + *(struct ata_port_operations **)&ops->inherits = NULL;
24795
24796 + pax_close_kernel();
24797 spin_unlock(&lock);
24798 }
24799
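Review bot: ata_finalize_port_ops now takes a `const` pointer yet still writes through it, in `*pp = NULL` and in the cast store to `ops->inherits`, and those stores are only legitimate inside the pax_open_kernel()/pax_close_kernel() window added around the loop. A comment above the window should say so, e.g. `/* ops tables are const; the stores below are valid only between pax_open_kernel() and pax_close_kernel() */`. If pax_open_kernel() compiles to nothing in some configurations (not visible here) while the const tables sit in read-only data, these stores would fault, so that combination is worth confirming. The function begins in an earlier hunk, so any return path between the open and close calls cannot be ruled out from this hunk alone.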
24800 @@ -6110,7 +6112,7 @@ int ata_host_start(struct ata_host *host
24801 */
24802 /* KILLME - the only user left is ipr */
24803 void ata_host_init(struct ata_host *host, struct device *dev,
24804 - unsigned long flags, struct ata_port_operations *ops)
24805 + unsigned long flags, const struct ata_port_operations *ops)
24806 {
24807 spin_lock_init(&host->lock);
24808 host->dev = dev;
24809 @@ -6773,7 +6775,7 @@ static void ata_dummy_error_handler(stru
24810 /* truly dummy */
24811 }
24812
24813 -struct ata_port_operations ata_dummy_port_ops = {
24814 +const struct ata_port_operations ata_dummy_port_ops = {
24815 .qc_prep = ata_noop_qc_prep,
24816 .qc_issue = ata_dummy_qc_issue,
24817 .error_handler = ata_dummy_error_handler,
24818 diff -urNp linux-2.6.32.46/drivers/ata/libata-eh.c linux-2.6.32.46/drivers/ata/libata-eh.c
24819 --- linux-2.6.32.46/drivers/ata/libata-eh.c 2011-08-09 18:35:28.000000000 -0400
24820 +++ linux-2.6.32.46/drivers/ata/libata-eh.c 2011-08-09 18:33:59.000000000 -0400
24821 @@ -2423,6 +2423,8 @@ void ata_eh_report(struct ata_port *ap)
24822 {
24823 struct ata_link *link;
24824
24825 + pax_track_stack();
24826 +
24827 ata_for_each_link(link, ap, HOST_FIRST)
24828 ata_eh_link_report(link);
24829 }
24830 @@ -3594,7 +3596,7 @@ void ata_do_eh(struct ata_port *ap, ata_
24831 */
24832 void ata_std_error_handler(struct ata_port *ap)
24833 {
24834 - struct ata_port_operations *ops = ap->ops;
24835 + const struct ata_port_operations *ops = ap->ops;
24836 ata_reset_fn_t hardreset = ops->hardreset;
24837
24838 /* ignore built-in hardreset if SCR access is not available */
24839 diff -urNp linux-2.6.32.46/drivers/ata/libata-pmp.c linux-2.6.32.46/drivers/ata/libata-pmp.c
24840 --- linux-2.6.32.46/drivers/ata/libata-pmp.c 2011-03-27 14:31:47.000000000 -0400
24841 +++ linux-2.6.32.46/drivers/ata/libata-pmp.c 2011-04-17 15:56:46.000000000 -0400
24842 @@ -841,7 +841,7 @@ static int sata_pmp_handle_link_fail(str
24843 */
24844 static int sata_pmp_eh_recover(struct ata_port *ap)
24845 {
24846 - struct ata_port_operations *ops = ap->ops;
24847 + const struct ata_port_operations *ops = ap->ops;
24848 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
24849 struct ata_link *pmp_link = &ap->link;
24850 struct ata_device *pmp_dev = pmp_link->device;
24851 diff -urNp linux-2.6.32.46/drivers/ata/pata_acpi.c linux-2.6.32.46/drivers/ata/pata_acpi.c
24852 --- linux-2.6.32.46/drivers/ata/pata_acpi.c 2011-03-27 14:31:47.000000000 -0400
24853 +++ linux-2.6.32.46/drivers/ata/pata_acpi.c 2011-04-17 15:56:46.000000000 -0400
24854 @@ -215,7 +215,7 @@ static struct scsi_host_template pacpi_s
24855 ATA_BMDMA_SHT(DRV_NAME),
24856 };
24857
24858 -static struct ata_port_operations pacpi_ops = {
24859 +static const struct ata_port_operations pacpi_ops = {
24860 .inherits = &ata_bmdma_port_ops,
24861 .qc_issue = pacpi_qc_issue,
24862 .cable_detect = pacpi_cable_detect,
24863 diff -urNp linux-2.6.32.46/drivers/ata/pata_ali.c linux-2.6.32.46/drivers/ata/pata_ali.c
24864 --- linux-2.6.32.46/drivers/ata/pata_ali.c 2011-03-27 14:31:47.000000000 -0400
24865 +++ linux-2.6.32.46/drivers/ata/pata_ali.c 2011-04-17 15:56:46.000000000 -0400
24866 @@ -365,7 +365,7 @@ static struct scsi_host_template ali_sht
24867 * Port operations for PIO only ALi
24868 */
24869
24870 -static struct ata_port_operations ali_early_port_ops = {
24871 +static const struct ata_port_operations ali_early_port_ops = {
24872 .inherits = &ata_sff_port_ops,
24873 .cable_detect = ata_cable_40wire,
24874 .set_piomode = ali_set_piomode,
24875 @@ -382,7 +382,7 @@ static const struct ata_port_operations
24876 * Port operations for DMA capable ALi without cable
24877 * detect
24878 */
24879 -static struct ata_port_operations ali_20_port_ops = {
24880 +static const struct ata_port_operations ali_20_port_ops = {
24881 .inherits = &ali_dma_base_ops,
24882 .cable_detect = ata_cable_40wire,
24883 .mode_filter = ali_20_filter,
24884 @@ -393,7 +393,7 @@ static struct ata_port_operations ali_20
24885 /*
24886 * Port operations for DMA capable ALi with cable detect
24887 */
24888 -static struct ata_port_operations ali_c2_port_ops = {
24889 +static const struct ata_port_operations ali_c2_port_ops = {
24890 .inherits = &ali_dma_base_ops,
24891 .check_atapi_dma = ali_check_atapi_dma,
24892 .cable_detect = ali_c2_cable_detect,
24893 @@ -404,7 +404,7 @@ static struct ata_port_operations ali_c2
24894 /*
24895 * Port operations for DMA capable ALi with cable detect
24896 */
24897 -static struct ata_port_operations ali_c4_port_ops = {
24898 +static const struct ata_port_operations ali_c4_port_ops = {
24899 .inherits = &ali_dma_base_ops,
24900 .check_atapi_dma = ali_check_atapi_dma,
24901 .cable_detect = ali_c2_cable_detect,
24902 @@ -414,7 +414,7 @@ static struct ata_port_operations ali_c4
24903 /*
24904 * Port operations for DMA capable ALi with cable detect and LBA48
24905 */
24906 -static struct ata_port_operations ali_c5_port_ops = {
24907 +static const struct ata_port_operations ali_c5_port_ops = {
24908 .inherits = &ali_dma_base_ops,
24909 .check_atapi_dma = ali_check_atapi_dma,
24910 .dev_config = ali_warn_atapi_dma,
24911 diff -urNp linux-2.6.32.46/drivers/ata/pata_amd.c linux-2.6.32.46/drivers/ata/pata_amd.c
24912 --- linux-2.6.32.46/drivers/ata/pata_amd.c 2011-03-27 14:31:47.000000000 -0400
24913 +++ linux-2.6.32.46/drivers/ata/pata_amd.c 2011-04-17 15:56:46.000000000 -0400
24914 @@ -397,28 +397,28 @@ static const struct ata_port_operations
24915 .prereset = amd_pre_reset,
24916 };
24917
24918 -static struct ata_port_operations amd33_port_ops = {
24919 +static const struct ata_port_operations amd33_port_ops = {
24920 .inherits = &amd_base_port_ops,
24921 .cable_detect = ata_cable_40wire,
24922 .set_piomode = amd33_set_piomode,
24923 .set_dmamode = amd33_set_dmamode,
24924 };
24925
24926 -static struct ata_port_operations amd66_port_ops = {
24927 +static const struct ata_port_operations amd66_port_ops = {
24928 .inherits = &amd_base_port_ops,
24929 .cable_detect = ata_cable_unknown,
24930 .set_piomode = amd66_set_piomode,
24931 .set_dmamode = amd66_set_dmamode,
24932 };
24933
24934 -static struct ata_port_operations amd100_port_ops = {
24935 +static const struct ata_port_operations amd100_port_ops = {
24936 .inherits = &amd_base_port_ops,
24937 .cable_detect = ata_cable_unknown,
24938 .set_piomode = amd100_set_piomode,
24939 .set_dmamode = amd100_set_dmamode,
24940 };
24941
24942 -static struct ata_port_operations amd133_port_ops = {
24943 +static const struct ata_port_operations amd133_port_ops = {
24944 .inherits = &amd_base_port_ops,
24945 .cable_detect = amd_cable_detect,
24946 .set_piomode = amd133_set_piomode,
24947 @@ -433,13 +433,13 @@ static const struct ata_port_operations
24948 .host_stop = nv_host_stop,
24949 };
24950
24951 -static struct ata_port_operations nv100_port_ops = {
24952 +static const struct ata_port_operations nv100_port_ops = {
24953 .inherits = &nv_base_port_ops,
24954 .set_piomode = nv100_set_piomode,
24955 .set_dmamode = nv100_set_dmamode,
24956 };
24957
24958 -static struct ata_port_operations nv133_port_ops = {
24959 +static const struct ata_port_operations nv133_port_ops = {
24960 .inherits = &nv_base_port_ops,
24961 .set_piomode = nv133_set_piomode,
24962 .set_dmamode = nv133_set_dmamode,
24963 diff -urNp linux-2.6.32.46/drivers/ata/pata_artop.c linux-2.6.32.46/drivers/ata/pata_artop.c
24964 --- linux-2.6.32.46/drivers/ata/pata_artop.c 2011-03-27 14:31:47.000000000 -0400
24965 +++ linux-2.6.32.46/drivers/ata/pata_artop.c 2011-04-17 15:56:46.000000000 -0400
24966 @@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
24967 ATA_BMDMA_SHT(DRV_NAME),
24968 };
24969
24970 -static struct ata_port_operations artop6210_ops = {
24971 +static const struct ata_port_operations artop6210_ops = {
24972 .inherits = &ata_bmdma_port_ops,
24973 .cable_detect = ata_cable_40wire,
24974 .set_piomode = artop6210_set_piomode,
24975 @@ -320,7 +320,7 @@ static struct ata_port_operations artop6
24976 .qc_defer = artop6210_qc_defer,
24977 };
24978
24979 -static struct ata_port_operations artop6260_ops = {
24980 +static const struct ata_port_operations artop6260_ops = {
24981 .inherits = &ata_bmdma_port_ops,
24982 .cable_detect = artop6260_cable_detect,
24983 .set_piomode = artop6260_set_piomode,
24984 diff -urNp linux-2.6.32.46/drivers/ata/pata_at32.c linux-2.6.32.46/drivers/ata/pata_at32.c
24985 --- linux-2.6.32.46/drivers/ata/pata_at32.c 2011-03-27 14:31:47.000000000 -0400
24986 +++ linux-2.6.32.46/drivers/ata/pata_at32.c 2011-04-17 15:56:46.000000000 -0400
24987 @@ -172,7 +172,7 @@ static struct scsi_host_template at32_sh
24988 ATA_PIO_SHT(DRV_NAME),
24989 };
24990
24991 -static struct ata_port_operations at32_port_ops = {
24992 +static const struct ata_port_operations at32_port_ops = {
24993 .inherits = &ata_sff_port_ops,
24994 .cable_detect = ata_cable_40wire,
24995 .set_piomode = pata_at32_set_piomode,
24996 diff -urNp linux-2.6.32.46/drivers/ata/pata_at91.c linux-2.6.32.46/drivers/ata/pata_at91.c
24997 --- linux-2.6.32.46/drivers/ata/pata_at91.c 2011-03-27 14:31:47.000000000 -0400
24998 +++ linux-2.6.32.46/drivers/ata/pata_at91.c 2011-04-17 15:56:46.000000000 -0400
24999 @@ -195,7 +195,7 @@ static struct scsi_host_template pata_at
25000 ATA_PIO_SHT(DRV_NAME),
25001 };
25002
25003 -static struct ata_port_operations pata_at91_port_ops = {
25004 +static const struct ata_port_operations pata_at91_port_ops = {
25005 .inherits = &ata_sff_port_ops,
25006
25007 .sff_data_xfer = pata_at91_data_xfer_noirq,
25008 diff -urNp linux-2.6.32.46/drivers/ata/pata_atiixp.c linux-2.6.32.46/drivers/ata/pata_atiixp.c
25009 --- linux-2.6.32.46/drivers/ata/pata_atiixp.c 2011-03-27 14:31:47.000000000 -0400
25010 +++ linux-2.6.32.46/drivers/ata/pata_atiixp.c 2011-04-17 15:56:46.000000000 -0400
25011 @@ -205,7 +205,7 @@ static struct scsi_host_template atiixp_
25012 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25013 };
25014
25015 -static struct ata_port_operations atiixp_port_ops = {
25016 +static const struct ata_port_operations atiixp_port_ops = {
25017 .inherits = &ata_bmdma_port_ops,
25018
25019 .qc_prep = ata_sff_dumb_qc_prep,
25020 diff -urNp linux-2.6.32.46/drivers/ata/pata_atp867x.c linux-2.6.32.46/drivers/ata/pata_atp867x.c
25021 --- linux-2.6.32.46/drivers/ata/pata_atp867x.c 2011-03-27 14:31:47.000000000 -0400
25022 +++ linux-2.6.32.46/drivers/ata/pata_atp867x.c 2011-04-17 15:56:46.000000000 -0400
25023 @@ -274,7 +274,7 @@ static struct scsi_host_template atp867x
25024 ATA_BMDMA_SHT(DRV_NAME),
25025 };
25026
25027 -static struct ata_port_operations atp867x_ops = {
25028 +static const struct ata_port_operations atp867x_ops = {
25029 .inherits = &ata_bmdma_port_ops,
25030 .cable_detect = atp867x_cable_detect,
25031 .set_piomode = atp867x_set_piomode,
25032 diff -urNp linux-2.6.32.46/drivers/ata/pata_bf54x.c linux-2.6.32.46/drivers/ata/pata_bf54x.c
25033 --- linux-2.6.32.46/drivers/ata/pata_bf54x.c 2011-03-27 14:31:47.000000000 -0400
25034 +++ linux-2.6.32.46/drivers/ata/pata_bf54x.c 2011-04-17 15:56:46.000000000 -0400
25035 @@ -1464,7 +1464,7 @@ static struct scsi_host_template bfin_sh
25036 .dma_boundary = ATA_DMA_BOUNDARY,
25037 };
25038
25039 -static struct ata_port_operations bfin_pata_ops = {
25040 +static const struct ata_port_operations bfin_pata_ops = {
25041 .inherits = &ata_sff_port_ops,
25042
25043 .set_piomode = bfin_set_piomode,
25044 diff -urNp linux-2.6.32.46/drivers/ata/pata_cmd640.c linux-2.6.32.46/drivers/ata/pata_cmd640.c
25045 --- linux-2.6.32.46/drivers/ata/pata_cmd640.c 2011-03-27 14:31:47.000000000 -0400
25046 +++ linux-2.6.32.46/drivers/ata/pata_cmd640.c 2011-04-17 15:56:46.000000000 -0400
25047 @@ -168,7 +168,7 @@ static struct scsi_host_template cmd640_
25048 ATA_BMDMA_SHT(DRV_NAME),
25049 };
25050
25051 -static struct ata_port_operations cmd640_port_ops = {
25052 +static const struct ata_port_operations cmd640_port_ops = {
25053 .inherits = &ata_bmdma_port_ops,
25054 /* In theory xfer_noirq is not needed once we kill the prefetcher */
25055 .sff_data_xfer = ata_sff_data_xfer_noirq,
25056 diff -urNp linux-2.6.32.46/drivers/ata/pata_cmd64x.c linux-2.6.32.46/drivers/ata/pata_cmd64x.c
25057 --- linux-2.6.32.46/drivers/ata/pata_cmd64x.c 2011-06-25 12:55:34.000000000 -0400
25058 +++ linux-2.6.32.46/drivers/ata/pata_cmd64x.c 2011-06-25 12:56:37.000000000 -0400
25059 @@ -271,18 +271,18 @@ static const struct ata_port_operations
25060 .set_dmamode = cmd64x_set_dmamode,
25061 };
25062
25063 -static struct ata_port_operations cmd64x_port_ops = {
25064 +static const struct ata_port_operations cmd64x_port_ops = {
25065 .inherits = &cmd64x_base_ops,
25066 .cable_detect = ata_cable_40wire,
25067 };
25068
25069 -static struct ata_port_operations cmd646r1_port_ops = {
25070 +static const struct ata_port_operations cmd646r1_port_ops = {
25071 .inherits = &cmd64x_base_ops,
25072 .bmdma_stop = cmd646r1_bmdma_stop,
25073 .cable_detect = ata_cable_40wire,
25074 };
25075
25076 -static struct ata_port_operations cmd648_port_ops = {
25077 +static const struct ata_port_operations cmd648_port_ops = {
25078 .inherits = &cmd64x_base_ops,
25079 .bmdma_stop = cmd648_bmdma_stop,
25080 .cable_detect = cmd648_cable_detect,
25081 diff -urNp linux-2.6.32.46/drivers/ata/pata_cs5520.c linux-2.6.32.46/drivers/ata/pata_cs5520.c
25082 --- linux-2.6.32.46/drivers/ata/pata_cs5520.c 2011-03-27 14:31:47.000000000 -0400
25083 +++ linux-2.6.32.46/drivers/ata/pata_cs5520.c 2011-04-17 15:56:46.000000000 -0400
25084 @@ -144,7 +144,7 @@ static struct scsi_host_template cs5520_
25085 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25086 };
25087
25088 -static struct ata_port_operations cs5520_port_ops = {
25089 +static const struct ata_port_operations cs5520_port_ops = {
25090 .inherits = &ata_bmdma_port_ops,
25091 .qc_prep = ata_sff_dumb_qc_prep,
25092 .cable_detect = ata_cable_40wire,
25093 diff -urNp linux-2.6.32.46/drivers/ata/pata_cs5530.c linux-2.6.32.46/drivers/ata/pata_cs5530.c
25094 --- linux-2.6.32.46/drivers/ata/pata_cs5530.c 2011-03-27 14:31:47.000000000 -0400
25095 +++ linux-2.6.32.46/drivers/ata/pata_cs5530.c 2011-04-17 15:56:46.000000000 -0400
25096 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
25097 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25098 };
25099
25100 -static struct ata_port_operations cs5530_port_ops = {
25101 +static const struct ata_port_operations cs5530_port_ops = {
25102 .inherits = &ata_bmdma_port_ops,
25103
25104 .qc_prep = ata_sff_dumb_qc_prep,
25105 diff -urNp linux-2.6.32.46/drivers/ata/pata_cs5535.c linux-2.6.32.46/drivers/ata/pata_cs5535.c
25106 --- linux-2.6.32.46/drivers/ata/pata_cs5535.c 2011-03-27 14:31:47.000000000 -0400
25107 +++ linux-2.6.32.46/drivers/ata/pata_cs5535.c 2011-04-17 15:56:46.000000000 -0400
25108 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
25109 ATA_BMDMA_SHT(DRV_NAME),
25110 };
25111
25112 -static struct ata_port_operations cs5535_port_ops = {
25113 +static const struct ata_port_operations cs5535_port_ops = {
25114 .inherits = &ata_bmdma_port_ops,
25115 .cable_detect = cs5535_cable_detect,
25116 .set_piomode = cs5535_set_piomode,
25117 diff -urNp linux-2.6.32.46/drivers/ata/pata_cs5536.c linux-2.6.32.46/drivers/ata/pata_cs5536.c
25118 --- linux-2.6.32.46/drivers/ata/pata_cs5536.c 2011-03-27 14:31:47.000000000 -0400
25119 +++ linux-2.6.32.46/drivers/ata/pata_cs5536.c 2011-04-17 15:56:46.000000000 -0400
25120 @@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
25121 ATA_BMDMA_SHT(DRV_NAME),
25122 };
25123
25124 -static struct ata_port_operations cs5536_port_ops = {
25125 +static const struct ata_port_operations cs5536_port_ops = {
25126 .inherits = &ata_bmdma_port_ops,
25127 .cable_detect = cs5536_cable_detect,
25128 .set_piomode = cs5536_set_piomode,
25129 diff -urNp linux-2.6.32.46/drivers/ata/pata_cypress.c linux-2.6.32.46/drivers/ata/pata_cypress.c
25130 --- linux-2.6.32.46/drivers/ata/pata_cypress.c 2011-03-27 14:31:47.000000000 -0400
25131 +++ linux-2.6.32.46/drivers/ata/pata_cypress.c 2011-04-17 15:56:46.000000000 -0400
25132 @@ -113,7 +113,7 @@ static struct scsi_host_template cy82c69
25133 ATA_BMDMA_SHT(DRV_NAME),
25134 };
25135
25136 -static struct ata_port_operations cy82c693_port_ops = {
25137 +static const struct ata_port_operations cy82c693_port_ops = {
25138 .inherits = &ata_bmdma_port_ops,
25139 .cable_detect = ata_cable_40wire,
25140 .set_piomode = cy82c693_set_piomode,
25141 diff -urNp linux-2.6.32.46/drivers/ata/pata_efar.c linux-2.6.32.46/drivers/ata/pata_efar.c
25142 --- linux-2.6.32.46/drivers/ata/pata_efar.c 2011-03-27 14:31:47.000000000 -0400
25143 +++ linux-2.6.32.46/drivers/ata/pata_efar.c 2011-04-17 15:56:46.000000000 -0400
25144 @@ -222,7 +222,7 @@ static struct scsi_host_template efar_sh
25145 ATA_BMDMA_SHT(DRV_NAME),
25146 };
25147
25148 -static struct ata_port_operations efar_ops = {
25149 +static const struct ata_port_operations efar_ops = {
25150 .inherits = &ata_bmdma_port_ops,
25151 .cable_detect = efar_cable_detect,
25152 .set_piomode = efar_set_piomode,
25153 diff -urNp linux-2.6.32.46/drivers/ata/pata_hpt366.c linux-2.6.32.46/drivers/ata/pata_hpt366.c
25154 --- linux-2.6.32.46/drivers/ata/pata_hpt366.c 2011-06-25 12:55:34.000000000 -0400
25155 +++ linux-2.6.32.46/drivers/ata/pata_hpt366.c 2011-06-25 12:56:37.000000000 -0400
25156 @@ -282,7 +282,7 @@ static struct scsi_host_template hpt36x_
25157 * Configuration for HPT366/68
25158 */
25159
25160 -static struct ata_port_operations hpt366_port_ops = {
25161 +static const struct ata_port_operations hpt366_port_ops = {
25162 .inherits = &ata_bmdma_port_ops,
25163 .cable_detect = hpt36x_cable_detect,
25164 .mode_filter = hpt366_filter,
25165 diff -urNp linux-2.6.32.46/drivers/ata/pata_hpt37x.c linux-2.6.32.46/drivers/ata/pata_hpt37x.c
25166 --- linux-2.6.32.46/drivers/ata/pata_hpt37x.c 2011-06-25 12:55:34.000000000 -0400
25167 +++ linux-2.6.32.46/drivers/ata/pata_hpt37x.c 2011-06-25 12:56:37.000000000 -0400
25168 @@ -576,7 +576,7 @@ static struct scsi_host_template hpt37x_
25169 * Configuration for HPT370
25170 */
25171
25172 -static struct ata_port_operations hpt370_port_ops = {
25173 +static const struct ata_port_operations hpt370_port_ops = {
25174 .inherits = &ata_bmdma_port_ops,
25175
25176 .bmdma_stop = hpt370_bmdma_stop,
25177 @@ -591,7 +591,7 @@ static struct ata_port_operations hpt370
25178 * Configuration for HPT370A. Close to 370 but less filters
25179 */
25180
25181 -static struct ata_port_operations hpt370a_port_ops = {
25182 +static const struct ata_port_operations hpt370a_port_ops = {
25183 .inherits = &hpt370_port_ops,
25184 .mode_filter = hpt370a_filter,
25185 };
25186 @@ -601,7 +601,7 @@ static struct ata_port_operations hpt370
25187 * and DMA mode setting functionality.
25188 */
25189
25190 -static struct ata_port_operations hpt372_port_ops = {
25191 +static const struct ata_port_operations hpt372_port_ops = {
25192 .inherits = &ata_bmdma_port_ops,
25193
25194 .bmdma_stop = hpt37x_bmdma_stop,
25195 @@ -616,7 +616,7 @@ static struct ata_port_operations hpt372
25196 * but we have a different cable detection procedure for function 1.
25197 */
25198
25199 -static struct ata_port_operations hpt374_fn1_port_ops = {
25200 +static const struct ata_port_operations hpt374_fn1_port_ops = {
25201 .inherits = &hpt372_port_ops,
25202 .prereset = hpt374_fn1_pre_reset,
25203 };
25204 diff -urNp linux-2.6.32.46/drivers/ata/pata_hpt3x2n.c linux-2.6.32.46/drivers/ata/pata_hpt3x2n.c
25205 --- linux-2.6.32.46/drivers/ata/pata_hpt3x2n.c 2011-06-25 12:55:34.000000000 -0400
25206 +++ linux-2.6.32.46/drivers/ata/pata_hpt3x2n.c 2011-06-25 12:56:37.000000000 -0400
25207 @@ -337,7 +337,7 @@ static struct scsi_host_template hpt3x2n
25208 * Configuration for HPT3x2n.
25209 */
25210
25211 -static struct ata_port_operations hpt3x2n_port_ops = {
25212 +static const struct ata_port_operations hpt3x2n_port_ops = {
25213 .inherits = &ata_bmdma_port_ops,
25214
25215 .bmdma_stop = hpt3x2n_bmdma_stop,
25216 diff -urNp linux-2.6.32.46/drivers/ata/pata_hpt3x3.c linux-2.6.32.46/drivers/ata/pata_hpt3x3.c
25217 --- linux-2.6.32.46/drivers/ata/pata_hpt3x3.c 2011-03-27 14:31:47.000000000 -0400
25218 +++ linux-2.6.32.46/drivers/ata/pata_hpt3x3.c 2011-04-17 15:56:46.000000000 -0400
25219 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
25220 ATA_BMDMA_SHT(DRV_NAME),
25221 };
25222
25223 -static struct ata_port_operations hpt3x3_port_ops = {
25224 +static const struct ata_port_operations hpt3x3_port_ops = {
25225 .inherits = &ata_bmdma_port_ops,
25226 .cable_detect = ata_cable_40wire,
25227 .set_piomode = hpt3x3_set_piomode,
25228 diff -urNp linux-2.6.32.46/drivers/ata/pata_icside.c linux-2.6.32.46/drivers/ata/pata_icside.c
25229 --- linux-2.6.32.46/drivers/ata/pata_icside.c 2011-03-27 14:31:47.000000000 -0400
25230 +++ linux-2.6.32.46/drivers/ata/pata_icside.c 2011-04-17 15:56:46.000000000 -0400
25231 @@ -319,7 +319,7 @@ static void pata_icside_postreset(struct
25232 }
25233 }
25234
25235 -static struct ata_port_operations pata_icside_port_ops = {
25236 +static const struct ata_port_operations pata_icside_port_ops = {
25237 .inherits = &ata_sff_port_ops,
25238 /* no need to build any PRD tables for DMA */
25239 .qc_prep = ata_noop_qc_prep,
25240 diff -urNp linux-2.6.32.46/drivers/ata/pata_isapnp.c linux-2.6.32.46/drivers/ata/pata_isapnp.c
25241 --- linux-2.6.32.46/drivers/ata/pata_isapnp.c 2011-03-27 14:31:47.000000000 -0400
25242 +++ linux-2.6.32.46/drivers/ata/pata_isapnp.c 2011-04-17 15:56:46.000000000 -0400
25243 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
25244 ATA_PIO_SHT(DRV_NAME),
25245 };
25246
25247 -static struct ata_port_operations isapnp_port_ops = {
25248 +static const struct ata_port_operations isapnp_port_ops = {
25249 .inherits = &ata_sff_port_ops,
25250 .cable_detect = ata_cable_40wire,
25251 };
25252
25253 -static struct ata_port_operations isapnp_noalt_port_ops = {
25254 +static const struct ata_port_operations isapnp_noalt_port_ops = {
25255 .inherits = &ata_sff_port_ops,
25256 .cable_detect = ata_cable_40wire,
25257 /* No altstatus so we don't want to use the lost interrupt poll */
25258 diff -urNp linux-2.6.32.46/drivers/ata/pata_it8213.c linux-2.6.32.46/drivers/ata/pata_it8213.c
25259 --- linux-2.6.32.46/drivers/ata/pata_it8213.c 2011-03-27 14:31:47.000000000 -0400
25260 +++ linux-2.6.32.46/drivers/ata/pata_it8213.c 2011-04-17 15:56:46.000000000 -0400
25261 @@ -234,7 +234,7 @@ static struct scsi_host_template it8213_
25262 };
25263
25264
25265 -static struct ata_port_operations it8213_ops = {
25266 +static const struct ata_port_operations it8213_ops = {
25267 .inherits = &ata_bmdma_port_ops,
25268 .cable_detect = it8213_cable_detect,
25269 .set_piomode = it8213_set_piomode,
25270 diff -urNp linux-2.6.32.46/drivers/ata/pata_it821x.c linux-2.6.32.46/drivers/ata/pata_it821x.c
25271 --- linux-2.6.32.46/drivers/ata/pata_it821x.c 2011-03-27 14:31:47.000000000 -0400
25272 +++ linux-2.6.32.46/drivers/ata/pata_it821x.c 2011-04-17 15:56:46.000000000 -0400
25273 @@ -800,7 +800,7 @@ static struct scsi_host_template it821x_
25274 ATA_BMDMA_SHT(DRV_NAME),
25275 };
25276
25277 -static struct ata_port_operations it821x_smart_port_ops = {
25278 +static const struct ata_port_operations it821x_smart_port_ops = {
25279 .inherits = &ata_bmdma_port_ops,
25280
25281 .check_atapi_dma= it821x_check_atapi_dma,
25282 @@ -814,7 +814,7 @@ static struct ata_port_operations it821x
25283 .port_start = it821x_port_start,
25284 };
25285
25286 -static struct ata_port_operations it821x_passthru_port_ops = {
25287 +static const struct ata_port_operations it821x_passthru_port_ops = {
25288 .inherits = &ata_bmdma_port_ops,
25289
25290 .check_atapi_dma= it821x_check_atapi_dma,
25291 @@ -830,7 +830,7 @@ static struct ata_port_operations it821x
25292 .port_start = it821x_port_start,
25293 };
25294
25295 -static struct ata_port_operations it821x_rdc_port_ops = {
25296 +static const struct ata_port_operations it821x_rdc_port_ops = {
25297 .inherits = &ata_bmdma_port_ops,
25298
25299 .check_atapi_dma= it821x_check_atapi_dma,
25300 diff -urNp linux-2.6.32.46/drivers/ata/pata_ixp4xx_cf.c linux-2.6.32.46/drivers/ata/pata_ixp4xx_cf.c
25301 --- linux-2.6.32.46/drivers/ata/pata_ixp4xx_cf.c 2011-03-27 14:31:47.000000000 -0400
25302 +++ linux-2.6.32.46/drivers/ata/pata_ixp4xx_cf.c 2011-04-17 15:56:46.000000000 -0400
25303 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
25304 ATA_PIO_SHT(DRV_NAME),
25305 };
25306
25307 -static struct ata_port_operations ixp4xx_port_ops = {
25308 +static const struct ata_port_operations ixp4xx_port_ops = {
25309 .inherits = &ata_sff_port_ops,
25310 .sff_data_xfer = ixp4xx_mmio_data_xfer,
25311 .cable_detect = ata_cable_40wire,
25312 diff -urNp linux-2.6.32.46/drivers/ata/pata_jmicron.c linux-2.6.32.46/drivers/ata/pata_jmicron.c
25313 --- linux-2.6.32.46/drivers/ata/pata_jmicron.c 2011-03-27 14:31:47.000000000 -0400
25314 +++ linux-2.6.32.46/drivers/ata/pata_jmicron.c 2011-04-17 15:56:46.000000000 -0400
25315 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
25316 ATA_BMDMA_SHT(DRV_NAME),
25317 };
25318
25319 -static struct ata_port_operations jmicron_ops = {
25320 +static const struct ata_port_operations jmicron_ops = {
25321 .inherits = &ata_bmdma_port_ops,
25322 .prereset = jmicron_pre_reset,
25323 };
25324 diff -urNp linux-2.6.32.46/drivers/ata/pata_legacy.c linux-2.6.32.46/drivers/ata/pata_legacy.c
25325 --- linux-2.6.32.46/drivers/ata/pata_legacy.c 2011-03-27 14:31:47.000000000 -0400
25326 +++ linux-2.6.32.46/drivers/ata/pata_legacy.c 2011-04-17 15:56:46.000000000 -0400
25327 @@ -106,7 +106,7 @@ struct legacy_probe {
25328
25329 struct legacy_controller {
25330 const char *name;
25331 - struct ata_port_operations *ops;
25332 + const struct ata_port_operations *ops;
25333 unsigned int pio_mask;
25334 unsigned int flags;
25335 unsigned int pflags;
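Review bot: `const struct ata_port_operations *ops` in `struct legacy_controller` protects the pointed-to table but not the pointer itself. The pointer stays writable if the array of `legacy_controller` entries is non-const; its declaration is outside this hunk. If nothing writes to those entries at runtime, const-qualifying that array and reading it in `legacy_init_one()` through a `const struct legacy_controller *` would keep the `ops` pointers in read-only data as well. The struct definition continues past the end of the hunk.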
25336 @@ -223,12 +223,12 @@ static const struct ata_port_operations
25337 * pio_mask as well.
25338 */
25339
25340 -static struct ata_port_operations simple_port_ops = {
25341 +static const struct ata_port_operations simple_port_ops = {
25342 .inherits = &legacy_base_port_ops,
25343 .sff_data_xfer = ata_sff_data_xfer_noirq,
25344 };
25345
25346 -static struct ata_port_operations legacy_port_ops = {
25347 +static const struct ata_port_operations legacy_port_ops = {
25348 .inherits = &legacy_base_port_ops,
25349 .sff_data_xfer = ata_sff_data_xfer_noirq,
25350 .set_mode = legacy_set_mode,
25351 @@ -324,7 +324,7 @@ static unsigned int pdc_data_xfer_vlb(st
25352 return buflen;
25353 }
25354
25355 -static struct ata_port_operations pdc20230_port_ops = {
25356 +static const struct ata_port_operations pdc20230_port_ops = {
25357 .inherits = &legacy_base_port_ops,
25358 .set_piomode = pdc20230_set_piomode,
25359 .sff_data_xfer = pdc_data_xfer_vlb,
25360 @@ -357,7 +357,7 @@ static void ht6560a_set_piomode(struct a
25361 ioread8(ap->ioaddr.status_addr);
25362 }
25363
25364 -static struct ata_port_operations ht6560a_port_ops = {
25365 +static const struct ata_port_operations ht6560a_port_ops = {
25366 .inherits = &legacy_base_port_ops,
25367 .set_piomode = ht6560a_set_piomode,
25368 };
25369 @@ -400,7 +400,7 @@ static void ht6560b_set_piomode(struct a
25370 ioread8(ap->ioaddr.status_addr);
25371 }
25372
25373 -static struct ata_port_operations ht6560b_port_ops = {
25374 +static const struct ata_port_operations ht6560b_port_ops = {
25375 .inherits = &legacy_base_port_ops,
25376 .set_piomode = ht6560b_set_piomode,
25377 };
25378 @@ -499,7 +499,7 @@ static void opti82c611a_set_piomode(stru
25379 }
25380
25381
25382 -static struct ata_port_operations opti82c611a_port_ops = {
25383 +static const struct ata_port_operations opti82c611a_port_ops = {
25384 .inherits = &legacy_base_port_ops,
25385 .set_piomode = opti82c611a_set_piomode,
25386 };
25387 @@ -609,7 +609,7 @@ static unsigned int opti82c46x_qc_issue(
25388 return ata_sff_qc_issue(qc);
25389 }
25390
25391 -static struct ata_port_operations opti82c46x_port_ops = {
25392 +static const struct ata_port_operations opti82c46x_port_ops = {
25393 .inherits = &legacy_base_port_ops,
25394 .set_piomode = opti82c46x_set_piomode,
25395 .qc_issue = opti82c46x_qc_issue,
25396 @@ -771,20 +771,20 @@ static int qdi_port(struct platform_devi
25397 return 0;
25398 }
25399
25400 -static struct ata_port_operations qdi6500_port_ops = {
25401 +static const struct ata_port_operations qdi6500_port_ops = {
25402 .inherits = &legacy_base_port_ops,
25403 .set_piomode = qdi6500_set_piomode,
25404 .qc_issue = qdi_qc_issue,
25405 .sff_data_xfer = vlb32_data_xfer,
25406 };
25407
25408 -static struct ata_port_operations qdi6580_port_ops = {
25409 +static const struct ata_port_operations qdi6580_port_ops = {
25410 .inherits = &legacy_base_port_ops,
25411 .set_piomode = qdi6580_set_piomode,
25412 .sff_data_xfer = vlb32_data_xfer,
25413 };
25414
25415 -static struct ata_port_operations qdi6580dp_port_ops = {
25416 +static const struct ata_port_operations qdi6580dp_port_ops = {
25417 .inherits = &legacy_base_port_ops,
25418 .set_piomode = qdi6580dp_set_piomode,
25419 .sff_data_xfer = vlb32_data_xfer,
25420 @@ -855,7 +855,7 @@ static int winbond_port(struct platform_
25421 return 0;
25422 }
25423
25424 -static struct ata_port_operations winbond_port_ops = {
25425 +static const struct ata_port_operations winbond_port_ops = {
25426 .inherits = &legacy_base_port_ops,
25427 .set_piomode = winbond_set_piomode,
25428 .sff_data_xfer = vlb32_data_xfer,
25429 @@ -978,7 +978,7 @@ static __init int legacy_init_one(struct
25430 int pio_modes = controller->pio_mask;
25431 unsigned long io = probe->port;
25432 u32 mask = (1 << probe->slot);
25433 - struct ata_port_operations *ops = controller->ops;
25434 + const struct ata_port_operations *ops = controller->ops;
25435 struct legacy_data *ld = &legacy_data[probe->slot];
25436 struct ata_host *host = NULL;
25437 struct ata_port *ap;
25438 diff -urNp linux-2.6.32.46/drivers/ata/pata_marvell.c linux-2.6.32.46/drivers/ata/pata_marvell.c
25439 --- linux-2.6.32.46/drivers/ata/pata_marvell.c 2011-03-27 14:31:47.000000000 -0400
25440 +++ linux-2.6.32.46/drivers/ata/pata_marvell.c 2011-04-17 15:56:46.000000000 -0400
25441 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
25442 ATA_BMDMA_SHT(DRV_NAME),
25443 };
25444
25445 -static struct ata_port_operations marvell_ops = {
25446 +static const struct ata_port_operations marvell_ops = {
25447 .inherits = &ata_bmdma_port_ops,
25448 .cable_detect = marvell_cable_detect,
25449 .prereset = marvell_pre_reset,
25450 diff -urNp linux-2.6.32.46/drivers/ata/pata_mpc52xx.c linux-2.6.32.46/drivers/ata/pata_mpc52xx.c
25451 --- linux-2.6.32.46/drivers/ata/pata_mpc52xx.c 2011-03-27 14:31:47.000000000 -0400
25452 +++ linux-2.6.32.46/drivers/ata/pata_mpc52xx.c 2011-04-17 15:56:46.000000000 -0400
25453 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
25454 ATA_PIO_SHT(DRV_NAME),
25455 };
25456
25457 -static struct ata_port_operations mpc52xx_ata_port_ops = {
25458 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
25459 .inherits = &ata_bmdma_port_ops,
25460 .sff_dev_select = mpc52xx_ata_dev_select,
25461 .set_piomode = mpc52xx_ata_set_piomode,
25462 diff -urNp linux-2.6.32.46/drivers/ata/pata_mpiix.c linux-2.6.32.46/drivers/ata/pata_mpiix.c
25463 --- linux-2.6.32.46/drivers/ata/pata_mpiix.c 2011-03-27 14:31:47.000000000 -0400
25464 +++ linux-2.6.32.46/drivers/ata/pata_mpiix.c 2011-04-17 15:56:46.000000000 -0400
25465 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
25466 ATA_PIO_SHT(DRV_NAME),
25467 };
25468
25469 -static struct ata_port_operations mpiix_port_ops = {
25470 +static const struct ata_port_operations mpiix_port_ops = {
25471 .inherits = &ata_sff_port_ops,
25472 .qc_issue = mpiix_qc_issue,
25473 .cable_detect = ata_cable_40wire,
25474 diff -urNp linux-2.6.32.46/drivers/ata/pata_netcell.c linux-2.6.32.46/drivers/ata/pata_netcell.c
25475 --- linux-2.6.32.46/drivers/ata/pata_netcell.c 2011-03-27 14:31:47.000000000 -0400
25476 +++ linux-2.6.32.46/drivers/ata/pata_netcell.c 2011-04-17 15:56:46.000000000 -0400
25477 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
25478 ATA_BMDMA_SHT(DRV_NAME),
25479 };
25480
25481 -static struct ata_port_operations netcell_ops = {
25482 +static const struct ata_port_operations netcell_ops = {
25483 .inherits = &ata_bmdma_port_ops,
25484 .cable_detect = ata_cable_80wire,
25485 .read_id = netcell_read_id,
25486 diff -urNp linux-2.6.32.46/drivers/ata/pata_ninja32.c linux-2.6.32.46/drivers/ata/pata_ninja32.c
25487 --- linux-2.6.32.46/drivers/ata/pata_ninja32.c 2011-03-27 14:31:47.000000000 -0400
25488 +++ linux-2.6.32.46/drivers/ata/pata_ninja32.c 2011-04-17 15:56:46.000000000 -0400
25489 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
25490 ATA_BMDMA_SHT(DRV_NAME),
25491 };
25492
25493 -static struct ata_port_operations ninja32_port_ops = {
25494 +static const struct ata_port_operations ninja32_port_ops = {
25495 .inherits = &ata_bmdma_port_ops,
25496 .sff_dev_select = ninja32_dev_select,
25497 .cable_detect = ata_cable_40wire,
25498 diff -urNp linux-2.6.32.46/drivers/ata/pata_ns87410.c linux-2.6.32.46/drivers/ata/pata_ns87410.c
25499 --- linux-2.6.32.46/drivers/ata/pata_ns87410.c 2011-03-27 14:31:47.000000000 -0400
25500 +++ linux-2.6.32.46/drivers/ata/pata_ns87410.c 2011-04-17 15:56:46.000000000 -0400
25501 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
25502 ATA_PIO_SHT(DRV_NAME),
25503 };
25504
25505 -static struct ata_port_operations ns87410_port_ops = {
25506 +static const struct ata_port_operations ns87410_port_ops = {
25507 .inherits = &ata_sff_port_ops,
25508 .qc_issue = ns87410_qc_issue,
25509 .cable_detect = ata_cable_40wire,
25510 diff -urNp linux-2.6.32.46/drivers/ata/pata_ns87415.c linux-2.6.32.46/drivers/ata/pata_ns87415.c
25511 --- linux-2.6.32.46/drivers/ata/pata_ns87415.c 2011-03-27 14:31:47.000000000 -0400
25512 +++ linux-2.6.32.46/drivers/ata/pata_ns87415.c 2011-04-17 15:56:46.000000000 -0400
25513 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
25514 }
25515 #endif /* 87560 SuperIO Support */
25516
25517 -static struct ata_port_operations ns87415_pata_ops = {
25518 +static const struct ata_port_operations ns87415_pata_ops = {
25519 .inherits = &ata_bmdma_port_ops,
25520
25521 .check_atapi_dma = ns87415_check_atapi_dma,
25522 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
25523 };
25524
25525 #if defined(CONFIG_SUPERIO)
25526 -static struct ata_port_operations ns87560_pata_ops = {
25527 +static const struct ata_port_operations ns87560_pata_ops = {
25528 .inherits = &ns87415_pata_ops,
25529 .sff_tf_read = ns87560_tf_read,
25530 .sff_check_status = ns87560_check_status,
25531 diff -urNp linux-2.6.32.46/drivers/ata/pata_octeon_cf.c linux-2.6.32.46/drivers/ata/pata_octeon_cf.c
25532 --- linux-2.6.32.46/drivers/ata/pata_octeon_cf.c 2011-03-27 14:31:47.000000000 -0400
25533 +++ linux-2.6.32.46/drivers/ata/pata_octeon_cf.c 2011-04-17 15:56:46.000000000 -0400
25534 @@ -801,6 +801,7 @@ static unsigned int octeon_cf_qc_issue(s
25535 return 0;
25536 }
25537
25538 +/* cannot be const */
25539 static struct ata_port_operations octeon_cf_ops = {
25540 .inherits = &ata_sff_port_ops,
25541 .check_atapi_dma = octeon_cf_check_atapi_dma,
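Review bot: The added comment `/* cannot be const */` above `octeon_cf_ops` gives no reason, so a later constification pass cannot tell whether the exemption still holds. Presumably the driver assigns members of this table at probe time, which is outside the hunk; if that is confirmed, say so: `/* cannot be const: members are assigned at probe time, so this ops table stays writable */`. The reason matters because this remains a writable table of function pointers while the neighbouring drivers' tables move to read-only data. The initializer continues past the end of the hunk.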
25542 diff -urNp linux-2.6.32.46/drivers/ata/pata_oldpiix.c linux-2.6.32.46/drivers/ata/pata_oldpiix.c
25543 --- linux-2.6.32.46/drivers/ata/pata_oldpiix.c 2011-03-27 14:31:47.000000000 -0400
25544 +++ linux-2.6.32.46/drivers/ata/pata_oldpiix.c 2011-04-17 15:56:46.000000000 -0400
25545 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
25546 ATA_BMDMA_SHT(DRV_NAME),
25547 };
25548
25549 -static struct ata_port_operations oldpiix_pata_ops = {
25550 +static const struct ata_port_operations oldpiix_pata_ops = {
25551 .inherits = &ata_bmdma_port_ops,
25552 .qc_issue = oldpiix_qc_issue,
25553 .cable_detect = ata_cable_40wire,
25554 diff -urNp linux-2.6.32.46/drivers/ata/pata_opti.c linux-2.6.32.46/drivers/ata/pata_opti.c
25555 --- linux-2.6.32.46/drivers/ata/pata_opti.c 2011-03-27 14:31:47.000000000 -0400
25556 +++ linux-2.6.32.46/drivers/ata/pata_opti.c 2011-04-17 15:56:46.000000000 -0400
25557 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
25558 ATA_PIO_SHT(DRV_NAME),
25559 };
25560
25561 -static struct ata_port_operations opti_port_ops = {
25562 +static const struct ata_port_operations opti_port_ops = {
25563 .inherits = &ata_sff_port_ops,
25564 .cable_detect = ata_cable_40wire,
25565 .set_piomode = opti_set_piomode,
25566 diff -urNp linux-2.6.32.46/drivers/ata/pata_optidma.c linux-2.6.32.46/drivers/ata/pata_optidma.c
25567 --- linux-2.6.32.46/drivers/ata/pata_optidma.c 2011-03-27 14:31:47.000000000 -0400
25568 +++ linux-2.6.32.46/drivers/ata/pata_optidma.c 2011-04-17 15:56:46.000000000 -0400
25569 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
25570 ATA_BMDMA_SHT(DRV_NAME),
25571 };
25572
25573 -static struct ata_port_operations optidma_port_ops = {
25574 +static const struct ata_port_operations optidma_port_ops = {
25575 .inherits = &ata_bmdma_port_ops,
25576 .cable_detect = ata_cable_40wire,
25577 .set_piomode = optidma_set_pio_mode,
25578 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
25579 .prereset = optidma_pre_reset,
25580 };
25581
25582 -static struct ata_port_operations optiplus_port_ops = {
25583 +static const struct ata_port_operations optiplus_port_ops = {
25584 .inherits = &optidma_port_ops,
25585 .set_piomode = optiplus_set_pio_mode,
25586 .set_dmamode = optiplus_set_dma_mode,
25587 diff -urNp linux-2.6.32.46/drivers/ata/pata_palmld.c linux-2.6.32.46/drivers/ata/pata_palmld.c
25588 --- linux-2.6.32.46/drivers/ata/pata_palmld.c 2011-03-27 14:31:47.000000000 -0400
25589 +++ linux-2.6.32.46/drivers/ata/pata_palmld.c 2011-04-17 15:56:46.000000000 -0400
25590 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
25591 ATA_PIO_SHT(DRV_NAME),
25592 };
25593
25594 -static struct ata_port_operations palmld_port_ops = {
25595 +static const struct ata_port_operations palmld_port_ops = {
25596 .inherits = &ata_sff_port_ops,
25597 .sff_data_xfer = ata_sff_data_xfer_noirq,
25598 .cable_detect = ata_cable_40wire,
25599 diff -urNp linux-2.6.32.46/drivers/ata/pata_pcmcia.c linux-2.6.32.46/drivers/ata/pata_pcmcia.c
25600 --- linux-2.6.32.46/drivers/ata/pata_pcmcia.c 2011-03-27 14:31:47.000000000 -0400
25601 +++ linux-2.6.32.46/drivers/ata/pata_pcmcia.c 2011-04-17 15:56:46.000000000 -0400
25602 @@ -162,14 +162,14 @@ static struct scsi_host_template pcmcia_
25603 ATA_PIO_SHT(DRV_NAME),
25604 };
25605
25606 -static struct ata_port_operations pcmcia_port_ops = {
25607 +static const struct ata_port_operations pcmcia_port_ops = {
25608 .inherits = &ata_sff_port_ops,
25609 .sff_data_xfer = ata_sff_data_xfer_noirq,
25610 .cable_detect = ata_cable_40wire,
25611 .set_mode = pcmcia_set_mode,
25612 };
25613
25614 -static struct ata_port_operations pcmcia_8bit_port_ops = {
25615 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
25616 .inherits = &ata_sff_port_ops,
25617 .sff_data_xfer = ata_data_xfer_8bit,
25618 .cable_detect = ata_cable_40wire,
25619 @@ -256,7 +256,7 @@ static int pcmcia_init_one(struct pcmcia
25620 unsigned long io_base, ctl_base;
25621 void __iomem *io_addr, *ctl_addr;
25622 int n_ports = 1;
25623 - struct ata_port_operations *ops = &pcmcia_port_ops;
25624 + const struct ata_port_operations *ops = &pcmcia_port_ops;
25625
25626 info = kzalloc(sizeof(*info), GFP_KERNEL);
25627 if (info == NULL)
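Review bot: The newly const-qualified local `ops` in `pcmcia_init_one` is handed on to libata further down, outside this hunk, so the qualifier survives only if the receiving member or parameter is also `const struct ata_port_operations *`. Confirm that declaration in include/linux/libata.h is changed by this patch, rather than a discarded-qualifier warning being silenced with a cast somewhere. A cast would leave a writable alias to a table the rest of the change assumes is immutable. The function starts before and continues after the hunk.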
25628 diff -urNp linux-2.6.32.46/drivers/ata/pata_pdc2027x.c linux-2.6.32.46/drivers/ata/pata_pdc2027x.c
25629 --- linux-2.6.32.46/drivers/ata/pata_pdc2027x.c 2011-03-27 14:31:47.000000000 -0400
25630 +++ linux-2.6.32.46/drivers/ata/pata_pdc2027x.c 2011-04-17 15:56:46.000000000 -0400
25631 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
25632 ATA_BMDMA_SHT(DRV_NAME),
25633 };
25634
25635 -static struct ata_port_operations pdc2027x_pata100_ops = {
25636 +static const struct ata_port_operations pdc2027x_pata100_ops = {
25637 .inherits = &ata_bmdma_port_ops,
25638 .check_atapi_dma = pdc2027x_check_atapi_dma,
25639 .cable_detect = pdc2027x_cable_detect,
25640 .prereset = pdc2027x_prereset,
25641 };
25642
25643 -static struct ata_port_operations pdc2027x_pata133_ops = {
25644 +static const struct ata_port_operations pdc2027x_pata133_ops = {
25645 .inherits = &pdc2027x_pata100_ops,
25646 .mode_filter = pdc2027x_mode_filter,
25647 .set_piomode = pdc2027x_set_piomode,
25648 diff -urNp linux-2.6.32.46/drivers/ata/pata_pdc202xx_old.c linux-2.6.32.46/drivers/ata/pata_pdc202xx_old.c
25649 --- linux-2.6.32.46/drivers/ata/pata_pdc202xx_old.c 2011-03-27 14:31:47.000000000 -0400
25650 +++ linux-2.6.32.46/drivers/ata/pata_pdc202xx_old.c 2011-04-17 15:56:46.000000000 -0400
25651 @@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
25652 ATA_BMDMA_SHT(DRV_NAME),
25653 };
25654
25655 -static struct ata_port_operations pdc2024x_port_ops = {
25656 +static const struct ata_port_operations pdc2024x_port_ops = {
25657 .inherits = &ata_bmdma_port_ops,
25658
25659 .cable_detect = ata_cable_40wire,
25660 @@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
25661 .sff_exec_command = pdc202xx_exec_command,
25662 };
25663
25664 -static struct ata_port_operations pdc2026x_port_ops = {
25665 +static const struct ata_port_operations pdc2026x_port_ops = {
25666 .inherits = &pdc2024x_port_ops,
25667
25668 .check_atapi_dma = pdc2026x_check_atapi_dma,
25669 diff -urNp linux-2.6.32.46/drivers/ata/pata_platform.c linux-2.6.32.46/drivers/ata/pata_platform.c
25670 --- linux-2.6.32.46/drivers/ata/pata_platform.c 2011-03-27 14:31:47.000000000 -0400
25671 +++ linux-2.6.32.46/drivers/ata/pata_platform.c 2011-04-17 15:56:46.000000000 -0400
25672 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
25673 ATA_PIO_SHT(DRV_NAME),
25674 };
25675
25676 -static struct ata_port_operations pata_platform_port_ops = {
25677 +static const struct ata_port_operations pata_platform_port_ops = {
25678 .inherits = &ata_sff_port_ops,
25679 .sff_data_xfer = ata_sff_data_xfer_noirq,
25680 .cable_detect = ata_cable_unknown,
25681 diff -urNp linux-2.6.32.46/drivers/ata/pata_qdi.c linux-2.6.32.46/drivers/ata/pata_qdi.c
25682 --- linux-2.6.32.46/drivers/ata/pata_qdi.c 2011-03-27 14:31:47.000000000 -0400
25683 +++ linux-2.6.32.46/drivers/ata/pata_qdi.c 2011-04-17 15:56:46.000000000 -0400
25684 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
25685 ATA_PIO_SHT(DRV_NAME),
25686 };
25687
25688 -static struct ata_port_operations qdi6500_port_ops = {
25689 +static const struct ata_port_operations qdi6500_port_ops = {
25690 .inherits = &ata_sff_port_ops,
25691 .qc_issue = qdi_qc_issue,
25692 .sff_data_xfer = qdi_data_xfer,
25693 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
25694 .set_piomode = qdi6500_set_piomode,
25695 };
25696
25697 -static struct ata_port_operations qdi6580_port_ops = {
25698 +static const struct ata_port_operations qdi6580_port_ops = {
25699 .inherits = &qdi6500_port_ops,
25700 .set_piomode = qdi6580_set_piomode,
25701 };
25702 diff -urNp linux-2.6.32.46/drivers/ata/pata_radisys.c linux-2.6.32.46/drivers/ata/pata_radisys.c
25703 --- linux-2.6.32.46/drivers/ata/pata_radisys.c 2011-03-27 14:31:47.000000000 -0400
25704 +++ linux-2.6.32.46/drivers/ata/pata_radisys.c 2011-04-17 15:56:46.000000000 -0400
25705 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
25706 ATA_BMDMA_SHT(DRV_NAME),
25707 };
25708
25709 -static struct ata_port_operations radisys_pata_ops = {
25710 +static const struct ata_port_operations radisys_pata_ops = {
25711 .inherits = &ata_bmdma_port_ops,
25712 .qc_issue = radisys_qc_issue,
25713 .cable_detect = ata_cable_unknown,
25714 diff -urNp linux-2.6.32.46/drivers/ata/pata_rb532_cf.c linux-2.6.32.46/drivers/ata/pata_rb532_cf.c
25715 --- linux-2.6.32.46/drivers/ata/pata_rb532_cf.c 2011-03-27 14:31:47.000000000 -0400
25716 +++ linux-2.6.32.46/drivers/ata/pata_rb532_cf.c 2011-04-17 15:56:46.000000000 -0400
25717 @@ -68,7 +68,7 @@ static irqreturn_t rb532_pata_irq_handle
25718 return IRQ_HANDLED;
25719 }
25720
25721 -static struct ata_port_operations rb532_pata_port_ops = {
25722 +static const struct ata_port_operations rb532_pata_port_ops = {
25723 .inherits = &ata_sff_port_ops,
25724 .sff_data_xfer = ata_sff_data_xfer32,
25725 };
25726 diff -urNp linux-2.6.32.46/drivers/ata/pata_rdc.c linux-2.6.32.46/drivers/ata/pata_rdc.c
25727 --- linux-2.6.32.46/drivers/ata/pata_rdc.c 2011-03-27 14:31:47.000000000 -0400
25728 +++ linux-2.6.32.46/drivers/ata/pata_rdc.c 2011-04-17 15:56:46.000000000 -0400
25729 @@ -272,7 +272,7 @@ static void rdc_set_dmamode(struct ata_p
25730 pci_write_config_byte(dev, 0x48, udma_enable);
25731 }
25732
25733 -static struct ata_port_operations rdc_pata_ops = {
25734 +static const struct ata_port_operations rdc_pata_ops = {
25735 .inherits = &ata_bmdma32_port_ops,
25736 .cable_detect = rdc_pata_cable_detect,
25737 .set_piomode = rdc_set_piomode,
25738 diff -urNp linux-2.6.32.46/drivers/ata/pata_rz1000.c linux-2.6.32.46/drivers/ata/pata_rz1000.c
25739 --- linux-2.6.32.46/drivers/ata/pata_rz1000.c 2011-03-27 14:31:47.000000000 -0400
25740 +++ linux-2.6.32.46/drivers/ata/pata_rz1000.c 2011-04-17 15:56:46.000000000 -0400
25741 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
25742 ATA_PIO_SHT(DRV_NAME),
25743 };
25744
25745 -static struct ata_port_operations rz1000_port_ops = {
25746 +static const struct ata_port_operations rz1000_port_ops = {
25747 .inherits = &ata_sff_port_ops,
25748 .cable_detect = ata_cable_40wire,
25749 .set_mode = rz1000_set_mode,
25750 diff -urNp linux-2.6.32.46/drivers/ata/pata_sc1200.c linux-2.6.32.46/drivers/ata/pata_sc1200.c
25751 --- linux-2.6.32.46/drivers/ata/pata_sc1200.c 2011-03-27 14:31:47.000000000 -0400
25752 +++ linux-2.6.32.46/drivers/ata/pata_sc1200.c 2011-04-17 15:56:46.000000000 -0400
25753 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
25754 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
25755 };
25756
25757 -static struct ata_port_operations sc1200_port_ops = {
25758 +static const struct ata_port_operations sc1200_port_ops = {
25759 .inherits = &ata_bmdma_port_ops,
25760 .qc_prep = ata_sff_dumb_qc_prep,
25761 .qc_issue = sc1200_qc_issue,
25762 diff -urNp linux-2.6.32.46/drivers/ata/pata_scc.c linux-2.6.32.46/drivers/ata/pata_scc.c
25763 --- linux-2.6.32.46/drivers/ata/pata_scc.c 2011-03-27 14:31:47.000000000 -0400
25764 +++ linux-2.6.32.46/drivers/ata/pata_scc.c 2011-04-17 15:56:46.000000000 -0400
25765 @@ -965,7 +965,7 @@ static struct scsi_host_template scc_sht
25766 ATA_BMDMA_SHT(DRV_NAME),
25767 };
25768
25769 -static struct ata_port_operations scc_pata_ops = {
25770 +static const struct ata_port_operations scc_pata_ops = {
25771 .inherits = &ata_bmdma_port_ops,
25772
25773 .set_piomode = scc_set_piomode,
25774 diff -urNp linux-2.6.32.46/drivers/ata/pata_sch.c linux-2.6.32.46/drivers/ata/pata_sch.c
25775 --- linux-2.6.32.46/drivers/ata/pata_sch.c 2011-03-27 14:31:47.000000000 -0400
25776 +++ linux-2.6.32.46/drivers/ata/pata_sch.c 2011-04-17 15:56:46.000000000 -0400
25777 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
25778 ATA_BMDMA_SHT(DRV_NAME),
25779 };
25780
25781 -static struct ata_port_operations sch_pata_ops = {
25782 +static const struct ata_port_operations sch_pata_ops = {
25783 .inherits = &ata_bmdma_port_ops,
25784 .cable_detect = ata_cable_unknown,
25785 .set_piomode = sch_set_piomode,
25786 diff -urNp linux-2.6.32.46/drivers/ata/pata_serverworks.c linux-2.6.32.46/drivers/ata/pata_serverworks.c
25787 --- linux-2.6.32.46/drivers/ata/pata_serverworks.c 2011-03-27 14:31:47.000000000 -0400
25788 +++ linux-2.6.32.46/drivers/ata/pata_serverworks.c 2011-04-17 15:56:46.000000000 -0400
25789 @@ -299,7 +299,7 @@ static struct scsi_host_template serverw
25790 ATA_BMDMA_SHT(DRV_NAME),
25791 };
25792
25793 -static struct ata_port_operations serverworks_osb4_port_ops = {
25794 +static const struct ata_port_operations serverworks_osb4_port_ops = {
25795 .inherits = &ata_bmdma_port_ops,
25796 .cable_detect = serverworks_cable_detect,
25797 .mode_filter = serverworks_osb4_filter,
25798 @@ -307,7 +307,7 @@ static struct ata_port_operations server
25799 .set_dmamode = serverworks_set_dmamode,
25800 };
25801
25802 -static struct ata_port_operations serverworks_csb_port_ops = {
25803 +static const struct ata_port_operations serverworks_csb_port_ops = {
25804 .inherits = &serverworks_osb4_port_ops,
25805 .mode_filter = serverworks_csb_filter,
25806 };
25807 diff -urNp linux-2.6.32.46/drivers/ata/pata_sil680.c linux-2.6.32.46/drivers/ata/pata_sil680.c
25808 --- linux-2.6.32.46/drivers/ata/pata_sil680.c 2011-06-25 12:55:34.000000000 -0400
25809 +++ linux-2.6.32.46/drivers/ata/pata_sil680.c 2011-06-25 12:56:37.000000000 -0400
25810 @@ -194,7 +194,7 @@ static struct scsi_host_template sil680_
25811 ATA_BMDMA_SHT(DRV_NAME),
25812 };
25813
25814 -static struct ata_port_operations sil680_port_ops = {
25815 +static const struct ata_port_operations sil680_port_ops = {
25816 .inherits = &ata_bmdma32_port_ops,
25817 .cable_detect = sil680_cable_detect,
25818 .set_piomode = sil680_set_piomode,
25819 diff -urNp linux-2.6.32.46/drivers/ata/pata_sis.c linux-2.6.32.46/drivers/ata/pata_sis.c
25820 --- linux-2.6.32.46/drivers/ata/pata_sis.c 2011-03-27 14:31:47.000000000 -0400
25821 +++ linux-2.6.32.46/drivers/ata/pata_sis.c 2011-04-17 15:56:46.000000000 -0400
25822 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
25823 ATA_BMDMA_SHT(DRV_NAME),
25824 };
25825
25826 -static struct ata_port_operations sis_133_for_sata_ops = {
25827 +static const struct ata_port_operations sis_133_for_sata_ops = {
25828 .inherits = &ata_bmdma_port_ops,
25829 .set_piomode = sis_133_set_piomode,
25830 .set_dmamode = sis_133_set_dmamode,
25831 .cable_detect = sis_133_cable_detect,
25832 };
25833
25834 -static struct ata_port_operations sis_base_ops = {
25835 +static const struct ata_port_operations sis_base_ops = {
25836 .inherits = &ata_bmdma_port_ops,
25837 .prereset = sis_pre_reset,
25838 };
25839
25840 -static struct ata_port_operations sis_133_ops = {
25841 +static const struct ata_port_operations sis_133_ops = {
25842 .inherits = &sis_base_ops,
25843 .set_piomode = sis_133_set_piomode,
25844 .set_dmamode = sis_133_set_dmamode,
25845 .cable_detect = sis_133_cable_detect,
25846 };
25847
25848 -static struct ata_port_operations sis_133_early_ops = {
25849 +static const struct ata_port_operations sis_133_early_ops = {
25850 .inherits = &sis_base_ops,
25851 .set_piomode = sis_100_set_piomode,
25852 .set_dmamode = sis_133_early_set_dmamode,
25853 .cable_detect = sis_66_cable_detect,
25854 };
25855
25856 -static struct ata_port_operations sis_100_ops = {
25857 +static const struct ata_port_operations sis_100_ops = {
25858 .inherits = &sis_base_ops,
25859 .set_piomode = sis_100_set_piomode,
25860 .set_dmamode = sis_100_set_dmamode,
25861 .cable_detect = sis_66_cable_detect,
25862 };
25863
25864 -static struct ata_port_operations sis_66_ops = {
25865 +static const struct ata_port_operations sis_66_ops = {
25866 .inherits = &sis_base_ops,
25867 .set_piomode = sis_old_set_piomode,
25868 .set_dmamode = sis_66_set_dmamode,
25869 .cable_detect = sis_66_cable_detect,
25870 };
25871
25872 -static struct ata_port_operations sis_old_ops = {
25873 +static const struct ata_port_operations sis_old_ops = {
25874 .inherits = &sis_base_ops,
25875 .set_piomode = sis_old_set_piomode,
25876 .set_dmamode = sis_old_set_dmamode,
25877 diff -urNp linux-2.6.32.46/drivers/ata/pata_sl82c105.c linux-2.6.32.46/drivers/ata/pata_sl82c105.c
25878 --- linux-2.6.32.46/drivers/ata/pata_sl82c105.c 2011-03-27 14:31:47.000000000 -0400
25879 +++ linux-2.6.32.46/drivers/ata/pata_sl82c105.c 2011-04-17 15:56:46.000000000 -0400
25880 @@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
25881 ATA_BMDMA_SHT(DRV_NAME),
25882 };
25883
25884 -static struct ata_port_operations sl82c105_port_ops = {
25885 +static const struct ata_port_operations sl82c105_port_ops = {
25886 .inherits = &ata_bmdma_port_ops,
25887 .qc_defer = sl82c105_qc_defer,
25888 .bmdma_start = sl82c105_bmdma_start,
25889 diff -urNp linux-2.6.32.46/drivers/ata/pata_triflex.c linux-2.6.32.46/drivers/ata/pata_triflex.c
25890 --- linux-2.6.32.46/drivers/ata/pata_triflex.c 2011-03-27 14:31:47.000000000 -0400
25891 +++ linux-2.6.32.46/drivers/ata/pata_triflex.c 2011-04-17 15:56:46.000000000 -0400
25892 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
25893 ATA_BMDMA_SHT(DRV_NAME),
25894 };
25895
25896 -static struct ata_port_operations triflex_port_ops = {
25897 +static const struct ata_port_operations triflex_port_ops = {
25898 .inherits = &ata_bmdma_port_ops,
25899 .bmdma_start = triflex_bmdma_start,
25900 .bmdma_stop = triflex_bmdma_stop,
25901 diff -urNp linux-2.6.32.46/drivers/ata/pata_via.c linux-2.6.32.46/drivers/ata/pata_via.c
25902 --- linux-2.6.32.46/drivers/ata/pata_via.c 2011-03-27 14:31:47.000000000 -0400
25903 +++ linux-2.6.32.46/drivers/ata/pata_via.c 2011-04-17 15:56:46.000000000 -0400
25904 @@ -419,7 +419,7 @@ static struct scsi_host_template via_sht
25905 ATA_BMDMA_SHT(DRV_NAME),
25906 };
25907
25908 -static struct ata_port_operations via_port_ops = {
25909 +static const struct ata_port_operations via_port_ops = {
25910 .inherits = &ata_bmdma_port_ops,
25911 .cable_detect = via_cable_detect,
25912 .set_piomode = via_set_piomode,
25913 @@ -429,7 +429,7 @@ static struct ata_port_operations via_po
25914 .port_start = via_port_start,
25915 };
25916
25917 -static struct ata_port_operations via_port_ops_noirq = {
25918 +static const struct ata_port_operations via_port_ops_noirq = {
25919 .inherits = &via_port_ops,
25920 .sff_data_xfer = ata_sff_data_xfer_noirq,
25921 };
25922 diff -urNp linux-2.6.32.46/drivers/ata/pata_winbond.c linux-2.6.32.46/drivers/ata/pata_winbond.c
25923 --- linux-2.6.32.46/drivers/ata/pata_winbond.c 2011-03-27 14:31:47.000000000 -0400
25924 +++ linux-2.6.32.46/drivers/ata/pata_winbond.c 2011-04-17 15:56:46.000000000 -0400
25925 @@ -125,7 +125,7 @@ static struct scsi_host_template winbond
25926 ATA_PIO_SHT(DRV_NAME),
25927 };
25928
25929 -static struct ata_port_operations winbond_port_ops = {
25930 +static const struct ata_port_operations winbond_port_ops = {
25931 .inherits = &ata_sff_port_ops,
25932 .sff_data_xfer = winbond_data_xfer,
25933 .cable_detect = ata_cable_40wire,
25934 diff -urNp linux-2.6.32.46/drivers/ata/pdc_adma.c linux-2.6.32.46/drivers/ata/pdc_adma.c
25935 --- linux-2.6.32.46/drivers/ata/pdc_adma.c 2011-03-27 14:31:47.000000000 -0400
25936 +++ linux-2.6.32.46/drivers/ata/pdc_adma.c 2011-04-17 15:56:46.000000000 -0400
25937 @@ -145,7 +145,7 @@ static struct scsi_host_template adma_at
25938 .dma_boundary = ADMA_DMA_BOUNDARY,
25939 };
25940
25941 -static struct ata_port_operations adma_ata_ops = {
25942 +static const struct ata_port_operations adma_ata_ops = {
25943 .inherits = &ata_sff_port_ops,
25944
25945 .lost_interrupt = ATA_OP_NULL,
25946 diff -urNp linux-2.6.32.46/drivers/ata/sata_fsl.c linux-2.6.32.46/drivers/ata/sata_fsl.c
25947 --- linux-2.6.32.46/drivers/ata/sata_fsl.c 2011-03-27 14:31:47.000000000 -0400
25948 +++ linux-2.6.32.46/drivers/ata/sata_fsl.c 2011-04-17 15:56:46.000000000 -0400
25949 @@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
25950 .dma_boundary = ATA_DMA_BOUNDARY,
25951 };
25952
25953 -static struct ata_port_operations sata_fsl_ops = {
25954 +static const struct ata_port_operations sata_fsl_ops = {
25955 .inherits = &sata_pmp_port_ops,
25956
25957 .qc_defer = ata_std_qc_defer,
25958 diff -urNp linux-2.6.32.46/drivers/ata/sata_inic162x.c linux-2.6.32.46/drivers/ata/sata_inic162x.c
25959 --- linux-2.6.32.46/drivers/ata/sata_inic162x.c 2011-03-27 14:31:47.000000000 -0400
25960 +++ linux-2.6.32.46/drivers/ata/sata_inic162x.c 2011-04-17 15:56:46.000000000 -0400
25961 @@ -721,7 +721,7 @@ static int inic_port_start(struct ata_po
25962 return 0;
25963 }
25964
25965 -static struct ata_port_operations inic_port_ops = {
25966 +static const struct ata_port_operations inic_port_ops = {
25967 .inherits = &sata_port_ops,
25968
25969 .check_atapi_dma = inic_check_atapi_dma,
25970 diff -urNp linux-2.6.32.46/drivers/ata/sata_mv.c linux-2.6.32.46/drivers/ata/sata_mv.c
25971 --- linux-2.6.32.46/drivers/ata/sata_mv.c 2011-03-27 14:31:47.000000000 -0400
25972 +++ linux-2.6.32.46/drivers/ata/sata_mv.c 2011-04-17 15:56:46.000000000 -0400
25973 @@ -656,7 +656,7 @@ static struct scsi_host_template mv6_sht
25974 .dma_boundary = MV_DMA_BOUNDARY,
25975 };
25976
25977 -static struct ata_port_operations mv5_ops = {
25978 +static const struct ata_port_operations mv5_ops = {
25979 .inherits = &ata_sff_port_ops,
25980
25981 .lost_interrupt = ATA_OP_NULL,
25982 @@ -678,7 +678,7 @@ static struct ata_port_operations mv5_op
25983 .port_stop = mv_port_stop,
25984 };
25985
25986 -static struct ata_port_operations mv6_ops = {
25987 +static const struct ata_port_operations mv6_ops = {
25988 .inherits = &mv5_ops,
25989 .dev_config = mv6_dev_config,
25990 .scr_read = mv_scr_read,
25991 @@ -698,7 +698,7 @@ static struct ata_port_operations mv6_op
25992 .bmdma_status = mv_bmdma_status,
25993 };
25994
25995 -static struct ata_port_operations mv_iie_ops = {
25996 +static const struct ata_port_operations mv_iie_ops = {
25997 .inherits = &mv6_ops,
25998 .dev_config = ATA_OP_NULL,
25999 .qc_prep = mv_qc_prep_iie,
26000 diff -urNp linux-2.6.32.46/drivers/ata/sata_nv.c linux-2.6.32.46/drivers/ata/sata_nv.c
26001 --- linux-2.6.32.46/drivers/ata/sata_nv.c 2011-03-27 14:31:47.000000000 -0400
26002 +++ linux-2.6.32.46/drivers/ata/sata_nv.c 2011-04-17 15:56:46.000000000 -0400
26003 @@ -464,7 +464,7 @@ static struct scsi_host_template nv_swnc
26004 * cases. Define nv_hardreset() which only kicks in for post-boot
26005 * probing and use it for all variants.
26006 */
26007 -static struct ata_port_operations nv_generic_ops = {
26008 +static const struct ata_port_operations nv_generic_ops = {
26009 .inherits = &ata_bmdma_port_ops,
26010 .lost_interrupt = ATA_OP_NULL,
26011 .scr_read = nv_scr_read,
26012 @@ -472,20 +472,20 @@ static struct ata_port_operations nv_gen
26013 .hardreset = nv_hardreset,
26014 };
26015
26016 -static struct ata_port_operations nv_nf2_ops = {
26017 +static const struct ata_port_operations nv_nf2_ops = {
26018 .inherits = &nv_generic_ops,
26019 .freeze = nv_nf2_freeze,
26020 .thaw = nv_nf2_thaw,
26021 };
26022
26023 -static struct ata_port_operations nv_ck804_ops = {
26024 +static const struct ata_port_operations nv_ck804_ops = {
26025 .inherits = &nv_generic_ops,
26026 .freeze = nv_ck804_freeze,
26027 .thaw = nv_ck804_thaw,
26028 .host_stop = nv_ck804_host_stop,
26029 };
26030
26031 -static struct ata_port_operations nv_adma_ops = {
26032 +static const struct ata_port_operations nv_adma_ops = {
26033 .inherits = &nv_ck804_ops,
26034
26035 .check_atapi_dma = nv_adma_check_atapi_dma,
26036 @@ -509,7 +509,7 @@ static struct ata_port_operations nv_adm
26037 .host_stop = nv_adma_host_stop,
26038 };
26039
26040 -static struct ata_port_operations nv_swncq_ops = {
26041 +static const struct ata_port_operations nv_swncq_ops = {
26042 .inherits = &nv_generic_ops,
26043
26044 .qc_defer = ata_std_qc_defer,
26045 diff -urNp linux-2.6.32.46/drivers/ata/sata_promise.c linux-2.6.32.46/drivers/ata/sata_promise.c
26046 --- linux-2.6.32.46/drivers/ata/sata_promise.c 2011-03-27 14:31:47.000000000 -0400
26047 +++ linux-2.6.32.46/drivers/ata/sata_promise.c 2011-04-17 15:56:46.000000000 -0400
26048 @@ -195,7 +195,7 @@ static const struct ata_port_operations
26049 .error_handler = pdc_error_handler,
26050 };
26051
26052 -static struct ata_port_operations pdc_sata_ops = {
26053 +static const struct ata_port_operations pdc_sata_ops = {
26054 .inherits = &pdc_common_ops,
26055 .cable_detect = pdc_sata_cable_detect,
26056 .freeze = pdc_sata_freeze,
26057 @@ -208,14 +208,14 @@ static struct ata_port_operations pdc_sa
26058
26059 /* First-generation chips need a more restrictive ->check_atapi_dma op,
26060 and ->freeze/thaw that ignore the hotplug controls. */
26061 -static struct ata_port_operations pdc_old_sata_ops = {
26062 +static const struct ata_port_operations pdc_old_sata_ops = {
26063 .inherits = &pdc_sata_ops,
26064 .freeze = pdc_freeze,
26065 .thaw = pdc_thaw,
26066 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
26067 };
26068
26069 -static struct ata_port_operations pdc_pata_ops = {
26070 +static const struct ata_port_operations pdc_pata_ops = {
26071 .inherits = &pdc_common_ops,
26072 .cable_detect = pdc_pata_cable_detect,
26073 .freeze = pdc_freeze,
26074 diff -urNp linux-2.6.32.46/drivers/ata/sata_qstor.c linux-2.6.32.46/drivers/ata/sata_qstor.c
26075 --- linux-2.6.32.46/drivers/ata/sata_qstor.c 2011-03-27 14:31:47.000000000 -0400
26076 +++ linux-2.6.32.46/drivers/ata/sata_qstor.c 2011-04-17 15:56:46.000000000 -0400
26077 @@ -132,7 +132,7 @@ static struct scsi_host_template qs_ata_
26078 .dma_boundary = QS_DMA_BOUNDARY,
26079 };
26080
26081 -static struct ata_port_operations qs_ata_ops = {
26082 +static const struct ata_port_operations qs_ata_ops = {
26083 .inherits = &ata_sff_port_ops,
26084
26085 .check_atapi_dma = qs_check_atapi_dma,
26086 diff -urNp linux-2.6.32.46/drivers/ata/sata_sil24.c linux-2.6.32.46/drivers/ata/sata_sil24.c
26087 --- linux-2.6.32.46/drivers/ata/sata_sil24.c 2011-03-27 14:31:47.000000000 -0400
26088 +++ linux-2.6.32.46/drivers/ata/sata_sil24.c 2011-04-17 15:56:46.000000000 -0400
26089 @@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
26090 .dma_boundary = ATA_DMA_BOUNDARY,
26091 };
26092
26093 -static struct ata_port_operations sil24_ops = {
26094 +static const struct ata_port_operations sil24_ops = {
26095 .inherits = &sata_pmp_port_ops,
26096
26097 .qc_defer = sil24_qc_defer,
26098 diff -urNp linux-2.6.32.46/drivers/ata/sata_sil.c linux-2.6.32.46/drivers/ata/sata_sil.c
26099 --- linux-2.6.32.46/drivers/ata/sata_sil.c 2011-03-27 14:31:47.000000000 -0400
26100 +++ linux-2.6.32.46/drivers/ata/sata_sil.c 2011-04-17 15:56:46.000000000 -0400
26101 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
26102 .sg_tablesize = ATA_MAX_PRD
26103 };
26104
26105 -static struct ata_port_operations sil_ops = {
26106 +static const struct ata_port_operations sil_ops = {
26107 .inherits = &ata_bmdma32_port_ops,
26108 .dev_config = sil_dev_config,
26109 .set_mode = sil_set_mode,
26110 diff -urNp linux-2.6.32.46/drivers/ata/sata_sis.c linux-2.6.32.46/drivers/ata/sata_sis.c
26111 --- linux-2.6.32.46/drivers/ata/sata_sis.c 2011-03-27 14:31:47.000000000 -0400
26112 +++ linux-2.6.32.46/drivers/ata/sata_sis.c 2011-04-17 15:56:46.000000000 -0400
26113 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
26114 ATA_BMDMA_SHT(DRV_NAME),
26115 };
26116
26117 -static struct ata_port_operations sis_ops = {
26118 +static const struct ata_port_operations sis_ops = {
26119 .inherits = &ata_bmdma_port_ops,
26120 .scr_read = sis_scr_read,
26121 .scr_write = sis_scr_write,
26122 diff -urNp linux-2.6.32.46/drivers/ata/sata_svw.c linux-2.6.32.46/drivers/ata/sata_svw.c
26123 --- linux-2.6.32.46/drivers/ata/sata_svw.c 2011-03-27 14:31:47.000000000 -0400
26124 +++ linux-2.6.32.46/drivers/ata/sata_svw.c 2011-04-17 15:56:46.000000000 -0400
26125 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
26126 };
26127
26128
26129 -static struct ata_port_operations k2_sata_ops = {
26130 +static const struct ata_port_operations k2_sata_ops = {
26131 .inherits = &ata_bmdma_port_ops,
26132 .sff_tf_load = k2_sata_tf_load,
26133 .sff_tf_read = k2_sata_tf_read,
26134 diff -urNp linux-2.6.32.46/drivers/ata/sata_sx4.c linux-2.6.32.46/drivers/ata/sata_sx4.c
26135 --- linux-2.6.32.46/drivers/ata/sata_sx4.c 2011-03-27 14:31:47.000000000 -0400
26136 +++ linux-2.6.32.46/drivers/ata/sata_sx4.c 2011-04-17 15:56:46.000000000 -0400
26137 @@ -248,7 +248,7 @@ static struct scsi_host_template pdc_sat
26138 };
26139
26140 /* TODO: inherit from base port_ops after converting to new EH */
26141 -static struct ata_port_operations pdc_20621_ops = {
26142 +static const struct ata_port_operations pdc_20621_ops = {
26143 .inherits = &ata_sff_port_ops,
26144
26145 .check_atapi_dma = pdc_check_atapi_dma,
26146 diff -urNp linux-2.6.32.46/drivers/ata/sata_uli.c linux-2.6.32.46/drivers/ata/sata_uli.c
26147 --- linux-2.6.32.46/drivers/ata/sata_uli.c 2011-03-27 14:31:47.000000000 -0400
26148 +++ linux-2.6.32.46/drivers/ata/sata_uli.c 2011-04-17 15:56:46.000000000 -0400
26149 @@ -79,7 +79,7 @@ static struct scsi_host_template uli_sht
26150 ATA_BMDMA_SHT(DRV_NAME),
26151 };
26152
26153 -static struct ata_port_operations uli_ops = {
26154 +static const struct ata_port_operations uli_ops = {
26155 .inherits = &ata_bmdma_port_ops,
26156 .scr_read = uli_scr_read,
26157 .scr_write = uli_scr_write,
26158 diff -urNp linux-2.6.32.46/drivers/ata/sata_via.c linux-2.6.32.46/drivers/ata/sata_via.c
26159 --- linux-2.6.32.46/drivers/ata/sata_via.c 2011-05-10 22:12:01.000000000 -0400
26160 +++ linux-2.6.32.46/drivers/ata/sata_via.c 2011-05-10 22:15:08.000000000 -0400
26161 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
26162 ATA_BMDMA_SHT(DRV_NAME),
26163 };
26164
26165 -static struct ata_port_operations svia_base_ops = {
26166 +static const struct ata_port_operations svia_base_ops = {
26167 .inherits = &ata_bmdma_port_ops,
26168 .sff_tf_load = svia_tf_load,
26169 };
26170
26171 -static struct ata_port_operations vt6420_sata_ops = {
26172 +static const struct ata_port_operations vt6420_sata_ops = {
26173 .inherits = &svia_base_ops,
26174 .freeze = svia_noop_freeze,
26175 .prereset = vt6420_prereset,
26176 .bmdma_start = vt6420_bmdma_start,
26177 };
26178
26179 -static struct ata_port_operations vt6421_pata_ops = {
26180 +static const struct ata_port_operations vt6421_pata_ops = {
26181 .inherits = &svia_base_ops,
26182 .cable_detect = vt6421_pata_cable_detect,
26183 .set_piomode = vt6421_set_pio_mode,
26184 .set_dmamode = vt6421_set_dma_mode,
26185 };
26186
26187 -static struct ata_port_operations vt6421_sata_ops = {
26188 +static const struct ata_port_operations vt6421_sata_ops = {
26189 .inherits = &svia_base_ops,
26190 .scr_read = svia_scr_read,
26191 .scr_write = svia_scr_write,
26192 };
26193
26194 -static struct ata_port_operations vt8251_ops = {
26195 +static const struct ata_port_operations vt8251_ops = {
26196 .inherits = &svia_base_ops,
26197 .hardreset = sata_std_hardreset,
26198 .scr_read = vt8251_scr_read,
26199 diff -urNp linux-2.6.32.46/drivers/ata/sata_vsc.c linux-2.6.32.46/drivers/ata/sata_vsc.c
26200 --- linux-2.6.32.46/drivers/ata/sata_vsc.c 2011-03-27 14:31:47.000000000 -0400
26201 +++ linux-2.6.32.46/drivers/ata/sata_vsc.c 2011-04-17 15:56:46.000000000 -0400
26202 @@ -306,7 +306,7 @@ static struct scsi_host_template vsc_sat
26203 };
26204
26205
26206 -static struct ata_port_operations vsc_sata_ops = {
26207 +static const struct ata_port_operations vsc_sata_ops = {
26208 .inherits = &ata_bmdma_port_ops,
26209 /* The IRQ handling is not quite standard SFF behaviour so we
26210 cannot use the default lost interrupt handler */
26211 diff -urNp linux-2.6.32.46/drivers/atm/adummy.c linux-2.6.32.46/drivers/atm/adummy.c
26212 --- linux-2.6.32.46/drivers/atm/adummy.c 2011-03-27 14:31:47.000000000 -0400
26213 +++ linux-2.6.32.46/drivers/atm/adummy.c 2011-04-17 15:56:46.000000000 -0400
26214 @@ -77,7 +77,7 @@ adummy_send(struct atm_vcc *vcc, struct
26215 vcc->pop(vcc, skb);
26216 else
26217 dev_kfree_skb_any(skb);
26218 - atomic_inc(&vcc->stats->tx);
26219 + atomic_inc_unchecked(&vcc->stats->tx);
26220
26221 return 0;
26222 }
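Review bot: `atomic_inc_unchecked()` opts `vcc->stats->tx` out of the overflow detection that plain `atomic_inc()` gets under PAX_REFCOUNT, and nothing at the call site records why that is acceptable. A one-line comment such as `/* statistics counter: may wrap, never used as a reference count */` would document the reasoning. It fits the ambassador.c, atmtcp.c and eni.c hunks that follow equally well. The call also needs the `tx`, `rx`, `tx_err`, `rx_err` and `rx_drop` members to be declared `atomic_unchecked_t` and every reader to use the `_unchecked` accessors; those declarations are outside this chunk and should be checked together with any ATM driver still calling plain `atomic_inc()` on them. `adummy_send` begins before the hunk.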
26223 diff -urNp linux-2.6.32.46/drivers/atm/ambassador.c linux-2.6.32.46/drivers/atm/ambassador.c
26224 --- linux-2.6.32.46/drivers/atm/ambassador.c 2011-03-27 14:31:47.000000000 -0400
26225 +++ linux-2.6.32.46/drivers/atm/ambassador.c 2011-04-17 15:56:46.000000000 -0400
26226 @@ -453,7 +453,7 @@ static void tx_complete (amb_dev * dev,
26227 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
26228
26229 // VC layer stats
26230 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
26231 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
26232
26233 // free the descriptor
26234 kfree (tx_descr);
26235 @@ -494,7 +494,7 @@ static void rx_complete (amb_dev * dev,
26236 dump_skb ("<<<", vc, skb);
26237
26238 // VC layer stats
26239 - atomic_inc(&atm_vcc->stats->rx);
26240 + atomic_inc_unchecked(&atm_vcc->stats->rx);
26241 __net_timestamp(skb);
26242 // end of our responsability
26243 atm_vcc->push (atm_vcc, skb);
26244 @@ -509,7 +509,7 @@ static void rx_complete (amb_dev * dev,
26245 } else {
26246 PRINTK (KERN_INFO, "dropped over-size frame");
26247 // should we count this?
26248 - atomic_inc(&atm_vcc->stats->rx_drop);
26249 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26250 }
26251
26252 } else {
26253 @@ -1341,7 +1341,7 @@ static int amb_send (struct atm_vcc * at
26254 }
26255
26256 if (check_area (skb->data, skb->len)) {
26257 - atomic_inc(&atm_vcc->stats->tx_err);
26258 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
26259 return -ENOMEM; // ?
26260 }
26261
26262 diff -urNp linux-2.6.32.46/drivers/atm/atmtcp.c linux-2.6.32.46/drivers/atm/atmtcp.c
26263 --- linux-2.6.32.46/drivers/atm/atmtcp.c 2011-03-27 14:31:47.000000000 -0400
26264 +++ linux-2.6.32.46/drivers/atm/atmtcp.c 2011-04-17 15:56:46.000000000 -0400
26265 @@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc
26266 if (vcc->pop) vcc->pop(vcc,skb);
26267 else dev_kfree_skb(skb);
26268 if (dev_data) return 0;
26269 - atomic_inc(&vcc->stats->tx_err);
26270 + atomic_inc_unchecked(&vcc->stats->tx_err);
26271 return -ENOLINK;
26272 }
26273 size = skb->len+sizeof(struct atmtcp_hdr);
26274 @@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc
26275 if (!new_skb) {
26276 if (vcc->pop) vcc->pop(vcc,skb);
26277 else dev_kfree_skb(skb);
26278 - atomic_inc(&vcc->stats->tx_err);
26279 + atomic_inc_unchecked(&vcc->stats->tx_err);
26280 return -ENOBUFS;
26281 }
26282 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
26283 @@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc
26284 if (vcc->pop) vcc->pop(vcc,skb);
26285 else dev_kfree_skb(skb);
26286 out_vcc->push(out_vcc,new_skb);
26287 - atomic_inc(&vcc->stats->tx);
26288 - atomic_inc(&out_vcc->stats->rx);
26289 + atomic_inc_unchecked(&vcc->stats->tx);
26290 + atomic_inc_unchecked(&out_vcc->stats->rx);
26291 return 0;
26292 }
26293
26294 @@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc
26295 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
26296 read_unlock(&vcc_sklist_lock);
26297 if (!out_vcc) {
26298 - atomic_inc(&vcc->stats->tx_err);
26299 + atomic_inc_unchecked(&vcc->stats->tx_err);
26300 goto done;
26301 }
26302 skb_pull(skb,sizeof(struct atmtcp_hdr));
26303 @@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc
26304 __net_timestamp(new_skb);
26305 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
26306 out_vcc->push(out_vcc,new_skb);
26307 - atomic_inc(&vcc->stats->tx);
26308 - atomic_inc(&out_vcc->stats->rx);
26309 + atomic_inc_unchecked(&vcc->stats->tx);
26310 + atomic_inc_unchecked(&out_vcc->stats->rx);
26311 done:
26312 if (vcc->pop) vcc->pop(vcc,skb);
26313 else dev_kfree_skb(skb);
26314 diff -urNp linux-2.6.32.46/drivers/atm/eni.c linux-2.6.32.46/drivers/atm/eni.c
26315 --- linux-2.6.32.46/drivers/atm/eni.c 2011-03-27 14:31:47.000000000 -0400
26316 +++ linux-2.6.32.46/drivers/atm/eni.c 2011-04-17 15:56:46.000000000 -0400
26317 @@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
26318 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
26319 vcc->dev->number);
26320 length = 0;
26321 - atomic_inc(&vcc->stats->rx_err);
26322 + atomic_inc_unchecked(&vcc->stats->rx_err);
26323 }
26324 else {
26325 length = ATM_CELL_SIZE-1; /* no HEC */
26326 @@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
26327 size);
26328 }
26329 eff = length = 0;
26330 - atomic_inc(&vcc->stats->rx_err);
26331 + atomic_inc_unchecked(&vcc->stats->rx_err);
26332 }
26333 else {
26334 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
26335 @@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
26336 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
26337 vcc->dev->number,vcc->vci,length,size << 2,descr);
26338 length = eff = 0;
26339 - atomic_inc(&vcc->stats->rx_err);
26340 + atomic_inc_unchecked(&vcc->stats->rx_err);
26341 }
26342 }
26343 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
26344 @@ -770,7 +770,7 @@ rx_dequeued++;
26345 vcc->push(vcc,skb);
26346 pushed++;
26347 }
26348 - atomic_inc(&vcc->stats->rx);
26349 + atomic_inc_unchecked(&vcc->stats->rx);
26350 }
26351 wake_up(&eni_dev->rx_wait);
26352 }
26353 @@ -1227,7 +1227,7 @@ static void dequeue_tx(struct atm_dev *d
26354 PCI_DMA_TODEVICE);
26355 if (vcc->pop) vcc->pop(vcc,skb);
26356 else dev_kfree_skb_irq(skb);
26357 - atomic_inc(&vcc->stats->tx);
26358 + atomic_inc_unchecked(&vcc->stats->tx);
26359 wake_up(&eni_dev->tx_wait);
26360 dma_complete++;
26361 }
26362 diff -urNp linux-2.6.32.46/drivers/atm/firestream.c linux-2.6.32.46/drivers/atm/firestream.c
26363 --- linux-2.6.32.46/drivers/atm/firestream.c 2011-03-27 14:31:47.000000000 -0400
26364 +++ linux-2.6.32.46/drivers/atm/firestream.c 2011-04-17 15:56:46.000000000 -0400
26365 @@ -748,7 +748,7 @@ static void process_txdone_queue (struct
26366 }
26367 }
26368
26369 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
26370 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
26371
26372 fs_dprintk (FS_DEBUG_TXMEM, "i");
26373 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
26374 @@ -815,7 +815,7 @@ static void process_incoming (struct fs_
26375 #endif
26376 skb_put (skb, qe->p1 & 0xffff);
26377 ATM_SKB(skb)->vcc = atm_vcc;
26378 - atomic_inc(&atm_vcc->stats->rx);
26379 + atomic_inc_unchecked(&atm_vcc->stats->rx);
26380 __net_timestamp(skb);
26381 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
26382 atm_vcc->push (atm_vcc, skb);
26383 @@ -836,12 +836,12 @@ static void process_incoming (struct fs_
26384 kfree (pe);
26385 }
26386 if (atm_vcc)
26387 - atomic_inc(&atm_vcc->stats->rx_drop);
26388 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26389 break;
26390 case 0x1f: /* Reassembly abort: no buffers. */
26391 /* Silently increment error counter. */
26392 if (atm_vcc)
26393 - atomic_inc(&atm_vcc->stats->rx_drop);
26394 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
26395 break;
26396 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
26397 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
26398 diff -urNp linux-2.6.32.46/drivers/atm/fore200e.c linux-2.6.32.46/drivers/atm/fore200e.c
26399 --- linux-2.6.32.46/drivers/atm/fore200e.c 2011-03-27 14:31:47.000000000 -0400
26400 +++ linux-2.6.32.46/drivers/atm/fore200e.c 2011-04-17 15:56:46.000000000 -0400
26401 @@ -931,9 +931,9 @@ fore200e_tx_irq(struct fore200e* fore200
26402 #endif
26403 /* check error condition */
26404 if (*entry->status & STATUS_ERROR)
26405 - atomic_inc(&vcc->stats->tx_err);
26406 + atomic_inc_unchecked(&vcc->stats->tx_err);
26407 else
26408 - atomic_inc(&vcc->stats->tx);
26409 + atomic_inc_unchecked(&vcc->stats->tx);
26410 }
26411 }
26412
26413 @@ -1082,7 +1082,7 @@ fore200e_push_rpd(struct fore200e* fore2
26414 if (skb == NULL) {
26415 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
26416
26417 - atomic_inc(&vcc->stats->rx_drop);
26418 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26419 return -ENOMEM;
26420 }
26421
26422 @@ -1125,14 +1125,14 @@ fore200e_push_rpd(struct fore200e* fore2
26423
26424 dev_kfree_skb_any(skb);
26425
26426 - atomic_inc(&vcc->stats->rx_drop);
26427 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26428 return -ENOMEM;
26429 }
26430
26431 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
26432
26433 vcc->push(vcc, skb);
26434 - atomic_inc(&vcc->stats->rx);
26435 + atomic_inc_unchecked(&vcc->stats->rx);
26436
26437 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
26438
26439 @@ -1210,7 +1210,7 @@ fore200e_rx_irq(struct fore200e* fore200
26440 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
26441 fore200e->atm_dev->number,
26442 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
26443 - atomic_inc(&vcc->stats->rx_err);
26444 + atomic_inc_unchecked(&vcc->stats->rx_err);
26445 }
26446 }
26447
26448 @@ -1655,7 +1655,7 @@ fore200e_send(struct atm_vcc *vcc, struc
26449 goto retry_here;
26450 }
26451
26452 - atomic_inc(&vcc->stats->tx_err);
26453 + atomic_inc_unchecked(&vcc->stats->tx_err);
26454
26455 fore200e->tx_sat++;
26456 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
26457 diff -urNp linux-2.6.32.46/drivers/atm/he.c linux-2.6.32.46/drivers/atm/he.c
26458 --- linux-2.6.32.46/drivers/atm/he.c 2011-03-27 14:31:47.000000000 -0400
26459 +++ linux-2.6.32.46/drivers/atm/he.c 2011-04-17 15:56:46.000000000 -0400
26460 @@ -1769,7 +1769,7 @@ he_service_rbrq(struct he_dev *he_dev, i
26461
26462 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
26463 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
26464 - atomic_inc(&vcc->stats->rx_drop);
26465 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26466 goto return_host_buffers;
26467 }
26468
26469 @@ -1802,7 +1802,7 @@ he_service_rbrq(struct he_dev *he_dev, i
26470 RBRQ_LEN_ERR(he_dev->rbrq_head)
26471 ? "LEN_ERR" : "",
26472 vcc->vpi, vcc->vci);
26473 - atomic_inc(&vcc->stats->rx_err);
26474 + atomic_inc_unchecked(&vcc->stats->rx_err);
26475 goto return_host_buffers;
26476 }
26477
26478 @@ -1861,7 +1861,7 @@ he_service_rbrq(struct he_dev *he_dev, i
26479 vcc->push(vcc, skb);
26480 spin_lock(&he_dev->global_lock);
26481
26482 - atomic_inc(&vcc->stats->rx);
26483 + atomic_inc_unchecked(&vcc->stats->rx);
26484
26485 return_host_buffers:
26486 ++pdus_assembled;
26487 @@ -2206,7 +2206,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
26488 tpd->vcc->pop(tpd->vcc, tpd->skb);
26489 else
26490 dev_kfree_skb_any(tpd->skb);
26491 - atomic_inc(&tpd->vcc->stats->tx_err);
26492 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
26493 }
26494 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
26495 return;
26496 @@ -2618,7 +2618,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26497 vcc->pop(vcc, skb);
26498 else
26499 dev_kfree_skb_any(skb);
26500 - atomic_inc(&vcc->stats->tx_err);
26501 + atomic_inc_unchecked(&vcc->stats->tx_err);
26502 return -EINVAL;
26503 }
26504
26505 @@ -2629,7 +2629,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26506 vcc->pop(vcc, skb);
26507 else
26508 dev_kfree_skb_any(skb);
26509 - atomic_inc(&vcc->stats->tx_err);
26510 + atomic_inc_unchecked(&vcc->stats->tx_err);
26511 return -EINVAL;
26512 }
26513 #endif
26514 @@ -2641,7 +2641,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26515 vcc->pop(vcc, skb);
26516 else
26517 dev_kfree_skb_any(skb);
26518 - atomic_inc(&vcc->stats->tx_err);
26519 + atomic_inc_unchecked(&vcc->stats->tx_err);
26520 spin_unlock_irqrestore(&he_dev->global_lock, flags);
26521 return -ENOMEM;
26522 }
26523 @@ -2683,7 +2683,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26524 vcc->pop(vcc, skb);
26525 else
26526 dev_kfree_skb_any(skb);
26527 - atomic_inc(&vcc->stats->tx_err);
26528 + atomic_inc_unchecked(&vcc->stats->tx_err);
26529 spin_unlock_irqrestore(&he_dev->global_lock, flags);
26530 return -ENOMEM;
26531 }
26532 @@ -2714,7 +2714,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
26533 __enqueue_tpd(he_dev, tpd, cid);
26534 spin_unlock_irqrestore(&he_dev->global_lock, flags);
26535
26536 - atomic_inc(&vcc->stats->tx);
26537 + atomic_inc_unchecked(&vcc->stats->tx);
26538
26539 return 0;
26540 }
26541 diff -urNp linux-2.6.32.46/drivers/atm/horizon.c linux-2.6.32.46/drivers/atm/horizon.c
26542 --- linux-2.6.32.46/drivers/atm/horizon.c 2011-03-27 14:31:47.000000000 -0400
26543 +++ linux-2.6.32.46/drivers/atm/horizon.c 2011-04-17 15:56:46.000000000 -0400
26544 @@ -1033,7 +1033,7 @@ static void rx_schedule (hrz_dev * dev,
26545 {
26546 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
26547 // VC layer stats
26548 - atomic_inc(&vcc->stats->rx);
26549 + atomic_inc_unchecked(&vcc->stats->rx);
26550 __net_timestamp(skb);
26551 // end of our responsability
26552 vcc->push (vcc, skb);
26553 @@ -1185,7 +1185,7 @@ static void tx_schedule (hrz_dev * const
26554 dev->tx_iovec = NULL;
26555
26556 // VC layer stats
26557 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
26558 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
26559
26560 // free the skb
26561 hrz_kfree_skb (skb);
26562 diff -urNp linux-2.6.32.46/drivers/atm/idt77252.c linux-2.6.32.46/drivers/atm/idt77252.c
26563 --- linux-2.6.32.46/drivers/atm/idt77252.c 2011-03-27 14:31:47.000000000 -0400
26564 +++ linux-2.6.32.46/drivers/atm/idt77252.c 2011-04-17 15:56:46.000000000 -0400
26565 @@ -810,7 +810,7 @@ drain_scq(struct idt77252_dev *card, str
26566 else
26567 dev_kfree_skb(skb);
26568
26569 - atomic_inc(&vcc->stats->tx);
26570 + atomic_inc_unchecked(&vcc->stats->tx);
26571 }
26572
26573 atomic_dec(&scq->used);
26574 @@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, st
26575 if ((sb = dev_alloc_skb(64)) == NULL) {
26576 printk("%s: Can't allocate buffers for aal0.\n",
26577 card->name);
26578 - atomic_add(i, &vcc->stats->rx_drop);
26579 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
26580 break;
26581 }
26582 if (!atm_charge(vcc, sb->truesize)) {
26583 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
26584 card->name);
26585 - atomic_add(i - 1, &vcc->stats->rx_drop);
26586 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
26587 dev_kfree_skb(sb);
26588 break;
26589 }
26590 @@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, st
26591 ATM_SKB(sb)->vcc = vcc;
26592 __net_timestamp(sb);
26593 vcc->push(vcc, sb);
26594 - atomic_inc(&vcc->stats->rx);
26595 + atomic_inc_unchecked(&vcc->stats->rx);
26596
26597 cell += ATM_CELL_PAYLOAD;
26598 }
26599 @@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, st
26600 "(CDC: %08x)\n",
26601 card->name, len, rpp->len, readl(SAR_REG_CDC));
26602 recycle_rx_pool_skb(card, rpp);
26603 - atomic_inc(&vcc->stats->rx_err);
26604 + atomic_inc_unchecked(&vcc->stats->rx_err);
26605 return;
26606 }
26607 if (stat & SAR_RSQE_CRC) {
26608 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
26609 recycle_rx_pool_skb(card, rpp);
26610 - atomic_inc(&vcc->stats->rx_err);
26611 + atomic_inc_unchecked(&vcc->stats->rx_err);
26612 return;
26613 }
26614 if (skb_queue_len(&rpp->queue) > 1) {
26615 @@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, st
26616 RXPRINTK("%s: Can't alloc RX skb.\n",
26617 card->name);
26618 recycle_rx_pool_skb(card, rpp);
26619 - atomic_inc(&vcc->stats->rx_err);
26620 + atomic_inc_unchecked(&vcc->stats->rx_err);
26621 return;
26622 }
26623 if (!atm_charge(vcc, skb->truesize)) {
26624 @@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, st
26625 __net_timestamp(skb);
26626
26627 vcc->push(vcc, skb);
26628 - atomic_inc(&vcc->stats->rx);
26629 + atomic_inc_unchecked(&vcc->stats->rx);
26630
26631 return;
26632 }
26633 @@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, st
26634 __net_timestamp(skb);
26635
26636 vcc->push(vcc, skb);
26637 - atomic_inc(&vcc->stats->rx);
26638 + atomic_inc_unchecked(&vcc->stats->rx);
26639
26640 if (skb->truesize > SAR_FB_SIZE_3)
26641 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
26642 @@ -1303,14 +1303,14 @@ idt77252_rx_raw(struct idt77252_dev *car
26643 if (vcc->qos.aal != ATM_AAL0) {
26644 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
26645 card->name, vpi, vci);
26646 - atomic_inc(&vcc->stats->rx_drop);
26647 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26648 goto drop;
26649 }
26650
26651 if ((sb = dev_alloc_skb(64)) == NULL) {
26652 printk("%s: Can't allocate buffers for AAL0.\n",
26653 card->name);
26654 - atomic_inc(&vcc->stats->rx_err);
26655 + atomic_inc_unchecked(&vcc->stats->rx_err);
26656 goto drop;
26657 }
26658
26659 @@ -1329,7 +1329,7 @@ idt77252_rx_raw(struct idt77252_dev *car
26660 ATM_SKB(sb)->vcc = vcc;
26661 __net_timestamp(sb);
26662 vcc->push(vcc, sb);
26663 - atomic_inc(&vcc->stats->rx);
26664 + atomic_inc_unchecked(&vcc->stats->rx);
26665
26666 drop:
26667 skb_pull(queue, 64);
26668 @@ -1954,13 +1954,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
26669
26670 if (vc == NULL) {
26671 printk("%s: NULL connection in send().\n", card->name);
26672 - atomic_inc(&vcc->stats->tx_err);
26673 + atomic_inc_unchecked(&vcc->stats->tx_err);
26674 dev_kfree_skb(skb);
26675 return -EINVAL;
26676 }
26677 if (!test_bit(VCF_TX, &vc->flags)) {
26678 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
26679 - atomic_inc(&vcc->stats->tx_err);
26680 + atomic_inc_unchecked(&vcc->stats->tx_err);
26681 dev_kfree_skb(skb);
26682 return -EINVAL;
26683 }
26684 @@ -1972,14 +1972,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
26685 break;
26686 default:
26687 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
26688 - atomic_inc(&vcc->stats->tx_err);
26689 + atomic_inc_unchecked(&vcc->stats->tx_err);
26690 dev_kfree_skb(skb);
26691 return -EINVAL;
26692 }
26693
26694 if (skb_shinfo(skb)->nr_frags != 0) {
26695 printk("%s: No scatter-gather yet.\n", card->name);
26696 - atomic_inc(&vcc->stats->tx_err);
26697 + atomic_inc_unchecked(&vcc->stats->tx_err);
26698 dev_kfree_skb(skb);
26699 return -EINVAL;
26700 }
26701 @@ -1987,7 +1987,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
26702
26703 err = queue_skb(card, vc, skb, oam);
26704 if (err) {
26705 - atomic_inc(&vcc->stats->tx_err);
26706 + atomic_inc_unchecked(&vcc->stats->tx_err);
26707 dev_kfree_skb(skb);
26708 return err;
26709 }
26710 @@ -2010,7 +2010,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
26711 skb = dev_alloc_skb(64);
26712 if (!skb) {
26713 printk("%s: Out of memory in send_oam().\n", card->name);
26714 - atomic_inc(&vcc->stats->tx_err);
26715 + atomic_inc_unchecked(&vcc->stats->tx_err);
26716 return -ENOMEM;
26717 }
26718 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
26719 diff -urNp linux-2.6.32.46/drivers/atm/iphase.c linux-2.6.32.46/drivers/atm/iphase.c
26720 --- linux-2.6.32.46/drivers/atm/iphase.c 2011-03-27 14:31:47.000000000 -0400
26721 +++ linux-2.6.32.46/drivers/atm/iphase.c 2011-04-17 15:56:46.000000000 -0400
26722 @@ -1123,7 +1123,7 @@ static int rx_pkt(struct atm_dev *dev)
26723 status = (u_short) (buf_desc_ptr->desc_mode);
26724 if (status & (RX_CER | RX_PTE | RX_OFL))
26725 {
26726 - atomic_inc(&vcc->stats->rx_err);
26727 + atomic_inc_unchecked(&vcc->stats->rx_err);
26728 IF_ERR(printk("IA: bad packet, dropping it");)
26729 if (status & RX_CER) {
26730 IF_ERR(printk(" cause: packet CRC error\n");)
26731 @@ -1146,7 +1146,7 @@ static int rx_pkt(struct atm_dev *dev)
26732 len = dma_addr - buf_addr;
26733 if (len > iadev->rx_buf_sz) {
26734 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
26735 - atomic_inc(&vcc->stats->rx_err);
26736 + atomic_inc_unchecked(&vcc->stats->rx_err);
26737 goto out_free_desc;
26738 }
26739
26740 @@ -1296,7 +1296,7 @@ static void rx_dle_intr(struct atm_dev *
26741 ia_vcc = INPH_IA_VCC(vcc);
26742 if (ia_vcc == NULL)
26743 {
26744 - atomic_inc(&vcc->stats->rx_err);
26745 + atomic_inc_unchecked(&vcc->stats->rx_err);
26746 dev_kfree_skb_any(skb);
26747 atm_return(vcc, atm_guess_pdu2truesize(len));
26748 goto INCR_DLE;
26749 @@ -1308,7 +1308,7 @@ static void rx_dle_intr(struct atm_dev *
26750 if ((length > iadev->rx_buf_sz) || (length >
26751 (skb->len - sizeof(struct cpcs_trailer))))
26752 {
26753 - atomic_inc(&vcc->stats->rx_err);
26754 + atomic_inc_unchecked(&vcc->stats->rx_err);
26755 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
26756 length, skb->len);)
26757 dev_kfree_skb_any(skb);
26758 @@ -1324,7 +1324,7 @@ static void rx_dle_intr(struct atm_dev *
26759
26760 IF_RX(printk("rx_dle_intr: skb push");)
26761 vcc->push(vcc,skb);
26762 - atomic_inc(&vcc->stats->rx);
26763 + atomic_inc_unchecked(&vcc->stats->rx);
26764 iadev->rx_pkt_cnt++;
26765 }
26766 INCR_DLE:
26767 @@ -2806,15 +2806,15 @@ static int ia_ioctl(struct atm_dev *dev,
26768 {
26769 struct k_sonet_stats *stats;
26770 stats = &PRIV(_ia_dev[board])->sonet_stats;
26771 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
26772 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
26773 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
26774 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
26775 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
26776 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
26777 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
26778 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
26779 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
26780 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
26781 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
26782 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
26783 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
26784 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
26785 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
26786 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
26787 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
26788 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
26789 }
26790 ia_cmds.status = 0;
26791 break;
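Review bot: The nine statistics lines in this ia_ioctl case print without a log level, and they read through `_ia_dev[board]`, whose bounds check is not visible in this hunk. Give each call an explicit level, e.g. `printk(KERN_DEBUG "section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));`. If `board` is derived from the ioctl argument, confirm it is range-checked against the number of probed adapters before it indexes `_ia_dev`. The enclosing case block starts and ends outside the hunk.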
26792 @@ -2919,7 +2919,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
26793 if ((desc == 0) || (desc > iadev->num_tx_desc))
26794 {
26795 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
26796 - atomic_inc(&vcc->stats->tx);
26797 + atomic_inc_unchecked(&vcc->stats->tx);
26798 if (vcc->pop)
26799 vcc->pop(vcc, skb);
26800 else
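Review bot: The invalid-descriptor branch of ia_pkt_tx still bumps the success counter: right after logging `invalid desc for send`, the new line is `atomic_inc_unchecked(&vcc->stats->tx);`, so a rejected send is counted as a transmitted PDU. Unless that is intentional, it should read `atomic_inc_unchecked(&vcc->stats->tx_err);`, as the failure paths of the other drivers touched by this patch do. The mechanical rename carries the old behaviour over unchanged. The rest of the branch lies outside the hunk, so check what it returns before changing the counter.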
26801 @@ -3024,14 +3024,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
26802 ATM_DESC(skb) = vcc->vci;
26803 skb_queue_tail(&iadev->tx_dma_q, skb);
26804
26805 - atomic_inc(&vcc->stats->tx);
26806 + atomic_inc_unchecked(&vcc->stats->tx);
26807 iadev->tx_pkt_cnt++;
26808 /* Increment transaction counter */
26809 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
26810
26811 #if 0
26812 /* add flow control logic */
26813 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
26814 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
26815 if (iavcc->vc_desc_cnt > 10) {
26816 vcc->tx_quota = vcc->tx_quota * 3 / 4;
26817 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
26818 diff -urNp linux-2.6.32.46/drivers/atm/lanai.c linux-2.6.32.46/drivers/atm/lanai.c
26819 --- linux-2.6.32.46/drivers/atm/lanai.c 2011-03-27 14:31:47.000000000 -0400
26820 +++ linux-2.6.32.46/drivers/atm/lanai.c 2011-04-17 15:56:46.000000000 -0400
26821 @@ -1305,7 +1305,7 @@ static void lanai_send_one_aal5(struct l
26822 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
26823 lanai_endtx(lanai, lvcc);
26824 lanai_free_skb(lvcc->tx.atmvcc, skb);
26825 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
26826 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
26827 }
26828
26829 /* Try to fill the buffer - don't call unless there is backlog */
26830 @@ -1428,7 +1428,7 @@ static void vcc_rx_aal5(struct lanai_vcc
26831 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
26832 __net_timestamp(skb);
26833 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
26834 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
26835 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
26836 out:
26837 lvcc->rx.buf.ptr = end;
26838 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
26839 @@ -1670,7 +1670,7 @@ static int handle_service(struct lanai_d
26840 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
26841 "vcc %d\n", lanai->number, (unsigned int) s, vci);
26842 lanai->stats.service_rxnotaal5++;
26843 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
26844 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
26845 return 0;
26846 }
26847 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
26848 @@ -1682,7 +1682,7 @@ static int handle_service(struct lanai_d
26849 int bytes;
26850 read_unlock(&vcc_sklist_lock);
26851 DPRINTK("got trashed rx pdu on vci %d\n", vci);
26852 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
26853 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
26854 lvcc->stats.x.aal5.service_trash++;
26855 bytes = (SERVICE_GET_END(s) * 16) -
26856 (((unsigned long) lvcc->rx.buf.ptr) -
26857 @@ -1694,7 +1694,7 @@ static int handle_service(struct lanai_d
26858 }
26859 if (s & SERVICE_STREAM) {
26860 read_unlock(&vcc_sklist_lock);
26861 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
26862 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
26863 lvcc->stats.x.aal5.service_stream++;
26864 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
26865 "PDU on VCI %d!\n", lanai->number, vci);
26866 @@ -1702,7 +1702,7 @@ static int handle_service(struct lanai_d
26867 return 0;
26868 }
26869 DPRINTK("got rx crc error on vci %d\n", vci);
26870 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
26871 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
26872 lvcc->stats.x.aal5.service_rxcrc++;
26873 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
26874 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
26875 diff -urNp linux-2.6.32.46/drivers/atm/nicstar.c linux-2.6.32.46/drivers/atm/nicstar.c
26876 --- linux-2.6.32.46/drivers/atm/nicstar.c 2011-03-27 14:31:47.000000000 -0400
26877 +++ linux-2.6.32.46/drivers/atm/nicstar.c 2011-04-17 15:56:46.000000000 -0400
26878 @@ -1723,7 +1723,7 @@ static int ns_send(struct atm_vcc *vcc,
26879 if ((vc = (vc_map *) vcc->dev_data) == NULL)
26880 {
26881 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
26882 - atomic_inc(&vcc->stats->tx_err);
26883 + atomic_inc_unchecked(&vcc->stats->tx_err);
26884 dev_kfree_skb_any(skb);
26885 return -EINVAL;
26886 }
26887 @@ -1731,7 +1731,7 @@ static int ns_send(struct atm_vcc *vcc,
26888 if (!vc->tx)
26889 {
26890 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
26891 - atomic_inc(&vcc->stats->tx_err);
26892 + atomic_inc_unchecked(&vcc->stats->tx_err);
26893 dev_kfree_skb_any(skb);
26894 return -EINVAL;
26895 }
26896 @@ -1739,7 +1739,7 @@ static int ns_send(struct atm_vcc *vcc,
26897 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
26898 {
26899 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
26900 - atomic_inc(&vcc->stats->tx_err);
26901 + atomic_inc_unchecked(&vcc->stats->tx_err);
26902 dev_kfree_skb_any(skb);
26903 return -EINVAL;
26904 }
26905 @@ -1747,7 +1747,7 @@ static int ns_send(struct atm_vcc *vcc,
26906 if (skb_shinfo(skb)->nr_frags != 0)
26907 {
26908 printk("nicstar%d: No scatter-gather yet.\n", card->index);
26909 - atomic_inc(&vcc->stats->tx_err);
26910 + atomic_inc_unchecked(&vcc->stats->tx_err);
26911 dev_kfree_skb_any(skb);
26912 return -EINVAL;
26913 }
26914 @@ -1792,11 +1792,11 @@ static int ns_send(struct atm_vcc *vcc,
26915
26916 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
26917 {
26918 - atomic_inc(&vcc->stats->tx_err);
26919 + atomic_inc_unchecked(&vcc->stats->tx_err);
26920 dev_kfree_skb_any(skb);
26921 return -EIO;
26922 }
26923 - atomic_inc(&vcc->stats->tx);
26924 + atomic_inc_unchecked(&vcc->stats->tx);
26925
26926 return 0;
26927 }
26928 @@ -2111,14 +2111,14 @@ static void dequeue_rx(ns_dev *card, ns_
26929 {
26930 printk("nicstar%d: Can't allocate buffers for aal0.\n",
26931 card->index);
26932 - atomic_add(i,&vcc->stats->rx_drop);
26933 + atomic_add_unchecked(i,&vcc->stats->rx_drop);
26934 break;
26935 }
26936 if (!atm_charge(vcc, sb->truesize))
26937 {
26938 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
26939 card->index);
26940 - atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
26941 + atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
26942 dev_kfree_skb_any(sb);
26943 break;
26944 }
26945 @@ -2133,7 +2133,7 @@ static void dequeue_rx(ns_dev *card, ns_
26946 ATM_SKB(sb)->vcc = vcc;
26947 __net_timestamp(sb);
26948 vcc->push(vcc, sb);
26949 - atomic_inc(&vcc->stats->rx);
26950 + atomic_inc_unchecked(&vcc->stats->rx);
26951 cell += ATM_CELL_PAYLOAD;
26952 }
26953
26954 @@ -2152,7 +2152,7 @@ static void dequeue_rx(ns_dev *card, ns_
26955 if (iovb == NULL)
26956 {
26957 printk("nicstar%d: Out of iovec buffers.\n", card->index);
26958 - atomic_inc(&vcc->stats->rx_drop);
26959 + atomic_inc_unchecked(&vcc->stats->rx_drop);
26960 recycle_rx_buf(card, skb);
26961 return;
26962 }
26963 @@ -2182,7 +2182,7 @@ static void dequeue_rx(ns_dev *card, ns_
26964 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
26965 {
26966 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
26967 - atomic_inc(&vcc->stats->rx_err);
26968 + atomic_inc_unchecked(&vcc->stats->rx_err);
26969 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
26970 NS_SKB(iovb)->iovcnt = 0;
26971 iovb->len = 0;
26972 @@ -2202,7 +2202,7 @@ static void dequeue_rx(ns_dev *card, ns_
26973 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
26974 card->index);
26975 which_list(card, skb);
26976 - atomic_inc(&vcc->stats->rx_err);
26977 + atomic_inc_unchecked(&vcc->stats->rx_err);
26978 recycle_rx_buf(card, skb);
26979 vc->rx_iov = NULL;
26980 recycle_iov_buf(card, iovb);
26981 @@ -2216,7 +2216,7 @@ static void dequeue_rx(ns_dev *card, ns_
26982 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
26983 card->index);
26984 which_list(card, skb);
26985 - atomic_inc(&vcc->stats->rx_err);
26986 + atomic_inc_unchecked(&vcc->stats->rx_err);
26987 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
26988 NS_SKB(iovb)->iovcnt);
26989 vc->rx_iov = NULL;
26990 @@ -2240,7 +2240,7 @@ static void dequeue_rx(ns_dev *card, ns_
26991 printk(" - PDU size mismatch.\n");
26992 else
26993 printk(".\n");
26994 - atomic_inc(&vcc->stats->rx_err);
26995 + atomic_inc_unchecked(&vcc->stats->rx_err);
26996 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
26997 NS_SKB(iovb)->iovcnt);
26998 vc->rx_iov = NULL;
26999 @@ -2256,7 +2256,7 @@ static void dequeue_rx(ns_dev *card, ns_
27000 if (!atm_charge(vcc, skb->truesize))
27001 {
27002 push_rxbufs(card, skb);
27003 - atomic_inc(&vcc->stats->rx_drop);
27004 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27005 }
27006 else
27007 {
27008 @@ -2268,7 +2268,7 @@ static void dequeue_rx(ns_dev *card, ns_
27009 ATM_SKB(skb)->vcc = vcc;
27010 __net_timestamp(skb);
27011 vcc->push(vcc, skb);
27012 - atomic_inc(&vcc->stats->rx);
27013 + atomic_inc_unchecked(&vcc->stats->rx);
27014 }
27015 }
27016 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
27017 @@ -2283,7 +2283,7 @@ static void dequeue_rx(ns_dev *card, ns_
27018 if (!atm_charge(vcc, sb->truesize))
27019 {
27020 push_rxbufs(card, sb);
27021 - atomic_inc(&vcc->stats->rx_drop);
27022 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27023 }
27024 else
27025 {
27026 @@ -2295,7 +2295,7 @@ static void dequeue_rx(ns_dev *card, ns_
27027 ATM_SKB(sb)->vcc = vcc;
27028 __net_timestamp(sb);
27029 vcc->push(vcc, sb);
27030 - atomic_inc(&vcc->stats->rx);
27031 + atomic_inc_unchecked(&vcc->stats->rx);
27032 }
27033
27034 push_rxbufs(card, skb);
27035 @@ -2306,7 +2306,7 @@ static void dequeue_rx(ns_dev *card, ns_
27036 if (!atm_charge(vcc, skb->truesize))
27037 {
27038 push_rxbufs(card, skb);
27039 - atomic_inc(&vcc->stats->rx_drop);
27040 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27041 }
27042 else
27043 {
27044 @@ -2320,7 +2320,7 @@ static void dequeue_rx(ns_dev *card, ns_
27045 ATM_SKB(skb)->vcc = vcc;
27046 __net_timestamp(skb);
27047 vcc->push(vcc, skb);
27048 - atomic_inc(&vcc->stats->rx);
27049 + atomic_inc_unchecked(&vcc->stats->rx);
27050 }
27051
27052 push_rxbufs(card, sb);
27053 @@ -2342,7 +2342,7 @@ static void dequeue_rx(ns_dev *card, ns_
27054 if (hb == NULL)
27055 {
27056 printk("nicstar%d: Out of huge buffers.\n", card->index);
27057 - atomic_inc(&vcc->stats->rx_drop);
27058 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27059 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
27060 NS_SKB(iovb)->iovcnt);
27061 vc->rx_iov = NULL;
27062 @@ -2393,7 +2393,7 @@ static void dequeue_rx(ns_dev *card, ns_
27063 }
27064 else
27065 dev_kfree_skb_any(hb);
27066 - atomic_inc(&vcc->stats->rx_drop);
27067 + atomic_inc_unchecked(&vcc->stats->rx_drop);
27068 }
27069 else
27070 {
27071 @@ -2427,7 +2427,7 @@ static void dequeue_rx(ns_dev *card, ns_
27072 #endif /* NS_USE_DESTRUCTORS */
27073 __net_timestamp(hb);
27074 vcc->push(vcc, hb);
27075 - atomic_inc(&vcc->stats->rx);
27076 + atomic_inc_unchecked(&vcc->stats->rx);
27077 }
27078 }
27079
27080 diff -urNp linux-2.6.32.46/drivers/atm/solos-pci.c linux-2.6.32.46/drivers/atm/solos-pci.c
27081 --- linux-2.6.32.46/drivers/atm/solos-pci.c 2011-04-17 17:00:52.000000000 -0400
27082 +++ linux-2.6.32.46/drivers/atm/solos-pci.c 2011-05-16 21:46:57.000000000 -0400
27083 @@ -708,7 +708,7 @@ void solos_bh(unsigned long card_arg)
27084 }
27085 atm_charge(vcc, skb->truesize);
27086 vcc->push(vcc, skb);
27087 - atomic_inc(&vcc->stats->rx);
27088 + atomic_inc_unchecked(&vcc->stats->rx);
27089 break;
27090
27091 case PKT_STATUS:
27092 @@ -914,6 +914,8 @@ static int print_buffer(struct sk_buff *
27093 char msg[500];
27094 char item[10];
27095
27096 + pax_track_stack();
27097 +
27098 len = buf->len;
27099 for (i = 0; i < len; i++){
27100 if(i % 8 == 0)
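Review bot: The added `pax_track_stack();` in print_buffer has no comment saying why this function needs it; presumably the `char msg[500]` and `char item[10]` locals make the frame large enough to be worth tracking. A one-line comment above the call, such as `/* large on-stack buffers: let PaX record the stack depth */`, would stop a later refactor from dropping the call or leaving it behind once the buffers shrink. The loop that fills `msg` and `item` continues past the hunk, so whether those writes are bounded cannot be checked from here.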
27101 @@ -1023,7 +1025,7 @@ static uint32_t fpga_tx(struct solos_car
27102 vcc = SKB_CB(oldskb)->vcc;
27103
27104 if (vcc) {
27105 - atomic_inc(&vcc->stats->tx);
27106 + atomic_inc_unchecked(&vcc->stats->tx);
27107 solos_pop(vcc, oldskb);
27108 } else
27109 dev_kfree_skb_irq(oldskb);
27110 diff -urNp linux-2.6.32.46/drivers/atm/suni.c linux-2.6.32.46/drivers/atm/suni.c
27111 --- linux-2.6.32.46/drivers/atm/suni.c 2011-03-27 14:31:47.000000000 -0400
27112 +++ linux-2.6.32.46/drivers/atm/suni.c 2011-04-17 15:56:46.000000000 -0400
27113 @@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
27114
27115
27116 #define ADD_LIMITED(s,v) \
27117 - atomic_add((v),&stats->s); \
27118 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
27119 + atomic_add_unchecked((v),&stats->s); \
27120 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
27121
27122
27123 static void suni_hz(unsigned long from_timer)
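Review bot: `ADD_LIMITED` still expands to two separate statements, so a call placed under an unbraced `if` or `else` would make only the `atomic_add_unchecked()` conditional and run the saturation test every time. Wrapping the two statements in `do { ... } while (0)` removes that hazard, provided every call site ends with a semicolon (the call sites are outside this hunk). A comment such as `/* statistics counter: clamps to INT_MAX once the add wraps negative, so the overflow-checked atomic ops cannot be used */` would record why the `_unchecked` variants are needed. That rationale is inferred from the clamp logic, not stated on the page.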
27124 diff -urNp linux-2.6.32.46/drivers/atm/uPD98402.c linux-2.6.32.46/drivers/atm/uPD98402.c
27125 --- linux-2.6.32.46/drivers/atm/uPD98402.c 2011-03-27 14:31:47.000000000 -0400
27126 +++ linux-2.6.32.46/drivers/atm/uPD98402.c 2011-04-17 15:56:46.000000000 -0400
27127 @@ -41,7 +41,7 @@ static int fetch_stats(struct atm_dev *d
27128 struct sonet_stats tmp;
27129 int error = 0;
27130
27131 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
27132 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
27133 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
27134 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
27135 if (zero && !error) {
27136 @@ -160,9 +160,9 @@ static int uPD98402_ioctl(struct atm_dev
27137
27138
27139 #define ADD_LIMITED(s,v) \
27140 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
27141 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
27142 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
27143 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
27144 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
27145 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
27146
27147
27148 static void stat_event(struct atm_dev *dev)
27149 @@ -193,7 +193,7 @@ static void uPD98402_int(struct atm_dev
27150 if (reason & uPD98402_INT_PFM) stat_event(dev);
27151 if (reason & uPD98402_INT_PCO) {
27152 (void) GET(PCOCR); /* clear interrupt cause */
27153 - atomic_add(GET(HECCT),
27154 + atomic_add_unchecked(GET(HECCT),
27155 &PRIV(dev)->sonet_stats.uncorr_hcs);
27156 }
27157 if ((reason & uPD98402_INT_RFO) &&
27158 @@ -221,9 +221,9 @@ static int uPD98402_start(struct atm_dev
27159 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
27160 uPD98402_INT_LOS),PIMR); /* enable them */
27161 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
27162 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
27163 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
27164 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
27165 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
27166 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
27167 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
27168 return 0;
27169 }
27170
27171 diff -urNp linux-2.6.32.46/drivers/atm/zatm.c linux-2.6.32.46/drivers/atm/zatm.c
27172 --- linux-2.6.32.46/drivers/atm/zatm.c 2011-03-27 14:31:47.000000000 -0400
27173 +++ linux-2.6.32.46/drivers/atm/zatm.c 2011-04-17 15:56:46.000000000 -0400
27174 @@ -458,7 +458,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
27175 }
27176 if (!size) {
27177 dev_kfree_skb_irq(skb);
27178 - if (vcc) atomic_inc(&vcc->stats->rx_err);
27179 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
27180 continue;
27181 }
27182 if (!atm_charge(vcc,skb->truesize)) {
27183 @@ -468,7 +468,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
27184 skb->len = size;
27185 ATM_SKB(skb)->vcc = vcc;
27186 vcc->push(vcc,skb);
27187 - atomic_inc(&vcc->stats->rx);
27188 + atomic_inc_unchecked(&vcc->stats->rx);
27189 }
27190 zout(pos & 0xffff,MTA(mbx));
27191 #if 0 /* probably a stupid idea */
27192 @@ -732,7 +732,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
27193 skb_queue_head(&zatm_vcc->backlog,skb);
27194 break;
27195 }
27196 - atomic_inc(&vcc->stats->tx);
27197 + atomic_inc_unchecked(&vcc->stats->tx);
27198 wake_up(&zatm_vcc->tx_wait);
27199 }
27200
27201 diff -urNp linux-2.6.32.46/drivers/base/bus.c linux-2.6.32.46/drivers/base/bus.c
27202 --- linux-2.6.32.46/drivers/base/bus.c 2011-03-27 14:31:47.000000000 -0400
27203 +++ linux-2.6.32.46/drivers/base/bus.c 2011-04-17 15:56:46.000000000 -0400
27204 @@ -70,7 +70,7 @@ static ssize_t drv_attr_store(struct kob
27205 return ret;
27206 }
27207
27208 -static struct sysfs_ops driver_sysfs_ops = {
27209 +static const struct sysfs_ops driver_sysfs_ops = {
27210 .show = drv_attr_show,
27211 .store = drv_attr_store,
27212 };
27213 @@ -115,7 +115,7 @@ static ssize_t bus_attr_store(struct kob
27214 return ret;
27215 }
27216
27217 -static struct sysfs_ops bus_sysfs_ops = {
27218 +static const struct sysfs_ops bus_sysfs_ops = {
27219 .show = bus_attr_show,
27220 .store = bus_attr_store,
27221 };
27222 @@ -154,7 +154,7 @@ static int bus_uevent_filter(struct kset
27223 return 0;
27224 }
27225
27226 -static struct kset_uevent_ops bus_uevent_ops = {
27227 +static const struct kset_uevent_ops bus_uevent_ops = {
27228 .filter = bus_uevent_filter,
27229 };
27230
27231 diff -urNp linux-2.6.32.46/drivers/base/class.c linux-2.6.32.46/drivers/base/class.c
27232 --- linux-2.6.32.46/drivers/base/class.c 2011-03-27 14:31:47.000000000 -0400
27233 +++ linux-2.6.32.46/drivers/base/class.c 2011-04-17 15:56:46.000000000 -0400
27234 @@ -63,7 +63,7 @@ static void class_release(struct kobject
27235 kfree(cp);
27236 }
27237
27238 -static struct sysfs_ops class_sysfs_ops = {
27239 +static const struct sysfs_ops class_sysfs_ops = {
27240 .show = class_attr_show,
27241 .store = class_attr_store,
27242 };
27243 diff -urNp linux-2.6.32.46/drivers/base/core.c linux-2.6.32.46/drivers/base/core.c
27244 --- linux-2.6.32.46/drivers/base/core.c 2011-03-27 14:31:47.000000000 -0400
27245 +++ linux-2.6.32.46/drivers/base/core.c 2011-04-17 15:56:46.000000000 -0400
27246 @@ -100,7 +100,7 @@ static ssize_t dev_attr_store(struct kob
27247 return ret;
27248 }
27249
27250 -static struct sysfs_ops dev_sysfs_ops = {
27251 +static const struct sysfs_ops dev_sysfs_ops = {
27252 .show = dev_attr_show,
27253 .store = dev_attr_store,
27254 };
27255 @@ -252,7 +252,7 @@ static int dev_uevent(struct kset *kset,
27256 return retval;
27257 }
27258
27259 -static struct kset_uevent_ops device_uevent_ops = {
27260 +static const struct kset_uevent_ops device_uevent_ops = {
27261 .filter = dev_uevent_filter,
27262 .name = dev_uevent_name,
27263 .uevent = dev_uevent,
27264 diff -urNp linux-2.6.32.46/drivers/base/memory.c linux-2.6.32.46/drivers/base/memory.c
27265 --- linux-2.6.32.46/drivers/base/memory.c 2011-03-27 14:31:47.000000000 -0400
27266 +++ linux-2.6.32.46/drivers/base/memory.c 2011-04-17 15:56:46.000000000 -0400
27267 @@ -44,7 +44,7 @@ static int memory_uevent(struct kset *ks
27268 return retval;
27269 }
27270
27271 -static struct kset_uevent_ops memory_uevent_ops = {
27272 +static const struct kset_uevent_ops memory_uevent_ops = {
27273 .name = memory_uevent_name,
27274 .uevent = memory_uevent,
27275 };
27276 diff -urNp linux-2.6.32.46/drivers/base/sys.c linux-2.6.32.46/drivers/base/sys.c
27277 --- linux-2.6.32.46/drivers/base/sys.c 2011-03-27 14:31:47.000000000 -0400
27278 +++ linux-2.6.32.46/drivers/base/sys.c 2011-04-17 15:56:46.000000000 -0400
27279 @@ -54,7 +54,7 @@ sysdev_store(struct kobject *kobj, struc
27280 return -EIO;
27281 }
27282
27283 -static struct sysfs_ops sysfs_ops = {
27284 +static const struct sysfs_ops sysfs_ops = {
27285 .show = sysdev_show,
27286 .store = sysdev_store,
27287 };
27288 @@ -104,7 +104,7 @@ static ssize_t sysdev_class_store(struct
27289 return -EIO;
27290 }
27291
27292 -static struct sysfs_ops sysfs_class_ops = {
27293 +static const struct sysfs_ops sysfs_class_ops = {
27294 .show = sysdev_class_show,
27295 .store = sysdev_class_store,
27296 };
27297 diff -urNp linux-2.6.32.46/drivers/block/cciss.c linux-2.6.32.46/drivers/block/cciss.c
27298 --- linux-2.6.32.46/drivers/block/cciss.c 2011-03-27 14:31:47.000000000 -0400
27299 +++ linux-2.6.32.46/drivers/block/cciss.c 2011-08-05 20:33:55.000000000 -0400
27300 @@ -1011,6 +1011,8 @@ static int cciss_ioctl32_passthru(struct
27301 int err;
27302 u32 cp;
27303
27304 + memset(&arg64, 0, sizeof(arg64));
27305 +
27306 err = 0;
27307 err |=
27308 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
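Review bot: The added `memset(&arg64, 0, sizeof(arg64));` has no comment saying what it protects against, so a later cleanup could mistake it for redundant initialisation and remove it. If `arg64` is later copied out to user space (the rest of `cciss_ioctl32_passthru` is outside the hunk), padding and any fields the `copy_from_user()` calls do not fill would otherwise carry stale kernel stack bytes. I would add `/* clear padding and unset fields before arg64 is handed back to userspace */` above the call. The `memset(&pll, 0, sizeof(pll));` added in genrtc.c and the `memset(&info, 0, sizeof(info));` added in hpet.c follow the same pattern and would benefit from the same one-line comment.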
27309 @@ -2852,7 +2854,7 @@ static unsigned long pollcomplete(int ct
27310 /* Wait (up to 20 seconds) for a command to complete */
27311
27312 for (i = 20 * HZ; i > 0; i--) {
27313 - done = hba[ctlr]->access.command_completed(hba[ctlr]);
27314 + done = hba[ctlr]->access->command_completed(hba[ctlr]);
27315 if (done == FIFO_EMPTY)
27316 schedule_timeout_uninterruptible(1);
27317 else
27318 @@ -2876,7 +2878,7 @@ static int sendcmd_core(ctlr_info_t *h,
27319 resend_cmd1:
27320
27321 /* Disable interrupt on the board. */
27322 - h->access.set_intr_mask(h, CCISS_INTR_OFF);
27323 + h->access->set_intr_mask(h, CCISS_INTR_OFF);
27324
27325 /* Make sure there is room in the command FIFO */
27326 /* Actually it should be completely empty at this time */
27327 @@ -2884,13 +2886,13 @@ resend_cmd1:
27328 /* tape side of the driver. */
27329 for (i = 200000; i > 0; i--) {
27330 /* if fifo isn't full go */
27331 - if (!(h->access.fifo_full(h)))
27332 + if (!(h->access->fifo_full(h)))
27333 break;
27334 udelay(10);
27335 printk(KERN_WARNING "cciss cciss%d: SendCmd FIFO full,"
27336 " waiting!\n", h->ctlr);
27337 }
27338 - h->access.submit_command(h, c); /* Send the cmd */
27339 + h->access->submit_command(h, c); /* Send the cmd */
27340 do {
27341 complete = pollcomplete(h->ctlr);
27342
27343 @@ -3023,7 +3025,7 @@ static void start_io(ctlr_info_t *h)
27344 while (!hlist_empty(&h->reqQ)) {
27345 c = hlist_entry(h->reqQ.first, CommandList_struct, list);
27346 /* can't do anything if fifo is full */
27347 - if ((h->access.fifo_full(h))) {
27348 + if ((h->access->fifo_full(h))) {
27349 printk(KERN_WARNING "cciss: fifo full\n");
27350 break;
27351 }
27352 @@ -3033,7 +3035,7 @@ static void start_io(ctlr_info_t *h)
27353 h->Qdepth--;
27354
27355 /* Tell the controller execute command */
27356 - h->access.submit_command(h, c);
27357 + h->access->submit_command(h, c);
27358
27359 /* Put job onto the completed Q */
27360 addQ(&h->cmpQ, c);
27361 @@ -3393,17 +3395,17 @@ startio:
27362
27363 static inline unsigned long get_next_completion(ctlr_info_t *h)
27364 {
27365 - return h->access.command_completed(h);
27366 + return h->access->command_completed(h);
27367 }
27368
27369 static inline int interrupt_pending(ctlr_info_t *h)
27370 {
27371 - return h->access.intr_pending(h);
27372 + return h->access->intr_pending(h);
27373 }
27374
27375 static inline long interrupt_not_for_us(ctlr_info_t *h)
27376 {
27377 - return (((h->access.intr_pending(h) == 0) ||
27378 + return (((h->access->intr_pending(h) == 0) ||
27379 (h->interrupts_enabled == 0)));
27380 }
27381
27382 @@ -3892,7 +3894,7 @@ static int __devinit cciss_pci_init(ctlr
27383 */
27384 c->max_commands = readl(&(c->cfgtable->CmdsOutMax));
27385 c->product_name = products[prod_index].product_name;
27386 - c->access = *(products[prod_index].access);
27387 + c->access = products[prod_index].access;
27388 c->nr_cmds = c->max_commands - 4;
27389 if ((readb(&c->cfgtable->Signature[0]) != 'C') ||
27390 (readb(&c->cfgtable->Signature[1]) != 'I') ||
27391 @@ -4291,7 +4293,7 @@ static int __devinit cciss_init_one(stru
27392 }
27393
27394 /* make sure the board interrupts are off */
27395 - hba[i]->access.set_intr_mask(hba[i], CCISS_INTR_OFF);
27396 + hba[i]->access->set_intr_mask(hba[i], CCISS_INTR_OFF);
27397 if (request_irq(hba[i]->intr[SIMPLE_MODE_INT], do_cciss_intr,
27398 IRQF_DISABLED | IRQF_SHARED, hba[i]->devname, hba[i])) {
27399 printk(KERN_ERR "cciss: Unable to get irq %d for %s\n",
27400 @@ -4341,7 +4343,7 @@ static int __devinit cciss_init_one(stru
27401 cciss_scsi_setup(i);
27402
27403 /* Turn the interrupts on so we can service requests */
27404 - hba[i]->access.set_intr_mask(hba[i], CCISS_INTR_ON);
27405 + hba[i]->access->set_intr_mask(hba[i], CCISS_INTR_ON);
27406
27407 /* Get the firmware version */
27408 inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
27409 diff -urNp linux-2.6.32.46/drivers/block/cciss.h linux-2.6.32.46/drivers/block/cciss.h
27410 --- linux-2.6.32.46/drivers/block/cciss.h 2011-08-09 18:35:28.000000000 -0400
27411 +++ linux-2.6.32.46/drivers/block/cciss.h 2011-08-09 18:33:59.000000000 -0400
27412 @@ -90,7 +90,7 @@ struct ctlr_info
27413 // information about each logical volume
27414 drive_info_struct *drv[CISS_MAX_LUN];
27415
27416 - struct access_method access;
27417 + struct access_method *access;
27418
27419 /* queue and queue Info */
27420 struct hlist_head reqQ;
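Review bot: The new member is declared `struct access_method *access;`, a pointer to mutable data, so nothing stops driver code from writing through `h->access` into a table that every controller of that product type now shares. Declaring it `const struct access_method *access;` lets the compiler reject such writes and allows the per-product tables to live in read-only memory; whether those tables are already `const` is not visible here. The same applies to the matching member changed in drivers/block/cpqarray.h. With the by-value copy gone, a NULL `access` entry in the products table would fault at the first call rather than at assignment, so a check where `c->access` is assigned may be worth adding.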
27421 diff -urNp linux-2.6.32.46/drivers/block/cpqarray.c linux-2.6.32.46/drivers/block/cpqarray.c
27422 --- linux-2.6.32.46/drivers/block/cpqarray.c 2011-03-27 14:31:47.000000000 -0400
27423 +++ linux-2.6.32.46/drivers/block/cpqarray.c 2011-08-05 20:33:55.000000000 -0400
27424 @@ -402,7 +402,7 @@ static int __init cpqarray_register_ctlr
27425 if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) {
27426 goto Enomem4;
27427 }
27428 - hba[i]->access.set_intr_mask(hba[i], 0);
27429 + hba[i]->access->set_intr_mask(hba[i], 0);
27430 if (request_irq(hba[i]->intr, do_ida_intr,
27431 IRQF_DISABLED|IRQF_SHARED, hba[i]->devname, hba[i]))
27432 {
27433 @@ -460,7 +460,7 @@ static int __init cpqarray_register_ctlr
27434 add_timer(&hba[i]->timer);
27435
27436 /* Enable IRQ now that spinlock and rate limit timer are set up */
27437 - hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY);
27438 + hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY);
27439
27440 for(j=0; j<NWD; j++) {
27441 struct gendisk *disk = ida_gendisk[i][j];
27442 @@ -695,7 +695,7 @@ DBGINFO(
27443 for(i=0; i<NR_PRODUCTS; i++) {
27444 if (board_id == products[i].board_id) {
27445 c->product_name = products[i].product_name;
27446 - c->access = *(products[i].access);
27447 + c->access = products[i].access;
27448 break;
27449 }
27450 }
27451 @@ -793,7 +793,7 @@ static int __init cpqarray_eisa_detect(v
27452 hba[ctlr]->intr = intr;
27453 sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr);
27454 hba[ctlr]->product_name = products[j].product_name;
27455 - hba[ctlr]->access = *(products[j].access);
27456 + hba[ctlr]->access = products[j].access;
27457 hba[ctlr]->ctlr = ctlr;
27458 hba[ctlr]->board_id = board_id;
27459 hba[ctlr]->pci_dev = NULL; /* not PCI */
27460 @@ -896,6 +896,8 @@ static void do_ida_request(struct reques
27461 struct scatterlist tmp_sg[SG_MAX];
27462 int i, dir, seg;
27463
27464 + pax_track_stack();
27465 +
27466 if (blk_queue_plugged(q))
27467 goto startio;
27468
27469 @@ -968,7 +970,7 @@ static void start_io(ctlr_info_t *h)
27470
27471 while((c = h->reqQ) != NULL) {
27472 /* Can't do anything if we're busy */
27473 - if (h->access.fifo_full(h) == 0)
27474 + if (h->access->fifo_full(h) == 0)
27475 return;
27476
27477 /* Get the first entry from the request Q */
27478 @@ -976,7 +978,7 @@ static void start_io(ctlr_info_t *h)
27479 h->Qdepth--;
27480
27481 /* Tell the controller to do our bidding */
27482 - h->access.submit_command(h, c);
27483 + h->access->submit_command(h, c);
27484
27485 /* Get onto the completion Q */
27486 addQ(&h->cmpQ, c);
27487 @@ -1038,7 +1040,7 @@ static irqreturn_t do_ida_intr(int irq,
27488 unsigned long flags;
27489 __u32 a,a1;
27490
27491 - istat = h->access.intr_pending(h);
27492 + istat = h->access->intr_pending(h);
27493 /* Is this interrupt for us? */
27494 if (istat == 0)
27495 return IRQ_NONE;
27496 @@ -1049,7 +1051,7 @@ static irqreturn_t do_ida_intr(int irq,
27497 */
27498 spin_lock_irqsave(IDA_LOCK(h->ctlr), flags);
27499 if (istat & FIFO_NOT_EMPTY) {
27500 - while((a = h->access.command_completed(h))) {
27501 + while((a = h->access->command_completed(h))) {
27502 a1 = a; a &= ~3;
27503 if ((c = h->cmpQ) == NULL)
27504 {
27505 @@ -1434,11 +1436,11 @@ static int sendcmd(
27506 /*
27507 * Disable interrupt
27508 */
27509 - info_p->access.set_intr_mask(info_p, 0);
27510 + info_p->access->set_intr_mask(info_p, 0);
27511 /* Make sure there is room in the command FIFO */
27512 /* Actually it should be completely empty at this time. */
27513 for (i = 200000; i > 0; i--) {
27514 - temp = info_p->access.fifo_full(info_p);
27515 + temp = info_p->access->fifo_full(info_p);
27516 if (temp != 0) {
27517 break;
27518 }
27519 @@ -1451,7 +1453,7 @@ DBG(
27520 /*
27521 * Send the cmd
27522 */
27523 - info_p->access.submit_command(info_p, c);
27524 + info_p->access->submit_command(info_p, c);
27525 complete = pollcomplete(ctlr);
27526
27527 pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr,
27528 @@ -1534,9 +1536,9 @@ static int revalidate_allvol(ctlr_info_t
27529 * we check the new geometry. Then turn interrupts back on when
27530 * we're done.
27531 */
27532 - host->access.set_intr_mask(host, 0);
27533 + host->access->set_intr_mask(host, 0);
27534 getgeometry(ctlr);
27535 - host->access.set_intr_mask(host, FIFO_NOT_EMPTY);
27536 + host->access->set_intr_mask(host, FIFO_NOT_EMPTY);
27537
27538 for(i=0; i<NWD; i++) {
27539 struct gendisk *disk = ida_gendisk[ctlr][i];
27540 @@ -1576,7 +1578,7 @@ static int pollcomplete(int ctlr)
27541 /* Wait (up to 2 seconds) for a command to complete */
27542
27543 for (i = 200000; i > 0; i--) {
27544 - done = hba[ctlr]->access.command_completed(hba[ctlr]);
27545 + done = hba[ctlr]->access->command_completed(hba[ctlr]);
27546 if (done == 0) {
27547 udelay(10); /* a short fixed delay */
27548 } else
27549 diff -urNp linux-2.6.32.46/drivers/block/cpqarray.h linux-2.6.32.46/drivers/block/cpqarray.h
27550 --- linux-2.6.32.46/drivers/block/cpqarray.h 2011-03-27 14:31:47.000000000 -0400
27551 +++ linux-2.6.32.46/drivers/block/cpqarray.h 2011-08-05 20:33:55.000000000 -0400
27552 @@ -99,7 +99,7 @@ struct ctlr_info {
27553 drv_info_t drv[NWD];
27554 struct proc_dir_entry *proc;
27555
27556 - struct access_method access;
27557 + struct access_method *access;
27558
27559 cmdlist_t *reqQ;
27560 cmdlist_t *cmpQ;
27561 diff -urNp linux-2.6.32.46/drivers/block/DAC960.c linux-2.6.32.46/drivers/block/DAC960.c
27562 --- linux-2.6.32.46/drivers/block/DAC960.c 2011-03-27 14:31:47.000000000 -0400
27563 +++ linux-2.6.32.46/drivers/block/DAC960.c 2011-05-16 21:46:57.000000000 -0400
27564 @@ -1973,6 +1973,8 @@ static bool DAC960_V1_ReadDeviceConfigur
27565 unsigned long flags;
27566 int Channel, TargetID;
27567
27568 + pax_track_stack();
27569 +
27570 if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
27571 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
27572 sizeof(DAC960_SCSI_Inquiry_T) +
27573 diff -urNp linux-2.6.32.46/drivers/block/nbd.c linux-2.6.32.46/drivers/block/nbd.c
27574 --- linux-2.6.32.46/drivers/block/nbd.c 2011-06-25 12:55:34.000000000 -0400
27575 +++ linux-2.6.32.46/drivers/block/nbd.c 2011-06-25 12:56:37.000000000 -0400
27576 @@ -155,6 +155,8 @@ static int sock_xmit(struct nbd_device *
27577 struct kvec iov;
27578 sigset_t blocked, oldset;
27579
27580 + pax_track_stack();
27581 +
27582 if (unlikely(!sock)) {
27583 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
27584 lo->disk->disk_name, (send ? "send" : "recv"));
27585 @@ -569,6 +571,8 @@ static void do_nbd_request(struct reques
27586 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
27587 unsigned int cmd, unsigned long arg)
27588 {
27589 + pax_track_stack();
27590 +
27591 switch (cmd) {
27592 case NBD_DISCONNECT: {
27593 struct request sreq;
27594 diff -urNp linux-2.6.32.46/drivers/block/pktcdvd.c linux-2.6.32.46/drivers/block/pktcdvd.c
27595 --- linux-2.6.32.46/drivers/block/pktcdvd.c 2011-03-27 14:31:47.000000000 -0400
27596 +++ linux-2.6.32.46/drivers/block/pktcdvd.c 2011-04-17 15:56:46.000000000 -0400
27597 @@ -284,7 +284,7 @@ static ssize_t kobj_pkt_store(struct kob
27598 return len;
27599 }
27600
27601 -static struct sysfs_ops kobj_pkt_ops = {
27602 +static const struct sysfs_ops kobj_pkt_ops = {
27603 .show = kobj_pkt_show,
27604 .store = kobj_pkt_store
27605 };
27606 diff -urNp linux-2.6.32.46/drivers/char/agp/frontend.c linux-2.6.32.46/drivers/char/agp/frontend.c
27607 --- linux-2.6.32.46/drivers/char/agp/frontend.c 2011-03-27 14:31:47.000000000 -0400
27608 +++ linux-2.6.32.46/drivers/char/agp/frontend.c 2011-04-17 15:56:46.000000000 -0400
27609 @@ -824,7 +824,7 @@ static int agpioc_reserve_wrap(struct ag
27610 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
27611 return -EFAULT;
27612
27613 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
27614 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
27615 return -EFAULT;
27616
27617 client = agp_find_client_by_pid(reserve.pid);
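Review bot: The count is narrowed by the `(unsigned)` cast before it is compared, so if `reserve.seg_count` is declared wider than `unsigned int` (its declaration is not in this hunk) a large value could pass the test after truncation and still reach the size multiplication. Comparing the field at its own width, `if (reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))`, avoids that. The bound now covers only the `agp_segment_priv` multiplication, which presumably is the larger of the two structures. A short comment naming the allocation this check guards would keep the two sizes from drifting apart unnoticed.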
27618 diff -urNp linux-2.6.32.46/drivers/char/briq_panel.c linux-2.6.32.46/drivers/char/briq_panel.c
27619 --- linux-2.6.32.46/drivers/char/briq_panel.c 2011-03-27 14:31:47.000000000 -0400
27620 +++ linux-2.6.32.46/drivers/char/briq_panel.c 2011-04-18 19:48:57.000000000 -0400
27621 @@ -10,6 +10,7 @@
27622 #include <linux/types.h>
27623 #include <linux/errno.h>
27624 #include <linux/tty.h>
27625 +#include <linux/mutex.h>
27626 #include <linux/timer.h>
27627 #include <linux/kernel.h>
27628 #include <linux/wait.h>
27629 @@ -36,6 +37,7 @@ static int vfd_is_open;
27630 static unsigned char vfd[40];
27631 static int vfd_cursor;
27632 static unsigned char ledpb, led;
27633 +static DEFINE_MUTEX(vfd_mutex);
27634
27635 static void update_vfd(void)
27636 {
27637 @@ -142,12 +144,15 @@ static ssize_t briq_panel_write(struct f
27638 if (!vfd_is_open)
27639 return -EBUSY;
27640
27641 + mutex_lock(&vfd_mutex);
27642 for (;;) {
27643 char c;
27644 if (!indx)
27645 break;
27646 - if (get_user(c, buf))
27647 + if (get_user(c, buf)) {
27648 + mutex_unlock(&vfd_mutex);
27649 return -EFAULT;
27650 + }
27651 if (esc) {
27652 set_led(c);
27653 esc = 0;
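Review bot: `vfd_mutex` is taken only after the `if (!vfd_is_open)` test, so that check is not serialised against a write in progress. If the lock is meant to cover only concurrent writers, the `DEFINE_MUTEX` line should say so, e.g. `/* serialises writers updating vfd[], vfd_cursor and the LED state */`. The error path unlocks by hand before `return -EFAULT;`, and the loop body between this hunk and the next is not visible, so any other early return there would leave the mutex held; a single exit label that unlocks (`goto out_unlock;`) would rule that out. Since the lock is now held across `get_user()` for the whole user-supplied length, `mutex_lock_interruptible()` may also be the better choice.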
27654 @@ -177,6 +182,7 @@ static ssize_t briq_panel_write(struct f
27655 buf++;
27656 }
27657 update_vfd();
27658 + mutex_unlock(&vfd_mutex);
27659
27660 return len;
27661 }
27662 diff -urNp linux-2.6.32.46/drivers/char/genrtc.c linux-2.6.32.46/drivers/char/genrtc.c
27663 --- linux-2.6.32.46/drivers/char/genrtc.c 2011-03-27 14:31:47.000000000 -0400
27664 +++ linux-2.6.32.46/drivers/char/genrtc.c 2011-04-18 19:45:42.000000000 -0400
27665 @@ -272,6 +272,7 @@ static int gen_rtc_ioctl(struct inode *i
27666 switch (cmd) {
27667
27668 case RTC_PLL_GET:
27669 + memset(&pll, 0, sizeof(pll));
27670 if (get_rtc_pll(&pll))
27671 return -EINVAL;
27672 else
27673 diff -urNp linux-2.6.32.46/drivers/char/hpet.c linux-2.6.32.46/drivers/char/hpet.c
27674 --- linux-2.6.32.46/drivers/char/hpet.c 2011-03-27 14:31:47.000000000 -0400
27675 +++ linux-2.6.32.46/drivers/char/hpet.c 2011-04-23 12:56:11.000000000 -0400
27676 @@ -430,7 +430,7 @@ static int hpet_release(struct inode *in
27677 return 0;
27678 }
27679
27680 -static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
27681 +static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
27682
27683 static int
27684 hpet_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
27685 @@ -565,7 +565,7 @@ static inline unsigned long hpet_time_di
27686 }
27687
27688 static int
27689 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
27690 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
27691 {
27692 struct hpet_timer __iomem *timer;
27693 struct hpet __iomem *hpet;
27694 @@ -608,11 +608,11 @@ hpet_ioctl_common(struct hpet_dev *devp,
27695 {
27696 struct hpet_info info;
27697
27698 + memset(&info, 0, sizeof(info));
27699 +
27700 if (devp->hd_ireqfreq)
27701 info.hi_ireqfreq =
27702 hpet_time_div(hpetp, devp->hd_ireqfreq);
27703 - else
27704 - info.hi_ireqfreq = 0;
27705 info.hi_flags =
27706 readq(&timer->hpet_config) & Tn_PER_INT_CAP_MASK;
27707 info.hi_hpet = hpetp->hp_which;
27708 diff -urNp linux-2.6.32.46/drivers/char/hvc_beat.c linux-2.6.32.46/drivers/char/hvc_beat.c
27709 --- linux-2.6.32.46/drivers/char/hvc_beat.c 2011-03-27 14:31:47.000000000 -0400
27710 +++ linux-2.6.32.46/drivers/char/hvc_beat.c 2011-04-17 15:56:46.000000000 -0400
27711 @@ -84,7 +84,7 @@ static int hvc_beat_put_chars(uint32_t v
27712 return cnt;
27713 }
27714
27715 -static struct hv_ops hvc_beat_get_put_ops = {
27716 +static const struct hv_ops hvc_beat_get_put_ops = {
27717 .get_chars = hvc_beat_get_chars,
27718 .put_chars = hvc_beat_put_chars,
27719 };
27720 diff -urNp linux-2.6.32.46/drivers/char/hvc_console.c linux-2.6.32.46/drivers/char/hvc_console.c
27721 --- linux-2.6.32.46/drivers/char/hvc_console.c 2011-03-27 14:31:47.000000000 -0400
27722 +++ linux-2.6.32.46/drivers/char/hvc_console.c 2011-04-17 15:56:46.000000000 -0400
27723 @@ -125,7 +125,7 @@ static struct hvc_struct *hvc_get_by_ind
27724 * console interfaces but can still be used as a tty device. This has to be
27725 * static because kmalloc will not work during early console init.
27726 */
27727 -static struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
27728 +static const struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
27729 static uint32_t vtermnos[MAX_NR_HVC_CONSOLES] =
27730 {[0 ... MAX_NR_HVC_CONSOLES - 1] = -1};
27731
27732 @@ -247,7 +247,7 @@ static void destroy_hvc_struct(struct kr
27733 * vty adapters do NOT get an hvc_instantiate() callback since they
27734 * appear after early console init.
27735 */
27736 -int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops)
27737 +int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops)
27738 {
27739 struct hvc_struct *hp;
27740
27741 @@ -756,7 +756,7 @@ static const struct tty_operations hvc_o
27742 };
27743
27744 struct hvc_struct __devinit *hvc_alloc(uint32_t vtermno, int data,
27745 - struct hv_ops *ops, int outbuf_size)
27746 + const struct hv_ops *ops, int outbuf_size)
27747 {
27748 struct hvc_struct *hp;
27749 int i;
27750 diff -urNp linux-2.6.32.46/drivers/char/hvc_console.h linux-2.6.32.46/drivers/char/hvc_console.h
27751 --- linux-2.6.32.46/drivers/char/hvc_console.h 2011-03-27 14:31:47.000000000 -0400
27752 +++ linux-2.6.32.46/drivers/char/hvc_console.h 2011-04-17 15:56:46.000000000 -0400
27753 @@ -55,7 +55,7 @@ struct hvc_struct {
27754 int outbuf_size;
27755 int n_outbuf;
27756 uint32_t vtermno;
27757 - struct hv_ops *ops;
27758 + const struct hv_ops *ops;
27759 int irq_requested;
27760 int data;
27761 struct winsize ws;
27762 @@ -76,11 +76,11 @@ struct hv_ops {
27763 };
27764
27765 /* Register a vterm and a slot index for use as a console (console_init) */
27766 -extern int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops);
27767 +extern int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops);
27768
27769 /* register a vterm for hvc tty operation (module_init or hotplug add) */
27770 extern struct hvc_struct * __devinit hvc_alloc(uint32_t vtermno, int data,
27771 - struct hv_ops *ops, int outbuf_size);
27772 + const struct hv_ops *ops, int outbuf_size);
27773 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
27774 extern int hvc_remove(struct hvc_struct *hp);
27775
27776 diff -urNp linux-2.6.32.46/drivers/char/hvc_iseries.c linux-2.6.32.46/drivers/char/hvc_iseries.c
27777 --- linux-2.6.32.46/drivers/char/hvc_iseries.c 2011-03-27 14:31:47.000000000 -0400
27778 +++ linux-2.6.32.46/drivers/char/hvc_iseries.c 2011-04-17 15:56:46.000000000 -0400
27779 @@ -197,7 +197,7 @@ done:
27780 return sent;
27781 }
27782
27783 -static struct hv_ops hvc_get_put_ops = {
27784 +static const struct hv_ops hvc_get_put_ops = {
27785 .get_chars = get_chars,
27786 .put_chars = put_chars,
27787 .notifier_add = notifier_add_irq,
27788 diff -urNp linux-2.6.32.46/drivers/char/hvc_iucv.c linux-2.6.32.46/drivers/char/hvc_iucv.c
27789 --- linux-2.6.32.46/drivers/char/hvc_iucv.c 2011-03-27 14:31:47.000000000 -0400
27790 +++ linux-2.6.32.46/drivers/char/hvc_iucv.c 2011-04-17 15:56:46.000000000 -0400
27791 @@ -924,7 +924,7 @@ static int hvc_iucv_pm_restore_thaw(stru
27792
27793
27794 /* HVC operations */
27795 -static struct hv_ops hvc_iucv_ops = {
27796 +static const struct hv_ops hvc_iucv_ops = {
27797 .get_chars = hvc_iucv_get_chars,
27798 .put_chars = hvc_iucv_put_chars,
27799 .notifier_add = hvc_iucv_notifier_add,
27800 diff -urNp linux-2.6.32.46/drivers/char/hvc_rtas.c linux-2.6.32.46/drivers/char/hvc_rtas.c
27801 --- linux-2.6.32.46/drivers/char/hvc_rtas.c 2011-03-27 14:31:47.000000000 -0400
27802 +++ linux-2.6.32.46/drivers/char/hvc_rtas.c 2011-04-17 15:56:46.000000000 -0400
27803 @@ -71,7 +71,7 @@ static int hvc_rtas_read_console(uint32_
27804 return i;
27805 }
27806
27807 -static struct hv_ops hvc_rtas_get_put_ops = {
27808 +static const struct hv_ops hvc_rtas_get_put_ops = {
27809 .get_chars = hvc_rtas_read_console,
27810 .put_chars = hvc_rtas_write_console,
27811 };
27812 diff -urNp linux-2.6.32.46/drivers/char/hvcs.c linux-2.6.32.46/drivers/char/hvcs.c
27813 --- linux-2.6.32.46/drivers/char/hvcs.c 2011-03-27 14:31:47.000000000 -0400
27814 +++ linux-2.6.32.46/drivers/char/hvcs.c 2011-04-17 15:56:46.000000000 -0400
27815 @@ -82,6 +82,7 @@
27816 #include <asm/hvcserver.h>
27817 #include <asm/uaccess.h>
27818 #include <asm/vio.h>
27819 +#include <asm/local.h>
27820
27821 /*
27822 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
27823 @@ -269,7 +270,7 @@ struct hvcs_struct {
27824 unsigned int index;
27825
27826 struct tty_struct *tty;
27827 - int open_count;
27828 + local_t open_count;
27829
27830 /*
27831 * Used to tell the driver kernel_thread what operations need to take
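Review bot: `open_count` becomes a `local_t` with no comment on how it is synchronised, and `local_t` operations are atomic only with respect to the CPU they run on. The later hunks keep most accesses under `hvcsd->lock`, but the `hvcs_write_room()` hunk reads the counter with no lock visible. The protection should therefore be stated at the declaration, e.g. `local_t open_count; /* modified only under hvcsd->lock */`.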
27832 @@ -419,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
27833
27834 spin_lock_irqsave(&hvcsd->lock, flags);
27835
27836 - if (hvcsd->open_count > 0) {
27837 + if (local_read(&hvcsd->open_count) > 0) {
27838 spin_unlock_irqrestore(&hvcsd->lock, flags);
27839 printk(KERN_INFO "HVCS: vterm state unchanged. "
27840 "The hvcs device node is still in use.\n");
27841 @@ -1135,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
27842 if ((retval = hvcs_partner_connect(hvcsd)))
27843 goto error_release;
27844
27845 - hvcsd->open_count = 1;
27846 + local_set(&hvcsd->open_count, 1);
27847 hvcsd->tty = tty;
27848 tty->driver_data = hvcsd;
27849
27850 @@ -1169,7 +1170,7 @@ fast_open:
27851
27852 spin_lock_irqsave(&hvcsd->lock, flags);
27853 kref_get(&hvcsd->kref);
27854 - hvcsd->open_count++;
27855 + local_inc(&hvcsd->open_count);
27856 hvcsd->todo_mask |= HVCS_SCHED_READ;
27857 spin_unlock_irqrestore(&hvcsd->lock, flags);
27858
27859 @@ -1213,7 +1214,7 @@ static void hvcs_close(struct tty_struct
27860 hvcsd = tty->driver_data;
27861
27862 spin_lock_irqsave(&hvcsd->lock, flags);
27863 - if (--hvcsd->open_count == 0) {
27864 + if (local_dec_and_test(&hvcsd->open_count)) {
27865
27866 vio_disable_interrupts(hvcsd->vdev);
27867
27868 @@ -1239,10 +1240,10 @@ static void hvcs_close(struct tty_struct
27869 free_irq(irq, hvcsd);
27870 kref_put(&hvcsd->kref, destroy_hvcs_struct);
27871 return;
27872 - } else if (hvcsd->open_count < 0) {
27873 + } else if (local_read(&hvcsd->open_count) < 0) {
27874 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
27875 " is missmanaged.\n",
27876 - hvcsd->vdev->unit_address, hvcsd->open_count);
27877 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
27878 }
27879
27880 spin_unlock_irqrestore(&hvcsd->lock, flags);
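Review bot: The `printk` format still uses `%d` for its last argument, which is now `local_read(&hvcsd->open_count)`. On architectures where `local_t` wraps a long counter, `local_read()` yields a `long`, so the format and argument no longer match. Either switch the conversion to `%ld` or keep `%d` and cast: `hvcsd->vdev->unit_address, (int)local_read(&hvcsd->open_count));`. The assignment `temp_open_count = local_read(&hvcsd->open_count);` in the `hvcs_hangup()` hunk narrows the same way if `temp_open_count` is an `int`, which is not visible here.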
27881 @@ -1258,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
27882
27883 spin_lock_irqsave(&hvcsd->lock, flags);
27884 /* Preserve this so that we know how many kref refs to put */
27885 - temp_open_count = hvcsd->open_count;
27886 + temp_open_count = local_read(&hvcsd->open_count);
27887
27888 /*
27889 * Don't kref put inside the spinlock because the destruction
27890 @@ -1273,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
27891 hvcsd->tty->driver_data = NULL;
27892 hvcsd->tty = NULL;
27893
27894 - hvcsd->open_count = 0;
27895 + local_set(&hvcsd->open_count, 0);
27896
27897 /* This will drop any buffered data on the floor which is OK in a hangup
27898 * scenario. */
27899 @@ -1344,7 +1345,7 @@ static int hvcs_write(struct tty_struct
27900 * the middle of a write operation? This is a crummy place to do this
27901 * but we want to keep it all in the spinlock.
27902 */
27903 - if (hvcsd->open_count <= 0) {
27904 + if (local_read(&hvcsd->open_count) <= 0) {
27905 spin_unlock_irqrestore(&hvcsd->lock, flags);
27906 return -ENODEV;
27907 }
27908 @@ -1418,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
27909 {
27910 struct hvcs_struct *hvcsd = tty->driver_data;
27911
27912 - if (!hvcsd || hvcsd->open_count <= 0)
27913 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
27914 return 0;
27915
27916 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
27917 diff -urNp linux-2.6.32.46/drivers/char/hvc_udbg.c linux-2.6.32.46/drivers/char/hvc_udbg.c
27918 --- linux-2.6.32.46/drivers/char/hvc_udbg.c 2011-03-27 14:31:47.000000000 -0400
27919 +++ linux-2.6.32.46/drivers/char/hvc_udbg.c 2011-04-17 15:56:46.000000000 -0400
27920 @@ -58,7 +58,7 @@ static int hvc_udbg_get(uint32_t vtermno
27921 return i;
27922 }
27923
27924 -static struct hv_ops hvc_udbg_ops = {
27925 +static const struct hv_ops hvc_udbg_ops = {
27926 .get_chars = hvc_udbg_get,
27927 .put_chars = hvc_udbg_put,
27928 };
27929 diff -urNp linux-2.6.32.46/drivers/char/hvc_vio.c linux-2.6.32.46/drivers/char/hvc_vio.c
27930 --- linux-2.6.32.46/drivers/char/hvc_vio.c 2011-03-27 14:31:47.000000000 -0400
27931 +++ linux-2.6.32.46/drivers/char/hvc_vio.c 2011-04-17 15:56:46.000000000 -0400
27932 @@ -77,7 +77,7 @@ static int filtered_get_chars(uint32_t v
27933 return got;
27934 }
27935
27936 -static struct hv_ops hvc_get_put_ops = {
27937 +static const struct hv_ops hvc_get_put_ops = {
27938 .get_chars = filtered_get_chars,
27939 .put_chars = hvc_put_chars,
27940 .notifier_add = notifier_add_irq,
27941 diff -urNp linux-2.6.32.46/drivers/char/hvc_xen.c linux-2.6.32.46/drivers/char/hvc_xen.c
27942 --- linux-2.6.32.46/drivers/char/hvc_xen.c 2011-03-27 14:31:47.000000000 -0400
27943 +++ linux-2.6.32.46/drivers/char/hvc_xen.c 2011-04-17 15:56:46.000000000 -0400
27944 @@ -120,7 +120,7 @@ static int read_console(uint32_t vtermno
27945 return recv;
27946 }
27947
27948 -static struct hv_ops hvc_ops = {
27949 +static const struct hv_ops hvc_ops = {
27950 .get_chars = read_console,
27951 .put_chars = write_console,
27952 .notifier_add = notifier_add_irq,
27953 diff -urNp linux-2.6.32.46/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.32.46/drivers/char/ipmi/ipmi_msghandler.c
27954 --- linux-2.6.32.46/drivers/char/ipmi/ipmi_msghandler.c 2011-03-27 14:31:47.000000000 -0400
27955 +++ linux-2.6.32.46/drivers/char/ipmi/ipmi_msghandler.c 2011-05-16 21:46:57.000000000 -0400
27956 @@ -414,7 +414,7 @@ struct ipmi_smi {
27957 struct proc_dir_entry *proc_dir;
27958 char proc_dir_name[10];
27959
27960 - atomic_t stats[IPMI_NUM_STATS];
27961 + atomic_unchecked_t stats[IPMI_NUM_STATS];
27962
27963 /*
27964 * run_to_completion duplicate of smb_info, smi_info
27965 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
27966
27967
27968 #define ipmi_inc_stat(intf, stat) \
27969 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
27970 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
27971 #define ipmi_get_stat(intf, stat) \
27972 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
27973 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
27974
27975 static int is_lan_addr(struct ipmi_addr *addr)
27976 {
27977 @@ -2808,7 +2808,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
27978 INIT_LIST_HEAD(&intf->cmd_rcvrs);
27979 init_waitqueue_head(&intf->waitq);
27980 for (i = 0; i < IPMI_NUM_STATS; i++)
27981 - atomic_set(&intf->stats[i], 0);
27982 + atomic_set_unchecked(&intf->stats[i], 0);
27983
27984 intf->proc_dir = NULL;
27985
27986 @@ -4160,6 +4160,8 @@ static void send_panic_events(char *str)
27987 struct ipmi_smi_msg smi_msg;
27988 struct ipmi_recv_msg recv_msg;
27989
27990 + pax_track_stack();
27991 +
27992 si = (struct ipmi_system_interface_addr *) &addr;
27993 si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
27994 si->channel = IPMI_BMC_CHANNEL;
27995 diff -urNp linux-2.6.32.46/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.32.46/drivers/char/ipmi/ipmi_si_intf.c
27996 --- linux-2.6.32.46/drivers/char/ipmi/ipmi_si_intf.c 2011-03-27 14:31:47.000000000 -0400
27997 +++ linux-2.6.32.46/drivers/char/ipmi/ipmi_si_intf.c 2011-04-17 15:56:46.000000000 -0400
27998 @@ -277,7 +277,7 @@ struct smi_info {
27999 unsigned char slave_addr;
28000
28001 /* Counters and things for the proc filesystem. */
28002 - atomic_t stats[SI_NUM_STATS];
28003 + atomic_unchecked_t stats[SI_NUM_STATS];
28004
28005 struct task_struct *thread;
28006
28007 @@ -285,9 +285,9 @@ struct smi_info {
28008 };
28009
28010 #define smi_inc_stat(smi, stat) \
28011 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
28012 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
28013 #define smi_get_stat(smi, stat) \
28014 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
28015 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
28016
28017 #define SI_MAX_PARMS 4
28018
28019 @@ -2931,7 +2931,7 @@ static int try_smi_init(struct smi_info
28020 atomic_set(&new_smi->req_events, 0);
28021 new_smi->run_to_completion = 0;
28022 for (i = 0; i < SI_NUM_STATS; i++)
28023 - atomic_set(&new_smi->stats[i], 0);
28024 + atomic_set_unchecked(&new_smi->stats[i], 0);
28025
28026 new_smi->interrupt_disabled = 0;
28027 atomic_set(&new_smi->stop_operation, 0);
28028 diff -urNp linux-2.6.32.46/drivers/char/istallion.c linux-2.6.32.46/drivers/char/istallion.c
28029 --- linux-2.6.32.46/drivers/char/istallion.c 2011-03-27 14:31:47.000000000 -0400
28030 +++ linux-2.6.32.46/drivers/char/istallion.c 2011-05-16 21:46:57.000000000 -0400
28031 @@ -187,7 +187,6 @@ static struct ktermios stli_deftermios
28032 * re-used for each stats call.
28033 */
28034 static comstats_t stli_comstats;
28035 -static combrd_t stli_brdstats;
28036 static struct asystats stli_cdkstats;
28037
28038 /*****************************************************************************/
28039 @@ -4058,6 +4057,7 @@ static int stli_getbrdstats(combrd_t __u
28040 {
28041 struct stlibrd *brdp;
28042 unsigned int i;
28043 + combrd_t stli_brdstats;
28044
28045 if (copy_from_user(&stli_brdstats, bp, sizeof(combrd_t)))
28046 return -EFAULT;
28047 @@ -4269,6 +4269,8 @@ static int stli_getportstruct(struct stl
28048 struct stliport stli_dummyport;
28049 struct stliport *portp;
28050
28051 + pax_track_stack();
28052 +
28053 if (copy_from_user(&stli_dummyport, arg, sizeof(struct stliport)))
28054 return -EFAULT;
28055 portp = stli_getport(stli_dummyport.brdnr, stli_dummyport.panelnr,
28056 @@ -4291,6 +4293,8 @@ static int stli_getbrdstruct(struct stli
28057 struct stlibrd stli_dummybrd;
28058 struct stlibrd *brdp;
28059
28060 + pax_track_stack();
28061 +
28062 if (copy_from_user(&stli_dummybrd, arg, sizeof(struct stlibrd)))
28063 return -EFAULT;
28064 if (stli_dummybrd.brdnr >= STL_MAXBRDS)
28065 diff -urNp linux-2.6.32.46/drivers/char/Kconfig linux-2.6.32.46/drivers/char/Kconfig
28066 --- linux-2.6.32.46/drivers/char/Kconfig 2011-03-27 14:31:47.000000000 -0400
28067 +++ linux-2.6.32.46/drivers/char/Kconfig 2011-04-18 19:20:15.000000000 -0400
28068 @@ -90,7 +90,8 @@ config VT_HW_CONSOLE_BINDING
28069
28070 config DEVKMEM
28071 bool "/dev/kmem virtual device support"
28072 - default y
28073 + default n
28074 + depends on !GRKERNSEC_KMEM
28075 help
28076 Say Y here if you want to support the /dev/kmem device. The
28077 /dev/kmem device is rarely used, but can be used for certain
28078 @@ -1114,6 +1115,7 @@ config DEVPORT
28079 bool
28080 depends on !M68K
28081 depends on ISA || PCI
28082 + depends on !GRKERNSEC_KMEM
28083 default y
28084
28085 source "drivers/s390/char/Kconfig"
28086 diff -urNp linux-2.6.32.46/drivers/char/keyboard.c linux-2.6.32.46/drivers/char/keyboard.c
28087 --- linux-2.6.32.46/drivers/char/keyboard.c 2011-03-27 14:31:47.000000000 -0400
28088 +++ linux-2.6.32.46/drivers/char/keyboard.c 2011-04-17 15:56:46.000000000 -0400
28089 @@ -635,6 +635,16 @@ static void k_spec(struct vc_data *vc, u
28090 kbd->kbdmode == VC_MEDIUMRAW) &&
28091 value != KVAL(K_SAK))
28092 return; /* SAK is allowed even in raw mode */
28093 +
28094 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
28095 + {
28096 + void *func = fn_handler[value];
28097 + if (func == fn_show_state || func == fn_show_ptregs ||
28098 + func == fn_show_mem)
28099 + return;
28100 + }
28101 +#endif
28102 +
28103 fn_handler[value](vc);
28104 }
28105
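Review bot: The block added to k_spec drops three handlers without a comment saying why, and it holds the handler in a `void *`, which discards the function-pointer type before the comparisons. A comment such as `/* keep task state, register and memory dumps off the console when /proc is restricted */` would record the intent; the wording is inferred from the two config symbols and should be confirmed. Declaring the local with the table's element type (`fn_handler_fn *func = fn_handler[value];` in mainline) keeps the comparisons type-checked. k_spec begins before the hunk, so whether `value` is range-checked before `fn_handler[value]` is not visible here.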
28106 @@ -1386,7 +1396,7 @@ static const struct input_device_id kbd_
28107 .evbit = { BIT_MASK(EV_SND) },
28108 },
28109
28110 - { }, /* Terminating entry */
28111 + { 0 }, /* Terminating entry */
28112 };
28113
28114 MODULE_DEVICE_TABLE(input, kbd_ids);
28115 diff -urNp linux-2.6.32.46/drivers/char/mem.c linux-2.6.32.46/drivers/char/mem.c
28116 --- linux-2.6.32.46/drivers/char/mem.c 2011-03-27 14:31:47.000000000 -0400
28117 +++ linux-2.6.32.46/drivers/char/mem.c 2011-04-17 15:56:46.000000000 -0400
28118 @@ -18,6 +18,7 @@
28119 #include <linux/raw.h>
28120 #include <linux/tty.h>
28121 #include <linux/capability.h>
28122 +#include <linux/security.h>
28123 #include <linux/ptrace.h>
28124 #include <linux/device.h>
28125 #include <linux/highmem.h>
28126 @@ -35,6 +36,10 @@
28127 # include <linux/efi.h>
28128 #endif
28129
28130 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
28131 +extern struct file_operations grsec_fops;
28132 +#endif
28133 +
28134 static inline unsigned long size_inside_page(unsigned long start,
28135 unsigned long size)
28136 {
28137 @@ -102,9 +107,13 @@ static inline int range_is_allowed(unsig
28138
28139 while (cursor < to) {
28140 if (!devmem_is_allowed(pfn)) {
28141 +#ifdef CONFIG_GRKERNSEC_KMEM
28142 + gr_handle_mem_readwrite(from, to);
28143 +#else
28144 printk(KERN_INFO
28145 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
28146 current->comm, from, to);
28147 +#endif
28148 return 0;
28149 }
28150 cursor += PAGE_SIZE;
28151 @@ -112,6 +121,11 @@ static inline int range_is_allowed(unsig
28152 }
28153 return 1;
28154 }
28155 +#elif defined(CONFIG_GRKERNSEC_KMEM)
28156 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
28157 +{
28158 + return 0;
28159 +}
28160 #else
28161 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
28162 {
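Review bot: The `CONFIG_GRKERNSEC_KMEM` stub of range_is_allowed returns 0 without reporting anything, whereas the variant patched in the previous hunk calls `gr_handle_mem_readwrite(from, to)` when it refuses a range, so a denied /dev/mem access is logged in one configuration and silent in the other. If that is intended, a comment above the stub such as `/* GRKERNSEC_KMEM without the preceding #if branch: refuse every range, nothing is logged here */` would make it explicit. The `#if` that this `#elif` belongs to is outside the hunk.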
28163 @@ -155,6 +169,8 @@ static ssize_t read_mem(struct file * fi
28164 #endif
28165
28166 while (count > 0) {
28167 + char *temp;
28168 +
28169 /*
28170 * Handle first page in case it's not aligned
28171 */
28172 @@ -177,11 +193,31 @@ static ssize_t read_mem(struct file * fi
28173 if (!ptr)
28174 return -EFAULT;
28175
28176 - if (copy_to_user(buf, ptr, sz)) {
28177 +#ifdef CONFIG_PAX_USERCOPY
28178 + temp = kmalloc(sz, GFP_KERNEL);
28179 + if (!temp) {
28180 + unxlate_dev_mem_ptr(p, ptr);
28181 + return -ENOMEM;
28182 + }
28183 + memcpy(temp, ptr, sz);
28184 +#else
28185 + temp = ptr;
28186 +#endif
28187 +
28188 + if (copy_to_user(buf, temp, sz)) {
28189 +
28190 +#ifdef CONFIG_PAX_USERCOPY
28191 + kfree(temp);
28192 +#endif
28193 +
28194 unxlate_dev_mem_ptr(p, ptr);
28195 return -EFAULT;
28196 }
28197
28198 +#ifdef CONFIG_PAX_USERCOPY
28199 + kfree(temp);
28200 +#endif
28201 +
28202 unxlate_dev_mem_ptr(p, ptr);
28203
28204 buf += sz;
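Review bot: The bounce buffer in read_mem is freed in two separate `#ifdef CONFIG_PAX_USERCOPY` blocks, once on the copy_to_user() failure path and once after it, and `unxlate_dev_mem_ptr(p, ptr)` is duplicated the same way. read_kmem in this same file stores the result first (`err = copy_to_user(buf, temp, sz);`), frees once and then tests it; using that shape here would leave a single `kfree(temp)` and a single unxlate call, which makes a leak on a future early return less likely. A one-line comment above the `kmalloc` stating why the data is copied through `temp` before going to user space would also help. The loop continues past the end of this hunk.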
28205 @@ -419,9 +455,8 @@ static ssize_t read_kmem(struct file *fi
28206 size_t count, loff_t *ppos)
28207 {
28208 unsigned long p = *ppos;
28209 - ssize_t low_count, read, sz;
28210 + ssize_t low_count, read, sz, err = 0;
28211 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
28212 - int err = 0;
28213
28214 read = 0;
28215 if (p < (unsigned long) high_memory) {
28216 @@ -444,6 +479,8 @@ static ssize_t read_kmem(struct file *fi
28217 }
28218 #endif
28219 while (low_count > 0) {
28220 + char *temp;
28221 +
28222 sz = size_inside_page(p, low_count);
28223
28224 /*
28225 @@ -453,7 +490,22 @@ static ssize_t read_kmem(struct file *fi
28226 */
28227 kbuf = xlate_dev_kmem_ptr((char *)p);
28228
28229 - if (copy_to_user(buf, kbuf, sz))
28230 +#ifdef CONFIG_PAX_USERCOPY
28231 + temp = kmalloc(sz, GFP_KERNEL);
28232 + if (!temp)
28233 + return -ENOMEM;
28234 + memcpy(temp, kbuf, sz);
28235 +#else
28236 + temp = kbuf;
28237 +#endif
28238 +
28239 + err = copy_to_user(buf, temp, sz);
28240 +
28241 +#ifdef CONFIG_PAX_USERCOPY
28242 + kfree(temp);
28243 +#endif
28244 +
28245 + if (err)
28246 return -EFAULT;
28247 buf += sz;
28248 p += sz;
28249 @@ -889,6 +941,9 @@ static const struct memdev {
28250 #ifdef CONFIG_CRASH_DUMP
28251 [12] = { "oldmem", 0, &oldmem_fops, NULL },
28252 #endif
28253 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
28254 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
28255 +#endif
28256 };
28257
28258 static int memory_open(struct inode *inode, struct file *filp)
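Review bot: The new `[13]` entry creates the node with mode `S_IRUSR | S_IWUGO`, i.e. writable by every user, and nothing next to it explains that choice. The entry's safety rests entirely on what the `grsec_fops` handlers accept, and those are defined outside this file, so a comment would help the next reader: `/* world-writable on purpose; grsec_fops must authenticate and bound every write */` (wording to be confirmed against that handler). The `extern struct file_operations grsec_fops;` added near the top of mem.c would be better placed in a shared header, so that declaration and definition cannot drift apart.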
28259 diff -urNp linux-2.6.32.46/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.32.46/drivers/char/pcmcia/ipwireless/tty.c
28260 --- linux-2.6.32.46/drivers/char/pcmcia/ipwireless/tty.c 2011-03-27 14:31:47.000000000 -0400
28261 +++ linux-2.6.32.46/drivers/char/pcmcia/ipwireless/tty.c 2011-04-17 15:56:46.000000000 -0400
28262 @@ -29,6 +29,7 @@
28263 #include <linux/tty_driver.h>
28264 #include <linux/tty_flip.h>
28265 #include <linux/uaccess.h>
28266 +#include <asm/local.h>
28267
28268 #include "tty.h"
28269 #include "network.h"
28270 @@ -51,7 +52,7 @@ struct ipw_tty {
28271 int tty_type;
28272 struct ipw_network *network;
28273 struct tty_struct *linux_tty;
28274 - int open_count;
28275 + local_t open_count;
28276 unsigned int control_lines;
28277 struct mutex ipw_tty_mutex;
28278 int tx_bytes_queued;
28279 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
28280 mutex_unlock(&tty->ipw_tty_mutex);
28281 return -ENODEV;
28282 }
28283 - if (tty->open_count == 0)
28284 + if (local_read(&tty->open_count) == 0)
28285 tty->tx_bytes_queued = 0;
28286
28287 - tty->open_count++;
28288 + local_inc(&tty->open_count);
28289
28290 tty->linux_tty = linux_tty;
28291 linux_tty->driver_data = tty;
28292 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
28293
28294 static void do_ipw_close(struct ipw_tty *tty)
28295 {
28296 - tty->open_count--;
28297 -
28298 - if (tty->open_count == 0) {
28299 + if (local_dec_return(&tty->open_count) == 0) {
28300 struct tty_struct *linux_tty = tty->linux_tty;
28301
28302 if (linux_tty != NULL) {
28303 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
28304 return;
28305
28306 mutex_lock(&tty->ipw_tty_mutex);
28307 - if (tty->open_count == 0) {
28308 + if (local_read(&tty->open_count) == 0) {
28309 mutex_unlock(&tty->ipw_tty_mutex);
28310 return;
28311 }
28312 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
28313 return;
28314 }
28315
28316 - if (!tty->open_count) {
28317 + if (!local_read(&tty->open_count)) {
28318 mutex_unlock(&tty->ipw_tty_mutex);
28319 return;
28320 }
28321 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
28322 return -ENODEV;
28323
28324 mutex_lock(&tty->ipw_tty_mutex);
28325 - if (!tty->open_count) {
28326 + if (!local_read(&tty->open_count)) {
28327 mutex_unlock(&tty->ipw_tty_mutex);
28328 return -EINVAL;
28329 }
28330 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
28331 if (!tty)
28332 return -ENODEV;
28333
28334 - if (!tty->open_count)
28335 + if (!local_read(&tty->open_count))
28336 return -EINVAL;
28337
28338 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
28339 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
28340 if (!tty)
28341 return 0;
28342
28343 - if (!tty->open_count)
28344 + if (!local_read(&tty->open_count))
28345 return 0;
28346
28347 return tty->tx_bytes_queued;
28348 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
28349 if (!tty)
28350 return -ENODEV;
28351
28352 - if (!tty->open_count)
28353 + if (!local_read(&tty->open_count))
28354 return -EINVAL;
28355
28356 return get_control_lines(tty);
28357 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
28358 if (!tty)
28359 return -ENODEV;
28360
28361 - if (!tty->open_count)
28362 + if (!local_read(&tty->open_count))
28363 return -EINVAL;
28364
28365 return set_control_lines(tty, set, clear);
28366 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
28367 if (!tty)
28368 return -ENODEV;
28369
28370 - if (!tty->open_count)
28371 + if (!local_read(&tty->open_count))
28372 return -EINVAL;
28373
28374 /* FIXME: Exactly how is the tty object locked here .. */
28375 @@ -591,7 +590,7 @@ void ipwireless_tty_free(struct ipw_tty
28376 against a parallel ioctl etc */
28377 mutex_lock(&ttyj->ipw_tty_mutex);
28378 }
28379 - while (ttyj->open_count)
28380 + while (local_read(&ttyj->open_count))
28381 do_ipw_close(ttyj);
28382 ipwireless_disassociate_network_ttys(network,
28383 ttyj->channel_idx);
28384 diff -urNp linux-2.6.32.46/drivers/char/pty.c linux-2.6.32.46/drivers/char/pty.c
28385 --- linux-2.6.32.46/drivers/char/pty.c 2011-03-27 14:31:47.000000000 -0400
28386 +++ linux-2.6.32.46/drivers/char/pty.c 2011-08-05 20:33:55.000000000 -0400
28387 @@ -736,8 +736,10 @@ static void __init unix98_pty_init(void)
28388 register_sysctl_table(pty_root_table);
28389
28390 /* Now create the /dev/ptmx special device */
28391 + pax_open_kernel();
28392 tty_default_fops(&ptmx_fops);
28393 - ptmx_fops.open = ptmx_open;
28394 + *(void **)&ptmx_fops.open = ptmx_open;
28395 + pax_close_kernel();
28396
28397 cdev_init(&ptmx_cdev, &ptmx_fops);
28398 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
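Review bot: The assignment `*(void **)&ptmx_fops.open = ptmx_open;` goes through a `void **` cast, so the compiler no longer checks that `ptmx_open` matches the signature of the `.open` member, and the reason for the `pax_open_kernel()`/`pax_close_kernel()` bracket is not stated. A comment such as `/* ptmx_fops is presumably read-only under this patch; write it only inside the open/close window */` would document it, hedged because the object's declaration is outside the hunk. The same cast pattern is used in both virtio_console.c hunks (virtio_cons_early_init and virtcons_probe); a small typed helper would keep the type check in all three places.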
28399 diff -urNp linux-2.6.32.46/drivers/char/random.c linux-2.6.32.46/drivers/char/random.c
28400 --- linux-2.6.32.46/drivers/char/random.c 2011-08-16 20:37:25.000000000 -0400
28401 +++ linux-2.6.32.46/drivers/char/random.c 2011-08-16 20:43:23.000000000 -0400
28402 @@ -254,8 +254,13 @@
28403 /*
28404 * Configuration information
28405 */
28406 +#ifdef CONFIG_GRKERNSEC_RANDNET
28407 +#define INPUT_POOL_WORDS 512
28408 +#define OUTPUT_POOL_WORDS 128
28409 +#else
28410 #define INPUT_POOL_WORDS 128
28411 #define OUTPUT_POOL_WORDS 32
28412 +#endif
28413 #define SEC_XFER_SIZE 512
28414
28415 /*
28416 @@ -292,10 +297,17 @@ static struct poolinfo {
28417 int poolwords;
28418 int tap1, tap2, tap3, tap4, tap5;
28419 } poolinfo_table[] = {
28420 +#ifdef CONFIG_GRKERNSEC_RANDNET
28421 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
28422 + { 512, 411, 308, 208, 104, 1 },
28423 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
28424 + { 128, 103, 76, 51, 25, 1 },
28425 +#else
28426 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
28427 { 128, 103, 76, 51, 25, 1 },
28428 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
28429 { 32, 26, 20, 14, 7, 1 },
28430 +#endif
28431 #if 0
28432 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
28433 { 2048, 1638, 1231, 819, 411, 1 },
28434 @@ -1209,7 +1221,7 @@ EXPORT_SYMBOL(generate_random_uuid);
28435 #include <linux/sysctl.h>
28436
28437 static int min_read_thresh = 8, min_write_thresh;
28438 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
28439 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
28440 static int max_write_thresh = INPUT_POOL_WORDS * 32;
28441 static char sysctl_bootid[16];
28442
28443 diff -urNp linux-2.6.32.46/drivers/char/rocket.c linux-2.6.32.46/drivers/char/rocket.c
28444 --- linux-2.6.32.46/drivers/char/rocket.c 2011-03-27 14:31:47.000000000 -0400
28445 +++ linux-2.6.32.46/drivers/char/rocket.c 2011-05-16 21:46:57.000000000 -0400
28446 @@ -1266,6 +1266,8 @@ static int get_ports(struct r_port *info
28447 struct rocket_ports tmp;
28448 int board;
28449
28450 + pax_track_stack();
28451 +
28452 if (!retports)
28453 return -EFAULT;
28454 memset(&tmp, 0, sizeof (tmp));
28455 diff -urNp linux-2.6.32.46/drivers/char/sonypi.c linux-2.6.32.46/drivers/char/sonypi.c
28456 --- linux-2.6.32.46/drivers/char/sonypi.c 2011-03-27 14:31:47.000000000 -0400
28457 +++ linux-2.6.32.46/drivers/char/sonypi.c 2011-04-17 15:56:46.000000000 -0400
28458 @@ -55,6 +55,7 @@
28459 #include <asm/uaccess.h>
28460 #include <asm/io.h>
28461 #include <asm/system.h>
28462 +#include <asm/local.h>
28463
28464 #include <linux/sonypi.h>
28465
28466 @@ -491,7 +492,7 @@ static struct sonypi_device {
28467 spinlock_t fifo_lock;
28468 wait_queue_head_t fifo_proc_list;
28469 struct fasync_struct *fifo_async;
28470 - int open_count;
28471 + local_t open_count;
28472 int model;
28473 struct input_dev *input_jog_dev;
28474 struct input_dev *input_key_dev;
28475 @@ -895,7 +896,7 @@ static int sonypi_misc_fasync(int fd, st
28476 static int sonypi_misc_release(struct inode *inode, struct file *file)
28477 {
28478 mutex_lock(&sonypi_device.lock);
28479 - sonypi_device.open_count--;
28480 + local_dec(&sonypi_device.open_count);
28481 mutex_unlock(&sonypi_device.lock);
28482 return 0;
28483 }
28484 @@ -905,9 +906,9 @@ static int sonypi_misc_open(struct inode
28485 lock_kernel();
28486 mutex_lock(&sonypi_device.lock);
28487 /* Flush input queue on first open */
28488 - if (!sonypi_device.open_count)
28489 + if (!local_read(&sonypi_device.open_count))
28490 kfifo_reset(sonypi_device.fifo);
28491 - sonypi_device.open_count++;
28492 + local_inc(&sonypi_device.open_count);
28493 mutex_unlock(&sonypi_device.lock);
28494 unlock_kernel();
28495 return 0;
28496 diff -urNp linux-2.6.32.46/drivers/char/stallion.c linux-2.6.32.46/drivers/char/stallion.c
28497 --- linux-2.6.32.46/drivers/char/stallion.c 2011-03-27 14:31:47.000000000 -0400
28498 +++ linux-2.6.32.46/drivers/char/stallion.c 2011-05-16 21:46:57.000000000 -0400
28499 @@ -2448,6 +2448,8 @@ static int stl_getportstruct(struct stlp
28500 struct stlport stl_dummyport;
28501 struct stlport *portp;
28502
28503 + pax_track_stack();
28504 +
28505 if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
28506 return -EFAULT;
28507 portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
28508 diff -urNp linux-2.6.32.46/drivers/char/tpm/tpm_bios.c linux-2.6.32.46/drivers/char/tpm/tpm_bios.c
28509 --- linux-2.6.32.46/drivers/char/tpm/tpm_bios.c 2011-03-27 14:31:47.000000000 -0400
28510 +++ linux-2.6.32.46/drivers/char/tpm/tpm_bios.c 2011-04-17 15:56:46.000000000 -0400
28511 @@ -172,7 +172,7 @@ static void *tpm_bios_measurements_start
28512 event = addr;
28513
28514 if ((event->event_type == 0 && event->event_size == 0) ||
28515 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
28516 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
28517 return NULL;
28518
28519 return addr;
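Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` is only sound while `limit - addr` is at least `sizeof(struct tcpa_event)`; if it is smaller, the unsigned subtraction wraps to a very large value and an oversized `event_size` is accepted. The function starts before this hunk, so whether an earlier check guarantees this is not visible here. If one does, a comment such as `/* header already known to fit below limit, so the subtraction cannot wrap */` should say so next to the test. The same applies to the `limit - v - sizeof(struct tcpa_event)` comparison in tpm_bios_measurements_next.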
28520 @@ -197,7 +197,7 @@ static void *tpm_bios_measurements_next(
28521 return NULL;
28522
28523 if ((event->event_type == 0 && event->event_size == 0) ||
28524 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
28525 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
28526 return NULL;
28527
28528 (*pos)++;
28529 @@ -290,7 +290,8 @@ static int tpm_binary_bios_measurements_
28530 int i;
28531
28532 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
28533 - seq_putc(m, data[i]);
28534 + if (!seq_putc(m, data[i]))
28535 + return -EFAULT;
28536
28537 return 0;
28538 }
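Review bot: The test `if (!seq_putc(m, data[i])) return -EFAULT;` looks inverted: in mainline kernels of this series seq_putc() returns 0 when the byte was stored and -1 when the buffer is full, so this would return -EFAULT after the first byte that is written successfully. Unless the patch changes seq_putc() elsewhere, the condition should be `if (seq_putc(m, data[i]))`. It is also worth confirming that failing the show callback on a full buffer is wanted, since the seq_file core normally retries with a larger buffer. The function begins before the hunk.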
28539 @@ -409,6 +410,11 @@ static int read_log(struct tpm_bios_log
28540 log->bios_event_log_end = log->bios_event_log + len;
28541
28542 virt = acpi_os_map_memory(start, len);
28543 + if (!virt) {
28544 + kfree(log->bios_event_log);
28545 + log->bios_event_log = NULL;
28546 + return -EFAULT;
28547 + }
28548
28549 memcpy(log->bios_event_log, virt, len);
28550
28551 diff -urNp linux-2.6.32.46/drivers/char/tpm/tpm.c linux-2.6.32.46/drivers/char/tpm/tpm.c
28552 --- linux-2.6.32.46/drivers/char/tpm/tpm.c 2011-04-17 17:00:52.000000000 -0400
28553 +++ linux-2.6.32.46/drivers/char/tpm/tpm.c 2011-05-16 21:46:57.000000000 -0400
28554 @@ -402,7 +402,7 @@ static ssize_t tpm_transmit(struct tpm_c
28555 chip->vendor.req_complete_val)
28556 goto out_recv;
28557
28558 - if ((status == chip->vendor.req_canceled)) {
28559 + if (status == chip->vendor.req_canceled) {
28560 dev_err(chip->dev, "Operation Canceled\n");
28561 rc = -ECANCELED;
28562 goto out;
28563 @@ -821,6 +821,8 @@ ssize_t tpm_show_pubek(struct device *de
28564
28565 struct tpm_chip *chip = dev_get_drvdata(dev);
28566
28567 + pax_track_stack();
28568 +
28569 tpm_cmd.header.in = tpm_readpubek_header;
28570 err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
28571 "attempting to read the PUBEK");
28572 diff -urNp linux-2.6.32.46/drivers/char/tty_io.c linux-2.6.32.46/drivers/char/tty_io.c
28573 --- linux-2.6.32.46/drivers/char/tty_io.c 2011-03-27 14:31:47.000000000 -0400
28574 +++ linux-2.6.32.46/drivers/char/tty_io.c 2011-08-05 20:33:55.000000000 -0400
28575 @@ -2582,8 +2582,10 @@ long tty_ioctl(struct file *file, unsign
28576 return retval;
28577 }
28578
28579 +EXPORT_SYMBOL(tty_ioctl);
28580 +
28581 #ifdef CONFIG_COMPAT
28582 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
28583 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
28584 unsigned long arg)
28585 {
28586 struct inode *inode = file->f_dentry->d_inode;
28587 @@ -2607,6 +2609,8 @@ static long tty_compat_ioctl(struct file
28588
28589 return retval;
28590 }
28591 +
28592 +EXPORT_SYMBOL(tty_compat_ioctl);
28593 #endif
28594
28595 /*
28596 @@ -3052,7 +3056,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
28597
28598 void tty_default_fops(struct file_operations *fops)
28599 {
28600 - *fops = tty_fops;
28601 + memcpy((void *)fops, &tty_fops, sizeof(tty_fops));
28602 }
28603
28604 /*
28605 diff -urNp linux-2.6.32.46/drivers/char/tty_ldisc.c linux-2.6.32.46/drivers/char/tty_ldisc.c
28606 --- linux-2.6.32.46/drivers/char/tty_ldisc.c 2011-07-13 17:23:04.000000000 -0400
28607 +++ linux-2.6.32.46/drivers/char/tty_ldisc.c 2011-07-13 17:23:18.000000000 -0400
28608 @@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
28609 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
28610 struct tty_ldisc_ops *ldo = ld->ops;
28611
28612 - ldo->refcount--;
28613 + atomic_dec(&ldo->refcount);
28614 module_put(ldo->owner);
28615 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28616
28617 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
28618 spin_lock_irqsave(&tty_ldisc_lock, flags);
28619 tty_ldiscs[disc] = new_ldisc;
28620 new_ldisc->num = disc;
28621 - new_ldisc->refcount = 0;
28622 + atomic_set(&new_ldisc->refcount, 0);
28623 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28624
28625 return ret;
28626 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
28627 return -EINVAL;
28628
28629 spin_lock_irqsave(&tty_ldisc_lock, flags);
28630 - if (tty_ldiscs[disc]->refcount)
28631 + if (atomic_read(&tty_ldiscs[disc]->refcount))
28632 ret = -EBUSY;
28633 else
28634 tty_ldiscs[disc] = NULL;
28635 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
28636 if (ldops) {
28637 ret = ERR_PTR(-EAGAIN);
28638 if (try_module_get(ldops->owner)) {
28639 - ldops->refcount++;
28640 + atomic_inc(&ldops->refcount);
28641 ret = ldops;
28642 }
28643 }
28644 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
28645 unsigned long flags;
28646
28647 spin_lock_irqsave(&tty_ldisc_lock, flags);
28648 - ldops->refcount--;
28649 + atomic_dec(&ldops->refcount);
28650 module_put(ldops->owner);
28651 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28652 }
28653 diff -urNp linux-2.6.32.46/drivers/char/virtio_console.c linux-2.6.32.46/drivers/char/virtio_console.c
28654 --- linux-2.6.32.46/drivers/char/virtio_console.c 2011-03-27 14:31:47.000000000 -0400
28655 +++ linux-2.6.32.46/drivers/char/virtio_console.c 2011-08-05 20:33:55.000000000 -0400
28656 @@ -133,7 +133,9 @@ static int get_chars(u32 vtermno, char *
28657 * virtqueue, so we let the drivers do some boutique early-output thing. */
28658 int __init virtio_cons_early_init(int (*put_chars)(u32, const char *, int))
28659 {
28660 - virtio_cons.put_chars = put_chars;
28661 + pax_open_kernel();
28662 + *(void **)&virtio_cons.put_chars = put_chars;
28663 + pax_close_kernel();
28664 return hvc_instantiate(0, 0, &virtio_cons);
28665 }
28666
28667 @@ -213,11 +215,13 @@ static int __devinit virtcons_probe(stru
28668 out_vq = vqs[1];
28669
28670 /* Start using the new console output. */
28671 - virtio_cons.get_chars = get_chars;
28672 - virtio_cons.put_chars = put_chars;
28673 - virtio_cons.notifier_add = notifier_add_vio;
28674 - virtio_cons.notifier_del = notifier_del_vio;
28675 - virtio_cons.notifier_hangup = notifier_del_vio;
28676 + pax_open_kernel();
28677 + *(void **)&virtio_cons.get_chars = get_chars;
28678 + *(void **)&virtio_cons.put_chars = put_chars;
28679 + *(void **)&virtio_cons.notifier_add = notifier_add_vio;
28680 + *(void **)&virtio_cons.notifier_del = notifier_del_vio;
28681 + *(void **)&virtio_cons.notifier_hangup = notifier_del_vio;
28682 + pax_close_kernel();
28683
28684 /* The first argument of hvc_alloc() is the virtual console number, so
28685 * we use zero. The second argument is the parameter for the
28686 diff -urNp linux-2.6.32.46/drivers/char/vt.c linux-2.6.32.46/drivers/char/vt.c
28687 --- linux-2.6.32.46/drivers/char/vt.c 2011-03-27 14:31:47.000000000 -0400
28688 +++ linux-2.6.32.46/drivers/char/vt.c 2011-04-17 15:56:46.000000000 -0400
28689 @@ -243,7 +243,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
28690
28691 static void notify_write(struct vc_data *vc, unsigned int unicode)
28692 {
28693 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
28694 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
28695 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
28696 }
28697
28698 diff -urNp linux-2.6.32.46/drivers/char/vt_ioctl.c linux-2.6.32.46/drivers/char/vt_ioctl.c
28699 --- linux-2.6.32.46/drivers/char/vt_ioctl.c 2011-03-27 14:31:47.000000000 -0400
28700 +++ linux-2.6.32.46/drivers/char/vt_ioctl.c 2011-04-17 15:56:46.000000000 -0400
28701 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
28702 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
28703 return -EFAULT;
28704
28705 - if (!capable(CAP_SYS_TTY_CONFIG))
28706 - perm = 0;
28707 -
28708 switch (cmd) {
28709 case KDGKBENT:
28710 key_map = key_maps[s];
28711 @@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
28712 val = (i ? K_HOLE : K_NOSUCHMAP);
28713 return put_user(val, &user_kbe->kb_value);
28714 case KDSKBENT:
28715 + if (!capable(CAP_SYS_TTY_CONFIG))
28716 + perm = 0;
28717 +
28718 if (!perm)
28719 return -EPERM;
28720 +
28721 if (!i && v == K_NOSUCHMAP) {
28722 /* deallocate map */
28723 key_map = key_maps[s];
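Review bot: In the `KDSKBENT` case the capability test now only feeds the `if (!perm)` directly below it, so the two statements can be written as one: `if (!perm || !capable(CAP_SYS_TTY_CONFIG)) return -EPERM;`. That form also skips the capable() call when `perm` is already 0. A one-line comment noting that the check was moved so that the read-only `KDGKBENT` path no longer queries the capability would record why it sits inside the case. The `KDSKBSENT` case in do_kdgkb_ioctl has the same shape, with `ret = -EPERM; goto reterr;` as its exit.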
28724 @@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
28725 int i, j, k;
28726 int ret;
28727
28728 - if (!capable(CAP_SYS_TTY_CONFIG))
28729 - perm = 0;
28730 -
28731 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
28732 if (!kbs) {
28733 ret = -ENOMEM;
28734 @@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
28735 kfree(kbs);
28736 return ((p && *p) ? -EOVERFLOW : 0);
28737 case KDSKBSENT:
28738 + if (!capable(CAP_SYS_TTY_CONFIG))
28739 + perm = 0;
28740 +
28741 if (!perm) {
28742 ret = -EPERM;
28743 goto reterr;
28744 diff -urNp linux-2.6.32.46/drivers/cpufreq/cpufreq.c linux-2.6.32.46/drivers/cpufreq/cpufreq.c
28745 --- linux-2.6.32.46/drivers/cpufreq/cpufreq.c 2011-06-25 12:55:34.000000000 -0400
28746 +++ linux-2.6.32.46/drivers/cpufreq/cpufreq.c 2011-06-25 12:56:37.000000000 -0400
28747 @@ -750,7 +750,7 @@ static void cpufreq_sysfs_release(struct
28748 complete(&policy->kobj_unregister);
28749 }
28750
28751 -static struct sysfs_ops sysfs_ops = {
28752 +static const struct sysfs_ops sysfs_ops = {
28753 .show = show,
28754 .store = store,
28755 };
28756 diff -urNp linux-2.6.32.46/drivers/cpuidle/sysfs.c linux-2.6.32.46/drivers/cpuidle/sysfs.c
28757 --- linux-2.6.32.46/drivers/cpuidle/sysfs.c 2011-03-27 14:31:47.000000000 -0400
28758 +++ linux-2.6.32.46/drivers/cpuidle/sysfs.c 2011-04-17 15:56:46.000000000 -0400
28759 @@ -191,7 +191,7 @@ static ssize_t cpuidle_store(struct kobj
28760 return ret;
28761 }
28762
28763 -static struct sysfs_ops cpuidle_sysfs_ops = {
28764 +static const struct sysfs_ops cpuidle_sysfs_ops = {
28765 .show = cpuidle_show,
28766 .store = cpuidle_store,
28767 };
28768 @@ -277,7 +277,7 @@ static ssize_t cpuidle_state_show(struct
28769 return ret;
28770 }
28771
28772 -static struct sysfs_ops cpuidle_state_sysfs_ops = {
28773 +static const struct sysfs_ops cpuidle_state_sysfs_ops = {
28774 .show = cpuidle_state_show,
28775 };
28776
28777 @@ -294,7 +294,7 @@ static struct kobj_type ktype_state_cpui
28778 .release = cpuidle_state_sysfs_release,
28779 };
28780
28781 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
28782 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
28783 {
28784 kobject_put(&device->kobjs[i]->kobj);
28785 wait_for_completion(&device->kobjs[i]->kobj_unregister);
28786 diff -urNp linux-2.6.32.46/drivers/crypto/hifn_795x.c linux-2.6.32.46/drivers/crypto/hifn_795x.c
28787 --- linux-2.6.32.46/drivers/crypto/hifn_795x.c 2011-03-27 14:31:47.000000000 -0400
28788 +++ linux-2.6.32.46/drivers/crypto/hifn_795x.c 2011-05-16 21:46:57.000000000 -0400
28789 @@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
28790 0xCA, 0x34, 0x2B, 0x2E};
28791 struct scatterlist sg;
28792
28793 + pax_track_stack();
28794 +
28795 memset(src, 0, sizeof(src));
28796 memset(ctx.key, 0, sizeof(ctx.key));
28797
28798 diff -urNp linux-2.6.32.46/drivers/crypto/padlock-aes.c linux-2.6.32.46/drivers/crypto/padlock-aes.c
28799 --- linux-2.6.32.46/drivers/crypto/padlock-aes.c 2011-03-27 14:31:47.000000000 -0400
28800 +++ linux-2.6.32.46/drivers/crypto/padlock-aes.c 2011-05-16 21:46:57.000000000 -0400
28801 @@ -108,6 +108,8 @@ static int aes_set_key(struct crypto_tfm
28802 struct crypto_aes_ctx gen_aes;
28803 int cpu;
28804
28805 + pax_track_stack();
28806 +
28807 if (key_len % 8) {
28808 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
28809 return -EINVAL;
28810 diff -urNp linux-2.6.32.46/drivers/dma/ioat/dma.c linux-2.6.32.46/drivers/dma/ioat/dma.c
28811 --- linux-2.6.32.46/drivers/dma/ioat/dma.c 2011-03-27 14:31:47.000000000 -0400
28812 +++ linux-2.6.32.46/drivers/dma/ioat/dma.c 2011-04-17 15:56:46.000000000 -0400
28813 @@ -1146,7 +1146,7 @@ ioat_attr_show(struct kobject *kobj, str
28814 return entry->show(&chan->common, page);
28815 }
28816
28817 -struct sysfs_ops ioat_sysfs_ops = {
28818 +const struct sysfs_ops ioat_sysfs_ops = {
28819 .show = ioat_attr_show,
28820 };
28821
28822 diff -urNp linux-2.6.32.46/drivers/dma/ioat/dma.h linux-2.6.32.46/drivers/dma/ioat/dma.h
28823 --- linux-2.6.32.46/drivers/dma/ioat/dma.h 2011-03-27 14:31:47.000000000 -0400
28824 +++ linux-2.6.32.46/drivers/dma/ioat/dma.h 2011-04-17 15:56:46.000000000 -0400
28825 @@ -347,7 +347,7 @@ bool ioat_cleanup_preamble(struct ioat_c
28826 unsigned long *phys_complete);
28827 void ioat_kobject_add(struct ioatdma_device *device, struct kobj_type *type);
28828 void ioat_kobject_del(struct ioatdma_device *device);
28829 -extern struct sysfs_ops ioat_sysfs_ops;
28830 +extern const struct sysfs_ops ioat_sysfs_ops;
28831 extern struct ioat_sysfs_entry ioat_version_attr;
28832 extern struct ioat_sysfs_entry ioat_cap_attr;
28833 #endif /* IOATDMA_H */
28834 diff -urNp linux-2.6.32.46/drivers/edac/edac_device_sysfs.c linux-2.6.32.46/drivers/edac/edac_device_sysfs.c
28835 --- linux-2.6.32.46/drivers/edac/edac_device_sysfs.c 2011-03-27 14:31:47.000000000 -0400
28836 +++ linux-2.6.32.46/drivers/edac/edac_device_sysfs.c 2011-04-17 15:56:46.000000000 -0400
28837 @@ -137,7 +137,7 @@ static ssize_t edac_dev_ctl_info_store(s
28838 }
28839
28840 /* edac_dev file operations for an 'ctl_info' */
28841 -static struct sysfs_ops device_ctl_info_ops = {
28842 +static const struct sysfs_ops device_ctl_info_ops = {
28843 .show = edac_dev_ctl_info_show,
28844 .store = edac_dev_ctl_info_store
28845 };
28846 @@ -373,7 +373,7 @@ static ssize_t edac_dev_instance_store(s
28847 }
28848
28849 /* edac_dev file operations for an 'instance' */
28850 -static struct sysfs_ops device_instance_ops = {
28851 +static const struct sysfs_ops device_instance_ops = {
28852 .show = edac_dev_instance_show,
28853 .store = edac_dev_instance_store
28854 };
28855 @@ -476,7 +476,7 @@ static ssize_t edac_dev_block_store(stru
28856 }
28857
28858 /* edac_dev file operations for a 'block' */
28859 -static struct sysfs_ops device_block_ops = {
28860 +static const struct sysfs_ops device_block_ops = {
28861 .show = edac_dev_block_show,
28862 .store = edac_dev_block_store
28863 };
28864 diff -urNp linux-2.6.32.46/drivers/edac/edac_mc_sysfs.c linux-2.6.32.46/drivers/edac/edac_mc_sysfs.c
28865 --- linux-2.6.32.46/drivers/edac/edac_mc_sysfs.c 2011-03-27 14:31:47.000000000 -0400
28866 +++ linux-2.6.32.46/drivers/edac/edac_mc_sysfs.c 2011-04-17 15:56:46.000000000 -0400
28867 @@ -245,7 +245,7 @@ static ssize_t csrowdev_store(struct kob
28868 return -EIO;
28869 }
28870
28871 -static struct sysfs_ops csrowfs_ops = {
28872 +static const struct sysfs_ops csrowfs_ops = {
28873 .show = csrowdev_show,
28874 .store = csrowdev_store
28875 };
28876 @@ -575,7 +575,7 @@ static ssize_t mcidev_store(struct kobje
28877 }
28878
28879 /* Intermediate show/store table */
28880 -static struct sysfs_ops mci_ops = {
28881 +static const struct sysfs_ops mci_ops = {
28882 .show = mcidev_show,
28883 .store = mcidev_store
28884 };
28885 diff -urNp linux-2.6.32.46/drivers/edac/edac_pci_sysfs.c linux-2.6.32.46/drivers/edac/edac_pci_sysfs.c
28886 --- linux-2.6.32.46/drivers/edac/edac_pci_sysfs.c 2011-03-27 14:31:47.000000000 -0400
28887 +++ linux-2.6.32.46/drivers/edac/edac_pci_sysfs.c 2011-05-04 17:56:20.000000000 -0400
28888 @@ -25,8 +25,8 @@ static int edac_pci_log_pe = 1; /* log
28889 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
28890 static int edac_pci_poll_msec = 1000; /* one second workq period */
28891
28892 -static atomic_t pci_parity_count = ATOMIC_INIT(0);
28893 -static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
28894 +static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
28895 +static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
28896
28897 static struct kobject *edac_pci_top_main_kobj;
28898 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
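Review bot: The switch of `pci_parity_count` and `pci_nonparity_count` to `atomic_unchecked_t` carries no comment explaining why wrap-around is acceptable for them, while `edac_pci_sysfs_refcount` directly below correctly stays `atomic_t`. The later hunks in this file only increment these counters and compare a before/after snapshot for inequality in edac_pci_do_parity_check(), so they look like event statistics rather than lifetime counts. A one-line comment above the two declarations would keep the distinction visible, e.g. `/* event statistics, not reference counts: wrap-around is harmless */`. Without it, a reader cannot tell a deliberate opt-out of overflow checking from an accidental one.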
28899 @@ -121,7 +121,7 @@ static ssize_t edac_pci_instance_store(s
28900 }
28901
28902 /* fs_ops table */
28903 -static struct sysfs_ops pci_instance_ops = {
28904 +static const struct sysfs_ops pci_instance_ops = {
28905 .show = edac_pci_instance_show,
28906 .store = edac_pci_instance_store
28907 };
28908 @@ -261,7 +261,7 @@ static ssize_t edac_pci_dev_store(struct
28909 return -EIO;
28910 }
28911
28912 -static struct sysfs_ops edac_pci_sysfs_ops = {
28913 +static const struct sysfs_ops edac_pci_sysfs_ops = {
28914 .show = edac_pci_dev_show,
28915 .store = edac_pci_dev_store
28916 };
28917 @@ -579,7 +579,7 @@ static void edac_pci_dev_parity_test(str
28918 edac_printk(KERN_CRIT, EDAC_PCI,
28919 "Signaled System Error on %s\n",
28920 pci_name(dev));
28921 - atomic_inc(&pci_nonparity_count);
28922 + atomic_inc_unchecked(&pci_nonparity_count);
28923 }
28924
28925 if (status & (PCI_STATUS_PARITY)) {
28926 @@ -587,7 +587,7 @@ static void edac_pci_dev_parity_test(str
28927 "Master Data Parity Error on %s\n",
28928 pci_name(dev));
28929
28930 - atomic_inc(&pci_parity_count);
28931 + atomic_inc_unchecked(&pci_parity_count);
28932 }
28933
28934 if (status & (PCI_STATUS_DETECTED_PARITY)) {
28935 @@ -595,7 +595,7 @@ static void edac_pci_dev_parity_test(str
28936 "Detected Parity Error on %s\n",
28937 pci_name(dev));
28938
28939 - atomic_inc(&pci_parity_count);
28940 + atomic_inc_unchecked(&pci_parity_count);
28941 }
28942 }
28943
28944 @@ -616,7 +616,7 @@ static void edac_pci_dev_parity_test(str
28945 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
28946 "Signaled System Error on %s\n",
28947 pci_name(dev));
28948 - atomic_inc(&pci_nonparity_count);
28949 + atomic_inc_unchecked(&pci_nonparity_count);
28950 }
28951
28952 if (status & (PCI_STATUS_PARITY)) {
28953 @@ -624,7 +624,7 @@ static void edac_pci_dev_parity_test(str
28954 "Master Data Parity Error on "
28955 "%s\n", pci_name(dev));
28956
28957 - atomic_inc(&pci_parity_count);
28958 + atomic_inc_unchecked(&pci_parity_count);
28959 }
28960
28961 if (status & (PCI_STATUS_DETECTED_PARITY)) {
28962 @@ -632,7 +632,7 @@ static void edac_pci_dev_parity_test(str
28963 "Detected Parity Error on %s\n",
28964 pci_name(dev));
28965
28966 - atomic_inc(&pci_parity_count);
28967 + atomic_inc_unchecked(&pci_parity_count);
28968 }
28969 }
28970 }
28971 @@ -674,7 +674,7 @@ void edac_pci_do_parity_check(void)
28972 if (!check_pci_errors)
28973 return;
28974
28975 - before_count = atomic_read(&pci_parity_count);
28976 + before_count = atomic_read_unchecked(&pci_parity_count);
28977
28978 /* scan all PCI devices looking for a Parity Error on devices and
28979 * bridges.
28980 @@ -686,7 +686,7 @@ void edac_pci_do_parity_check(void)
28981 /* Only if operator has selected panic on PCI Error */
28982 if (edac_pci_get_panic_on_pe()) {
28983 /* If the count is different 'after' from 'before' */
28984 - if (before_count != atomic_read(&pci_parity_count))
28985 + if (before_count != atomic_read_unchecked(&pci_parity_count))
28986 panic("EDAC: PCI Parity Error");
28987 }
28988 }
28989 diff -urNp linux-2.6.32.46/drivers/firewire/core-card.c linux-2.6.32.46/drivers/firewire/core-card.c
28990 --- linux-2.6.32.46/drivers/firewire/core-card.c 2011-03-27 14:31:47.000000000 -0400
28991 +++ linux-2.6.32.46/drivers/firewire/core-card.c 2011-08-23 21:22:32.000000000 -0400
28992 @@ -558,7 +558,7 @@ void fw_card_release(struct kref *kref)
28993
28994 void fw_core_remove_card(struct fw_card *card)
28995 {
28996 - struct fw_card_driver dummy_driver = dummy_driver_template;
28997 + fw_card_driver_no_const dummy_driver = dummy_driver_template;
28998
28999 card->driver->update_phy_reg(card, 4,
29000 PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
29001 diff -urNp linux-2.6.32.46/drivers/firewire/core-cdev.c linux-2.6.32.46/drivers/firewire/core-cdev.c
29002 --- linux-2.6.32.46/drivers/firewire/core-cdev.c 2011-03-27 14:31:47.000000000 -0400
29003 +++ linux-2.6.32.46/drivers/firewire/core-cdev.c 2011-04-17 15:56:46.000000000 -0400
29004 @@ -1141,8 +1141,7 @@ static int init_iso_resource(struct clie
29005 int ret;
29006
29007 if ((request->channels == 0 && request->bandwidth == 0) ||
29008 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
29009 - request->bandwidth < 0)
29010 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
29011 return -EINVAL;
29012
29013 r = kmalloc(sizeof(*r), GFP_KERNEL);
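Review bot: Dropping `request->bandwidth < 0` is only safe if `bandwidth` is an unsigned field, and its declaration is not visible in this hunk. If it is unsigned (it appears to be a `__u32` in the cdev ABI header, to be confirmed), the removed test was dead code and the remaining upper bound is the whole range check. I would note that next to the condition, e.g. `/* bandwidth is unsigned: the upper bound is the only range check needed */`. That way a future change of the field's type does not silently reopen the negative case. init_iso_resource() starts and ends outside the hunk.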
29014 diff -urNp linux-2.6.32.46/drivers/firewire/core.h linux-2.6.32.46/drivers/firewire/core.h
29015 --- linux-2.6.32.46/drivers/firewire/core.h 2011-03-27 14:31:47.000000000 -0400
29016 +++ linux-2.6.32.46/drivers/firewire/core.h 2011-08-23 20:24:26.000000000 -0400
29017 @@ -86,6 +86,7 @@ struct fw_card_driver {
29018
29019 int (*stop_iso)(struct fw_iso_context *ctx);
29020 };
29021 +typedef struct fw_card_driver __no_const fw_card_driver_no_const;
29022
29023 void fw_card_initialize(struct fw_card *card,
29024 const struct fw_card_driver *driver, struct device *device);
29025 diff -urNp linux-2.6.32.46/drivers/firewire/core-transaction.c linux-2.6.32.46/drivers/firewire/core-transaction.c
29026 --- linux-2.6.32.46/drivers/firewire/core-transaction.c 2011-03-27 14:31:47.000000000 -0400
29027 +++ linux-2.6.32.46/drivers/firewire/core-transaction.c 2011-05-16 21:46:57.000000000 -0400
29028 @@ -36,6 +36,7 @@
29029 #include <linux/string.h>
29030 #include <linux/timer.h>
29031 #include <linux/types.h>
29032 +#include <linux/sched.h>
29033
29034 #include <asm/byteorder.h>
29035
29036 @@ -344,6 +345,8 @@ int fw_run_transaction(struct fw_card *c
29037 struct transaction_callback_data d;
29038 struct fw_transaction t;
29039
29040 + pax_track_stack();
29041 +
29042 init_completion(&d.done);
29043 d.payload = payload;
29044 fw_send_request(card, &t, tcode, destination_id, generation, speed,
29045 diff -urNp linux-2.6.32.46/drivers/firmware/dmi_scan.c linux-2.6.32.46/drivers/firmware/dmi_scan.c
29046 --- linux-2.6.32.46/drivers/firmware/dmi_scan.c 2011-03-27 14:31:47.000000000 -0400
29047 +++ linux-2.6.32.46/drivers/firmware/dmi_scan.c 2011-04-17 15:56:46.000000000 -0400
29048 @@ -391,11 +391,6 @@ void __init dmi_scan_machine(void)
29049 }
29050 }
29051 else {
29052 - /*
29053 - * no iounmap() for that ioremap(); it would be a no-op, but
29054 - * it's so early in setup that sucker gets confused into doing
29055 - * what it shouldn't if we actually call it.
29056 - */
29057 p = dmi_ioremap(0xF0000, 0x10000);
29058 if (p == NULL)
29059 goto error;
29060 diff -urNp linux-2.6.32.46/drivers/firmware/edd.c linux-2.6.32.46/drivers/firmware/edd.c
29061 --- linux-2.6.32.46/drivers/firmware/edd.c 2011-03-27 14:31:47.000000000 -0400
29062 +++ linux-2.6.32.46/drivers/firmware/edd.c 2011-04-17 15:56:46.000000000 -0400
29063 @@ -122,7 +122,7 @@ edd_attr_show(struct kobject * kobj, str
29064 return ret;
29065 }
29066
29067 -static struct sysfs_ops edd_attr_ops = {
29068 +static const struct sysfs_ops edd_attr_ops = {
29069 .show = edd_attr_show,
29070 };
29071
29072 diff -urNp linux-2.6.32.46/drivers/firmware/efivars.c linux-2.6.32.46/drivers/firmware/efivars.c
29073 --- linux-2.6.32.46/drivers/firmware/efivars.c 2011-03-27 14:31:47.000000000 -0400
29074 +++ linux-2.6.32.46/drivers/firmware/efivars.c 2011-04-17 15:56:46.000000000 -0400
29075 @@ -362,7 +362,7 @@ static ssize_t efivar_attr_store(struct
29076 return ret;
29077 }
29078
29079 -static struct sysfs_ops efivar_attr_ops = {
29080 +static const struct sysfs_ops efivar_attr_ops = {
29081 .show = efivar_attr_show,
29082 .store = efivar_attr_store,
29083 };
29084 diff -urNp linux-2.6.32.46/drivers/firmware/iscsi_ibft.c linux-2.6.32.46/drivers/firmware/iscsi_ibft.c
29085 --- linux-2.6.32.46/drivers/firmware/iscsi_ibft.c 2011-03-27 14:31:47.000000000 -0400
29086 +++ linux-2.6.32.46/drivers/firmware/iscsi_ibft.c 2011-04-17 15:56:46.000000000 -0400
29087 @@ -525,7 +525,7 @@ static ssize_t ibft_show_attribute(struc
29088 return ret;
29089 }
29090
29091 -static struct sysfs_ops ibft_attr_ops = {
29092 +static const struct sysfs_ops ibft_attr_ops = {
29093 .show = ibft_show_attribute,
29094 };
29095
29096 diff -urNp linux-2.6.32.46/drivers/firmware/memmap.c linux-2.6.32.46/drivers/firmware/memmap.c
29097 --- linux-2.6.32.46/drivers/firmware/memmap.c 2011-03-27 14:31:47.000000000 -0400
29098 +++ linux-2.6.32.46/drivers/firmware/memmap.c 2011-04-17 15:56:46.000000000 -0400
29099 @@ -74,7 +74,7 @@ static struct attribute *def_attrs[] = {
29100 NULL
29101 };
29102
29103 -static struct sysfs_ops memmap_attr_ops = {
29104 +static const struct sysfs_ops memmap_attr_ops = {
29105 .show = memmap_attr_show,
29106 };
29107
29108 diff -urNp linux-2.6.32.46/drivers/gpio/vr41xx_giu.c linux-2.6.32.46/drivers/gpio/vr41xx_giu.c
29109 --- linux-2.6.32.46/drivers/gpio/vr41xx_giu.c 2011-03-27 14:31:47.000000000 -0400
29110 +++ linux-2.6.32.46/drivers/gpio/vr41xx_giu.c 2011-05-04 17:56:28.000000000 -0400
29111 @@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
29112 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
29113 maskl, pendl, maskh, pendh);
29114
29115 - atomic_inc(&irq_err_count);
29116 + atomic_inc_unchecked(&irq_err_count);
29117
29118 return -EINVAL;
29119 }
29120 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c
29121 --- linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c 2011-03-27 14:31:47.000000000 -0400
29122 +++ linux-2.6.32.46/drivers/gpu/drm/drm_crtc_helper.c 2011-05-16 21:46:57.000000000 -0400
29123 @@ -573,7 +573,7 @@ static bool drm_encoder_crtc_ok(struct d
29124 struct drm_crtc *tmp;
29125 int crtc_mask = 1;
29126
29127 - WARN(!crtc, "checking null crtc?");
29128 + BUG_ON(!crtc);
29129
29130 dev = crtc->dev;
29131
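Review bot: `BUG_ON(!crtc)` does stop a NULL `crtc` from reaching `crtc->dev` two lines later, but it discards the "checking null crtc?" diagnostic and halts the kernel where the function could simply refuse. Since drm_encoder_crtc_ok() returns `bool`, `if (WARN_ON(!crtc)) return false;` would avoid the dereference and keep a trace without the halt. This assumes callers treat `false` as "encoder not usable", which needs checking because the callers and the rest of the body are outside the hunk. If the halt is intended as hardening against NULL-dereference abuse, a short comment saying so would document the trade-off against availability.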
29132 @@ -642,6 +642,8 @@ bool drm_crtc_helper_set_mode(struct drm
29133
29134 adjusted_mode = drm_mode_duplicate(dev, mode);
29135
29136 + pax_track_stack();
29137 +
29138 crtc->enabled = drm_helper_crtc_in_use(crtc);
29139
29140 if (!crtc->enabled)
29141 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_drv.c linux-2.6.32.46/drivers/gpu/drm/drm_drv.c
29142 --- linux-2.6.32.46/drivers/gpu/drm/drm_drv.c 2011-03-27 14:31:47.000000000 -0400
29143 +++ linux-2.6.32.46/drivers/gpu/drm/drm_drv.c 2011-04-17 15:56:46.000000000 -0400
29144 @@ -417,7 +417,7 @@ int drm_ioctl(struct inode *inode, struc
29145 char *kdata = NULL;
29146
29147 atomic_inc(&dev->ioctl_count);
29148 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
29149 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
29150 ++file_priv->ioctl_count;
29151
29152 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
29153 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_fops.c linux-2.6.32.46/drivers/gpu/drm/drm_fops.c
29154 --- linux-2.6.32.46/drivers/gpu/drm/drm_fops.c 2011-03-27 14:31:47.000000000 -0400
29155 +++ linux-2.6.32.46/drivers/gpu/drm/drm_fops.c 2011-04-17 15:56:46.000000000 -0400
29156 @@ -66,7 +66,7 @@ static int drm_setup(struct drm_device *
29157 }
29158
29159 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
29160 - atomic_set(&dev->counts[i], 0);
29161 + atomic_set_unchecked(&dev->counts[i], 0);
29162
29163 dev->sigdata.lock = NULL;
29164
29165 @@ -130,9 +130,9 @@ int drm_open(struct inode *inode, struct
29166
29167 retcode = drm_open_helper(inode, filp, dev);
29168 if (!retcode) {
29169 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
29170 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
29171 spin_lock(&dev->count_lock);
29172 - if (!dev->open_count++) {
29173 + if (local_inc_return(&dev->open_count) == 1) {
29174 spin_unlock(&dev->count_lock);
29175 retcode = drm_setup(dev);
29176 goto out;
29177 @@ -435,7 +435,7 @@ int drm_release(struct inode *inode, str
29178
29179 lock_kernel();
29180
29181 - DRM_DEBUG("open_count = %d\n", dev->open_count);
29182 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
29183
29184 if (dev->driver->preclose)
29185 dev->driver->preclose(dev, file_priv);
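Review bot: The converted `DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));` keeps the `%d` conversion, but `local_read()` evaluates to a `long` on the architectures I am aware of, so the format and argument no longer match on 64-bit builds. The same applies to the second `DRM_DEBUG` in the next hunk of drm_release(), where `local_read(&dev->open_count)` is the last argument of a format ending in `open_count = %d`. Changing both conversions to `%ld` fixes this, e.g. `DRM_DEBUG("open_count = %ld\n", local_read(&dev->open_count));`. The declaration of `open_count` is not in this file section, so the exact type should be confirmed there.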
29186 @@ -447,7 +447,7 @@ int drm_release(struct inode *inode, str
29187 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
29188 task_pid_nr(current),
29189 (long)old_encode_dev(file_priv->minor->device),
29190 - dev->open_count);
29191 + local_read(&dev->open_count));
29192
29193 /* if the master has gone away we can't do anything with the lock */
29194 if (file_priv->minor->master)
29195 @@ -524,9 +524,9 @@ int drm_release(struct inode *inode, str
29196 * End inline drm_release
29197 */
29198
29199 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
29200 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
29201 spin_lock(&dev->count_lock);
29202 - if (!--dev->open_count) {
29203 + if (local_dec_and_test(&dev->open_count)) {
29204 if (atomic_read(&dev->ioctl_count)) {
29205 DRM_ERROR("Device busy: %d\n",
29206 atomic_read(&dev->ioctl_count));
29207 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_gem.c linux-2.6.32.46/drivers/gpu/drm/drm_gem.c
29208 --- linux-2.6.32.46/drivers/gpu/drm/drm_gem.c 2011-03-27 14:31:47.000000000 -0400
29209 +++ linux-2.6.32.46/drivers/gpu/drm/drm_gem.c 2011-04-17 15:56:46.000000000 -0400
29210 @@ -83,11 +83,11 @@ drm_gem_init(struct drm_device *dev)
29211 spin_lock_init(&dev->object_name_lock);
29212 idr_init(&dev->object_name_idr);
29213 atomic_set(&dev->object_count, 0);
29214 - atomic_set(&dev->object_memory, 0);
29215 + atomic_set_unchecked(&dev->object_memory, 0);
29216 atomic_set(&dev->pin_count, 0);
29217 - atomic_set(&dev->pin_memory, 0);
29218 + atomic_set_unchecked(&dev->pin_memory, 0);
29219 atomic_set(&dev->gtt_count, 0);
29220 - atomic_set(&dev->gtt_memory, 0);
29221 + atomic_set_unchecked(&dev->gtt_memory, 0);
29222
29223 mm = kzalloc(sizeof(struct drm_gem_mm), GFP_KERNEL);
29224 if (!mm) {
29225 @@ -150,7 +150,7 @@ drm_gem_object_alloc(struct drm_device *
29226 goto fput;
29227 }
29228 atomic_inc(&dev->object_count);
29229 - atomic_add(obj->size, &dev->object_memory);
29230 + atomic_add_unchecked(obj->size, &dev->object_memory);
29231 return obj;
29232 fput:
29233 fput(obj->filp);
29234 @@ -429,7 +429,7 @@ drm_gem_object_free(struct kref *kref)
29235
29236 fput(obj->filp);
29237 atomic_dec(&dev->object_count);
29238 - atomic_sub(obj->size, &dev->object_memory);
29239 + atomic_sub_unchecked(obj->size, &dev->object_memory);
29240 kfree(obj);
29241 }
29242 EXPORT_SYMBOL(drm_gem_object_free);
29243 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_info.c linux-2.6.32.46/drivers/gpu/drm/drm_info.c
29244 --- linux-2.6.32.46/drivers/gpu/drm/drm_info.c 2011-03-27 14:31:47.000000000 -0400
29245 +++ linux-2.6.32.46/drivers/gpu/drm/drm_info.c 2011-04-17 15:56:46.000000000 -0400
29246 @@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
29247 struct drm_local_map *map;
29248 struct drm_map_list *r_list;
29249
29250 - /* Hardcoded from _DRM_FRAME_BUFFER,
29251 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
29252 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
29253 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
29254 + static const char * const types[] = {
29255 + [_DRM_FRAME_BUFFER] = "FB",
29256 + [_DRM_REGISTERS] = "REG",
29257 + [_DRM_SHM] = "SHM",
29258 + [_DRM_AGP] = "AGP",
29259 + [_DRM_SCATTER_GATHER] = "SG",
29260 + [_DRM_CONSISTENT] = "PCI",
29261 + [_DRM_GEM] = "GEM" };
29262 const char *type;
29263 int i;
29264
29265 @@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
29266 map = r_list->map;
29267 if (!map)
29268 continue;
29269 - if (map->type < 0 || map->type > 5)
29270 + if (map->type >= ARRAY_SIZE(types))
29271 type = "??";
29272 else
29273 type = types[map->type];
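Review bot: The new bound `map->type >= ARRAY_SIZE(types)` stops reads past the table, but with the designated initializers from the previous hunk any index left without an entry is a NULL pointer that would be handed to a `%s` conversion. The enum values are not visible here, so whether `_DRM_FRAME_BUFFER` through `_DRM_GEM` are contiguous is an assumption. Guarding the lookup costs one comparison: `if (map->type >= ARRAY_SIZE(types) || !types[map->type])`. Dropping the old `map->type < 0` test is fine as long as the comparison is done in an unsigned type, which `ARRAY_SIZE()` should ensure. drm_vm_info() continues outside the hunk.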
29274 @@ -265,10 +269,10 @@ int drm_gem_object_info(struct seq_file
29275 struct drm_device *dev = node->minor->dev;
29276
29277 seq_printf(m, "%d objects\n", atomic_read(&dev->object_count));
29278 - seq_printf(m, "%d object bytes\n", atomic_read(&dev->object_memory));
29279 + seq_printf(m, "%d object bytes\n", atomic_read_unchecked(&dev->object_memory));
29280 seq_printf(m, "%d pinned\n", atomic_read(&dev->pin_count));
29281 - seq_printf(m, "%d pin bytes\n", atomic_read(&dev->pin_memory));
29282 - seq_printf(m, "%d gtt bytes\n", atomic_read(&dev->gtt_memory));
29283 + seq_printf(m, "%d pin bytes\n", atomic_read_unchecked(&dev->pin_memory));
29284 + seq_printf(m, "%d gtt bytes\n", atomic_read_unchecked(&dev->gtt_memory));
29285 seq_printf(m, "%d gtt total\n", dev->gtt_total);
29286 return 0;
29287 }
29288 @@ -288,7 +292,11 @@ int drm_vma_info(struct seq_file *m, voi
29289 mutex_lock(&dev->struct_mutex);
29290 seq_printf(m, "vma use count: %d, high_memory = %p, 0x%08llx\n",
29291 atomic_read(&dev->vma_count),
29292 +#ifdef CONFIG_GRKERNSEC_HIDESYM
29293 + NULL, 0);
29294 +#else
29295 high_memory, (u64)virt_to_phys(high_memory));
29296 +#endif
29297
29298 list_for_each_entry(pt, &dev->vmalist, head) {
29299 vma = pt->vma;
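Review bot: In the `CONFIG_GRKERNSEC_HIDESYM` branch the placeholder arguments do not match their conversions: `NULL, 0);` passes an `int` for `0x%08llx`, which expects an `unsigned long long`. On 32-bit builds that makes the variadic call read more bytes than were passed. It should be `NULL, 0ULL);`. The next hunk in drm_vma_info() has the same problem with `0, 0,` for the two `0x%08lx` address fields and `0);` for the trailing `0x%08lx000`, which should be `0UL, 0UL,` and `0UL);`. Hiding the addresses is the right goal, but the replacement values need the same types as the ones they stand in for.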
29300 @@ -296,14 +304,23 @@ int drm_vma_info(struct seq_file *m, voi
29301 continue;
29302 seq_printf(m,
29303 "\n%5d 0x%08lx-0x%08lx %c%c%c%c%c%c 0x%08lx000",
29304 - pt->pid, vma->vm_start, vma->vm_end,
29305 + pt->pid,
29306 +#ifdef CONFIG_GRKERNSEC_HIDESYM
29307 + 0, 0,
29308 +#else
29309 + vma->vm_start, vma->vm_end,
29310 +#endif
29311 vma->vm_flags & VM_READ ? 'r' : '-',
29312 vma->vm_flags & VM_WRITE ? 'w' : '-',
29313 vma->vm_flags & VM_EXEC ? 'x' : '-',
29314 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
29315 vma->vm_flags & VM_LOCKED ? 'l' : '-',
29316 vma->vm_flags & VM_IO ? 'i' : '-',
29317 +#ifdef CONFIG_GRKERNSEC_HIDESYM
29318 + 0);
29319 +#else
29320 vma->vm_pgoff);
29321 +#endif
29322
29323 #if defined(__i386__)
29324 pgprot = pgprot_val(vma->vm_page_prot);
29325 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c
29326 --- linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c 2011-03-27 14:31:47.000000000 -0400
29327 +++ linux-2.6.32.46/drivers/gpu/drm/drm_ioctl.c 2011-04-17 15:56:46.000000000 -0400
29328 @@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
29329 stats->data[i].value =
29330 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
29331 else
29332 - stats->data[i].value = atomic_read(&dev->counts[i]);
29333 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
29334 stats->data[i].type = dev->types[i];
29335 }
29336
29337 diff -urNp linux-2.6.32.46/drivers/gpu/drm/drm_lock.c linux-2.6.32.46/drivers/gpu/drm/drm_lock.c
29338 --- linux-2.6.32.46/drivers/gpu/drm/drm_lock.c 2011-03-27 14:31:47.000000000 -0400
29339 +++ linux-2.6.32.46/drivers/gpu/drm/drm_lock.c 2011-04-17 15:56:46.000000000 -0400
29340 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
29341 if (drm_lock_take(&master->lock, lock->context)) {
29342 master->lock.file_priv = file_priv;
29343 master->lock.lock_time = jiffies;
29344 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
29345 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
29346 break; /* Got lock */
29347 }
29348
29349 @@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
29350 return -EINVAL;
29351 }
29352
29353 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
29354 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
29355
29356 /* kernel_context_switch isn't used by any of the x86 drm
29357 * modules but is required by the Sparc driver.
29358 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i810/i810_dma.c linux-2.6.32.46/drivers/gpu/drm/i810/i810_dma.c
29359 --- linux-2.6.32.46/drivers/gpu/drm/i810/i810_dma.c 2011-03-27 14:31:47.000000000 -0400
29360 +++ linux-2.6.32.46/drivers/gpu/drm/i810/i810_dma.c 2011-04-17 15:56:46.000000000 -0400
29361 @@ -952,8 +952,8 @@ static int i810_dma_vertex(struct drm_de
29362 dma->buflist[vertex->idx],
29363 vertex->discard, vertex->used);
29364
29365 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
29366 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
29367 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
29368 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
29369 sarea_priv->last_enqueue = dev_priv->counter - 1;
29370 sarea_priv->last_dispatch = (int)hw_status[5];
29371
29372 @@ -1115,8 +1115,8 @@ static int i810_dma_mc(struct drm_device
29373 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
29374 mc->last_render);
29375
29376 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
29377 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
29378 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
29379 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
29380 sarea_priv->last_enqueue = dev_priv->counter - 1;
29381 sarea_priv->last_dispatch = (int)hw_status[5];
29382
29383 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i810/i810_drv.h linux-2.6.32.46/drivers/gpu/drm/i810/i810_drv.h
29384 --- linux-2.6.32.46/drivers/gpu/drm/i810/i810_drv.h 2011-03-27 14:31:47.000000000 -0400
29385 +++ linux-2.6.32.46/drivers/gpu/drm/i810/i810_drv.h 2011-05-04 17:56:28.000000000 -0400
29386 @@ -108,8 +108,8 @@ typedef struct drm_i810_private {
29387 int page_flipping;
29388
29389 wait_queue_head_t irq_queue;
29390 - atomic_t irq_received;
29391 - atomic_t irq_emitted;
29392 + atomic_unchecked_t irq_received;
29393 + atomic_unchecked_t irq_emitted;
29394
29395 int front_offset;
29396 } drm_i810_private_t;
29397 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i830/i830_drv.h linux-2.6.32.46/drivers/gpu/drm/i830/i830_drv.h
29398 --- linux-2.6.32.46/drivers/gpu/drm/i830/i830_drv.h 2011-03-27 14:31:47.000000000 -0400
29399 +++ linux-2.6.32.46/drivers/gpu/drm/i830/i830_drv.h 2011-05-04 17:56:28.000000000 -0400
29400 @@ -115,8 +115,8 @@ typedef struct drm_i830_private {
29401 int page_flipping;
29402
29403 wait_queue_head_t irq_queue;
29404 - atomic_t irq_received;
29405 - atomic_t irq_emitted;
29406 + atomic_unchecked_t irq_received;
29407 + atomic_unchecked_t irq_emitted;
29408
29409 int use_mi_batchbuffer_start;
29410
29411 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i830/i830_irq.c linux-2.6.32.46/drivers/gpu/drm/i830/i830_irq.c
29412 --- linux-2.6.32.46/drivers/gpu/drm/i830/i830_irq.c 2011-03-27 14:31:47.000000000 -0400
29413 +++ linux-2.6.32.46/drivers/gpu/drm/i830/i830_irq.c 2011-05-04 17:56:28.000000000 -0400
29414 @@ -47,7 +47,7 @@ irqreturn_t i830_driver_irq_handler(DRM_
29415
29416 I830_WRITE16(I830REG_INT_IDENTITY_R, temp);
29417
29418 - atomic_inc(&dev_priv->irq_received);
29419 + atomic_inc_unchecked(&dev_priv->irq_received);
29420 wake_up_interruptible(&dev_priv->irq_queue);
29421
29422 return IRQ_HANDLED;
29423 @@ -60,14 +60,14 @@ static int i830_emit_irq(struct drm_devi
29424
29425 DRM_DEBUG("%s\n", __func__);
29426
29427 - atomic_inc(&dev_priv->irq_emitted);
29428 + atomic_inc_unchecked(&dev_priv->irq_emitted);
29429
29430 BEGIN_LP_RING(2);
29431 OUT_RING(0);
29432 OUT_RING(GFX_OP_USER_INTERRUPT);
29433 ADVANCE_LP_RING();
29434
29435 - return atomic_read(&dev_priv->irq_emitted);
29436 + return atomic_read_unchecked(&dev_priv->irq_emitted);
29437 }
29438
29439 static int i830_wait_irq(struct drm_device * dev, int irq_nr)
29440 @@ -79,7 +79,7 @@ static int i830_wait_irq(struct drm_devi
29441
29442 DRM_DEBUG("%s\n", __func__);
29443
29444 - if (atomic_read(&dev_priv->irq_received) >= irq_nr)
29445 + if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
29446 return 0;
29447
29448 dev_priv->sarea_priv->perf_boxes |= I830_BOX_WAIT;
29449 @@ -88,7 +88,7 @@ static int i830_wait_irq(struct drm_devi
29450
29451 for (;;) {
29452 __set_current_state(TASK_INTERRUPTIBLE);
29453 - if (atomic_read(&dev_priv->irq_received) >= irq_nr)
29454 + if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
29455 break;
29456 if ((signed)(end - jiffies) <= 0) {
29457 DRM_ERROR("timeout iir %x imr %x ier %x hwstam %x\n",
29458 @@ -163,8 +163,8 @@ void i830_driver_irq_preinstall(struct d
29459 I830_WRITE16(I830REG_HWSTAM, 0xffff);
29460 I830_WRITE16(I830REG_INT_MASK_R, 0x0);
29461 I830_WRITE16(I830REG_INT_ENABLE_R, 0x0);
29462 - atomic_set(&dev_priv->irq_received, 0);
29463 - atomic_set(&dev_priv->irq_emitted, 0);
29464 + atomic_set_unchecked(&dev_priv->irq_received, 0);
29465 + atomic_set_unchecked(&dev_priv->irq_emitted, 0);
29466 init_waitqueue_head(&dev_priv->irq_queue);
29467 }
29468
29469 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7017.c
29470 --- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7017.c 2011-03-27 14:31:47.000000000 -0400
29471 +++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7017.c 2011-04-17 15:56:46.000000000 -0400
29472 @@ -443,7 +443,7 @@ static void ch7017_destroy(struct intel_
29473 }
29474 }
29475
29476 -struct intel_dvo_dev_ops ch7017_ops = {
29477 +const struct intel_dvo_dev_ops ch7017_ops = {
29478 .init = ch7017_init,
29479 .detect = ch7017_detect,
29480 .mode_valid = ch7017_mode_valid,
29481 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7xxx.c
29482 --- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-03-27 14:31:47.000000000 -0400
29483 +++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-04-17 15:56:46.000000000 -0400
29484 @@ -356,7 +356,7 @@ static void ch7xxx_destroy(struct intel_
29485 }
29486 }
29487
29488 -struct intel_dvo_dev_ops ch7xxx_ops = {
29489 +const struct intel_dvo_dev_ops ch7xxx_ops = {
29490 .init = ch7xxx_init,
29491 .detect = ch7xxx_detect,
29492 .mode_valid = ch7xxx_mode_valid,
29493 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo.h linux-2.6.32.46/drivers/gpu/drm/i915/dvo.h
29494 --- linux-2.6.32.46/drivers/gpu/drm/i915/dvo.h 2011-03-27 14:31:47.000000000 -0400
29495 +++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo.h 2011-04-17 15:56:46.000000000 -0400
29496 @@ -135,23 +135,23 @@ struct intel_dvo_dev_ops {
29497 *
29498 * \return singly-linked list of modes or NULL if no modes found.
29499 */
29500 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
29501 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
29502
29503 /**
29504 * Clean up driver-specific bits of the output
29505 */
29506 - void (*destroy) (struct intel_dvo_device *dvo);
29507 + void (* const destroy) (struct intel_dvo_device *dvo);
29508
29509 /**
29510 * Debugging hook to dump device registers to log file
29511 */
29512 - void (*dump_regs)(struct intel_dvo_device *dvo);
29513 + void (* const dump_regs)(struct intel_dvo_device *dvo);
29514 };
29515
29516 -extern struct intel_dvo_dev_ops sil164_ops;
29517 -extern struct intel_dvo_dev_ops ch7xxx_ops;
29518 -extern struct intel_dvo_dev_ops ivch_ops;
29519 -extern struct intel_dvo_dev_ops tfp410_ops;
29520 -extern struct intel_dvo_dev_ops ch7017_ops;
29521 +extern const struct intel_dvo_dev_ops sil164_ops;
29522 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
29523 +extern const struct intel_dvo_dev_ops ivch_ops;
29524 +extern const struct intel_dvo_dev_ops tfp410_ops;
29525 +extern const struct intel_dvo_dev_ops ch7017_ops;
29526
29527 #endif /* _INTEL_DVO_H */
29528 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ivch.c
29529 --- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ivch.c 2011-03-27 14:31:47.000000000 -0400
29530 +++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_ivch.c 2011-04-17 15:56:46.000000000 -0400
29531 @@ -430,7 +430,7 @@ static void ivch_destroy(struct intel_dv
29532 }
29533 }
29534
29535 -struct intel_dvo_dev_ops ivch_ops= {
29536 +const struct intel_dvo_dev_ops ivch_ops= {
29537 .init = ivch_init,
29538 .dpms = ivch_dpms,
29539 .save = ivch_save,
29540 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_sil164.c
29541 --- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_sil164.c 2011-03-27 14:31:47.000000000 -0400
29542 +++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_sil164.c 2011-04-17 15:56:46.000000000 -0400
29543 @@ -290,7 +290,7 @@ static void sil164_destroy(struct intel_
29544 }
29545 }
29546
29547 -struct intel_dvo_dev_ops sil164_ops = {
29548 +const struct intel_dvo_dev_ops sil164_ops = {
29549 .init = sil164_init,
29550 .detect = sil164_detect,
29551 .mode_valid = sil164_mode_valid,
29552 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.32.46/drivers/gpu/drm/i915/dvo_tfp410.c
29553 --- linux-2.6.32.46/drivers/gpu/drm/i915/dvo_tfp410.c 2011-03-27 14:31:47.000000000 -0400
29554 +++ linux-2.6.32.46/drivers/gpu/drm/i915/dvo_tfp410.c 2011-04-17 15:56:46.000000000 -0400
29555 @@ -323,7 +323,7 @@ static void tfp410_destroy(struct intel_
29556 }
29557 }
29558
29559 -struct intel_dvo_dev_ops tfp410_ops = {
29560 +const struct intel_dvo_dev_ops tfp410_ops = {
29561 .init = tfp410_init,
29562 .detect = tfp410_detect,
29563 .mode_valid = tfp410_mode_valid,
29564 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_debugfs.c linux-2.6.32.46/drivers/gpu/drm/i915/i915_debugfs.c
29565 --- linux-2.6.32.46/drivers/gpu/drm/i915/i915_debugfs.c 2011-03-27 14:31:47.000000000 -0400
29566 +++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-04 17:56:28.000000000 -0400
29567 @@ -192,7 +192,7 @@ static int i915_interrupt_info(struct se
29568 I915_READ(GTIMR));
29569 }
29570 seq_printf(m, "Interrupts received: %d\n",
29571 - atomic_read(&dev_priv->irq_received));
29572 + atomic_read_unchecked(&dev_priv->irq_received));
29573 if (dev_priv->hw_status_page != NULL) {
29574 seq_printf(m, "Current sequence: %d\n",
29575 i915_get_gem_seqno(dev));
29576 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.c linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.c
29577 --- linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.c 2011-03-27 14:31:47.000000000 -0400
29578 +++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.c 2011-04-17 15:56:46.000000000 -0400
29579 @@ -285,7 +285,7 @@ i915_pci_resume(struct pci_dev *pdev)
29580 return i915_resume(dev);
29581 }
29582
29583 -static struct vm_operations_struct i915_gem_vm_ops = {
29584 +static const struct vm_operations_struct i915_gem_vm_ops = {
29585 .fault = i915_gem_fault,
29586 .open = drm_gem_vm_open,
29587 .close = drm_gem_vm_close,
29588 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.h linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.h
29589 --- linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.h 2011-03-27 14:31:47.000000000 -0400
29590 +++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_drv.h 2011-08-05 20:33:55.000000000 -0400
29591 @@ -168,7 +168,7 @@ struct drm_i915_display_funcs {
29592 /* display clock increase/decrease */
29593 /* pll clock increase/decrease */
29594 /* clock gating init */
29595 -};
29596 +} __no_const;
29597
29598 typedef struct drm_i915_private {
29599 struct drm_device *dev;
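Review bot: The `__no_const` annotation added at the closing brace of `struct drm_i915_display_funcs` has no explanation, although it deliberately leaves a function-pointer table writable. A short comment such as `/* members are assigned at runtime per chipset, so the table cannot be constified */` would tell a later reader why the exemption exists; that reason is inferred, because the code assigning the members is outside this hunk. The same applies to `struct radeon_asic` in the radeon.h section of this patch. The struct body starts above the hunk.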
29600 @@ -197,7 +197,7 @@ typedef struct drm_i915_private {
29601 int page_flipping;
29602
29603 wait_queue_head_t irq_queue;
29604 - atomic_t irq_received;
29605 + atomic_unchecked_t irq_received;
29606 /** Protects user_irq_refcount and irq_mask_reg */
29607 spinlock_t user_irq_lock;
29608 /** Refcount for i915_user_irq_get() versus i915_user_irq_put(). */
29609 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_gem.c linux-2.6.32.46/drivers/gpu/drm/i915/i915_gem.c
29610 --- linux-2.6.32.46/drivers/gpu/drm/i915/i915_gem.c 2011-03-27 14:31:47.000000000 -0400
29611 +++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_gem.c 2011-04-17 15:56:46.000000000 -0400
29612 @@ -102,7 +102,7 @@ i915_gem_get_aperture_ioctl(struct drm_d
29613
29614 args->aper_size = dev->gtt_total;
29615 args->aper_available_size = (args->aper_size -
29616 - atomic_read(&dev->pin_memory));
29617 + atomic_read_unchecked(&dev->pin_memory));
29618
29619 return 0;
29620 }
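Review bot: In `i915_gem_get_aperture_ioctl` the value returned to userspace is computed from `atomic_read_unchecked(&dev->pin_memory)`, and the `_unchecked` variant opts that counter out of overflow detection. The read yields an int, so if `aper_size` is a wider unsigned type (not visible here), a wrapped negative value would be sign-extended and inflate `aper_available_size`. Consider clamping before the subtraction, e.g. `pinned = atomic_read_unchecked(&dev->pin_memory); if (pinned < 0) pinned = 0;`, or at least a comment on the field saying it is accounting only and may wrap. The function starts above the hunk.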
29621 @@ -492,6 +492,11 @@ i915_gem_pread_ioctl(struct drm_device *
29622 return -EINVAL;
29623 }
29624
29625 + if (!access_ok(VERIFY_WRITE, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
29626 + drm_gem_object_unreference(obj);
29627 + return -EFAULT;
29628 + }
29629 +
29630 if (i915_gem_object_needs_bit17_swizzle(obj)) {
29631 ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv);
29632 } else {
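Review bot: The new `access_ok()` check in `i915_gem_pread_ioctl`, and its `VERIFY_READ` twin in the `i915_gem_pwrite_ioctl` hunk, has no comment saying which later copy it protects, so a reader cannot tell whether it is load-bearing or redundant. If the copy paths below use helpers that skip the range check, which these hunks do not show, record that: `/* the copy paths below do not re-validate data_ptr/size */`. `args->size` is also passed to `access_ok()` unmodified; if that field is 64-bit, a 32-bit build may narrow it, so the object-size bound in the `-EINVAL` branch just above (its condition is outside the hunk) has to stay ahead of this check. Both functions continue outside their hunks.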
29633 @@ -965,6 +970,11 @@ i915_gem_pwrite_ioctl(struct drm_device
29634 return -EINVAL;
29635 }
29636
29637 + if (!access_ok(VERIFY_READ, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
29638 + drm_gem_object_unreference(obj);
29639 + return -EFAULT;
29640 + }
29641 +
29642 /* We can only do the GTT pwrite on untiled buffers, as otherwise
29643 * it would end up going through the fenced access, and we'll get
29644 * different detiling behavior between reading and writing.
29645 @@ -2054,7 +2064,7 @@ i915_gem_object_unbind(struct drm_gem_ob
29646
29647 if (obj_priv->gtt_space) {
29648 atomic_dec(&dev->gtt_count);
29649 - atomic_sub(obj->size, &dev->gtt_memory);
29650 + atomic_sub_unchecked(obj->size, &dev->gtt_memory);
29651
29652 drm_mm_put_block(obj_priv->gtt_space);
29653 obj_priv->gtt_space = NULL;
29654 @@ -2697,7 +2707,7 @@ i915_gem_object_bind_to_gtt(struct drm_g
29655 goto search_free;
29656 }
29657 atomic_inc(&dev->gtt_count);
29658 - atomic_add(obj->size, &dev->gtt_memory);
29659 + atomic_add_unchecked(obj->size, &dev->gtt_memory);
29660
29661 /* Assert that the object is not currently in any GPU domain. As it
29662 * wasn't in the GTT, there shouldn't be any way it could have been in
29663 @@ -3751,9 +3761,9 @@ i915_gem_execbuffer(struct drm_device *d
29664 "%d/%d gtt bytes\n",
29665 atomic_read(&dev->object_count),
29666 atomic_read(&dev->pin_count),
29667 - atomic_read(&dev->object_memory),
29668 - atomic_read(&dev->pin_memory),
29669 - atomic_read(&dev->gtt_memory),
29670 + atomic_read_unchecked(&dev->object_memory),
29671 + atomic_read_unchecked(&dev->pin_memory),
29672 + atomic_read_unchecked(&dev->gtt_memory),
29673 dev->gtt_total);
29674 }
29675 goto err;
29676 @@ -3985,7 +3995,7 @@ i915_gem_object_pin(struct drm_gem_objec
29677 */
29678 if (obj_priv->pin_count == 1) {
29679 atomic_inc(&dev->pin_count);
29680 - atomic_add(obj->size, &dev->pin_memory);
29681 + atomic_add_unchecked(obj->size, &dev->pin_memory);
29682 if (!obj_priv->active &&
29683 (obj->write_domain & I915_GEM_GPU_DOMAINS) == 0 &&
29684 !list_empty(&obj_priv->list))
29685 @@ -4018,7 +4028,7 @@ i915_gem_object_unpin(struct drm_gem_obj
29686 list_move_tail(&obj_priv->list,
29687 &dev_priv->mm.inactive_list);
29688 atomic_dec(&dev->pin_count);
29689 - atomic_sub(obj->size, &dev->pin_memory);
29690 + atomic_sub_unchecked(obj->size, &dev->pin_memory);
29691 }
29692 i915_verify_inactive(dev, __FILE__, __LINE__);
29693 }
29694 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/i915_irq.c linux-2.6.32.46/drivers/gpu/drm/i915/i915_irq.c
29695 --- linux-2.6.32.46/drivers/gpu/drm/i915/i915_irq.c 2011-03-27 14:31:47.000000000 -0400
29696 +++ linux-2.6.32.46/drivers/gpu/drm/i915/i915_irq.c 2011-05-04 17:56:28.000000000 -0400
29697 @@ -528,7 +528,7 @@ irqreturn_t i915_driver_irq_handler(DRM_
29698 int irq_received;
29699 int ret = IRQ_NONE;
29700
29701 - atomic_inc(&dev_priv->irq_received);
29702 + atomic_inc_unchecked(&dev_priv->irq_received);
29703
29704 if (IS_IGDNG(dev))
29705 return igdng_irq_handler(dev);
29706 @@ -1021,7 +1021,7 @@ void i915_driver_irq_preinstall(struct d
29707 {
29708 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
29709
29710 - atomic_set(&dev_priv->irq_received, 0);
29711 + atomic_set_unchecked(&dev_priv->irq_received, 0);
29712
29713 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
29714 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
29715 diff -urNp linux-2.6.32.46/drivers/gpu/drm/i915/intel_sdvo.c linux-2.6.32.46/drivers/gpu/drm/i915/intel_sdvo.c
29716 --- linux-2.6.32.46/drivers/gpu/drm/i915/intel_sdvo.c 2011-03-27 14:31:47.000000000 -0400
29717 +++ linux-2.6.32.46/drivers/gpu/drm/i915/intel_sdvo.c 2011-08-05 20:33:55.000000000 -0400
29718 @@ -2795,7 +2795,9 @@ bool intel_sdvo_init(struct drm_device *
29719 sdvo_priv->slave_addr = intel_sdvo_get_slave_addr(dev, output_device);
29720
29721 /* Save the bit-banging i2c functionality for use by the DDC wrapper */
29722 - intel_sdvo_i2c_bit_algo.functionality = intel_output->i2c_bus->algo->functionality;
29723 + pax_open_kernel();
29724 + *(void **)&intel_sdvo_i2c_bit_algo.functionality = intel_output->i2c_bus->algo->functionality;
29725 + pax_close_kernel();
29726
29727 /* Read the regs to test if we can talk to the device */
29728 for (i = 0; i < 0x40; i++) {
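Review bot: In `intel_sdvo_init` the right-hand side `intel_output->i2c_bus->algo->functionality` is evaluated between `pax_open_kernel()` and `pax_close_kernel()`, so a three-level pointer chase runs while write protection is lifted. Load the pointer into a local before opening the window and keep only the store inside it: `pax_open_kernel(); *(void **)&intel_sdvo_i2c_bit_algo.functionality = fn; pax_close_kernel();`. The `*(void **)&` cast also removes all type checking on the function pointer, so a comment stating that `intel_sdvo_i2c_bit_algo` is otherwise read-only and is patched here on purpose would help. The function starts and ends outside the hunk.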
29729 diff -urNp linux-2.6.32.46/drivers/gpu/drm/mga/mga_drv.h linux-2.6.32.46/drivers/gpu/drm/mga/mga_drv.h
29730 --- linux-2.6.32.46/drivers/gpu/drm/mga/mga_drv.h 2011-03-27 14:31:47.000000000 -0400
29731 +++ linux-2.6.32.46/drivers/gpu/drm/mga/mga_drv.h 2011-05-04 17:56:28.000000000 -0400
29732 @@ -120,9 +120,9 @@ typedef struct drm_mga_private {
29733 u32 clear_cmd;
29734 u32 maccess;
29735
29736 - atomic_t vbl_received; /**< Number of vblanks received. */
29737 + atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
29738 wait_queue_head_t fence_queue;
29739 - atomic_t last_fence_retired;
29740 + atomic_unchecked_t last_fence_retired;
29741 u32 next_fence_to_post;
29742
29743 unsigned int fb_cpp;
29744 diff -urNp linux-2.6.32.46/drivers/gpu/drm/mga/mga_irq.c linux-2.6.32.46/drivers/gpu/drm/mga/mga_irq.c
29745 --- linux-2.6.32.46/drivers/gpu/drm/mga/mga_irq.c 2011-03-27 14:31:47.000000000 -0400
29746 +++ linux-2.6.32.46/drivers/gpu/drm/mga/mga_irq.c 2011-05-04 17:56:28.000000000 -0400
29747 @@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
29748 if (crtc != 0)
29749 return 0;
29750
29751 - return atomic_read(&dev_priv->vbl_received);
29752 + return atomic_read_unchecked(&dev_priv->vbl_received);
29753 }
29754
29755
29756 @@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
29757 /* VBLANK interrupt */
29758 if (status & MGA_VLINEPEN) {
29759 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
29760 - atomic_inc(&dev_priv->vbl_received);
29761 + atomic_inc_unchecked(&dev_priv->vbl_received);
29762 drm_handle_vblank(dev, 0);
29763 handled = 1;
29764 }
29765 @@ -80,7 +80,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
29766 MGA_WRITE(MGA_PRIMEND, prim_end);
29767 }
29768
29769 - atomic_inc(&dev_priv->last_fence_retired);
29770 + atomic_inc_unchecked(&dev_priv->last_fence_retired);
29771 DRM_WAKEUP(&dev_priv->fence_queue);
29772 handled = 1;
29773 }
29774 @@ -131,7 +131,7 @@ int mga_driver_fence_wait(struct drm_dev
29775 * using fences.
29776 */
29777 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
29778 - (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
29779 + (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
29780 - *sequence) <= (1 << 23)));
29781
29782 *sequence = cur_fence;
29783 diff -urNp linux-2.6.32.46/drivers/gpu/drm/r128/r128_cce.c linux-2.6.32.46/drivers/gpu/drm/r128/r128_cce.c
29784 --- linux-2.6.32.46/drivers/gpu/drm/r128/r128_cce.c 2011-03-27 14:31:47.000000000 -0400
29785 +++ linux-2.6.32.46/drivers/gpu/drm/r128/r128_cce.c 2011-05-04 17:56:28.000000000 -0400
29786 @@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
29787
29788 /* GH: Simple idle check.
29789 */
29790 - atomic_set(&dev_priv->idle_count, 0);
29791 + atomic_set_unchecked(&dev_priv->idle_count, 0);
29792
29793 /* We don't support anything other than bus-mastering ring mode,
29794 * but the ring can be in either AGP or PCI space for the ring
29795 diff -urNp linux-2.6.32.46/drivers/gpu/drm/r128/r128_drv.h linux-2.6.32.46/drivers/gpu/drm/r128/r128_drv.h
29796 --- linux-2.6.32.46/drivers/gpu/drm/r128/r128_drv.h 2011-03-27 14:31:47.000000000 -0400
29797 +++ linux-2.6.32.46/drivers/gpu/drm/r128/r128_drv.h 2011-05-04 17:56:28.000000000 -0400
29798 @@ -90,14 +90,14 @@ typedef struct drm_r128_private {
29799 int is_pci;
29800 unsigned long cce_buffers_offset;
29801
29802 - atomic_t idle_count;
29803 + atomic_unchecked_t idle_count;
29804
29805 int page_flipping;
29806 int current_page;
29807 u32 crtc_offset;
29808 u32 crtc_offset_cntl;
29809
29810 - atomic_t vbl_received;
29811 + atomic_unchecked_t vbl_received;
29812
29813 u32 color_fmt;
29814 unsigned int front_offset;
29815 diff -urNp linux-2.6.32.46/drivers/gpu/drm/r128/r128_irq.c linux-2.6.32.46/drivers/gpu/drm/r128/r128_irq.c
29816 --- linux-2.6.32.46/drivers/gpu/drm/r128/r128_irq.c 2011-03-27 14:31:47.000000000 -0400
29817 +++ linux-2.6.32.46/drivers/gpu/drm/r128/r128_irq.c 2011-05-04 17:56:28.000000000 -0400
29818 @@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
29819 if (crtc != 0)
29820 return 0;
29821
29822 - return atomic_read(&dev_priv->vbl_received);
29823 + return atomic_read_unchecked(&dev_priv->vbl_received);
29824 }
29825
29826 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
29827 @@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
29828 /* VBLANK interrupt */
29829 if (status & R128_CRTC_VBLANK_INT) {
29830 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
29831 - atomic_inc(&dev_priv->vbl_received);
29832 + atomic_inc_unchecked(&dev_priv->vbl_received);
29833 drm_handle_vblank(dev, 0);
29834 return IRQ_HANDLED;
29835 }
29836 diff -urNp linux-2.6.32.46/drivers/gpu/drm/r128/r128_state.c linux-2.6.32.46/drivers/gpu/drm/r128/r128_state.c
29837 --- linux-2.6.32.46/drivers/gpu/drm/r128/r128_state.c 2011-03-27 14:31:47.000000000 -0400
29838 +++ linux-2.6.32.46/drivers/gpu/drm/r128/r128_state.c 2011-05-04 17:56:28.000000000 -0400
29839 @@ -323,10 +323,10 @@ static void r128_clear_box(drm_r128_priv
29840
29841 static void r128_cce_performance_boxes(drm_r128_private_t * dev_priv)
29842 {
29843 - if (atomic_read(&dev_priv->idle_count) == 0) {
29844 + if (atomic_read_unchecked(&dev_priv->idle_count) == 0) {
29845 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
29846 } else {
29847 - atomic_set(&dev_priv->idle_count, 0);
29848 + atomic_set_unchecked(&dev_priv->idle_count, 0);
29849 }
29850 }
29851
29852 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/atom.c linux-2.6.32.46/drivers/gpu/drm/radeon/atom.c
29853 --- linux-2.6.32.46/drivers/gpu/drm/radeon/atom.c 2011-05-10 22:12:01.000000000 -0400
29854 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/atom.c 2011-05-16 21:46:57.000000000 -0400
29855 @@ -1115,6 +1115,8 @@ struct atom_context *atom_parse(struct c
29856 char name[512];
29857 int i;
29858
29859 + pax_track_stack();
29860 +
29861 ctx->card = card;
29862 ctx->bios = bios;
29863
29864 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.32.46/drivers/gpu/drm/radeon/mkregtable.c
29865 --- linux-2.6.32.46/drivers/gpu/drm/radeon/mkregtable.c 2011-03-27 14:31:47.000000000 -0400
29866 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/mkregtable.c 2011-04-17 15:56:46.000000000 -0400
29867 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
29868 regex_t mask_rex;
29869 regmatch_t match[4];
29870 char buf[1024];
29871 - size_t end;
29872 + long end;
29873 int len;
29874 int done = 0;
29875 int r;
29876 unsigned o;
29877 struct offset *offset;
29878 char last_reg_s[10];
29879 - int last_reg;
29880 + unsigned long last_reg;
29881
29882 if (regcomp
29883 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
29884 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_atombios.c
29885 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_atombios.c 2011-03-27 14:31:47.000000000 -0400
29886 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-16 21:46:57.000000000 -0400
29887 @@ -275,6 +275,8 @@ bool radeon_get_atom_connector_info_from
29888 bool linkb;
29889 struct radeon_i2c_bus_rec ddc_bus;
29890
29891 + pax_track_stack();
29892 +
29893 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
29894
29895 if (data_offset == 0)
29896 @@ -520,13 +522,13 @@ static uint16_t atombios_get_connector_o
29897 }
29898 }
29899
29900 -struct bios_connector {
29901 +static struct bios_connector {
29902 bool valid;
29903 uint16_t line_mux;
29904 uint16_t devices;
29905 int connector_type;
29906 struct radeon_i2c_bus_rec ddc_bus;
29907 -};
29908 +} bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
29909
29910 bool radeon_get_atom_connector_info_from_supported_devices_table(struct
29911 drm_device
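Review bot: Moving `bios_connectors[ATOM_MAX_SUPPORTED_DEVICE]` from the stack of `radeon_get_atom_connector_info_from_supported_devices_table` (the local is removed in the next hunk) to a file-scope `static` makes the function non-reentrant and lets entries from an earlier call survive into the next. If two devices can be probed concurrently, which is not visible here, the array needs a lock. The function should also start with `memset(bios_connectors, 0, sizeof(bios_connectors));` unless every element is always rewritten before it is read. A comment on the definition, e.g. `/* static only to keep the stack frame small; not reentrant */`, would record the trade-off. The function body lies outside both hunks.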
29912 @@ -542,7 +544,6 @@ bool radeon_get_atom_connector_info_from
29913 uint8_t dac;
29914 union atom_supported_devices *supported_devices;
29915 int i, j;
29916 - struct bios_connector bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
29917
29918 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
29919
29920 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_display.c
29921 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_display.c 2011-03-27 14:31:47.000000000 -0400
29922 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_display.c 2011-04-17 15:56:46.000000000 -0400
29923 @@ -482,7 +482,7 @@ void radeon_compute_pll(struct radeon_pl
29924
29925 if (flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
29926 error = freq - current_freq;
29927 - error = error < 0 ? 0xffffffff : error;
29928 + error = (int32_t)error < 0 ? 0xffffffff : error;
29929 } else
29930 error = abs(current_freq - freq);
29931 vco_diff = abs(vco - best_vco);
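Review bot: The `(int32_t)error < 0` test in `radeon_compute_pll` detects the wrap only after the subtraction has happened, and it relies on the implementation-defined conversion of an out-of-range unsigned value to `int32_t`. Comparing the operands first states the intent directly: `error = freq < current_freq ? 0xffffffff : freq - current_freq;`. This assumes `freq` and `current_freq` are unsigned 32-bit values, which the hunk does not show. The function starts and ends outside the hunk.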
29932 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_drv.h linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_drv.h
29933 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_drv.h 2011-03-27 14:31:47.000000000 -0400
29934 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-04 17:56:28.000000000 -0400
29935 @@ -253,7 +253,7 @@ typedef struct drm_radeon_private {
29936
29937 /* SW interrupt */
29938 wait_queue_head_t swi_queue;
29939 - atomic_t swi_emitted;
29940 + atomic_unchecked_t swi_emitted;
29941 int vblank_crtc;
29942 uint32_t irq_enable_reg;
29943 uint32_t r500_disp_irq_reg;
29944 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_fence.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_fence.c
29945 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_fence.c 2011-03-27 14:31:47.000000000 -0400
29946 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-04 17:56:28.000000000 -0400
29947 @@ -47,7 +47,7 @@ int radeon_fence_emit(struct radeon_devi
29948 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
29949 return 0;
29950 }
29951 - fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
29952 + fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
29953 if (!rdev->cp.ready) {
29954 /* FIXME: cp is not running assume everythings is done right
29955 * away
29956 @@ -364,7 +364,7 @@ int radeon_fence_driver_init(struct rade
29957 return r;
29958 }
29959 WREG32(rdev->fence_drv.scratch_reg, 0);
29960 - atomic_set(&rdev->fence_drv.seq, 0);
29961 + atomic_set_unchecked(&rdev->fence_drv.seq, 0);
29962 INIT_LIST_HEAD(&rdev->fence_drv.created);
29963 INIT_LIST_HEAD(&rdev->fence_drv.emited);
29964 INIT_LIST_HEAD(&rdev->fence_drv.signaled);
29965 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon.h linux-2.6.32.46/drivers/gpu/drm/radeon/radeon.h
29966 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon.h 2011-03-27 14:31:47.000000000 -0400
29967 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon.h 2011-08-05 20:33:55.000000000 -0400
29968 @@ -149,7 +149,7 @@ int radeon_pm_init(struct radeon_device
29969 */
29970 struct radeon_fence_driver {
29971 uint32_t scratch_reg;
29972 - atomic_t seq;
29973 + atomic_unchecked_t seq;
29974 uint32_t last_seq;
29975 unsigned long count_timeout;
29976 wait_queue_head_t queue;
29977 @@ -640,7 +640,7 @@ struct radeon_asic {
29978 uint32_t offset, uint32_t obj_size);
29979 int (*clear_surface_reg)(struct radeon_device *rdev, int reg);
29980 void (*bandwidth_update)(struct radeon_device *rdev);
29981 -};
29982 +} __no_const;
29983
29984 /*
29985 * Asic structures
29986 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ioc32.c
29987 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-03-27 14:31:47.000000000 -0400
29988 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-04-23 13:57:24.000000000 -0400
29989 @@ -368,7 +368,7 @@ static int compat_radeon_cp_setparam(str
29990 request = compat_alloc_user_space(sizeof(*request));
29991 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
29992 || __put_user(req32.param, &request->param)
29993 - || __put_user((void __user *)(unsigned long)req32.value,
29994 + || __put_user((unsigned long)req32.value,
29995 &request->value))
29996 return -EFAULT;
29997
29998 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_irq.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_irq.c
29999 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_irq.c 2011-03-27 14:31:47.000000000 -0400
30000 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-04 17:56:28.000000000 -0400
30001 @@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
30002 unsigned int ret;
30003 RING_LOCALS;
30004
30005 - atomic_inc(&dev_priv->swi_emitted);
30006 - ret = atomic_read(&dev_priv->swi_emitted);
30007 + atomic_inc_unchecked(&dev_priv->swi_emitted);
30008 + ret = atomic_read_unchecked(&dev_priv->swi_emitted);
30009
30010 BEGIN_RING(4);
30011 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
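Review bot: `radeon_emit_irq` still increments `swi_emitted` and then reads it back in a separate call, so two callers racing here could both write the same value to `RADEON_LAST_SWI_REG`. Since both lines are being touched anyway, a single `ret = atomic_add_return_unchecked(1, &dev_priv->swi_emitted);` closes that gap; this patch already uses that helper in radeon_fence.c. Whether callers are serialised by a lock is not visible in the hunk. The function starts and ends outside it.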
30012 @@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
30013 drm_radeon_private_t *dev_priv =
30014 (drm_radeon_private_t *) dev->dev_private;
30015
30016 - atomic_set(&dev_priv->swi_emitted, 0);
30017 + atomic_set_unchecked(&dev_priv->swi_emitted, 0);
30018 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
30019
30020 dev->max_vblank_count = 0x001fffff;
30021 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_state.c
30022 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_state.c 2011-03-27 14:31:47.000000000 -0400
30023 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_state.c 2011-04-17 15:56:46.000000000 -0400
30024 @@ -3021,7 +3021,7 @@ static int radeon_cp_getparam(struct drm
30025 {
30026 drm_radeon_private_t *dev_priv = dev->dev_private;
30027 drm_radeon_getparam_t *param = data;
30028 - int value;
30029 + int value = 0;
30030
30031 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
30032
30033 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ttm.c
30034 --- linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ttm.c 2011-03-27 14:31:47.000000000 -0400
30035 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/radeon_ttm.c 2011-04-17 15:56:46.000000000 -0400
30036 @@ -535,27 +535,10 @@ void radeon_ttm_fini(struct radeon_devic
30037 DRM_INFO("radeon: ttm finalized\n");
30038 }
30039
30040 -static struct vm_operations_struct radeon_ttm_vm_ops;
30041 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
30042 -
30043 -static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
30044 -{
30045 - struct ttm_buffer_object *bo;
30046 - int r;
30047 -
30048 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
30049 - if (bo == NULL) {
30050 - return VM_FAULT_NOPAGE;
30051 - }
30052 - r = ttm_vm_ops->fault(vma, vmf);
30053 - return r;
30054 -}
30055 -
30056 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
30057 {
30058 struct drm_file *file_priv;
30059 struct radeon_device *rdev;
30060 - int r;
30061
30062 if (unlikely(vma->vm_pgoff < DRM_FILE_PAGE_OFFSET)) {
30063 return drm_mmap(filp, vma);
30064 @@ -563,20 +546,9 @@ int radeon_mmap(struct file *filp, struc
30065
30066 file_priv = (struct drm_file *)filp->private_data;
30067 rdev = file_priv->minor->dev->dev_private;
30068 - if (rdev == NULL) {
30069 + if (!rdev)
30070 return -EINVAL;
30071 - }
30072 - r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
30073 - if (unlikely(r != 0)) {
30074 - return r;
30075 - }
30076 - if (unlikely(ttm_vm_ops == NULL)) {
30077 - ttm_vm_ops = vma->vm_ops;
30078 - radeon_ttm_vm_ops = *ttm_vm_ops;
30079 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
30080 - }
30081 - vma->vm_ops = &radeon_ttm_vm_ops;
30082 - return 0;
30083 + return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
30084 }
30085
30086
30087 diff -urNp linux-2.6.32.46/drivers/gpu/drm/radeon/rs690.c linux-2.6.32.46/drivers/gpu/drm/radeon/rs690.c
30088 --- linux-2.6.32.46/drivers/gpu/drm/radeon/rs690.c 2011-03-27 14:31:47.000000000 -0400
30089 +++ linux-2.6.32.46/drivers/gpu/drm/radeon/rs690.c 2011-04-17 15:56:46.000000000 -0400
30090 @@ -302,9 +302,11 @@ void rs690_crtc_bandwidth_compute(struct
30091 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
30092 rdev->pm.sideport_bandwidth.full)
30093 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
30094 - read_delay_latency.full = rfixed_const(370 * 800 * 1000);
30095 + read_delay_latency.full = rfixed_const(800 * 1000);
30096 read_delay_latency.full = rfixed_div(read_delay_latency,
30097 rdev->pm.igp_sideport_mclk);
30098 + a.full = rfixed_const(370);
30099 + read_delay_latency.full = rfixed_mul(read_delay_latency, a);
30100 } else {
30101 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
30102 rdev->pm.k8_bandwidth.full)
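Review bot: The reordered arithmetic in `rs690_crtc_bandwidth_compute` has no comment, so nothing stops a later cleanup from folding `370` back into the `rfixed_const()` argument. A line such as `/* 370 * 800 * 1000 does not fit once converted to fixed point; scale by 370 after the divide */` above the first assignment would record the reason. That the original expression overflowed is inferred from the change, because `rfixed_const` is defined elsewhere. The variable `a` is declared outside the hunk.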
30103 diff -urNp linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo.c
30104 --- linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo.c 2011-08-29 22:24:44.000000000 -0400
30105 +++ linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo.c 2011-08-29 22:25:07.000000000 -0400
30106 @@ -67,7 +67,7 @@ static struct attribute *ttm_bo_global_a
30107 NULL
30108 };
30109
30110 -static struct sysfs_ops ttm_bo_global_ops = {
30111 +static const struct sysfs_ops ttm_bo_global_ops = {
30112 .show = &ttm_bo_global_show
30113 };
30114
30115 diff -urNp linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo_vm.c
30116 --- linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-03-27 14:31:47.000000000 -0400
30117 +++ linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-04-17 15:56:46.000000000 -0400
30118 @@ -73,7 +73,7 @@ static int ttm_bo_vm_fault(struct vm_are
30119 {
30120 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
30121 vma->vm_private_data;
30122 - struct ttm_bo_device *bdev = bo->bdev;
30123 + struct ttm_bo_device *bdev;
30124 unsigned long bus_base;
30125 unsigned long bus_offset;
30126 unsigned long bus_size;
30127 @@ -88,6 +88,10 @@ static int ttm_bo_vm_fault(struct vm_are
30128 unsigned long address = (unsigned long)vmf->virtual_address;
30129 int retval = VM_FAULT_NOPAGE;
30130
30131 + if (!bo)
30132 + return VM_FAULT_NOPAGE;
30133 + bdev = bo->bdev;
30134 +
30135 /*
30136 * Work around locking order reversal in fault / nopfn
30137 * between mmap_sem and bo_reserve: Perform a trylock operation
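Review bot: The `!bo` check added to `ttm_bo_vm_fault` does not say when `vma->vm_private_data` can be NULL, and it is now the only guard, because the radeon_ttm.c section of this patch deletes the `radeon_ttm_fault` wrapper that performed the same test. A comment like `/* vm_private_data may be NULL; drivers no longer filter this before calling us */` would keep the check from being removed later as dead code. The previous hunk in this file drops the initialiser `bdev = bo->bdev` for the same reason, and any other use of `bo` ahead of this point would need the same care; the declarations between the two hunks are not shown. The function continues outside the hunk.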
30138 diff -urNp linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_global.c
30139 --- linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_global.c 2011-03-27 14:31:47.000000000 -0400
30140 +++ linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_global.c 2011-04-17 15:56:46.000000000 -0400
30141 @@ -36,7 +36,7 @@
30142 struct ttm_global_item {
30143 struct mutex mutex;
30144 void *object;
30145 - int refcount;
30146 + atomic_t refcount;
30147 };
30148
30149 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
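Review bot: `refcount` in `struct ttm_global_item` becomes an `atomic_t`, but the `ttm_global_item_ref` and `ttm_global_item_unref` hunks below still access it under `item->mutex`, so the type change is not about concurrency. If the intent is to put the counter under the overflow detection that plain `atomic_t` appears to have in this patch set (inferred from the many `atomic_unchecked_t` conversions elsewhere), say so on the field: `/* atomic_t for overflow detection; still protected by mutex */`.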
30150 @@ -49,7 +49,7 @@ void ttm_global_init(void)
30151 struct ttm_global_item *item = &glob[i];
30152 mutex_init(&item->mutex);
30153 item->object = NULL;
30154 - item->refcount = 0;
30155 + atomic_set(&item->refcount, 0);
30156 }
30157 }
30158
30159 @@ -59,7 +59,7 @@ void ttm_global_release(void)
30160 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
30161 struct ttm_global_item *item = &glob[i];
30162 BUG_ON(item->object != NULL);
30163 - BUG_ON(item->refcount != 0);
30164 + BUG_ON(atomic_read(&item->refcount) != 0);
30165 }
30166 }
30167
30168 @@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
30169 void *object;
30170
30171 mutex_lock(&item->mutex);
30172 - if (item->refcount == 0) {
30173 + if (atomic_read(&item->refcount) == 0) {
30174 item->object = kzalloc(ref->size, GFP_KERNEL);
30175 if (unlikely(item->object == NULL)) {
30176 ret = -ENOMEM;
30177 @@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
30178 goto out_err;
30179
30180 }
30181 - ++item->refcount;
30182 + atomic_inc(&item->refcount);
30183 ref->object = item->object;
30184 object = item->object;
30185 mutex_unlock(&item->mutex);
30186 @@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
30187 struct ttm_global_item *item = &glob[ref->global_type];
30188
30189 mutex_lock(&item->mutex);
30190 - BUG_ON(item->refcount == 0);
30191 + BUG_ON(atomic_read(&item->refcount) == 0);
30192 BUG_ON(ref->object != item->object);
30193 - if (--item->refcount == 0) {
30194 + if (atomic_dec_and_test(&item->refcount)) {
30195 ref->release(ref);
30196 item->object = NULL;
30197 }
30198 diff -urNp linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_memory.c linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_memory.c
30199 --- linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_memory.c 2011-03-27 14:31:47.000000000 -0400
30200 +++ linux-2.6.32.46/drivers/gpu/drm/ttm/ttm_memory.c 2011-04-17 15:56:46.000000000 -0400
30201 @@ -152,7 +152,7 @@ static struct attribute *ttm_mem_zone_at
30202 NULL
30203 };
30204
30205 -static struct sysfs_ops ttm_mem_zone_ops = {
30206 +static const struct sysfs_ops ttm_mem_zone_ops = {
30207 .show = &ttm_mem_zone_show,
30208 .store = &ttm_mem_zone_store
30209 };
30210 diff -urNp linux-2.6.32.46/drivers/gpu/drm/via/via_drv.h linux-2.6.32.46/drivers/gpu/drm/via/via_drv.h
30211 --- linux-2.6.32.46/drivers/gpu/drm/via/via_drv.h 2011-03-27 14:31:47.000000000 -0400
30212 +++ linux-2.6.32.46/drivers/gpu/drm/via/via_drv.h 2011-05-04 17:56:28.000000000 -0400
30213 @@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
30214 typedef uint32_t maskarray_t[5];
30215
30216 typedef struct drm_via_irq {
30217 - atomic_t irq_received;
30218 + atomic_unchecked_t irq_received;
30219 uint32_t pending_mask;
30220 uint32_t enable_mask;
30221 wait_queue_head_t irq_queue;
30222 @@ -75,7 +75,7 @@ typedef struct drm_via_private {
30223 struct timeval last_vblank;
30224 int last_vblank_valid;
30225 unsigned usec_per_vblank;
30226 - atomic_t vbl_received;
30227 + atomic_unchecked_t vbl_received;
30228 drm_via_state_t hc_state;
30229 char pci_buf[VIA_PCI_BUF_SIZE];
30230 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
30231 diff -urNp linux-2.6.32.46/drivers/gpu/drm/via/via_irq.c linux-2.6.32.46/drivers/gpu/drm/via/via_irq.c
30232 --- linux-2.6.32.46/drivers/gpu/drm/via/via_irq.c 2011-03-27 14:31:47.000000000 -0400
30233 +++ linux-2.6.32.46/drivers/gpu/drm/via/via_irq.c 2011-05-04 17:56:28.000000000 -0400
30234 @@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
30235 if (crtc != 0)
30236 return 0;
30237
30238 - return atomic_read(&dev_priv->vbl_received);
30239 + return atomic_read_unchecked(&dev_priv->vbl_received);
30240 }
30241
30242 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
30243 @@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
30244
30245 status = VIA_READ(VIA_REG_INTERRUPT);
30246 if (status & VIA_IRQ_VBLANK_PENDING) {
30247 - atomic_inc(&dev_priv->vbl_received);
30248 - if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
30249 + atomic_inc_unchecked(&dev_priv->vbl_received);
30250 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
30251 do_gettimeofday(&cur_vblank);
30252 if (dev_priv->last_vblank_valid) {
30253 dev_priv->usec_per_vblank =
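Review bot: The increment of `vbl_received` and the two later reads (the `& 0x0F` test here and the `& 0xFF` test in the next hunk) are separate atomic operations, so the tests are not guaranteed to see the value this interrupt produced. Whether another update can interleave is not visible from the hunk; if it cannot, this is only a style matter. `atomic_inc_return_unchecked()`, which this patch already uses in hid-core.c, would take the value once: `vbl = atomic_inc_return_unchecked(&dev_priv->vbl_received);` followed by `if (!(vbl & 0x0F)) {`. The body of via_driver_irq_handler starts and ends outside the hunk, so the local would have to be declared there.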
30254 @@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
30255 dev_priv->last_vblank = cur_vblank;
30256 dev_priv->last_vblank_valid = 1;
30257 }
30258 - if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
30259 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
30260 DRM_DEBUG("US per vblank is: %u\n",
30261 dev_priv->usec_per_vblank);
30262 }
30263 @@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
30264
30265 for (i = 0; i < dev_priv->num_irqs; ++i) {
30266 if (status & cur_irq->pending_mask) {
30267 - atomic_inc(&cur_irq->irq_received);
30268 + atomic_inc_unchecked(&cur_irq->irq_received);
30269 DRM_WAKEUP(&cur_irq->irq_queue);
30270 handled = 1;
30271 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i) {
30272 @@ -244,11 +244,11 @@ via_driver_irq_wait(struct drm_device *
30273 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
30274 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
30275 masks[irq][4]));
30276 - cur_irq_sequence = atomic_read(&cur_irq->irq_received);
30277 + cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
30278 } else {
30279 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
30280 (((cur_irq_sequence =
30281 - atomic_read(&cur_irq->irq_received)) -
30282 + atomic_read_unchecked(&cur_irq->irq_received)) -
30283 *sequence) <= (1 << 23)));
30284 }
30285 *sequence = cur_irq_sequence;
30286 @@ -286,7 +286,7 @@ void via_driver_irq_preinstall(struct dr
30287 }
30288
30289 for (i = 0; i < dev_priv->num_irqs; ++i) {
30290 - atomic_set(&cur_irq->irq_received, 0);
30291 + atomic_set_unchecked(&cur_irq->irq_received, 0);
30292 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
30293 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
30294 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
30295 @@ -368,7 +368,7 @@ int via_wait_irq(struct drm_device *dev,
30296 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
30297 case VIA_IRQ_RELATIVE:
30298 irqwait->request.sequence +=
30299 - atomic_read(&cur_irq->irq_received);
30300 + atomic_read_unchecked(&cur_irq->irq_received);
30301 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
30302 case VIA_IRQ_ABSOLUTE:
30303 break;
30304 diff -urNp linux-2.6.32.46/drivers/hid/hid-core.c linux-2.6.32.46/drivers/hid/hid-core.c
30305 --- linux-2.6.32.46/drivers/hid/hid-core.c 2011-05-10 22:12:01.000000000 -0400
30306 +++ linux-2.6.32.46/drivers/hid/hid-core.c 2011-05-10 22:12:32.000000000 -0400
30307 @@ -1752,7 +1752,7 @@ static bool hid_ignore(struct hid_device
30308
30309 int hid_add_device(struct hid_device *hdev)
30310 {
30311 - static atomic_t id = ATOMIC_INIT(0);
30312 + static atomic_unchecked_t id = ATOMIC_INIT(0);
30313 int ret;
30314
30315 if (WARN_ON(hdev->status & HID_STAT_ADDED))
30316 @@ -1766,7 +1766,7 @@ int hid_add_device(struct hid_device *hd
30317 /* XXX hack, any other cleaner solution after the driver core
30318 * is converted to allow more than 20 bytes as the device name? */
30319 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
30320 - hdev->vendor, hdev->product, atomic_inc_return(&id));
30321 + hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
30322
30323 ret = device_add(&hdev->dev);
30324 if (!ret)
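Review bot: With `atomic_inc_return_unchecked(&id)` the counter now wraps silently, and neither this call nor the declaration in the previous hunk says why that is acceptable. A one-line comment above `dev_set_name()` would record the reasoning, for example `/* id is only a name suffix, not a reference count: overflow cannot cause a premature free */`. Note also that `%04X` is a minimum width, so values above 0xFFFF make the name longer than the 20 bytes the existing XXX comment mentions. Whether that still matters depends on the driver core, which is not visible here.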
30325 diff -urNp linux-2.6.32.46/drivers/hid/usbhid/hiddev.c linux-2.6.32.46/drivers/hid/usbhid/hiddev.c
30326 --- linux-2.6.32.46/drivers/hid/usbhid/hiddev.c 2011-03-27 14:31:47.000000000 -0400
30327 +++ linux-2.6.32.46/drivers/hid/usbhid/hiddev.c 2011-04-17 15:56:46.000000000 -0400
30328 @@ -617,7 +617,7 @@ static long hiddev_ioctl(struct file *fi
30329 return put_user(HID_VERSION, (int __user *)arg);
30330
30331 case HIDIOCAPPLICATION:
30332 - if (arg < 0 || arg >= hid->maxapplication)
30333 + if (arg >= hid->maxapplication)
30334 return -EINVAL;
30335
30336 for (i = 0; i < hid->maxcollection; i++)
30337 diff -urNp linux-2.6.32.46/drivers/hwmon/lis3lv02d.c linux-2.6.32.46/drivers/hwmon/lis3lv02d.c
30338 --- linux-2.6.32.46/drivers/hwmon/lis3lv02d.c 2011-03-27 14:31:47.000000000 -0400
30339 +++ linux-2.6.32.46/drivers/hwmon/lis3lv02d.c 2011-05-04 17:56:28.000000000 -0400
30340 @@ -146,7 +146,7 @@ static irqreturn_t lis302dl_interrupt(in
30341 * the lid is closed. This leads to interrupts as soon as a little move
30342 * is done.
30343 */
30344 - atomic_inc(&lis3_dev.count);
30345 + atomic_inc_unchecked(&lis3_dev.count);
30346
30347 wake_up_interruptible(&lis3_dev.misc_wait);
30348 kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
30349 @@ -160,7 +160,7 @@ static int lis3lv02d_misc_open(struct in
30350 if (test_and_set_bit(0, &lis3_dev.misc_opened))
30351 return -EBUSY; /* already open */
30352
30353 - atomic_set(&lis3_dev.count, 0);
30354 + atomic_set_unchecked(&lis3_dev.count, 0);
30355
30356 /*
30357 * The sensor can generate interrupts for free-fall and direction
30358 @@ -206,7 +206,7 @@ static ssize_t lis3lv02d_misc_read(struc
30359 add_wait_queue(&lis3_dev.misc_wait, &wait);
30360 while (true) {
30361 set_current_state(TASK_INTERRUPTIBLE);
30362 - data = atomic_xchg(&lis3_dev.count, 0);
30363 + data = atomic_xchg_unchecked(&lis3_dev.count, 0);
30364 if (data)
30365 break;
30366
30367 @@ -244,7 +244,7 @@ out:
30368 static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
30369 {
30370 poll_wait(file, &lis3_dev.misc_wait, wait);
30371 - if (atomic_read(&lis3_dev.count))
30372 + if (atomic_read_unchecked(&lis3_dev.count))
30373 return POLLIN | POLLRDNORM;
30374 return 0;
30375 }
30376 diff -urNp linux-2.6.32.46/drivers/hwmon/lis3lv02d.h linux-2.6.32.46/drivers/hwmon/lis3lv02d.h
30377 --- linux-2.6.32.46/drivers/hwmon/lis3lv02d.h 2011-03-27 14:31:47.000000000 -0400
30378 +++ linux-2.6.32.46/drivers/hwmon/lis3lv02d.h 2011-05-04 17:56:28.000000000 -0400
30379 @@ -201,7 +201,7 @@ struct lis3lv02d {
30380
30381 struct input_polled_dev *idev; /* input device */
30382 struct platform_device *pdev; /* platform device */
30383 - atomic_t count; /* interrupt count after last read */
30384 + atomic_unchecked_t count; /* interrupt count after last read */
30385 int xcalib; /* calibrated null value for x */
30386 int ycalib; /* calibrated null value for y */
30387 int zcalib; /* calibrated null value for z */
30388 diff -urNp linux-2.6.32.46/drivers/hwmon/sht15.c linux-2.6.32.46/drivers/hwmon/sht15.c
30389 --- linux-2.6.32.46/drivers/hwmon/sht15.c 2011-03-27 14:31:47.000000000 -0400
30390 +++ linux-2.6.32.46/drivers/hwmon/sht15.c 2011-05-04 17:56:28.000000000 -0400
30391 @@ -112,7 +112,7 @@ struct sht15_data {
30392 int supply_uV;
30393 int supply_uV_valid;
30394 struct work_struct update_supply_work;
30395 - atomic_t interrupt_handled;
30396 + atomic_unchecked_t interrupt_handled;
30397 };
30398
30399 /**
30400 @@ -245,13 +245,13 @@ static inline int sht15_update_single_va
30401 return ret;
30402
30403 gpio_direction_input(data->pdata->gpio_data);
30404 - atomic_set(&data->interrupt_handled, 0);
30405 + atomic_set_unchecked(&data->interrupt_handled, 0);
30406
30407 enable_irq(gpio_to_irq(data->pdata->gpio_data));
30408 if (gpio_get_value(data->pdata->gpio_data) == 0) {
30409 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
30410 /* Only relevant if the interrupt hasn't occured. */
30411 - if (!atomic_read(&data->interrupt_handled))
30412 + if (!atomic_read_unchecked(&data->interrupt_handled))
30413 schedule_work(&data->read_work);
30414 }
30415 ret = wait_event_timeout(data->wait_queue,
30416 @@ -398,7 +398,7 @@ static irqreturn_t sht15_interrupt_fired
30417 struct sht15_data *data = d;
30418 /* First disable the interrupt */
30419 disable_irq_nosync(irq);
30420 - atomic_inc(&data->interrupt_handled);
30421 + atomic_inc_unchecked(&data->interrupt_handled);
30422 /* Then schedule a reading work struct */
30423 if (data->flag != SHT15_READING_NOTHING)
30424 schedule_work(&data->read_work);
30425 @@ -449,11 +449,11 @@ static void sht15_bh_read_data(struct wo
30426 here as could have gone low in meantime so verify
30427 it hasn't!
30428 */
30429 - atomic_set(&data->interrupt_handled, 0);
30430 + atomic_set_unchecked(&data->interrupt_handled, 0);
30431 enable_irq(gpio_to_irq(data->pdata->gpio_data));
30432 /* If still not occured or another handler has been scheduled */
30433 if (gpio_get_value(data->pdata->gpio_data)
30434 - || atomic_read(&data->interrupt_handled))
30435 + || atomic_read_unchecked(&data->interrupt_handled))
30436 return;
30437 }
30438 /* Read the data back from the device */
30439 diff -urNp linux-2.6.32.46/drivers/hwmon/w83791d.c linux-2.6.32.46/drivers/hwmon/w83791d.c
30440 --- linux-2.6.32.46/drivers/hwmon/w83791d.c 2011-03-27 14:31:47.000000000 -0400
30441 +++ linux-2.6.32.46/drivers/hwmon/w83791d.c 2011-04-17 15:56:46.000000000 -0400
30442 @@ -330,8 +330,8 @@ static int w83791d_detect(struct i2c_cli
30443 struct i2c_board_info *info);
30444 static int w83791d_remove(struct i2c_client *client);
30445
30446 -static int w83791d_read(struct i2c_client *client, u8 register);
30447 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
30448 +static int w83791d_read(struct i2c_client *client, u8 reg);
30449 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
30450 static struct w83791d_data *w83791d_update_device(struct device *dev);
30451
30452 #ifdef DEBUG
30453 diff -urNp linux-2.6.32.46/drivers/i2c/busses/i2c-amd756-s4882.c linux-2.6.32.46/drivers/i2c/busses/i2c-amd756-s4882.c
30454 --- linux-2.6.32.46/drivers/i2c/busses/i2c-amd756-s4882.c 2011-03-27 14:31:47.000000000 -0400
30455 +++ linux-2.6.32.46/drivers/i2c/busses/i2c-amd756-s4882.c 2011-08-23 21:22:32.000000000 -0400
30456 @@ -43,7 +43,7 @@
30457 extern struct i2c_adapter amd756_smbus;
30458
30459 static struct i2c_adapter *s4882_adapter;
30460 -static struct i2c_algorithm *s4882_algo;
30461 +static i2c_algorithm_no_const *s4882_algo;
30462
30463 /* Wrapper access functions for multiplexed SMBus */
30464 static DEFINE_MUTEX(amd756_lock);
30465 diff -urNp linux-2.6.32.46/drivers/i2c/busses/i2c-nforce2-s4985.c linux-2.6.32.46/drivers/i2c/busses/i2c-nforce2-s4985.c
30466 --- linux-2.6.32.46/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-03-27 14:31:47.000000000 -0400
30467 +++ linux-2.6.32.46/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-08-23 21:22:32.000000000 -0400
30468 @@ -41,7 +41,7 @@
30469 extern struct i2c_adapter *nforce2_smbus;
30470
30471 static struct i2c_adapter *s4985_adapter;
30472 -static struct i2c_algorithm *s4985_algo;
30473 +static i2c_algorithm_no_const *s4985_algo;
30474
30475 /* Wrapper access functions for multiplexed SMBus */
30476 static DEFINE_MUTEX(nforce2_lock);
30477 diff -urNp linux-2.6.32.46/drivers/ide/ide-cd.c linux-2.6.32.46/drivers/ide/ide-cd.c
30478 --- linux-2.6.32.46/drivers/ide/ide-cd.c 2011-03-27 14:31:47.000000000 -0400
30479 +++ linux-2.6.32.46/drivers/ide/ide-cd.c 2011-04-17 15:56:46.000000000 -0400
30480 @@ -774,7 +774,7 @@ static void cdrom_do_block_pc(ide_drive_
30481 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
30482 if ((unsigned long)buf & alignment
30483 || blk_rq_bytes(rq) & q->dma_pad_mask
30484 - || object_is_on_stack(buf))
30485 + || object_starts_on_stack(buf))
30486 drive->dma = 0;
30487 }
30488 }
30489 diff -urNp linux-2.6.32.46/drivers/ide/ide-floppy.c linux-2.6.32.46/drivers/ide/ide-floppy.c
30490 --- linux-2.6.32.46/drivers/ide/ide-floppy.c 2011-03-27 14:31:47.000000000 -0400
30491 +++ linux-2.6.32.46/drivers/ide/ide-floppy.c 2011-05-16 21:46:57.000000000 -0400
30492 @@ -373,6 +373,8 @@ static int ide_floppy_get_capacity(ide_d
30493 u8 pc_buf[256], header_len, desc_cnt;
30494 int i, rc = 1, blocks, length;
30495
30496 + pax_track_stack();
30497 +
30498 ide_debug_log(IDE_DBG_FUNC, "enter");
30499
30500 drive->bios_cyl = 0;
30501 diff -urNp linux-2.6.32.46/drivers/ide/setup-pci.c linux-2.6.32.46/drivers/ide/setup-pci.c
30502 --- linux-2.6.32.46/drivers/ide/setup-pci.c 2011-03-27 14:31:47.000000000 -0400
30503 +++ linux-2.6.32.46/drivers/ide/setup-pci.c 2011-05-16 21:46:57.000000000 -0400
30504 @@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
30505 int ret, i, n_ports = dev2 ? 4 : 2;
30506 struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
30507
30508 + pax_track_stack();
30509 +
30510 for (i = 0; i < n_ports / 2; i++) {
30511 ret = ide_setup_pci_controller(pdev[i], d, !i);
30512 if (ret < 0)
30513 diff -urNp linux-2.6.32.46/drivers/ieee1394/dv1394.c linux-2.6.32.46/drivers/ieee1394/dv1394.c
30514 --- linux-2.6.32.46/drivers/ieee1394/dv1394.c 2011-03-27 14:31:47.000000000 -0400
30515 +++ linux-2.6.32.46/drivers/ieee1394/dv1394.c 2011-04-23 12:56:11.000000000 -0400
30516 @@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
30517 based upon DIF section and sequence
30518 */
30519
30520 -static void inline
30521 +static inline void
30522 frame_put_packet (struct frame *f, struct packet *p)
30523 {
30524 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
30525 diff -urNp linux-2.6.32.46/drivers/ieee1394/hosts.c linux-2.6.32.46/drivers/ieee1394/hosts.c
30526 --- linux-2.6.32.46/drivers/ieee1394/hosts.c 2011-03-27 14:31:47.000000000 -0400
30527 +++ linux-2.6.32.46/drivers/ieee1394/hosts.c 2011-04-17 15:56:46.000000000 -0400
30528 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
30529 }
30530
30531 static struct hpsb_host_driver dummy_driver = {
30532 + .name = "dummy",
30533 .transmit_packet = dummy_transmit_packet,
30534 .devctl = dummy_devctl,
30535 .isoctl = dummy_isoctl
30536 diff -urNp linux-2.6.32.46/drivers/ieee1394/init_ohci1394_dma.c linux-2.6.32.46/drivers/ieee1394/init_ohci1394_dma.c
30537 --- linux-2.6.32.46/drivers/ieee1394/init_ohci1394_dma.c 2011-03-27 14:31:47.000000000 -0400
30538 +++ linux-2.6.32.46/drivers/ieee1394/init_ohci1394_dma.c 2011-04-17 15:56:46.000000000 -0400
30539 @@ -257,7 +257,7 @@ void __init init_ohci1394_dma_on_all_con
30540 for (func = 0; func < 8; func++) {
30541 u32 class = read_pci_config(num,slot,func,
30542 PCI_CLASS_REVISION);
30543 - if ((class == 0xffffffff))
30544 + if (class == 0xffffffff)
30545 continue; /* No device at this func */
30546
30547 if (class>>8 != PCI_CLASS_SERIAL_FIREWIRE_OHCI)
30548 diff -urNp linux-2.6.32.46/drivers/ieee1394/ohci1394.c linux-2.6.32.46/drivers/ieee1394/ohci1394.c
30549 --- linux-2.6.32.46/drivers/ieee1394/ohci1394.c 2011-03-27 14:31:47.000000000 -0400
30550 +++ linux-2.6.32.46/drivers/ieee1394/ohci1394.c 2011-04-23 12:56:11.000000000 -0400
30551 @@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
30552 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
30553
30554 /* Module Parameters */
30555 -static int phys_dma = 1;
30556 +static int phys_dma;
30557 module_param(phys_dma, int, 0444);
30558 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
30559 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
30560
30561 static void dma_trm_tasklet(unsigned long data);
30562 static void dma_trm_reset(struct dma_trm_ctx *d);
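Review bot: The default of `phys_dma` flips from 1 to 0 with no comment or parameter text explaining why, so a user whose FireWire setup relied on physical DMA gets no hint about the trade-off. Physical DMA lets other nodes on the bus access host memory without driver involvement, which is presumably the reason for the hardened default. The description should say so: `MODULE_PARM_DESC(phys_dma, "Enable physical DMA, giving bus peers direct access to host memory (default = 0).");`. The parameter stays 0444, so it can only be chosen at load time, which is worth keeping.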
30563 diff -urNp linux-2.6.32.46/drivers/ieee1394/sbp2.c linux-2.6.32.46/drivers/ieee1394/sbp2.c
30564 --- linux-2.6.32.46/drivers/ieee1394/sbp2.c 2011-03-27 14:31:47.000000000 -0400
30565 +++ linux-2.6.32.46/drivers/ieee1394/sbp2.c 2011-04-23 12:56:11.000000000 -0400
30566 @@ -2111,7 +2111,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
30567 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
30568 MODULE_LICENSE("GPL");
30569
30570 -static int sbp2_module_init(void)
30571 +static int __init sbp2_module_init(void)
30572 {
30573 int ret;
30574
30575 diff -urNp linux-2.6.32.46/drivers/infiniband/core/cm.c linux-2.6.32.46/drivers/infiniband/core/cm.c
30576 --- linux-2.6.32.46/drivers/infiniband/core/cm.c 2011-03-27 14:31:47.000000000 -0400
30577 +++ linux-2.6.32.46/drivers/infiniband/core/cm.c 2011-04-17 15:56:46.000000000 -0400
30578 @@ -112,7 +112,7 @@ static char const counter_group_names[CM
30579
30580 struct cm_counter_group {
30581 struct kobject obj;
30582 - atomic_long_t counter[CM_ATTR_COUNT];
30583 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
30584 };
30585
30586 struct cm_counter_attribute {
30587 @@ -1386,7 +1386,7 @@ static void cm_dup_req_handler(struct cm
30588 struct ib_mad_send_buf *msg = NULL;
30589 int ret;
30590
30591 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30592 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30593 counter[CM_REQ_COUNTER]);
30594
30595 /* Quick state check to discard duplicate REQs. */
30596 @@ -1764,7 +1764,7 @@ static void cm_dup_rep_handler(struct cm
30597 if (!cm_id_priv)
30598 return;
30599
30600 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30601 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30602 counter[CM_REP_COUNTER]);
30603 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
30604 if (ret)
30605 @@ -1931,7 +1931,7 @@ static int cm_rtu_handler(struct cm_work
30606 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
30607 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
30608 spin_unlock_irq(&cm_id_priv->lock);
30609 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30610 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30611 counter[CM_RTU_COUNTER]);
30612 goto out;
30613 }
30614 @@ -2110,7 +2110,7 @@ static int cm_dreq_handler(struct cm_wor
30615 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
30616 dreq_msg->local_comm_id);
30617 if (!cm_id_priv) {
30618 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30619 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30620 counter[CM_DREQ_COUNTER]);
30621 cm_issue_drep(work->port, work->mad_recv_wc);
30622 return -EINVAL;
30623 @@ -2131,7 +2131,7 @@ static int cm_dreq_handler(struct cm_wor
30624 case IB_CM_MRA_REP_RCVD:
30625 break;
30626 case IB_CM_TIMEWAIT:
30627 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30628 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30629 counter[CM_DREQ_COUNTER]);
30630 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
30631 goto unlock;
30632 @@ -2145,7 +2145,7 @@ static int cm_dreq_handler(struct cm_wor
30633 cm_free_msg(msg);
30634 goto deref;
30635 case IB_CM_DREQ_RCVD:
30636 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30637 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30638 counter[CM_DREQ_COUNTER]);
30639 goto unlock;
30640 default:
30641 @@ -2501,7 +2501,7 @@ static int cm_mra_handler(struct cm_work
30642 ib_modify_mad(cm_id_priv->av.port->mad_agent,
30643 cm_id_priv->msg, timeout)) {
30644 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
30645 - atomic_long_inc(&work->port->
30646 + atomic_long_inc_unchecked(&work->port->
30647 counter_group[CM_RECV_DUPLICATES].
30648 counter[CM_MRA_COUNTER]);
30649 goto out;
30650 @@ -2510,7 +2510,7 @@ static int cm_mra_handler(struct cm_work
30651 break;
30652 case IB_CM_MRA_REQ_RCVD:
30653 case IB_CM_MRA_REP_RCVD:
30654 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30655 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30656 counter[CM_MRA_COUNTER]);
30657 /* fall through */
30658 default:
30659 @@ -2672,7 +2672,7 @@ static int cm_lap_handler(struct cm_work
30660 case IB_CM_LAP_IDLE:
30661 break;
30662 case IB_CM_MRA_LAP_SENT:
30663 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30664 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30665 counter[CM_LAP_COUNTER]);
30666 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
30667 goto unlock;
30668 @@ -2688,7 +2688,7 @@ static int cm_lap_handler(struct cm_work
30669 cm_free_msg(msg);
30670 goto deref;
30671 case IB_CM_LAP_RCVD:
30672 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30673 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30674 counter[CM_LAP_COUNTER]);
30675 goto unlock;
30676 default:
30677 @@ -2972,7 +2972,7 @@ static int cm_sidr_req_handler(struct cm
30678 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
30679 if (cur_cm_id_priv) {
30680 spin_unlock_irq(&cm.lock);
30681 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
30682 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
30683 counter[CM_SIDR_REQ_COUNTER]);
30684 goto out; /* Duplicate message. */
30685 }
30686 @@ -3184,10 +3184,10 @@ static void cm_send_handler(struct ib_ma
30687 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
30688 msg->retries = 1;
30689
30690 - atomic_long_add(1 + msg->retries,
30691 + atomic_long_add_unchecked(1 + msg->retries,
30692 &port->counter_group[CM_XMIT].counter[attr_index]);
30693 if (msg->retries)
30694 - atomic_long_add(msg->retries,
30695 + atomic_long_add_unchecked(msg->retries,
30696 &port->counter_group[CM_XMIT_RETRIES].
30697 counter[attr_index]);
30698
30699 @@ -3397,7 +3397,7 @@ static void cm_recv_handler(struct ib_ma
30700 }
30701
30702 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
30703 - atomic_long_inc(&port->counter_group[CM_RECV].
30704 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
30705 counter[attr_id - CM_ATTR_ID_OFFSET]);
30706
30707 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
30708 @@ -3595,10 +3595,10 @@ static ssize_t cm_show_counter(struct ko
30709 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
30710
30711 return sprintf(buf, "%ld\n",
30712 - atomic_long_read(&group->counter[cm_attr->index]));
30713 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
30714 }
30715
30716 -static struct sysfs_ops cm_counter_ops = {
30717 +static const struct sysfs_ops cm_counter_ops = {
30718 .show = cm_show_counter
30719 };
30720
30721 diff -urNp linux-2.6.32.46/drivers/infiniband/core/fmr_pool.c linux-2.6.32.46/drivers/infiniband/core/fmr_pool.c
30722 --- linux-2.6.32.46/drivers/infiniband/core/fmr_pool.c 2011-03-27 14:31:47.000000000 -0400
30723 +++ linux-2.6.32.46/drivers/infiniband/core/fmr_pool.c 2011-05-04 17:56:28.000000000 -0400
30724 @@ -97,8 +97,8 @@ struct ib_fmr_pool {
30725
30726 struct task_struct *thread;
30727
30728 - atomic_t req_ser;
30729 - atomic_t flush_ser;
30730 + atomic_unchecked_t req_ser;
30731 + atomic_unchecked_t flush_ser;
30732
30733 wait_queue_head_t force_wait;
30734 };
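Review bot: `req_ser` and `flush_ser` become `atomic_unchecked_t` without a comment recording that they are serial numbers ordered by signed difference, so wraparound is intended. The comparisons are `atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0` in ib_fmr_cleanup_thread and `- serial >= 0` in ib_flush_fmr_pool. Add `/* wrapping serial numbers, ordered by signed difference; not reference counts */` above the two fields so a later reader does not convert them back. Those comparisons also rely on signed overflow wrapping, which is only defined when the build passes the corresponding compiler flag; that is not visible here. struct ib_fmr_pool begins before this hunk.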
30735 @@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
30736 struct ib_fmr_pool *pool = pool_ptr;
30737
30738 do {
30739 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
30740 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
30741 ib_fmr_batch_release(pool);
30742
30743 - atomic_inc(&pool->flush_ser);
30744 + atomic_inc_unchecked(&pool->flush_ser);
30745 wake_up_interruptible(&pool->force_wait);
30746
30747 if (pool->flush_function)
30748 @@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
30749 }
30750
30751 set_current_state(TASK_INTERRUPTIBLE);
30752 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
30753 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
30754 !kthread_should_stop())
30755 schedule();
30756 __set_current_state(TASK_RUNNING);
30757 @@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
30758 pool->dirty_watermark = params->dirty_watermark;
30759 pool->dirty_len = 0;
30760 spin_lock_init(&pool->pool_lock);
30761 - atomic_set(&pool->req_ser, 0);
30762 - atomic_set(&pool->flush_ser, 0);
30763 + atomic_set_unchecked(&pool->req_ser, 0);
30764 + atomic_set_unchecked(&pool->flush_ser, 0);
30765 init_waitqueue_head(&pool->force_wait);
30766
30767 pool->thread = kthread_run(ib_fmr_cleanup_thread,
30768 @@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
30769 }
30770 spin_unlock_irq(&pool->pool_lock);
30771
30772 - serial = atomic_inc_return(&pool->req_ser);
30773 + serial = atomic_inc_return_unchecked(&pool->req_ser);
30774 wake_up_process(pool->thread);
30775
30776 if (wait_event_interruptible(pool->force_wait,
30777 - atomic_read(&pool->flush_ser) - serial >= 0))
30778 + atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
30779 return -EINTR;
30780
30781 return 0;
30782 @@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
30783 } else {
30784 list_add_tail(&fmr->list, &pool->dirty_list);
30785 if (++pool->dirty_len >= pool->dirty_watermark) {
30786 - atomic_inc(&pool->req_ser);
30787 + atomic_inc_unchecked(&pool->req_ser);
30788 wake_up_process(pool->thread);
30789 }
30790 }
30791 diff -urNp linux-2.6.32.46/drivers/infiniband/core/sysfs.c linux-2.6.32.46/drivers/infiniband/core/sysfs.c
30792 --- linux-2.6.32.46/drivers/infiniband/core/sysfs.c 2011-03-27 14:31:47.000000000 -0400
30793 +++ linux-2.6.32.46/drivers/infiniband/core/sysfs.c 2011-04-17 15:56:46.000000000 -0400
30794 @@ -79,7 +79,7 @@ static ssize_t port_attr_show(struct kob
30795 return port_attr->show(p, port_attr, buf);
30796 }
30797
30798 -static struct sysfs_ops port_sysfs_ops = {
30799 +static const struct sysfs_ops port_sysfs_ops = {
30800 .show = port_attr_show
30801 };
30802
30803 diff -urNp linux-2.6.32.46/drivers/infiniband/core/uverbs_marshall.c linux-2.6.32.46/drivers/infiniband/core/uverbs_marshall.c
30804 --- linux-2.6.32.46/drivers/infiniband/core/uverbs_marshall.c 2011-03-27 14:31:47.000000000 -0400
30805 +++ linux-2.6.32.46/drivers/infiniband/core/uverbs_marshall.c 2011-04-17 15:56:46.000000000 -0400
30806 @@ -40,18 +40,21 @@ void ib_copy_ah_attr_to_user(struct ib_u
30807 dst->grh.sgid_index = src->grh.sgid_index;
30808 dst->grh.hop_limit = src->grh.hop_limit;
30809 dst->grh.traffic_class = src->grh.traffic_class;
30810 + memset(&dst->grh.reserved, 0, sizeof(dst->grh.reserved));
30811 dst->dlid = src->dlid;
30812 dst->sl = src->sl;
30813 dst->src_path_bits = src->src_path_bits;
30814 dst->static_rate = src->static_rate;
30815 dst->is_global = src->ah_flags & IB_AH_GRH ? 1 : 0;
30816 dst->port_num = src->port_num;
30817 + dst->reserved = 0;
30818 }
30819 EXPORT_SYMBOL(ib_copy_ah_attr_to_user);
30820
30821 void ib_copy_qp_attr_to_user(struct ib_uverbs_qp_attr *dst,
30822 struct ib_qp_attr *src)
30823 {
30824 + dst->qp_state = src->qp_state;
30825 dst->cur_qp_state = src->cur_qp_state;
30826 dst->path_mtu = src->path_mtu;
30827 dst->path_mig_state = src->path_mig_state;
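Review bot: Zeroing the `reserved` members one by one, here and in the next hunk (`memset(dst->reserved, 0, sizeof(dst->reserved));`), covers only the fields someone remembered. Any member added later, or any padding the compiler inserts, would again reach user space uninitialised. A single `memset(dst, 0, sizeof(*dst));` as the first statement of ib_copy_ah_attr_to_user and of ib_copy_qp_attr_to_user would make both independent of the struct layout, provided no caller pre-fills `dst` (the callers are not visible here). ib_copy_ah_attr_to_user begins before this hunk and ib_copy_qp_attr_to_user ends in the next one.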
30828 @@ -83,6 +86,7 @@ void ib_copy_qp_attr_to_user(struct ib_u
30829 dst->rnr_retry = src->rnr_retry;
30830 dst->alt_port_num = src->alt_port_num;
30831 dst->alt_timeout = src->alt_timeout;
30832 + memset(dst->reserved, 0, sizeof(dst->reserved));
30833 }
30834 EXPORT_SYMBOL(ib_copy_qp_attr_to_user);
30835
30836 diff -urNp linux-2.6.32.46/drivers/infiniband/hw/ipath/ipath_fs.c linux-2.6.32.46/drivers/infiniband/hw/ipath/ipath_fs.c
30837 --- linux-2.6.32.46/drivers/infiniband/hw/ipath/ipath_fs.c 2011-03-27 14:31:47.000000000 -0400
30838 +++ linux-2.6.32.46/drivers/infiniband/hw/ipath/ipath_fs.c 2011-05-16 21:46:57.000000000 -0400
30839 @@ -110,6 +110,8 @@ static ssize_t atomic_counters_read(stru
30840 struct infinipath_counters counters;
30841 struct ipath_devdata *dd;
30842
30843 + pax_track_stack();
30844 +
30845 dd = file->f_path.dentry->d_inode->i_private;
30846 dd->ipath_f_read_counters(dd, &counters);
30847
30848 diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes.c linux-2.6.32.46/drivers/infiniband/hw/nes/nes.c
30849 --- linux-2.6.32.46/drivers/infiniband/hw/nes/nes.c 2011-03-27 14:31:47.000000000 -0400
30850 +++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes.c 2011-05-04 17:56:28.000000000 -0400
30851 @@ -102,7 +102,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
30852 LIST_HEAD(nes_adapter_list);
30853 static LIST_HEAD(nes_dev_list);
30854
30855 -atomic_t qps_destroyed;
30856 +atomic_unchecked_t qps_destroyed;
30857
30858 static unsigned int ee_flsh_adapter;
30859 static unsigned int sysfs_nonidx_addr;
30860 @@ -259,7 +259,7 @@ static void nes_cqp_rem_ref_callback(str
30861 struct nes_adapter *nesadapter = nesdev->nesadapter;
30862 u32 qp_id;
30863
30864 - atomic_inc(&qps_destroyed);
30865 + atomic_inc_unchecked(&qps_destroyed);
30866
30867 /* Free the control structures */
30868
30869 diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes_cm.c linux-2.6.32.46/drivers/infiniband/hw/nes/nes_cm.c
30870 --- linux-2.6.32.46/drivers/infiniband/hw/nes/nes_cm.c 2011-03-27 14:31:47.000000000 -0400
30871 +++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes_cm.c 2011-05-04 17:56:28.000000000 -0400
30872 @@ -69,11 +69,11 @@ u32 cm_packets_received;
30873 u32 cm_listens_created;
30874 u32 cm_listens_destroyed;
30875 u32 cm_backlog_drops;
30876 -atomic_t cm_loopbacks;
30877 -atomic_t cm_nodes_created;
30878 -atomic_t cm_nodes_destroyed;
30879 -atomic_t cm_accel_dropped_pkts;
30880 -atomic_t cm_resets_recvd;
30881 +atomic_unchecked_t cm_loopbacks;
30882 +atomic_unchecked_t cm_nodes_created;
30883 +atomic_unchecked_t cm_nodes_destroyed;
30884 +atomic_unchecked_t cm_accel_dropped_pkts;
30885 +atomic_unchecked_t cm_resets_recvd;
30886
30887 static inline int mini_cm_accelerated(struct nes_cm_core *,
30888 struct nes_cm_node *);
30889 @@ -149,13 +149,13 @@ static struct nes_cm_ops nes_cm_api = {
30890
30891 static struct nes_cm_core *g_cm_core;
30892
30893 -atomic_t cm_connects;
30894 -atomic_t cm_accepts;
30895 -atomic_t cm_disconnects;
30896 -atomic_t cm_closes;
30897 -atomic_t cm_connecteds;
30898 -atomic_t cm_connect_reqs;
30899 -atomic_t cm_rejects;
30900 +atomic_unchecked_t cm_connects;
30901 +atomic_unchecked_t cm_accepts;
30902 +atomic_unchecked_t cm_disconnects;
30903 +atomic_unchecked_t cm_closes;
30904 +atomic_unchecked_t cm_connecteds;
30905 +atomic_unchecked_t cm_connect_reqs;
30906 +atomic_unchecked_t cm_rejects;
30907
30908
30909 /**
30910 @@ -1195,7 +1195,7 @@ static struct nes_cm_node *make_cm_node(
30911 cm_node->rem_mac);
30912
30913 add_hte_node(cm_core, cm_node);
30914 - atomic_inc(&cm_nodes_created);
30915 + atomic_inc_unchecked(&cm_nodes_created);
30916
30917 return cm_node;
30918 }
30919 @@ -1253,7 +1253,7 @@ static int rem_ref_cm_node(struct nes_cm
30920 }
30921
30922 atomic_dec(&cm_core->node_cnt);
30923 - atomic_inc(&cm_nodes_destroyed);
30924 + atomic_inc_unchecked(&cm_nodes_destroyed);
30925 nesqp = cm_node->nesqp;
30926 if (nesqp) {
30927 nesqp->cm_node = NULL;
30928 @@ -1320,7 +1320,7 @@ static int process_options(struct nes_cm
30929
30930 static void drop_packet(struct sk_buff *skb)
30931 {
30932 - atomic_inc(&cm_accel_dropped_pkts);
30933 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
30934 dev_kfree_skb_any(skb);
30935 }
30936
30937 @@ -1377,7 +1377,7 @@ static void handle_rst_pkt(struct nes_cm
30938
30939 int reset = 0; /* whether to send reset in case of err.. */
30940 int passive_state;
30941 - atomic_inc(&cm_resets_recvd);
30942 + atomic_inc_unchecked(&cm_resets_recvd);
30943 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
30944 " refcnt=%d\n", cm_node, cm_node->state,
30945 atomic_read(&cm_node->ref_count));
30946 @@ -2000,7 +2000,7 @@ static struct nes_cm_node *mini_cm_conne
30947 rem_ref_cm_node(cm_node->cm_core, cm_node);
30948 return NULL;
30949 }
30950 - atomic_inc(&cm_loopbacks);
30951 + atomic_inc_unchecked(&cm_loopbacks);
30952 loopbackremotenode->loopbackpartner = cm_node;
30953 loopbackremotenode->tcp_cntxt.rcv_wscale =
30954 NES_CM_DEFAULT_RCV_WND_SCALE;
30955 @@ -2262,7 +2262,7 @@ static int mini_cm_recv_pkt(struct nes_c
30956 add_ref_cm_node(cm_node);
30957 } else if (cm_node->state == NES_CM_STATE_TSA) {
30958 rem_ref_cm_node(cm_core, cm_node);
30959 - atomic_inc(&cm_accel_dropped_pkts);
30960 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
30961 dev_kfree_skb_any(skb);
30962 break;
30963 }
30964 @@ -2568,7 +2568,7 @@ static int nes_cm_disconn_true(struct ne
30965
30966 if ((cm_id) && (cm_id->event_handler)) {
30967 if (issue_disconn) {
30968 - atomic_inc(&cm_disconnects);
30969 + atomic_inc_unchecked(&cm_disconnects);
30970 cm_event.event = IW_CM_EVENT_DISCONNECT;
30971 cm_event.status = disconn_status;
30972 cm_event.local_addr = cm_id->local_addr;
30973 @@ -2590,7 +2590,7 @@ static int nes_cm_disconn_true(struct ne
30974 }
30975
30976 if (issue_close) {
30977 - atomic_inc(&cm_closes);
30978 + atomic_inc_unchecked(&cm_closes);
30979 nes_disconnect(nesqp, 1);
30980
30981 cm_id->provider_data = nesqp;
30982 @@ -2710,7 +2710,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
30983
30984 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
30985 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
30986 - atomic_inc(&cm_accepts);
30987 + atomic_inc_unchecked(&cm_accepts);
30988
30989 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
30990 atomic_read(&nesvnic->netdev->refcnt));
30991 @@ -2919,7 +2919,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
30992
30993 struct nes_cm_core *cm_core;
30994
30995 - atomic_inc(&cm_rejects);
30996 + atomic_inc_unchecked(&cm_rejects);
30997 cm_node = (struct nes_cm_node *) cm_id->provider_data;
30998 loopback = cm_node->loopbackpartner;
30999 cm_core = cm_node->cm_core;
31000 @@ -2982,7 +2982,7 @@ int nes_connect(struct iw_cm_id *cm_id,
31001 ntohl(cm_id->local_addr.sin_addr.s_addr),
31002 ntohs(cm_id->local_addr.sin_port));
31003
31004 - atomic_inc(&cm_connects);
31005 + atomic_inc_unchecked(&cm_connects);
31006 nesqp->active_conn = 1;
31007
31008 /* cache the cm_id in the qp */
31009 @@ -3195,7 +3195,7 @@ static void cm_event_connected(struct ne
31010 if (nesqp->destroyed) {
31011 return;
31012 }
31013 - atomic_inc(&cm_connecteds);
31014 + atomic_inc_unchecked(&cm_connecteds);
31015 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
31016 " local port 0x%04X. jiffies = %lu.\n",
31017 nesqp->hwqp.qp_id,
31018 @@ -3403,7 +3403,7 @@ static void cm_event_reset(struct nes_cm
31019
31020 ret = cm_id->event_handler(cm_id, &cm_event);
31021 cm_id->add_ref(cm_id);
31022 - atomic_inc(&cm_closes);
31023 + atomic_inc_unchecked(&cm_closes);
31024 cm_event.event = IW_CM_EVENT_CLOSE;
31025 cm_event.status = IW_CM_EVENT_STATUS_OK;
31026 cm_event.provider_data = cm_id->provider_data;
31027 @@ -3439,7 +3439,7 @@ static void cm_event_mpa_req(struct nes_
31028 return;
31029 cm_id = cm_node->cm_id;
31030
31031 - atomic_inc(&cm_connect_reqs);
31032 + atomic_inc_unchecked(&cm_connect_reqs);
31033 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
31034 cm_node, cm_id, jiffies);
31035
31036 @@ -3477,7 +3477,7 @@ static void cm_event_mpa_reject(struct n
31037 return;
31038 cm_id = cm_node->cm_id;
31039
31040 - atomic_inc(&cm_connect_reqs);
31041 + atomic_inc_unchecked(&cm_connect_reqs);
31042 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
31043 cm_node, cm_id, jiffies);
31044
31045 diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes.h linux-2.6.32.46/drivers/infiniband/hw/nes/nes.h
31046 --- linux-2.6.32.46/drivers/infiniband/hw/nes/nes.h 2011-03-27 14:31:47.000000000 -0400
31047 +++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes.h 2011-05-04 17:56:28.000000000 -0400
31048 @@ -174,17 +174,17 @@ extern unsigned int nes_debug_level;
31049 extern unsigned int wqm_quanta;
31050 extern struct list_head nes_adapter_list;
31051
31052 -extern atomic_t cm_connects;
31053 -extern atomic_t cm_accepts;
31054 -extern atomic_t cm_disconnects;
31055 -extern atomic_t cm_closes;
31056 -extern atomic_t cm_connecteds;
31057 -extern atomic_t cm_connect_reqs;
31058 -extern atomic_t cm_rejects;
31059 -extern atomic_t mod_qp_timouts;
31060 -extern atomic_t qps_created;
31061 -extern atomic_t qps_destroyed;
31062 -extern atomic_t sw_qps_destroyed;
31063 +extern atomic_unchecked_t cm_connects;
31064 +extern atomic_unchecked_t cm_accepts;
31065 +extern atomic_unchecked_t cm_disconnects;
31066 +extern atomic_unchecked_t cm_closes;
31067 +extern atomic_unchecked_t cm_connecteds;
31068 +extern atomic_unchecked_t cm_connect_reqs;
31069 +extern atomic_unchecked_t cm_rejects;
31070 +extern atomic_unchecked_t mod_qp_timouts;
31071 +extern atomic_unchecked_t qps_created;
31072 +extern atomic_unchecked_t qps_destroyed;
31073 +extern atomic_unchecked_t sw_qps_destroyed;
31074 extern u32 mh_detected;
31075 extern u32 mh_pauses_sent;
31076 extern u32 cm_packets_sent;
31077 @@ -196,11 +196,11 @@ extern u32 cm_packets_retrans;
31078 extern u32 cm_listens_created;
31079 extern u32 cm_listens_destroyed;
31080 extern u32 cm_backlog_drops;
31081 -extern atomic_t cm_loopbacks;
31082 -extern atomic_t cm_nodes_created;
31083 -extern atomic_t cm_nodes_destroyed;
31084 -extern atomic_t cm_accel_dropped_pkts;
31085 -extern atomic_t cm_resets_recvd;
31086 +extern atomic_unchecked_t cm_loopbacks;
31087 +extern atomic_unchecked_t cm_nodes_created;
31088 +extern atomic_unchecked_t cm_nodes_destroyed;
31089 +extern atomic_unchecked_t cm_accel_dropped_pkts;
31090 +extern atomic_unchecked_t cm_resets_recvd;
31091
31092 extern u32 int_mod_timer_init;
31093 extern u32 int_mod_cq_depth_256;
31094 diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes_nic.c linux-2.6.32.46/drivers/infiniband/hw/nes/nes_nic.c
31095 --- linux-2.6.32.46/drivers/infiniband/hw/nes/nes_nic.c 2011-03-27 14:31:47.000000000 -0400
31096 +++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes_nic.c 2011-05-04 17:56:28.000000000 -0400
31097 @@ -1210,17 +1210,17 @@ static void nes_netdev_get_ethtool_stats
31098 target_stat_values[++index] = mh_detected;
31099 target_stat_values[++index] = mh_pauses_sent;
31100 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
31101 - target_stat_values[++index] = atomic_read(&cm_connects);
31102 - target_stat_values[++index] = atomic_read(&cm_accepts);
31103 - target_stat_values[++index] = atomic_read(&cm_disconnects);
31104 - target_stat_values[++index] = atomic_read(&cm_connecteds);
31105 - target_stat_values[++index] = atomic_read(&cm_connect_reqs);
31106 - target_stat_values[++index] = atomic_read(&cm_rejects);
31107 - target_stat_values[++index] = atomic_read(&mod_qp_timouts);
31108 - target_stat_values[++index] = atomic_read(&qps_created);
31109 - target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
31110 - target_stat_values[++index] = atomic_read(&qps_destroyed);
31111 - target_stat_values[++index] = atomic_read(&cm_closes);
31112 + target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
31113 + target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
31114 + target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
31115 + target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
31116 + target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
31117 + target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
31118 + target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
31119 + target_stat_values[++index] = atomic_read_unchecked(&qps_created);
31120 + target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
31121 + target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
31122 + target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
31123 target_stat_values[++index] = cm_packets_sent;
31124 target_stat_values[++index] = cm_packets_bounced;
31125 target_stat_values[++index] = cm_packets_created;
31126 @@ -1230,11 +1230,11 @@ static void nes_netdev_get_ethtool_stats
31127 target_stat_values[++index] = cm_listens_created;
31128 target_stat_values[++index] = cm_listens_destroyed;
31129 target_stat_values[++index] = cm_backlog_drops;
31130 - target_stat_values[++index] = atomic_read(&cm_loopbacks);
31131 - target_stat_values[++index] = atomic_read(&cm_nodes_created);
31132 - target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
31133 - target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
31134 - target_stat_values[++index] = atomic_read(&cm_resets_recvd);
31135 + target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
31136 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
31137 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
31138 + target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
31139 + target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
31140 target_stat_values[++index] = int_mod_timer_init;
31141 target_stat_values[++index] = int_mod_cq_depth_1;
31142 target_stat_values[++index] = int_mod_cq_depth_4;
31143 diff -urNp linux-2.6.32.46/drivers/infiniband/hw/nes/nes_verbs.c linux-2.6.32.46/drivers/infiniband/hw/nes/nes_verbs.c
31144 --- linux-2.6.32.46/drivers/infiniband/hw/nes/nes_verbs.c 2011-03-27 14:31:47.000000000 -0400
31145 +++ linux-2.6.32.46/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-04 17:56:28.000000000 -0400
31146 @@ -45,9 +45,9 @@
31147
31148 #include <rdma/ib_umem.h>
31149
31150 -atomic_t mod_qp_timouts;
31151 -atomic_t qps_created;
31152 -atomic_t sw_qps_destroyed;
31153 +atomic_unchecked_t mod_qp_timouts;
31154 +atomic_unchecked_t qps_created;
31155 +atomic_unchecked_t sw_qps_destroyed;
31156
31157 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
31158
31159 @@ -1240,7 +1240,7 @@ static struct ib_qp *nes_create_qp(struc
31160 if (init_attr->create_flags)
31161 return ERR_PTR(-EINVAL);
31162
31163 - atomic_inc(&qps_created);
31164 + atomic_inc_unchecked(&qps_created);
31165 switch (init_attr->qp_type) {
31166 case IB_QPT_RC:
31167 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
31168 @@ -1568,7 +1568,7 @@ static int nes_destroy_qp(struct ib_qp *
31169 struct iw_cm_event cm_event;
31170 int ret;
31171
31172 - atomic_inc(&sw_qps_destroyed);
31173 + atomic_inc_unchecked(&sw_qps_destroyed);
31174 nesqp->destroyed = 1;
31175
31176 /* Blow away the connection if it exists. */
31177 diff -urNp linux-2.6.32.46/drivers/input/gameport/gameport.c linux-2.6.32.46/drivers/input/gameport/gameport.c
31178 --- linux-2.6.32.46/drivers/input/gameport/gameport.c 2011-03-27 14:31:47.000000000 -0400
31179 +++ linux-2.6.32.46/drivers/input/gameport/gameport.c 2011-05-04 17:56:28.000000000 -0400
31180 @@ -515,13 +515,13 @@ EXPORT_SYMBOL(gameport_set_phys);
31181 */
31182 static void gameport_init_port(struct gameport *gameport)
31183 {
31184 - static atomic_t gameport_no = ATOMIC_INIT(0);
31185 + static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
31186
31187 __module_get(THIS_MODULE);
31188
31189 mutex_init(&gameport->drv_mutex);
31190 device_initialize(&gameport->dev);
31191 - dev_set_name(&gameport->dev, "gameport%lu", (unsigned long)atomic_inc_return(&gameport_no) - 1);
31192 + dev_set_name(&gameport->dev, "gameport%lu", (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
31193 gameport->dev.bus = &gameport_bus;
31194 gameport->dev.release = gameport_release_port;
31195 if (gameport->parent)
31196 diff -urNp linux-2.6.32.46/drivers/input/input.c linux-2.6.32.46/drivers/input/input.c
31197 --- linux-2.6.32.46/drivers/input/input.c 2011-03-27 14:31:47.000000000 -0400
31198 +++ linux-2.6.32.46/drivers/input/input.c 2011-05-04 17:56:28.000000000 -0400
31199 @@ -1558,7 +1558,7 @@ EXPORT_SYMBOL(input_set_capability);
31200 */
31201 int input_register_device(struct input_dev *dev)
31202 {
31203 - static atomic_t input_no = ATOMIC_INIT(0);
31204 + static atomic_unchecked_t input_no = ATOMIC_INIT(0);
31205 struct input_handler *handler;
31206 const char *path;
31207 int error;
31208 @@ -1585,7 +1585,7 @@ int input_register_device(struct input_d
31209 dev->setkeycode = input_default_setkeycode;
31210
31211 dev_set_name(&dev->dev, "input%ld",
31212 - (unsigned long) atomic_inc_return(&input_no) - 1);
31213 + (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
31214
31215 error = device_add(&dev->dev);
31216 if (error)
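Review bot: The `dev_set_name` call pairs the signed specifier `"input%ld"` with an `(unsigned long)` cast, and the new line keeps that mismatch. The gameport and serio hunks in this patch are consistent (`%lu` with `unsigned long`, `%ld` with `long`). Now that `input_no` is explicitly allowed to wrap, the post-wrap value is a sign-extended int, so the cast should match the specifier: `(long) atomic_inc_return_unchecked(&input_no) - 1);`. The generated names stay unchanged with that cast. The body of `input_register_device` continues outside the hunk.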
31217 diff -urNp linux-2.6.32.46/drivers/input/joystick/sidewinder.c linux-2.6.32.46/drivers/input/joystick/sidewinder.c
31218 --- linux-2.6.32.46/drivers/input/joystick/sidewinder.c 2011-03-27 14:31:47.000000000 -0400
31219 +++ linux-2.6.32.46/drivers/input/joystick/sidewinder.c 2011-05-18 20:09:36.000000000 -0400
31220 @@ -30,6 +30,7 @@
31221 #include <linux/kernel.h>
31222 #include <linux/module.h>
31223 #include <linux/slab.h>
31224 +#include <linux/sched.h>
31225 #include <linux/init.h>
31226 #include <linux/input.h>
31227 #include <linux/gameport.h>
31228 @@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
31229 unsigned char buf[SW_LENGTH];
31230 int i;
31231
31232 + pax_track_stack();
31233 +
31234 i = sw_read_packet(sw->gameport, buf, sw->length, 0);
31235
31236 if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
31237 diff -urNp linux-2.6.32.46/drivers/input/joystick/xpad.c linux-2.6.32.46/drivers/input/joystick/xpad.c
31238 --- linux-2.6.32.46/drivers/input/joystick/xpad.c 2011-03-27 14:31:47.000000000 -0400
31239 +++ linux-2.6.32.46/drivers/input/joystick/xpad.c 2011-05-04 17:56:28.000000000 -0400
31240 @@ -621,7 +621,7 @@ static void xpad_led_set(struct led_clas
31241
31242 static int xpad_led_probe(struct usb_xpad *xpad)
31243 {
31244 - static atomic_t led_seq = ATOMIC_INIT(0);
31245 + static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
31246 long led_no;
31247 struct xpad_led *led;
31248 struct led_classdev *led_cdev;
31249 @@ -634,7 +634,7 @@ static int xpad_led_probe(struct usb_xpa
31250 if (!led)
31251 return -ENOMEM;
31252
31253 - led_no = (long)atomic_inc_return(&led_seq) - 1;
31254 + led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
31255
31256 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
31257 led->xpad = xpad;
31258 diff -urNp linux-2.6.32.46/drivers/input/serio/serio.c linux-2.6.32.46/drivers/input/serio/serio.c
31259 --- linux-2.6.32.46/drivers/input/serio/serio.c 2011-03-27 14:31:47.000000000 -0400
31260 +++ linux-2.6.32.46/drivers/input/serio/serio.c 2011-05-04 17:56:28.000000000 -0400
31261 @@ -527,7 +527,7 @@ static void serio_release_port(struct de
31262 */
31263 static void serio_init_port(struct serio *serio)
31264 {
31265 - static atomic_t serio_no = ATOMIC_INIT(0);
31266 + static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
31267
31268 __module_get(THIS_MODULE);
31269
31270 @@ -536,7 +536,7 @@ static void serio_init_port(struct serio
31271 mutex_init(&serio->drv_mutex);
31272 device_initialize(&serio->dev);
31273 dev_set_name(&serio->dev, "serio%ld",
31274 - (long)atomic_inc_return(&serio_no) - 1);
31275 + (long)atomic_inc_return_unchecked(&serio_no) - 1);
31276 serio->dev.bus = &serio_bus;
31277 serio->dev.release = serio_release_port;
31278 if (serio->parent) {
31279 diff -urNp linux-2.6.32.46/drivers/isdn/gigaset/common.c linux-2.6.32.46/drivers/isdn/gigaset/common.c
31280 --- linux-2.6.32.46/drivers/isdn/gigaset/common.c 2011-03-27 14:31:47.000000000 -0400
31281 +++ linux-2.6.32.46/drivers/isdn/gigaset/common.c 2011-04-17 15:56:46.000000000 -0400
31282 @@ -712,7 +712,7 @@ struct cardstate *gigaset_initcs(struct
31283 cs->commands_pending = 0;
31284 cs->cur_at_seq = 0;
31285 cs->gotfwver = -1;
31286 - cs->open_count = 0;
31287 + local_set(&cs->open_count, 0);
31288 cs->dev = NULL;
31289 cs->tty = NULL;
31290 cs->tty_dev = NULL;
31291 diff -urNp linux-2.6.32.46/drivers/isdn/gigaset/gigaset.h linux-2.6.32.46/drivers/isdn/gigaset/gigaset.h
31292 --- linux-2.6.32.46/drivers/isdn/gigaset/gigaset.h 2011-03-27 14:31:47.000000000 -0400
31293 +++ linux-2.6.32.46/drivers/isdn/gigaset/gigaset.h 2011-04-17 15:56:46.000000000 -0400
31294 @@ -34,6 +34,7 @@
31295 #include <linux/tty_driver.h>
31296 #include <linux/list.h>
31297 #include <asm/atomic.h>
31298 +#include <asm/local.h>
31299
31300 #define GIG_VERSION {0,5,0,0}
31301 #define GIG_COMPAT {0,4,0,0}
31302 @@ -446,7 +447,7 @@ struct cardstate {
31303 spinlock_t cmdlock;
31304 unsigned curlen, cmdbytes;
31305
31306 - unsigned open_count;
31307 + local_t open_count;
31308 struct tty_struct *tty;
31309 struct tasklet_struct if_wake_tasklet;
31310 unsigned control_state;
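Review bot: The new `local_t open_count;` field carries no comment naming the lock that serialises it, and `local_t` operations are atomic only with respect to the CPU they run on. The interface.c hunks still test it with `local_read()` and then change it with a separate `local_dec_return()`, so correctness depends on the callers holding a lock. That lock is presumably the one taken before the `-ERESTARTSYS` return in `if_open`, but it is not visible here. I would document the requirement on the field, for example `local_t open_count; /* protected by cs->mutex (confirm) */`, so the type change is not read as making the counter safe on its own.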
31311 diff -urNp linux-2.6.32.46/drivers/isdn/gigaset/interface.c linux-2.6.32.46/drivers/isdn/gigaset/interface.c
31312 --- linux-2.6.32.46/drivers/isdn/gigaset/interface.c 2011-03-27 14:31:47.000000000 -0400
31313 +++ linux-2.6.32.46/drivers/isdn/gigaset/interface.c 2011-04-17 15:56:46.000000000 -0400
31314 @@ -165,9 +165,7 @@ static int if_open(struct tty_struct *tt
31315 return -ERESTARTSYS; // FIXME -EINTR?
31316 tty->driver_data = cs;
31317
31318 - ++cs->open_count;
31319 -
31320 - if (cs->open_count == 1) {
31321 + if (local_inc_return(&cs->open_count) == 1) {
31322 spin_lock_irqsave(&cs->lock, flags);
31323 cs->tty = tty;
31324 spin_unlock_irqrestore(&cs->lock, flags);
31325 @@ -195,10 +193,10 @@ static void if_close(struct tty_struct *
31326
31327 if (!cs->connected)
31328 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31329 - else if (!cs->open_count)
31330 + else if (!local_read(&cs->open_count))
31331 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31332 else {
31333 - if (!--cs->open_count) {
31334 + if (!local_dec_return(&cs->open_count)) {
31335 spin_lock_irqsave(&cs->lock, flags);
31336 cs->tty = NULL;
31337 spin_unlock_irqrestore(&cs->lock, flags);
31338 @@ -233,7 +231,7 @@ static int if_ioctl(struct tty_struct *t
31339 if (!cs->connected) {
31340 gig_dbg(DEBUG_IF, "not connected");
31341 retval = -ENODEV;
31342 - } else if (!cs->open_count)
31343 + } else if (!local_read(&cs->open_count))
31344 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31345 else {
31346 retval = 0;
31347 @@ -361,7 +359,7 @@ static int if_write(struct tty_struct *t
31348 if (!cs->connected) {
31349 gig_dbg(DEBUG_IF, "not connected");
31350 retval = -ENODEV;
31351 - } else if (!cs->open_count)
31352 + } else if (!local_read(&cs->open_count))
31353 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31354 else if (cs->mstate != MS_LOCKED) {
31355 dev_warn(cs->dev, "can't write to unlocked device\n");
31356 @@ -395,7 +393,7 @@ static int if_write_room(struct tty_stru
31357 if (!cs->connected) {
31358 gig_dbg(DEBUG_IF, "not connected");
31359 retval = -ENODEV;
31360 - } else if (!cs->open_count)
31361 + } else if (!local_read(&cs->open_count))
31362 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31363 else if (cs->mstate != MS_LOCKED) {
31364 dev_warn(cs->dev, "can't write to unlocked device\n");
31365 @@ -425,7 +423,7 @@ static int if_chars_in_buffer(struct tty
31366
31367 if (!cs->connected)
31368 gig_dbg(DEBUG_IF, "not connected");
31369 - else if (!cs->open_count)
31370 + else if (!local_read(&cs->open_count))
31371 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31372 else if (cs->mstate != MS_LOCKED)
31373 dev_warn(cs->dev, "can't write to unlocked device\n");
31374 @@ -453,7 +451,7 @@ static void if_throttle(struct tty_struc
31375
31376 if (!cs->connected)
31377 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31378 - else if (!cs->open_count)
31379 + else if (!local_read(&cs->open_count))
31380 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31381 else {
31382 //FIXME
31383 @@ -478,7 +476,7 @@ static void if_unthrottle(struct tty_str
31384
31385 if (!cs->connected)
31386 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
31387 - else if (!cs->open_count)
31388 + else if (!local_read(&cs->open_count))
31389 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31390 else {
31391 //FIXME
31392 @@ -510,7 +508,7 @@ static void if_set_termios(struct tty_st
31393 goto out;
31394 }
31395
31396 - if (!cs->open_count) {
31397 + if (!local_read(&cs->open_count)) {
31398 dev_warn(cs->dev, "%s: device not opened\n", __func__);
31399 goto out;
31400 }
31401 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/avm/b1.c linux-2.6.32.46/drivers/isdn/hardware/avm/b1.c
31402 --- linux-2.6.32.46/drivers/isdn/hardware/avm/b1.c 2011-03-27 14:31:47.000000000 -0400
31403 +++ linux-2.6.32.46/drivers/isdn/hardware/avm/b1.c 2011-04-17 15:56:46.000000000 -0400
31404 @@ -173,7 +173,7 @@ int b1_load_t4file(avmcard *card, capilo
31405 }
31406 if (left) {
31407 if (t4file->user) {
31408 - if (copy_from_user(buf, dp, left))
31409 + if (left > sizeof buf || copy_from_user(buf, dp, left))
31410 return -EFAULT;
31411 } else {
31412 memcpy(buf, dp, left);
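Review bot: The new `left > sizeof buf` bound guards only the `copy_from_user` branch, while the `else` branch still runs `memcpy(buf, dp, left)` with the same length and no check. The `b1_load_config` hunk below and the `icn_writecmd` hunk in drivers/isdn/icn/icn.c have the same shape. The code before each hunk may already clamp the length (it is outside the hunk), but if the check is worth having it should cover both sources: hoist it above the `if (t4file->user)` test as `if (left > sizeof buf) return -EINVAL;`. That also stops an oversized length being reported as `-EFAULT`, which callers read as a bad user pointer.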
31413 @@ -221,7 +221,7 @@ int b1_load_config(avmcard *card, capilo
31414 }
31415 if (left) {
31416 if (config->user) {
31417 - if (copy_from_user(buf, dp, left))
31418 + if (left > sizeof buf || copy_from_user(buf, dp, left))
31419 return -EFAULT;
31420 } else {
31421 memcpy(buf, dp, left);
31422 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/capidtmf.c linux-2.6.32.46/drivers/isdn/hardware/eicon/capidtmf.c
31423 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/capidtmf.c 2011-03-27 14:31:47.000000000 -0400
31424 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-16 21:46:57.000000000 -0400
31425 @@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
31426 byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
31427 short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
31428
31429 + pax_track_stack();
31430
31431 if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
31432 {
31433 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/capifunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/capifunc.c
31434 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/capifunc.c 2011-03-27 14:31:47.000000000 -0400
31435 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/capifunc.c 2011-05-16 21:46:57.000000000 -0400
31436 @@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
31437 IDI_SYNC_REQ req;
31438 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31439
31440 + pax_track_stack();
31441 +
31442 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31443
31444 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31445 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/diddfunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/diddfunc.c
31446 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/diddfunc.c 2011-03-27 14:31:47.000000000 -0400
31447 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-16 21:46:57.000000000 -0400
31448 @@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
31449 IDI_SYNC_REQ req;
31450 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31451
31452 + pax_track_stack();
31453 +
31454 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31455
31456 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31457 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/divasfunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/divasfunc.c
31458 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/divasfunc.c 2011-03-27 14:31:47.000000000 -0400
31459 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-16 21:46:57.000000000 -0400
31460 @@ -161,6 +161,8 @@ static int DIVA_INIT_FUNCTION connect_di
31461 IDI_SYNC_REQ req;
31462 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31463
31464 + pax_track_stack();
31465 +
31466 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31467
31468 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31469 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/divasync.h linux-2.6.32.46/drivers/isdn/hardware/eicon/divasync.h
31470 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/divasync.h 2011-03-27 14:31:47.000000000 -0400
31471 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/divasync.h 2011-08-05 20:33:55.000000000 -0400
31472 @@ -146,7 +146,7 @@ typedef struct _diva_didd_add_adapter {
31473 } diva_didd_add_adapter_t;
31474 typedef struct _diva_didd_remove_adapter {
31475 IDI_CALL p_request;
31476 -} diva_didd_remove_adapter_t;
31477 +} __no_const diva_didd_remove_adapter_t;
31478 typedef struct _diva_didd_read_adapter_array {
31479 void * buffer;
31480 dword length;
31481 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/idifunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/idifunc.c
31482 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/idifunc.c 2011-03-27 14:31:47.000000000 -0400
31483 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/idifunc.c 2011-05-16 21:46:57.000000000 -0400
31484 @@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
31485 IDI_SYNC_REQ req;
31486 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31487
31488 + pax_track_stack();
31489 +
31490 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31491
31492 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31493 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/message.c linux-2.6.32.46/drivers/isdn/hardware/eicon/message.c
31494 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/message.c 2011-03-27 14:31:47.000000000 -0400
31495 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/message.c 2011-05-16 21:46:57.000000000 -0400
31496 @@ -4889,6 +4889,8 @@ static void sig_ind(PLCI *plci)
31497 dword d;
31498 word w;
31499
31500 + pax_track_stack();
31501 +
31502 a = plci->adapter;
31503 Id = ((word)plci->Id<<8)|a->Id;
31504 PUT_WORD(&SS_Ind[4],0x0000);
31505 @@ -7484,6 +7486,8 @@ static word add_b1(PLCI *plci, API_PARSE
31506 word j, n, w;
31507 dword d;
31508
31509 + pax_track_stack();
31510 +
31511
31512 for(i=0;i<8;i++) bp_parms[i].length = 0;
31513 for(i=0;i<2;i++) global_config[i].length = 0;
31514 @@ -7958,6 +7962,8 @@ static word add_b23(PLCI *plci, API_PARS
31515 const byte llc3[] = {4,3,2,2,6,6,0};
31516 const byte header[] = {0,2,3,3,0,0,0};
31517
31518 + pax_track_stack();
31519 +
31520 for(i=0;i<8;i++) bp_parms[i].length = 0;
31521 for(i=0;i<6;i++) b2_config_parms[i].length = 0;
31522 for(i=0;i<5;i++) b3_config_parms[i].length = 0;
31523 @@ -14761,6 +14767,8 @@ static void group_optimization(DIVA_CAPI
31524 word appl_number_group_type[MAX_APPL];
31525 PLCI *auxplci;
31526
31527 + pax_track_stack();
31528 +
31529 set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
31530
31531 if(!a->group_optimization_enabled)
31532 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/mntfunc.c linux-2.6.32.46/drivers/isdn/hardware/eicon/mntfunc.c
31533 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/mntfunc.c 2011-03-27 14:31:47.000000000 -0400
31534 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-16 21:46:57.000000000 -0400
31535 @@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
31536 IDI_SYNC_REQ req;
31537 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
31538
31539 + pax_track_stack();
31540 +
31541 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
31542
31543 for (x = 0; x < MAX_DESCRIPTORS; x++) {
31544 diff -urNp linux-2.6.32.46/drivers/isdn/hardware/eicon/xdi_adapter.h linux-2.6.32.46/drivers/isdn/hardware/eicon/xdi_adapter.h
31545 --- linux-2.6.32.46/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-03-27 14:31:47.000000000 -0400
31546 +++ linux-2.6.32.46/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-08-05 20:33:55.000000000 -0400
31547 @@ -44,7 +44,7 @@ typedef struct _xdi_mbox_t {
31548 typedef struct _diva_os_idi_adapter_interface {
31549 diva_init_card_proc_t cleanup_adapter_proc;
31550 diva_cmd_card_proc_t cmd_proc;
31551 -} diva_os_idi_adapter_interface_t;
31552 +} __no_const diva_os_idi_adapter_interface_t;
31553
31554 typedef struct _diva_os_xdi_adapter {
31555 struct list_head link;
31556 diff -urNp linux-2.6.32.46/drivers/isdn/i4l/isdn_common.c linux-2.6.32.46/drivers/isdn/i4l/isdn_common.c
31557 --- linux-2.6.32.46/drivers/isdn/i4l/isdn_common.c 2011-03-27 14:31:47.000000000 -0400
31558 +++ linux-2.6.32.46/drivers/isdn/i4l/isdn_common.c 2011-05-16 21:46:57.000000000 -0400
31559 @@ -1290,6 +1290,8 @@ isdn_ioctl(struct inode *inode, struct f
31560 } iocpar;
31561 void __user *argp = (void __user *)arg;
31562
31563 + pax_track_stack();
31564 +
31565 #define name iocpar.name
31566 #define bname iocpar.bname
31567 #define iocts iocpar.iocts
31568 diff -urNp linux-2.6.32.46/drivers/isdn/icn/icn.c linux-2.6.32.46/drivers/isdn/icn/icn.c
31569 --- linux-2.6.32.46/drivers/isdn/icn/icn.c 2011-03-27 14:31:47.000000000 -0400
31570 +++ linux-2.6.32.46/drivers/isdn/icn/icn.c 2011-04-17 15:56:46.000000000 -0400
31571 @@ -1044,7 +1044,7 @@ icn_writecmd(const u_char * buf, int len
31572 if (count > len)
31573 count = len;
31574 if (user) {
31575 - if (copy_from_user(msg, buf, count))
31576 + if (count > sizeof msg || copy_from_user(msg, buf, count))
31577 return -EFAULT;
31578 } else
31579 memcpy(msg, buf, count);
31580 diff -urNp linux-2.6.32.46/drivers/isdn/mISDN/socket.c linux-2.6.32.46/drivers/isdn/mISDN/socket.c
31581 --- linux-2.6.32.46/drivers/isdn/mISDN/socket.c 2011-03-27 14:31:47.000000000 -0400
31582 +++ linux-2.6.32.46/drivers/isdn/mISDN/socket.c 2011-04-17 15:56:46.000000000 -0400
31583 @@ -391,6 +391,7 @@ data_sock_ioctl(struct socket *sock, uns
31584 if (dev) {
31585 struct mISDN_devinfo di;
31586
31587 + memset(&di, 0, sizeof(di));
31588 di.id = dev->id;
31589 di.Dprotocols = dev->Dprotocols;
31590 di.Bprotocols = dev->Bprotocols | get_all_Bprotocols();
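Review bot: The added `memset(&di, 0, sizeof(di));` has no comment explaining it, and it looks redundant next to the field-by-field assignments that follow, which makes it easy to remove in a later cleanup. Presumably `di` is copied out to user space further down (outside the hunk), in which case the memset is what keeps struct padding and any unassigned tail bytes from carrying stale kernel stack contents. I would add `/* di is returned to user space: clear padding and unset fields first */` above it here and in the identical `base_sock_ioctl` hunk below. An `= { 0 }` initialiser is not an equivalent replacement, because it is not guaranteed to zero padding.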
31591 @@ -671,6 +672,7 @@ base_sock_ioctl(struct socket *sock, uns
31592 if (dev) {
31593 struct mISDN_devinfo di;
31594
31595 + memset(&di, 0, sizeof(di));
31596 di.id = dev->id;
31597 di.Dprotocols = dev->Dprotocols;
31598 di.Bprotocols = dev->Bprotocols | get_all_Bprotocols();
31599 diff -urNp linux-2.6.32.46/drivers/isdn/sc/interrupt.c linux-2.6.32.46/drivers/isdn/sc/interrupt.c
31600 --- linux-2.6.32.46/drivers/isdn/sc/interrupt.c 2011-03-27 14:31:47.000000000 -0400
31601 +++ linux-2.6.32.46/drivers/isdn/sc/interrupt.c 2011-04-17 15:56:46.000000000 -0400
31602 @@ -112,11 +112,19 @@ irqreturn_t interrupt_handler(int dummy,
31603 }
31604 else if(callid>=0x0000 && callid<=0x7FFF)
31605 {
31606 + int len;
31607 +
31608 pr_debug("%s: Got Incoming Call\n",
31609 sc_adapter[card]->devicename);
31610 - strcpy(setup.phone,&(rcvmsg.msg_data.byte_array[4]));
31611 - strcpy(setup.eazmsn,
31612 - sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn);
31613 + len = strlcpy(setup.phone, &(rcvmsg.msg_data.byte_array[4]),
31614 + sizeof(setup.phone));
31615 + if (len >= sizeof(setup.phone))
31616 + continue;
31617 + len = strlcpy(setup.eazmsn,
31618 + sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
31619 + sizeof(setup.eazmsn));
31620 + if (len >= sizeof(setup.eazmsn))
31621 + continue;
31622 setup.si1 = 7;
31623 setup.si2 = 0;
31624 setup.plan = 0;
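Review bot: `int len;` receives the `size_t` result of `strlcpy` and is then compared against `sizeof(...)`, so the value is narrowed to a signed int and converted back to unsigned for both truncation checks. Declaring it as `size_t len;` keeps the comparison in one type and avoids a sign-compare warning. The two `continue` paths also drop an incoming call silently when a string is truncated; a `pr_debug` there would make that visible. `interrupt_handler` starts and ends outside the hunk.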
31625 @@ -176,7 +184,9 @@ irqreturn_t interrupt_handler(int dummy,
31626 * Handle a GetMyNumber Rsp
31627 */
31628 if (IS_CE_MESSAGE(rcvmsg,Call,0,GetMyNumber)){
31629 - strcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn,rcvmsg.msg_data.byte_array);
31630 + strlcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
31631 + rcvmsg.msg_data.byte_array,
31632 + sizeof(rcvmsg.msg_data.byte_array));
31633 continue;
31634 }
31635
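Review bot: The `strlcpy` that replaces `strcpy` here is bounded by the size of the source, `sizeof(rcvmsg.msg_data.byte_array)`, not by the destination `dn`. If `dn` is the smaller of the two (neither declaration is visible in this hunk), the copy can still run past the end of the destination. The bound should be the destination's size: `sizeof(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn));`. Separately, `rcvmsg.phy_link_no - 1` indexes `channel[]` with a value taken from the received message, and no range check is visible in either hunk of this file; that is worth confirming in the surrounding code.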
31636 diff -urNp linux-2.6.32.46/drivers/lguest/core.c linux-2.6.32.46/drivers/lguest/core.c
31637 --- linux-2.6.32.46/drivers/lguest/core.c 2011-03-27 14:31:47.000000000 -0400
31638 +++ linux-2.6.32.46/drivers/lguest/core.c 2011-04-17 15:56:46.000000000 -0400
31639 @@ -91,9 +91,17 @@ static __init int map_switcher(void)
31640 * it's worked so far. The end address needs +1 because __get_vm_area
31641 * allocates an extra guard page, so we need space for that.
31642 */
31643 +
31644 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
31645 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
31646 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
31647 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
31648 +#else
31649 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
31650 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
31651 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
31652 +#endif
31653 +
31654 if (!switcher_vma) {
31655 err = -ENOMEM;
31656 printk("lguest: could not map switcher pages high\n");
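Review bot: The `#if`/`#else` in map_switcher() duplicates the whole `__get_vm_area()` call for a one-flag difference, so the size and address arguments now have to be kept in sync in two places. Computing the flags once, with `unsigned long flags = VM_ALLOC;` and `flags |= VM_KERNEXEC;` under the `#if`, and keeping a single call would leave the guard-page arithmetic in one place. map_switcher() begins and ends outside the hunk.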
31657 @@ -118,7 +126,7 @@ static __init int map_switcher(void)
31658 * Now the Switcher is mapped at the right address, we can't fail!
31659 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
31660 */
31661 - memcpy(switcher_vma->addr, start_switcher_text,
31662 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
31663 end_switcher_text - start_switcher_text);
31664
31665 printk(KERN_INFO "lguest: mapped switcher at %p\n",
31666 diff -urNp linux-2.6.32.46/drivers/lguest/x86/core.c linux-2.6.32.46/drivers/lguest/x86/core.c
31667 --- linux-2.6.32.46/drivers/lguest/x86/core.c 2011-03-27 14:31:47.000000000 -0400
31668 +++ linux-2.6.32.46/drivers/lguest/x86/core.c 2011-04-17 15:56:46.000000000 -0400
31669 @@ -59,7 +59,7 @@ static struct {
31670 /* Offset from where switcher.S was compiled to where we've copied it */
31671 static unsigned long switcher_offset(void)
31672 {
31673 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
31674 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
31675 }
31676
31677 /* This cpu's struct lguest_pages. */
31678 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
31679 * These copies are pretty cheap, so we do them unconditionally: */
31680 /* Save the current Host top-level page directory.
31681 */
31682 +
31683 +#ifdef CONFIG_PAX_PER_CPU_PGD
31684 + pages->state.host_cr3 = read_cr3();
31685 +#else
31686 pages->state.host_cr3 = __pa(current->mm->pgd);
31687 +#endif
31688 +
31689 /*
31690 * Set up the Guest's page tables to see this CPU's pages (and no
31691 * other CPU's pages).
31692 @@ -535,7 +541,7 @@ void __init lguest_arch_host_init(void)
31693 * compiled-in switcher code and the high-mapped copy we just made.
31694 */
31695 for (i = 0; i < IDT_ENTRIES; i++)
31696 - default_idt_entries[i] += switcher_offset();
31697 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
31698
31699 /*
31700 * Set up the Switcher's per-cpu areas.
31701 @@ -618,7 +624,7 @@ void __init lguest_arch_host_init(void)
31702 * it will be undisturbed when we switch. To change %cs and jump we
31703 * need this structure to feed to Intel's "lcall" instruction.
31704 */
31705 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
31706 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
31707 lguest_entry.segment = LGUEST_CS;
31708
31709 /*
31710 diff -urNp linux-2.6.32.46/drivers/lguest/x86/switcher_32.S linux-2.6.32.46/drivers/lguest/x86/switcher_32.S
31711 --- linux-2.6.32.46/drivers/lguest/x86/switcher_32.S 2011-03-27 14:31:47.000000000 -0400
31712 +++ linux-2.6.32.46/drivers/lguest/x86/switcher_32.S 2011-04-17 15:56:46.000000000 -0400
31713 @@ -87,6 +87,7 @@
31714 #include <asm/page.h>
31715 #include <asm/segment.h>
31716 #include <asm/lguest.h>
31717 +#include <asm/processor-flags.h>
31718
31719 // We mark the start of the code to copy
31720 // It's placed in .text tho it's never run here
31721 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
31722 // Changes type when we load it: damn Intel!
31723 // For after we switch over our page tables
31724 // That entry will be read-only: we'd crash.
31725 +
31726 +#ifdef CONFIG_PAX_KERNEXEC
31727 + mov %cr0, %edx
31728 + xor $X86_CR0_WP, %edx
31729 + mov %edx, %cr0
31730 +#endif
31731 +
31732 movl $(GDT_ENTRY_TSS*8), %edx
31733 ltr %dx
31734
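Review bot: The KERNEXEC block before `ltr` flips CR0.WP with `xor $X86_CR0_WP, %edx`, which clears write protection only if WP was set on entry; if it was already clear, the same instruction turns it on, and the matching block in the next hunk (after the `andb` on the Host GDT) then leaves it off. Clearing with `and $~X86_CR0_WP, %edx` here and restoring with `or $X86_CR0_WP, %eax` in the second block would make both ends independent of the incoming state. Neither block carries a comment; a line such as `// KERNEXEC: open a write window so ltr and the andb below can update the TSS descriptor` would record the intent, presumably that the GDT is mapped read-only under KERNEXEC, which should be confirmed. The second block also overwrites %eax, and whether the pointer it held is still needed afterwards is outside the hunk.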
31735 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
31736 // Let's clear it again for our return.
31737 // The GDT descriptor of the Host
31738 // Points to the table after two "size" bytes
31739 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
31740 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
31741 // Clear "used" from type field (byte 5, bit 2)
31742 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
31743 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
31744 +
31745 +#ifdef CONFIG_PAX_KERNEXEC
31746 + mov %cr0, %eax
31747 + xor $X86_CR0_WP, %eax
31748 + mov %eax, %cr0
31749 +#endif
31750
31751 // Once our page table's switched, the Guest is live!
31752 // The Host fades as we run this final step.
31753 @@ -295,13 +309,12 @@ deliver_to_host:
31754 // I consulted gcc, and it gave
31755 // These instructions, which I gladly credit:
31756 leal (%edx,%ebx,8), %eax
31757 - movzwl (%eax),%edx
31758 - movl 4(%eax), %eax
31759 - xorw %ax, %ax
31760 - orl %eax, %edx
31761 + movl 4(%eax), %edx
31762 + movw (%eax), %dx
31763 // Now the address of the handler's in %edx
31764 // We call it now: its "iret" drops us home.
31765 - jmp *%edx
31766 + ljmp $__KERNEL_CS, $1f
31767 +1: jmp *%edx
31768
31769 // Every interrupt can come to us here
31770 // But we must truly tell each apart.
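Review bot: The verse above the rewritten handler-address load in deliver_to_host still credits gcc for "these instructions", but that sequence is replaced by a hand-written `movl 4(%eax), %edx` / `movw (%eax), %dx` pair, and the new `ljmp $__KERNEL_CS, $1f` has no comment at all. A line such as `// Reload %cs with the Host's kernel code segment before entering the handler` above the `ljmp` would record why the far jump is there; the underlying reason is not visible here, so the wording should be confirmed by the author. The `ljmp` is also unconditional, unlike the `#ifdef CONFIG_PAX_KERNEXEC` blocks added earlier in this file, which deserves a word in the same comment.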
31771 diff -urNp linux-2.6.32.46/drivers/macintosh/via-pmu-backlight.c linux-2.6.32.46/drivers/macintosh/via-pmu-backlight.c
31772 --- linux-2.6.32.46/drivers/macintosh/via-pmu-backlight.c 2011-03-27 14:31:47.000000000 -0400
31773 +++ linux-2.6.32.46/drivers/macintosh/via-pmu-backlight.c 2011-04-17 15:56:46.000000000 -0400
31774 @@ -15,7 +15,7 @@
31775
31776 #define MAX_PMU_LEVEL 0xFF
31777
31778 -static struct backlight_ops pmu_backlight_data;
31779 +static const struct backlight_ops pmu_backlight_data;
31780 static DEFINE_SPINLOCK(pmu_backlight_lock);
31781 static int sleeping, uses_pmu_bl;
31782 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
31783 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
31784 return bd->props.brightness;
31785 }
31786
31787 -static struct backlight_ops pmu_backlight_data = {
31788 +static const struct backlight_ops pmu_backlight_data = {
31789 .get_brightness = pmu_backlight_get_brightness,
31790 .update_status = pmu_backlight_update_status,
31791
31792 diff -urNp linux-2.6.32.46/drivers/macintosh/via-pmu.c linux-2.6.32.46/drivers/macintosh/via-pmu.c
31793 --- linux-2.6.32.46/drivers/macintosh/via-pmu.c 2011-03-27 14:31:47.000000000 -0400
31794 +++ linux-2.6.32.46/drivers/macintosh/via-pmu.c 2011-04-17 15:56:46.000000000 -0400
31795 @@ -2232,7 +2232,7 @@ static int pmu_sleep_valid(suspend_state
31796 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
31797 }
31798
31799 -static struct platform_suspend_ops pmu_pm_ops = {
31800 +static const struct platform_suspend_ops pmu_pm_ops = {
31801 .enter = powerbook_sleep,
31802 .valid = pmu_sleep_valid,
31803 };
31804 diff -urNp linux-2.6.32.46/drivers/md/dm.c linux-2.6.32.46/drivers/md/dm.c
31805 --- linux-2.6.32.46/drivers/md/dm.c 2011-08-09 18:35:29.000000000 -0400
31806 +++ linux-2.6.32.46/drivers/md/dm.c 2011-08-09 18:33:59.000000000 -0400
31807 @@ -165,9 +165,9 @@ struct mapped_device {
31808 /*
31809 * Event handling.
31810 */
31811 - atomic_t event_nr;
31812 + atomic_unchecked_t event_nr;
31813 wait_queue_head_t eventq;
31814 - atomic_t uevent_seq;
31815 + atomic_unchecked_t uevent_seq;
31816 struct list_head uevent_list;
31817 spinlock_t uevent_lock; /* Protect access to uevent_list */
31818
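Review bot: `event_nr` and `uevent_seq` in struct mapped_device become `atomic_unchecked_t` without a comment saying why they are exempt from overflow checking. From the accessors changed further down in this file (`dm_next_uevent_seq`, `dm_get_event_nr`, `dm_wait_event`) they look like wrapping sequence numbers compared for inequality rather than reference counts, and a field comment such as `/* event sequence, may wrap; not a refcount */` would record that. The same applies to `error_count` in dm-raid1.c and dm-stripe.c, `md_event_count` in md.c and `read_errors`/`corrected_errors` in md.h. For the raid1 and stripe `error_count` fields, which are tested against zero to decide whether a device is healthy, it is worth confirming that a wrap back to zero is acceptable.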
31819 @@ -1776,8 +1776,8 @@ static struct mapped_device *alloc_dev(i
31820 rwlock_init(&md->map_lock);
31821 atomic_set(&md->holders, 1);
31822 atomic_set(&md->open_count, 0);
31823 - atomic_set(&md->event_nr, 0);
31824 - atomic_set(&md->uevent_seq, 0);
31825 + atomic_set_unchecked(&md->event_nr, 0);
31826 + atomic_set_unchecked(&md->uevent_seq, 0);
31827 INIT_LIST_HEAD(&md->uevent_list);
31828 spin_lock_init(&md->uevent_lock);
31829
31830 @@ -1927,7 +1927,7 @@ static void event_callback(void *context
31831
31832 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
31833
31834 - atomic_inc(&md->event_nr);
31835 + atomic_inc_unchecked(&md->event_nr);
31836 wake_up(&md->eventq);
31837 }
31838
31839 @@ -2562,18 +2562,18 @@ void dm_kobject_uevent(struct mapped_dev
31840
31841 uint32_t dm_next_uevent_seq(struct mapped_device *md)
31842 {
31843 - return atomic_add_return(1, &md->uevent_seq);
31844 + return atomic_add_return_unchecked(1, &md->uevent_seq);
31845 }
31846
31847 uint32_t dm_get_event_nr(struct mapped_device *md)
31848 {
31849 - return atomic_read(&md->event_nr);
31850 + return atomic_read_unchecked(&md->event_nr);
31851 }
31852
31853 int dm_wait_event(struct mapped_device *md, int event_nr)
31854 {
31855 return wait_event_interruptible(md->eventq,
31856 - (event_nr != atomic_read(&md->event_nr)));
31857 + (event_nr != atomic_read_unchecked(&md->event_nr)));
31858 }
31859
31860 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
31861 diff -urNp linux-2.6.32.46/drivers/md/dm-ioctl.c linux-2.6.32.46/drivers/md/dm-ioctl.c
31862 --- linux-2.6.32.46/drivers/md/dm-ioctl.c 2011-03-27 14:31:47.000000000 -0400
31863 +++ linux-2.6.32.46/drivers/md/dm-ioctl.c 2011-04-17 15:56:46.000000000 -0400
31864 @@ -1437,7 +1437,7 @@ static int validate_params(uint cmd, str
31865 cmd == DM_LIST_VERSIONS_CMD)
31866 return 0;
31867
31868 - if ((cmd == DM_DEV_CREATE_CMD)) {
31869 + if (cmd == DM_DEV_CREATE_CMD) {
31870 if (!*param->name) {
31871 DMWARN("name not supplied when creating device");
31872 return -EINVAL;
31873 diff -urNp linux-2.6.32.46/drivers/md/dm-raid1.c linux-2.6.32.46/drivers/md/dm-raid1.c
31874 --- linux-2.6.32.46/drivers/md/dm-raid1.c 2011-03-27 14:31:47.000000000 -0400
31875 +++ linux-2.6.32.46/drivers/md/dm-raid1.c 2011-05-04 17:56:28.000000000 -0400
31876 @@ -41,7 +41,7 @@ enum dm_raid1_error {
31877
31878 struct mirror {
31879 struct mirror_set *ms;
31880 - atomic_t error_count;
31881 + atomic_unchecked_t error_count;
31882 unsigned long error_type;
31883 struct dm_dev *dev;
31884 sector_t offset;
31885 @@ -203,7 +203,7 @@ static void fail_mirror(struct mirror *m
31886 * simple way to tell if a device has encountered
31887 * errors.
31888 */
31889 - atomic_inc(&m->error_count);
31890 + atomic_inc_unchecked(&m->error_count);
31891
31892 if (test_and_set_bit(error_type, &m->error_type))
31893 return;
31894 @@ -225,7 +225,7 @@ static void fail_mirror(struct mirror *m
31895 }
31896
31897 for (new = ms->mirror; new < ms->mirror + ms->nr_mirrors; new++)
31898 - if (!atomic_read(&new->error_count)) {
31899 + if (!atomic_read_unchecked(&new->error_count)) {
31900 set_default_mirror(new);
31901 break;
31902 }
31903 @@ -363,7 +363,7 @@ static struct mirror *choose_mirror(stru
31904 struct mirror *m = get_default_mirror(ms);
31905
31906 do {
31907 - if (likely(!atomic_read(&m->error_count)))
31908 + if (likely(!atomic_read_unchecked(&m->error_count)))
31909 return m;
31910
31911 if (m-- == ms->mirror)
31912 @@ -377,7 +377,7 @@ static int default_ok(struct mirror *m)
31913 {
31914 struct mirror *default_mirror = get_default_mirror(m->ms);
31915
31916 - return !atomic_read(&default_mirror->error_count);
31917 + return !atomic_read_unchecked(&default_mirror->error_count);
31918 }
31919
31920 static int mirror_available(struct mirror_set *ms, struct bio *bio)
31921 @@ -484,7 +484,7 @@ static void do_reads(struct mirror_set *
31922 */
31923 if (likely(region_in_sync(ms, region, 1)))
31924 m = choose_mirror(ms, bio->bi_sector);
31925 - else if (m && atomic_read(&m->error_count))
31926 + else if (m && atomic_read_unchecked(&m->error_count))
31927 m = NULL;
31928
31929 if (likely(m))
31930 @@ -855,7 +855,7 @@ static int get_mirror(struct mirror_set
31931 }
31932
31933 ms->mirror[mirror].ms = ms;
31934 - atomic_set(&(ms->mirror[mirror].error_count), 0);
31935 + atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
31936 ms->mirror[mirror].error_type = 0;
31937 ms->mirror[mirror].offset = offset;
31938
31939 @@ -1241,7 +1241,7 @@ static void mirror_resume(struct dm_targ
31940 */
31941 static char device_status_char(struct mirror *m)
31942 {
31943 - if (!atomic_read(&(m->error_count)))
31944 + if (!atomic_read_unchecked(&(m->error_count)))
31945 return 'A';
31946
31947 return (test_bit(DM_RAID1_WRITE_ERROR, &(m->error_type))) ? 'D' :
31948 diff -urNp linux-2.6.32.46/drivers/md/dm-stripe.c linux-2.6.32.46/drivers/md/dm-stripe.c
31949 --- linux-2.6.32.46/drivers/md/dm-stripe.c 2011-03-27 14:31:47.000000000 -0400
31950 +++ linux-2.6.32.46/drivers/md/dm-stripe.c 2011-05-04 17:56:28.000000000 -0400
31951 @@ -20,7 +20,7 @@ struct stripe {
31952 struct dm_dev *dev;
31953 sector_t physical_start;
31954
31955 - atomic_t error_count;
31956 + atomic_unchecked_t error_count;
31957 };
31958
31959 struct stripe_c {
31960 @@ -188,7 +188,7 @@ static int stripe_ctr(struct dm_target *
31961 kfree(sc);
31962 return r;
31963 }
31964 - atomic_set(&(sc->stripe[i].error_count), 0);
31965 + atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
31966 }
31967
31968 ti->private = sc;
31969 @@ -257,7 +257,7 @@ static int stripe_status(struct dm_targe
31970 DMEMIT("%d ", sc->stripes);
31971 for (i = 0; i < sc->stripes; i++) {
31972 DMEMIT("%s ", sc->stripe[i].dev->name);
31973 - buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
31974 + buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
31975 'D' : 'A';
31976 }
31977 buffer[i] = '\0';
31978 @@ -304,8 +304,8 @@ static int stripe_end_io(struct dm_targe
31979 */
31980 for (i = 0; i < sc->stripes; i++)
31981 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
31982 - atomic_inc(&(sc->stripe[i].error_count));
31983 - if (atomic_read(&(sc->stripe[i].error_count)) <
31984 + atomic_inc_unchecked(&(sc->stripe[i].error_count));
31985 + if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
31986 DM_IO_ERROR_THRESHOLD)
31987 queue_work(kstriped, &sc->kstriped_ws);
31988 }
31989 diff -urNp linux-2.6.32.46/drivers/md/dm-sysfs.c linux-2.6.32.46/drivers/md/dm-sysfs.c
31990 --- linux-2.6.32.46/drivers/md/dm-sysfs.c 2011-03-27 14:31:47.000000000 -0400
31991 +++ linux-2.6.32.46/drivers/md/dm-sysfs.c 2011-04-17 15:56:46.000000000 -0400
31992 @@ -75,7 +75,7 @@ static struct attribute *dm_attrs[] = {
31993 NULL,
31994 };
31995
31996 -static struct sysfs_ops dm_sysfs_ops = {
31997 +static const struct sysfs_ops dm_sysfs_ops = {
31998 .show = dm_attr_show,
31999 };
32000
32001 diff -urNp linux-2.6.32.46/drivers/md/dm-table.c linux-2.6.32.46/drivers/md/dm-table.c
32002 --- linux-2.6.32.46/drivers/md/dm-table.c 2011-06-25 12:55:34.000000000 -0400
32003 +++ linux-2.6.32.46/drivers/md/dm-table.c 2011-06-25 12:56:37.000000000 -0400
32004 @@ -376,7 +376,7 @@ static int device_area_is_invalid(struct
32005 if (!dev_size)
32006 return 0;
32007
32008 - if ((start >= dev_size) || (start + len > dev_size)) {
32009 + if ((start >= dev_size) || (len > dev_size - start)) {
32010 DMWARN("%s: %s too small for target: "
32011 "start=%llu, len=%llu, dev_size=%llu",
32012 dm_device_name(ti->table->md), bdevname(bdev, b),
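Review bot: The rewritten bound `len > dev_size - start` is only safe because `start >= dev_size` is tested first and `||` short-circuits, so the subtraction cannot wrap; nothing on the line says so, and swapping the two operands would reintroduce the overflow the change removes. A comment above the condition, e.g. `/* start < dev_size past the first test, so dev_size - start cannot underflow */`, would protect it. device_area_is_invalid() begins and ends outside the hunk.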
32013 diff -urNp linux-2.6.32.46/drivers/md/md.c linux-2.6.32.46/drivers/md/md.c
32014 --- linux-2.6.32.46/drivers/md/md.c 2011-07-13 17:23:04.000000000 -0400
32015 +++ linux-2.6.32.46/drivers/md/md.c 2011-07-13 17:23:18.000000000 -0400
32016 @@ -153,10 +153,10 @@ static int start_readonly;
32017 * start build, activate spare
32018 */
32019 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
32020 -static atomic_t md_event_count;
32021 +static atomic_unchecked_t md_event_count;
32022 void md_new_event(mddev_t *mddev)
32023 {
32024 - atomic_inc(&md_event_count);
32025 + atomic_inc_unchecked(&md_event_count);
32026 wake_up(&md_event_waiters);
32027 }
32028 EXPORT_SYMBOL_GPL(md_new_event);
32029 @@ -166,7 +166,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
32030 */
32031 static void md_new_event_inintr(mddev_t *mddev)
32032 {
32033 - atomic_inc(&md_event_count);
32034 + atomic_inc_unchecked(&md_event_count);
32035 wake_up(&md_event_waiters);
32036 }
32037
32038 @@ -1218,7 +1218,7 @@ static int super_1_load(mdk_rdev_t *rdev
32039
32040 rdev->preferred_minor = 0xffff;
32041 rdev->data_offset = le64_to_cpu(sb->data_offset);
32042 - atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
32043 + atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
32044
32045 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
32046 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
32047 @@ -1392,7 +1392,7 @@ static void super_1_sync(mddev_t *mddev,
32048 else
32049 sb->resync_offset = cpu_to_le64(0);
32050
32051 - sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
32052 + sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
32053
32054 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
32055 sb->size = cpu_to_le64(mddev->dev_sectors);
32056 @@ -2214,7 +2214,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
32057 static ssize_t
32058 errors_show(mdk_rdev_t *rdev, char *page)
32059 {
32060 - return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
32061 + return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
32062 }
32063
32064 static ssize_t
32065 @@ -2223,7 +2223,7 @@ errors_store(mdk_rdev_t *rdev, const cha
32066 char *e;
32067 unsigned long n = simple_strtoul(buf, &e, 10);
32068 if (*buf && (*e == 0 || *e == '\n')) {
32069 - atomic_set(&rdev->corrected_errors, n);
32070 + atomic_set_unchecked(&rdev->corrected_errors, n);
32071 return len;
32072 }
32073 return -EINVAL;
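Review bot: In errors_store() the value parsed by `simple_strtoul()` is an `unsigned long`, but `atomic_set_unchecked()` stores it into a counter that errors_show() prints with `%d`, so a write above INT_MAX is silently truncated and can read back negative. Rejecting it before the store, `if (n > INT_MAX) return -EINVAL;`, keeps the sysfs value round-trippable. The function's signature line is outside the hunk.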
32074 @@ -2517,7 +2517,7 @@ static void rdev_free(struct kobject *ko
32075 mdk_rdev_t *rdev = container_of(ko, mdk_rdev_t, kobj);
32076 kfree(rdev);
32077 }
32078 -static struct sysfs_ops rdev_sysfs_ops = {
32079 +static const struct sysfs_ops rdev_sysfs_ops = {
32080 .show = rdev_attr_show,
32081 .store = rdev_attr_store,
32082 };
32083 @@ -2566,8 +2566,8 @@ static mdk_rdev_t *md_import_device(dev_
32084 rdev->data_offset = 0;
32085 rdev->sb_events = 0;
32086 atomic_set(&rdev->nr_pending, 0);
32087 - atomic_set(&rdev->read_errors, 0);
32088 - atomic_set(&rdev->corrected_errors, 0);
32089 + atomic_set_unchecked(&rdev->read_errors, 0);
32090 + atomic_set_unchecked(&rdev->corrected_errors, 0);
32091
32092 size = rdev->bdev->bd_inode->i_size >> BLOCK_SIZE_BITS;
32093 if (!size) {
32094 @@ -3887,7 +3887,7 @@ static void md_free(struct kobject *ko)
32095 kfree(mddev);
32096 }
32097
32098 -static struct sysfs_ops md_sysfs_ops = {
32099 +static const struct sysfs_ops md_sysfs_ops = {
32100 .show = md_attr_show,
32101 .store = md_attr_store,
32102 };
32103 @@ -4474,7 +4474,8 @@ out:
32104 err = 0;
32105 blk_integrity_unregister(disk);
32106 md_new_event(mddev);
32107 - sysfs_notify_dirent(mddev->sysfs_state);
32108 + if (mddev->sysfs_state)
32109 + sysfs_notify_dirent(mddev->sysfs_state);
32110 return err;
32111 }
32112
32113 @@ -5954,7 +5955,7 @@ static int md_seq_show(struct seq_file *
32114
32115 spin_unlock(&pers_lock);
32116 seq_printf(seq, "\n");
32117 - mi->event = atomic_read(&md_event_count);
32118 + mi->event = atomic_read_unchecked(&md_event_count);
32119 return 0;
32120 }
32121 if (v == (void*)2) {
32122 @@ -6043,7 +6044,7 @@ static int md_seq_show(struct seq_file *
32123 chunk_kb ? "KB" : "B");
32124 if (bitmap->file) {
32125 seq_printf(seq, ", file: ");
32126 - seq_path(seq, &bitmap->file->f_path, " \t\n");
32127 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
32128 }
32129
32130 seq_printf(seq, "\n");
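Review bot: The escape set passed to `seq_path()` for the bitmap file gains a backslash, but the literal carries no explanation of why. A short comment, e.g. `/* escape '\\' as well so escaped characters in the path stay unambiguous */`, would record the reason; that reading is inferred from how seq_path() escapes characters and should be confirmed. md_seq_show() begins and ends outside the hunk.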
32131 @@ -6077,7 +6078,7 @@ static int md_seq_open(struct inode *ino
32132 else {
32133 struct seq_file *p = file->private_data;
32134 p->private = mi;
32135 - mi->event = atomic_read(&md_event_count);
32136 + mi->event = atomic_read_unchecked(&md_event_count);
32137 }
32138 return error;
32139 }
32140 @@ -6093,7 +6094,7 @@ static unsigned int mdstat_poll(struct f
32141 /* always allow read */
32142 mask = POLLIN | POLLRDNORM;
32143
32144 - if (mi->event != atomic_read(&md_event_count))
32145 + if (mi->event != atomic_read_unchecked(&md_event_count))
32146 mask |= POLLERR | POLLPRI;
32147 return mask;
32148 }
32149 @@ -6137,7 +6138,7 @@ static int is_mddev_idle(mddev_t *mddev,
32150 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
32151 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
32152 (int)part_stat_read(&disk->part0, sectors[1]) -
32153 - atomic_read(&disk->sync_io);
32154 + atomic_read_unchecked(&disk->sync_io);
32155 /* sync IO will cause sync_io to increase before the disk_stats
32156 * as sync_io is counted when a request starts, and
32157 * disk_stats is counted when it completes.
32158 diff -urNp linux-2.6.32.46/drivers/md/md.h linux-2.6.32.46/drivers/md/md.h
32159 --- linux-2.6.32.46/drivers/md/md.h 2011-03-27 14:31:47.000000000 -0400
32160 +++ linux-2.6.32.46/drivers/md/md.h 2011-05-04 17:56:20.000000000 -0400
32161 @@ -94,10 +94,10 @@ struct mdk_rdev_s
32162 * only maintained for arrays that
32163 * support hot removal
32164 */
32165 - atomic_t read_errors; /* number of consecutive read errors that
32166 + atomic_unchecked_t read_errors; /* number of consecutive read errors that
32167 * we have tried to ignore.
32168 */
32169 - atomic_t corrected_errors; /* number of corrected read errors,
32170 + atomic_unchecked_t corrected_errors; /* number of corrected read errors,
32171 * for reporting to userspace and storing
32172 * in superblock.
32173 */
32174 @@ -304,7 +304,7 @@ static inline void rdev_dec_pending(mdk_
32175
32176 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
32177 {
32178 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
32179 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
32180 }
32181
32182 struct mdk_personality
32183 diff -urNp linux-2.6.32.46/drivers/md/raid10.c linux-2.6.32.46/drivers/md/raid10.c
32184 --- linux-2.6.32.46/drivers/md/raid10.c 2011-03-27 14:31:47.000000000 -0400
32185 +++ linux-2.6.32.46/drivers/md/raid10.c 2011-05-04 17:56:28.000000000 -0400
32186 @@ -1255,7 +1255,7 @@ static void end_sync_read(struct bio *bi
32187 if (test_bit(BIO_UPTODATE, &bio->bi_flags))
32188 set_bit(R10BIO_Uptodate, &r10_bio->state);
32189 else {
32190 - atomic_add(r10_bio->sectors,
32191 + atomic_add_unchecked(r10_bio->sectors,
32192 &conf->mirrors[d].rdev->corrected_errors);
32193 if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
32194 md_error(r10_bio->mddev,
32195 @@ -1520,7 +1520,7 @@ static void fix_read_error(conf_t *conf,
32196 test_bit(In_sync, &rdev->flags)) {
32197 atomic_inc(&rdev->nr_pending);
32198 rcu_read_unlock();
32199 - atomic_add(s, &rdev->corrected_errors);
32200 + atomic_add_unchecked(s, &rdev->corrected_errors);
32201 if (sync_page_io(rdev->bdev,
32202 r10_bio->devs[sl].addr +
32203 sect + rdev->data_offset,
32204 diff -urNp linux-2.6.32.46/drivers/md/raid1.c linux-2.6.32.46/drivers/md/raid1.c
32205 --- linux-2.6.32.46/drivers/md/raid1.c 2011-03-27 14:31:47.000000000 -0400
32206 +++ linux-2.6.32.46/drivers/md/raid1.c 2011-05-04 17:56:28.000000000 -0400
32207 @@ -1415,7 +1415,7 @@ static void sync_request_write(mddev_t *
32208 if (r1_bio->bios[d]->bi_end_io != end_sync_read)
32209 continue;
32210 rdev = conf->mirrors[d].rdev;
32211 - atomic_add(s, &rdev->corrected_errors);
32212 + atomic_add_unchecked(s, &rdev->corrected_errors);
32213 if (sync_page_io(rdev->bdev,
32214 sect + rdev->data_offset,
32215 s<<9,
32216 @@ -1564,7 +1564,7 @@ static void fix_read_error(conf_t *conf,
32217 /* Well, this device is dead */
32218 md_error(mddev, rdev);
32219 else {
32220 - atomic_add(s, &rdev->corrected_errors);
32221 + atomic_add_unchecked(s, &rdev->corrected_errors);
32222 printk(KERN_INFO
32223 "raid1:%s: read error corrected "
32224 "(%d sectors at %llu on %s)\n",
32225 diff -urNp linux-2.6.32.46/drivers/md/raid5.c linux-2.6.32.46/drivers/md/raid5.c
32226 --- linux-2.6.32.46/drivers/md/raid5.c 2011-06-25 12:55:34.000000000 -0400
32227 +++ linux-2.6.32.46/drivers/md/raid5.c 2011-06-25 12:58:39.000000000 -0400
32228 @@ -482,7 +482,7 @@ static void ops_run_io(struct stripe_hea
32229 bi->bi_next = NULL;
32230 if ((rw & WRITE) &&
32231 test_bit(R5_ReWrite, &sh->dev[i].flags))
32232 - atomic_add(STRIPE_SECTORS,
32233 + atomic_add_unchecked(STRIPE_SECTORS,
32234 &rdev->corrected_errors);
32235 generic_make_request(bi);
32236 } else {
32237 @@ -1517,15 +1517,15 @@ static void raid5_end_read_request(struc
32238 clear_bit(R5_ReadError, &sh->dev[i].flags);
32239 clear_bit(R5_ReWrite, &sh->dev[i].flags);
32240 }
32241 - if (atomic_read(&conf->disks[i].rdev->read_errors))
32242 - atomic_set(&conf->disks[i].rdev->read_errors, 0);
32243 + if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
32244 + atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
32245 } else {
32246 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
32247 int retry = 0;
32248 rdev = conf->disks[i].rdev;
32249
32250 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
32251 - atomic_inc(&rdev->read_errors);
32252 + atomic_inc_unchecked(&rdev->read_errors);
32253 if (conf->mddev->degraded >= conf->max_degraded)
32254 printk_rl(KERN_WARNING
32255 "raid5:%s: read error not correctable "
32256 @@ -1543,7 +1543,7 @@ static void raid5_end_read_request(struc
32257 (unsigned long long)(sh->sector
32258 + rdev->data_offset),
32259 bdn);
32260 - else if (atomic_read(&rdev->read_errors)
32261 + else if (atomic_read_unchecked(&rdev->read_errors)
32262 > conf->max_nr_stripes)
32263 printk(KERN_WARNING
32264 "raid5:%s: Too many read errors, failing device %s.\n",
32265 @@ -1870,6 +1870,7 @@ static sector_t compute_blocknr(struct s
32266 sector_t r_sector;
32267 struct stripe_head sh2;
32268
32269 + pax_track_stack();
32270
32271 chunk_offset = sector_div(new_sector, sectors_per_chunk);
32272 stripe = new_sector;
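Review bot: `pax_track_stack()` is added to compute_blocknr() without a comment naming the local that makes the frame large, here presumably `struct stripe_head sh2`. A trailing comment such as `pax_track_stack(); /* large frame: sh2 */` would let a later reader tell when the call can be dropped. The same applies to the calls added in saa7146_hlp.c, dvb_ca_en50221.c, dib0700_core.c, or51211.c and cx18-driver.c, where the large arrays (`x[32]` and its siblings, `buf[HOST_LINK_BUF_SIZE]`, `buf[260]`, `tudata[585]`, `eedata[256]`) are visible in the context lines.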
32273 diff -urNp linux-2.6.32.46/drivers/media/common/saa7146_hlp.c linux-2.6.32.46/drivers/media/common/saa7146_hlp.c
32274 --- linux-2.6.32.46/drivers/media/common/saa7146_hlp.c 2011-03-27 14:31:47.000000000 -0400
32275 +++ linux-2.6.32.46/drivers/media/common/saa7146_hlp.c 2011-05-16 21:46:57.000000000 -0400
32276 @@ -353,6 +353,8 @@ static void calculate_clipping_registers
32277
32278 int x[32], y[32], w[32], h[32];
32279
32280 + pax_track_stack();
32281 +
32282 /* clear out memory */
32283 memset(&line_list[0], 0x00, sizeof(u32)*32);
32284 memset(&pixel_list[0], 0x00, sizeof(u32)*32);
32285 diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
32286 --- linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-03-27 14:31:47.000000000 -0400
32287 +++ linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-16 21:46:57.000000000 -0400
32288 @@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
32289 u8 buf[HOST_LINK_BUF_SIZE];
32290 int i;
32291
32292 + pax_track_stack();
32293 +
32294 dprintk("%s\n", __func__);
32295
32296 /* check if we have space for a link buf in the rx_buffer */
32297 @@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
32298 unsigned long timeout;
32299 int written;
32300
32301 + pax_track_stack();
32302 +
32303 dprintk("%s\n", __func__);
32304
32305 /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
32306 diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_demux.h linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_demux.h
32307 --- linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_demux.h 2011-03-27 14:31:47.000000000 -0400
32308 +++ linux-2.6.32.46/drivers/media/dvb/dvb-core/dvb_demux.h 2011-08-05 20:33:55.000000000 -0400
32309 @@ -71,7 +71,7 @@ struct dvb_demux_feed {
32310 union {
32311 dmx_ts_cb ts;
32312 dmx_section_cb sec;
32313 - } cb;
32314 + } __no_const cb;
32315
32316 struct dvb_demux *demux;
32317 void *priv;
32318 diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.32.46/drivers/media/dvb/dvb-core/dvbdev.c
32319 --- linux-2.6.32.46/drivers/media/dvb/dvb-core/dvbdev.c 2011-03-27 14:31:47.000000000 -0400
32320 +++ linux-2.6.32.46/drivers/media/dvb/dvb-core/dvbdev.c 2011-08-23 21:22:32.000000000 -0400
32321 @@ -191,7 +191,7 @@ int dvb_register_device(struct dvb_adapt
32322 const struct dvb_device *template, void *priv, int type)
32323 {
32324 struct dvb_device *dvbdev;
32325 - struct file_operations *dvbdevfops;
32326 + file_operations_no_const *dvbdevfops;
32327 struct device *clsdev;
32328 int minor;
32329 int id;
32330 diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-usb/cxusb.c linux-2.6.32.46/drivers/media/dvb/dvb-usb/cxusb.c
32331 --- linux-2.6.32.46/drivers/media/dvb/dvb-usb/cxusb.c 2011-03-27 14:31:47.000000000 -0400
32332 +++ linux-2.6.32.46/drivers/media/dvb/dvb-usb/cxusb.c 2011-08-05 20:33:55.000000000 -0400
32333 @@ -1040,7 +1040,7 @@ static struct dib0070_config dib7070p_di
32334 struct dib0700_adapter_state {
32335 int (*set_param_save) (struct dvb_frontend *,
32336 struct dvb_frontend_parameters *);
32337 -};
32338 +} __no_const;
32339
32340 static int dib7070_set_param_override(struct dvb_frontend *fe,
32341 struct dvb_frontend_parameters *fep)
32342 diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_core.c linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_core.c
32343 --- linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-03-27 14:31:47.000000000 -0400
32344 +++ linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-16 21:46:57.000000000 -0400
32345 @@ -332,6 +332,8 @@ int dib0700_download_firmware(struct usb
32346
32347 u8 buf[260];
32348
32349 + pax_track_stack();
32350 +
32351 while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
32352 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",hx.addr, hx.len, hx.chk);
32353
32354 diff -urNp linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_devices.c linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_devices.c
32355 --- linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_devices.c 2011-05-10 22:12:01.000000000 -0400
32356 +++ linux-2.6.32.46/drivers/media/dvb/dvb-usb/dib0700_devices.c 2011-08-05 20:33:55.000000000 -0400
32357 @@ -28,7 +28,7 @@ MODULE_PARM_DESC(force_lna_activation, "
32358
32359 struct dib0700_adapter_state {
32360 int (*set_param_save) (struct dvb_frontend *, struct dvb_frontend_parameters *);
32361 -};
32362 +} __no_const;
32363
32364 /* Hauppauge Nova-T 500 (aka Bristol)
32365 * has a LNA on GPIO0 which is enabled by setting 1 */
32366 diff -urNp linux-2.6.32.46/drivers/media/dvb/frontends/dib3000.h linux-2.6.32.46/drivers/media/dvb/frontends/dib3000.h
32367 --- linux-2.6.32.46/drivers/media/dvb/frontends/dib3000.h 2011-03-27 14:31:47.000000000 -0400
32368 +++ linux-2.6.32.46/drivers/media/dvb/frontends/dib3000.h 2011-08-05 20:33:55.000000000 -0400
32369 @@ -39,7 +39,7 @@ struct dib_fe_xfer_ops
32370 int (*fifo_ctrl)(struct dvb_frontend *fe, int onoff);
32371 int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff);
32372 int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl);
32373 -};
32374 +} __no_const;
32375
32376 #if defined(CONFIG_DVB_DIB3000MB) || (defined(CONFIG_DVB_DIB3000MB_MODULE) && defined(MODULE))
32377 extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
32378 diff -urNp linux-2.6.32.46/drivers/media/dvb/frontends/or51211.c linux-2.6.32.46/drivers/media/dvb/frontends/or51211.c
32379 --- linux-2.6.32.46/drivers/media/dvb/frontends/or51211.c 2011-03-27 14:31:47.000000000 -0400
32380 +++ linux-2.6.32.46/drivers/media/dvb/frontends/or51211.c 2011-05-16 21:46:57.000000000 -0400
32381 @@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
32382 u8 tudata[585];
32383 int i;
32384
32385 + pax_track_stack();
32386 +
32387 dprintk("Firmware is %zd bytes\n",fw->size);
32388
32389 /* Get eprom data */
32390 diff -urNp linux-2.6.32.46/drivers/media/radio/radio-cadet.c linux-2.6.32.46/drivers/media/radio/radio-cadet.c
32391 --- linux-2.6.32.46/drivers/media/radio/radio-cadet.c 2011-03-27 14:31:47.000000000 -0400
32392 +++ linux-2.6.32.46/drivers/media/radio/radio-cadet.c 2011-04-17 15:56:46.000000000 -0400
32393 @@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
32394 while (i < count && dev->rdsin != dev->rdsout)
32395 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
32396
32397 - if (copy_to_user(data, readbuf, i))
32398 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
32399 return -EFAULT;
32400 return i;
32401 }
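Review bot: The new `i > sizeof readbuf` test runs only after the `while` loop has already stored `i` bytes into `readbuf`, so it guards the `copy_to_user()` read but not the writes that precede it. If `count` can exceed the size of `readbuf` (its declaration is outside the hunk), the bound belongs in the loop condition, `while (i < count && i < sizeof readbuf && dev->rdsin != dev->rdsout)`, or `count` should be clamped before the loop. With the loop bounded, the added comparison becomes redundant. The start of cadet_read is outside the hunk.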
32402 diff -urNp linux-2.6.32.46/drivers/media/video/cx18/cx18-driver.c linux-2.6.32.46/drivers/media/video/cx18/cx18-driver.c
32403 --- linux-2.6.32.46/drivers/media/video/cx18/cx18-driver.c 2011-03-27 14:31:47.000000000 -0400
32404 +++ linux-2.6.32.46/drivers/media/video/cx18/cx18-driver.c 2011-05-16 21:46:57.000000000 -0400
32405 @@ -56,7 +56,7 @@ static struct pci_device_id cx18_pci_tbl
32406
32407 MODULE_DEVICE_TABLE(pci, cx18_pci_tbl);
32408
32409 -static atomic_t cx18_instance = ATOMIC_INIT(0);
32410 +static atomic_unchecked_t cx18_instance = ATOMIC_INIT(0);
32411
32412 /* Parameter declarations */
32413 static int cardtype[CX18_MAX_CARDS];
32414 @@ -288,6 +288,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
32415 struct i2c_client c;
32416 u8 eedata[256];
32417
32418 + pax_track_stack();
32419 +
32420 memset(&c, 0, sizeof(c));
32421 strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
32422 c.adapter = &cx->i2c_adap[0];
32423 @@ -800,7 +802,7 @@ static int __devinit cx18_probe(struct p
32424 struct cx18 *cx;
32425
32426 /* FIXME - module parameter arrays constrain max instances */
32427 - i = atomic_inc_return(&cx18_instance) - 1;
32428 + i = atomic_inc_return_unchecked(&cx18_instance) - 1;
32429 if (i >= CX18_MAX_CARDS) {
32430 printk(KERN_ERR "cx18: cannot manage card %d, driver has a "
32431 "limit of 0 - %d\n", i, CX18_MAX_CARDS - 1);
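Review bot: With `cx18_instance` switched to the unchecked type, `if (i >= CX18_MAX_CARDS)` is the only guard on the instance number, and it bounds `i` from above only. If `i` is a signed int (it is declared outside the hunk), a counter that has wrapped after a very large number of probe calls would yield a negative `i` that passes this test. Writing the test as `if (i < 0 || i >= CX18_MAX_CARDS)` keeps the index in range without relying on overflow detection. The rest of cx18_probe is outside the hunk.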
32432 diff -urNp linux-2.6.32.46/drivers/media/video/ivtv/ivtv-driver.c linux-2.6.32.46/drivers/media/video/ivtv/ivtv-driver.c
32433 --- linux-2.6.32.46/drivers/media/video/ivtv/ivtv-driver.c 2011-03-27 14:31:47.000000000 -0400
32434 +++ linux-2.6.32.46/drivers/media/video/ivtv/ivtv-driver.c 2011-05-04 17:56:28.000000000 -0400
32435 @@ -79,7 +79,7 @@ static struct pci_device_id ivtv_pci_tbl
32436 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
32437
32438 /* ivtv instance counter */
32439 -static atomic_t ivtv_instance = ATOMIC_INIT(0);
32440 +static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
32441
32442 /* Parameter declarations */
32443 static int cardtype[IVTV_MAX_CARDS];
32444 diff -urNp linux-2.6.32.46/drivers/media/video/omap24xxcam.c linux-2.6.32.46/drivers/media/video/omap24xxcam.c
32445 --- linux-2.6.32.46/drivers/media/video/omap24xxcam.c 2011-03-27 14:31:47.000000000 -0400
32446 +++ linux-2.6.32.46/drivers/media/video/omap24xxcam.c 2011-05-04 17:56:28.000000000 -0400
32447 @@ -401,7 +401,7 @@ static void omap24xxcam_vbq_complete(str
32448 spin_unlock_irqrestore(&cam->core_enable_disable_lock, flags);
32449
32450 do_gettimeofday(&vb->ts);
32451 - vb->field_count = atomic_add_return(2, &fh->field_count);
32452 + vb->field_count = atomic_add_return_unchecked(2, &fh->field_count);
32453 if (csr & csr_error) {
32454 vb->state = VIDEOBUF_ERROR;
32455 if (!atomic_read(&fh->cam->in_reset)) {
32456 diff -urNp linux-2.6.32.46/drivers/media/video/omap24xxcam.h linux-2.6.32.46/drivers/media/video/omap24xxcam.h
32457 --- linux-2.6.32.46/drivers/media/video/omap24xxcam.h 2011-03-27 14:31:47.000000000 -0400
32458 +++ linux-2.6.32.46/drivers/media/video/omap24xxcam.h 2011-05-04 17:56:28.000000000 -0400
32459 @@ -533,7 +533,7 @@ struct omap24xxcam_fh {
32460 spinlock_t vbq_lock; /* spinlock for the videobuf queue */
32461 struct videobuf_queue vbq;
32462 struct v4l2_pix_format pix; /* serialise pix by vbq->lock */
32463 - atomic_t field_count; /* field counter for videobuf_buffer */
32464 + atomic_unchecked_t field_count; /* field counter for videobuf_buffer */
32465 /* accessing cam here doesn't need serialisation: it's constant */
32466 struct omap24xxcam_device *cam;
32467 };
32468 diff -urNp linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
32469 --- linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-03-27 14:31:47.000000000 -0400
32470 +++ linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-16 21:46:57.000000000 -0400
32471 @@ -119,6 +119,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
32472 u8 *eeprom;
32473 struct tveeprom tvdata;
32474
32475 + pax_track_stack();
32476 +
32477 memset(&tvdata,0,sizeof(tvdata));
32478
32479 eeprom = pvr2_eeprom_fetch(hdw);
32480 diff -urNp linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h
32481 --- linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h 2011-03-27 14:31:47.000000000 -0400
32482 +++ linux-2.6.32.46/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h 2011-08-23 21:22:38.000000000 -0400
32483 @@ -195,7 +195,7 @@ struct pvr2_hdw {
32484
32485 /* I2C stuff */
32486 struct i2c_adapter i2c_adap;
32487 - struct i2c_algorithm i2c_algo;
32488 + i2c_algorithm_no_const i2c_algo;
32489 pvr2_i2c_func i2c_func[PVR2_I2C_FUNC_CNT];
32490 int i2c_cx25840_hack_state;
32491 int i2c_linked;
32492 diff -urNp linux-2.6.32.46/drivers/media/video/saa7134/saa6752hs.c linux-2.6.32.46/drivers/media/video/saa7134/saa6752hs.c
32493 --- linux-2.6.32.46/drivers/media/video/saa7134/saa6752hs.c 2011-03-27 14:31:47.000000000 -0400
32494 +++ linux-2.6.32.46/drivers/media/video/saa7134/saa6752hs.c 2011-05-16 21:46:57.000000000 -0400
32495 @@ -683,6 +683,8 @@ static int saa6752hs_init(struct v4l2_su
32496 unsigned char localPAT[256];
32497 unsigned char localPMT[256];
32498
32499 + pax_track_stack();
32500 +
32501 /* Set video format - must be done first as it resets other settings */
32502 set_reg8(client, 0x41, h->video_format);
32503
32504 diff -urNp linux-2.6.32.46/drivers/media/video/saa7164/saa7164-cmd.c linux-2.6.32.46/drivers/media/video/saa7164/saa7164-cmd.c
32505 --- linux-2.6.32.46/drivers/media/video/saa7164/saa7164-cmd.c 2011-03-27 14:31:47.000000000 -0400
32506 +++ linux-2.6.32.46/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-16 21:46:57.000000000 -0400
32507 @@ -87,6 +87,8 @@ int saa7164_irq_dequeue(struct saa7164_d
32508 wait_queue_head_t *q = 0;
32509 dprintk(DBGLVL_CMD, "%s()\n", __func__);
32510
32511 + pax_track_stack();
32512 +
32513 /* While any outstand message on the bus exists... */
32514 do {
32515
32516 @@ -126,6 +128,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
32517 u8 tmp[512];
32518 dprintk(DBGLVL_CMD, "%s()\n", __func__);
32519
32520 + pax_track_stack();
32521 +
32522 while (loop) {
32523
32524 tmComResInfo_t tRsp = { 0, 0, 0, 0, 0, 0 };
32525 diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/ibmcam.c linux-2.6.32.46/drivers/media/video/usbvideo/ibmcam.c
32526 --- linux-2.6.32.46/drivers/media/video/usbvideo/ibmcam.c 2011-03-27 14:31:47.000000000 -0400
32527 +++ linux-2.6.32.46/drivers/media/video/usbvideo/ibmcam.c 2011-08-05 20:33:55.000000000 -0400
32528 @@ -3947,15 +3947,15 @@ static struct usb_device_id id_table[] =
32529 static int __init ibmcam_init(void)
32530 {
32531 struct usbvideo_cb cbTbl;
32532 - memset(&cbTbl, 0, sizeof(cbTbl));
32533 - cbTbl.probe = ibmcam_probe;
32534 - cbTbl.setupOnOpen = ibmcam_setup_on_open;
32535 - cbTbl.videoStart = ibmcam_video_start;
32536 - cbTbl.videoStop = ibmcam_video_stop;
32537 - cbTbl.processData = ibmcam_ProcessIsocData;
32538 - cbTbl.postProcess = usbvideo_DeinterlaceFrame;
32539 - cbTbl.adjustPicture = ibmcam_adjust_picture;
32540 - cbTbl.getFPS = ibmcam_calculate_fps;
32541 + memset((void *)&cbTbl, 0, sizeof(cbTbl));
32542 + *(void **)&cbTbl.probe = ibmcam_probe;
32543 + *(void **)&cbTbl.setupOnOpen = ibmcam_setup_on_open;
32544 + *(void **)&cbTbl.videoStart = ibmcam_video_start;
32545 + *(void **)&cbTbl.videoStop = ibmcam_video_stop;
32546 + *(void **)&cbTbl.processData = ibmcam_ProcessIsocData;
32547 + *(void **)&cbTbl.postProcess = usbvideo_DeinterlaceFrame;
32548 + *(void **)&cbTbl.adjustPicture = ibmcam_adjust_picture;
32549 + *(void **)&cbTbl.getFPS = ibmcam_calculate_fps;
32550 return usbvideo_register(
32551 &cams,
32552 MAX_IBMCAM,
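Review bot: Storing the callbacks through `*(void **)&cbTbl.probe = ibmcam_probe;` removes the compiler's check that each function matches the member's prototype, so a handler with the wrong signature now builds without a diagnostic. The same pattern is used in the konicawc_init, ultracam_init and usbvideo_register hunks. The casts are presumably needed because the patch set makes `struct usbvideo_cb` non-assignable, which is not visible here; if so, a comment above the first assignment such as `/* members are written through void ** on purpose; check prototypes by hand */` would record it. The three init functions are also inconsistent: this hunk and konicawc cast the `memset` destination to `(void *)` (konicawc spells it `(void * )`), while the ultracam hunk leaves `memset(&cbTbl, ...)` uncast. ibmcam_init continues past the end of the hunk.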
32553 diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/konicawc.c linux-2.6.32.46/drivers/media/video/usbvideo/konicawc.c
32554 --- linux-2.6.32.46/drivers/media/video/usbvideo/konicawc.c 2011-03-27 14:31:47.000000000 -0400
32555 +++ linux-2.6.32.46/drivers/media/video/usbvideo/konicawc.c 2011-08-05 20:33:55.000000000 -0400
32556 @@ -225,7 +225,7 @@ static void konicawc_register_input(stru
32557 int error;
32558
32559 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
32560 - strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
32561 + strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
32562
32563 cam->input = input_dev = input_allocate_device();
32564 if (!input_dev) {
32565 @@ -935,16 +935,16 @@ static int __init konicawc_init(void)
32566 struct usbvideo_cb cbTbl;
32567 printk(KERN_INFO KBUILD_MODNAME ": " DRIVER_VERSION ":"
32568 DRIVER_DESC "\n");
32569 - memset(&cbTbl, 0, sizeof(cbTbl));
32570 - cbTbl.probe = konicawc_probe;
32571 - cbTbl.setupOnOpen = konicawc_setup_on_open;
32572 - cbTbl.processData = konicawc_process_isoc;
32573 - cbTbl.getFPS = konicawc_calculate_fps;
32574 - cbTbl.setVideoMode = konicawc_set_video_mode;
32575 - cbTbl.startDataPump = konicawc_start_data;
32576 - cbTbl.stopDataPump = konicawc_stop_data;
32577 - cbTbl.adjustPicture = konicawc_adjust_picture;
32578 - cbTbl.userFree = konicawc_free_uvd;
32579 + memset((void * )&cbTbl, 0, sizeof(cbTbl));
32580 + *(void **)&cbTbl.probe = konicawc_probe;
32581 + *(void **)&cbTbl.setupOnOpen = konicawc_setup_on_open;
32582 + *(void **)&cbTbl.processData = konicawc_process_isoc;
32583 + *(void **)&cbTbl.getFPS = konicawc_calculate_fps;
32584 + *(void **)&cbTbl.setVideoMode = konicawc_set_video_mode;
32585 + *(void **)&cbTbl.startDataPump = konicawc_start_data;
32586 + *(void **)&cbTbl.stopDataPump = konicawc_stop_data;
32587 + *(void **)&cbTbl.adjustPicture = konicawc_adjust_picture;
32588 + *(void **)&cbTbl.userFree = konicawc_free_uvd;
32589 return usbvideo_register(
32590 &cams,
32591 MAX_CAMERAS,
32592 diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/quickcam_messenger.c linux-2.6.32.46/drivers/media/video/usbvideo/quickcam_messenger.c
32593 --- linux-2.6.32.46/drivers/media/video/usbvideo/quickcam_messenger.c 2011-03-27 14:31:47.000000000 -0400
32594 +++ linux-2.6.32.46/drivers/media/video/usbvideo/quickcam_messenger.c 2011-04-17 15:56:46.000000000 -0400
32595 @@ -89,7 +89,7 @@ static void qcm_register_input(struct qc
32596 int error;
32597
32598 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
32599 - strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
32600 + strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
32601
32602 cam->input = input_dev = input_allocate_device();
32603 if (!input_dev) {
32604 diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/ultracam.c linux-2.6.32.46/drivers/media/video/usbvideo/ultracam.c
32605 --- linux-2.6.32.46/drivers/media/video/usbvideo/ultracam.c 2011-03-27 14:31:47.000000000 -0400
32606 +++ linux-2.6.32.46/drivers/media/video/usbvideo/ultracam.c 2011-08-05 20:33:55.000000000 -0400
32607 @@ -655,14 +655,14 @@ static int __init ultracam_init(void)
32608 {
32609 struct usbvideo_cb cbTbl;
32610 memset(&cbTbl, 0, sizeof(cbTbl));
32611 - cbTbl.probe = ultracam_probe;
32612 - cbTbl.setupOnOpen = ultracam_setup_on_open;
32613 - cbTbl.videoStart = ultracam_video_start;
32614 - cbTbl.videoStop = ultracam_video_stop;
32615 - cbTbl.processData = ultracam_ProcessIsocData;
32616 - cbTbl.postProcess = usbvideo_DeinterlaceFrame;
32617 - cbTbl.adjustPicture = ultracam_adjust_picture;
32618 - cbTbl.getFPS = ultracam_calculate_fps;
32619 + *(void **)&cbTbl.probe = ultracam_probe;
32620 + *(void **)&cbTbl.setupOnOpen = ultracam_setup_on_open;
32621 + *(void **)&cbTbl.videoStart = ultracam_video_start;
32622 + *(void **)&cbTbl.videoStop = ultracam_video_stop;
32623 + *(void **)&cbTbl.processData = ultracam_ProcessIsocData;
32624 + *(void **)&cbTbl.postProcess = usbvideo_DeinterlaceFrame;
32625 + *(void **)&cbTbl.adjustPicture = ultracam_adjust_picture;
32626 + *(void **)&cbTbl.getFPS = ultracam_calculate_fps;
32627 return usbvideo_register(
32628 &cams,
32629 MAX_CAMERAS,
32630 diff -urNp linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.c linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.c
32631 --- linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.c 2011-03-27 14:31:47.000000000 -0400
32632 +++ linux-2.6.32.46/drivers/media/video/usbvideo/usbvideo.c 2011-08-05 20:33:55.000000000 -0400
32633 @@ -697,15 +697,15 @@ int usbvideo_register(
32634 __func__, cams, base_size, num_cams);
32635
32636 /* Copy callbacks, apply defaults for those that are not set */
32637 - memmove(&cams->cb, cbTbl, sizeof(cams->cb));
32638 + memmove((void *)&cams->cb, cbTbl, sizeof(cams->cb));
32639 if (cams->cb.getFrame == NULL)
32640 - cams->cb.getFrame = usbvideo_GetFrame;
32641 + *(void **)&cams->cb.getFrame = usbvideo_GetFrame;
32642 if (cams->cb.disconnect == NULL)
32643 - cams->cb.disconnect = usbvideo_Disconnect;
32644 + *(void **)&cams->cb.disconnect = usbvideo_Disconnect;
32645 if (cams->cb.startDataPump == NULL)
32646 - cams->cb.startDataPump = usbvideo_StartDataPump;
32647 + *(void **)&cams->cb.startDataPump = usbvideo_StartDataPump;
32648 if (cams->cb.stopDataPump == NULL)
32649 - cams->cb.stopDataPump = usbvideo_StopDataPump;
32650 + *(void **)&cams->cb.stopDataPump = usbvideo_StopDataPump;
32651
32652 cams->num_cameras = num_cams;
32653 cams->cam = (struct uvd *) &cams[1];
32654 diff -urNp linux-2.6.32.46/drivers/media/video/usbvision/usbvision-core.c linux-2.6.32.46/drivers/media/video/usbvision/usbvision-core.c
32655 --- linux-2.6.32.46/drivers/media/video/usbvision/usbvision-core.c 2011-03-27 14:31:47.000000000 -0400
32656 +++ linux-2.6.32.46/drivers/media/video/usbvision/usbvision-core.c 2011-05-16 21:46:57.000000000 -0400
32657 @@ -820,6 +820,8 @@ static enum ParseState usbvision_parse_c
32658 unsigned char rv, gv, bv;
32659 static unsigned char *Y, *U, *V;
32660
32661 + pax_track_stack();
32662 +
32663 frame = usbvision->curFrame;
32664 imageSize = frame->frmwidth * frame->frmheight;
32665 if ( (frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
32666 diff -urNp linux-2.6.32.46/drivers/media/video/v4l2-device.c linux-2.6.32.46/drivers/media/video/v4l2-device.c
32667 --- linux-2.6.32.46/drivers/media/video/v4l2-device.c 2011-03-27 14:31:47.000000000 -0400
32668 +++ linux-2.6.32.46/drivers/media/video/v4l2-device.c 2011-05-04 17:56:28.000000000 -0400
32669 @@ -50,9 +50,9 @@ int v4l2_device_register(struct device *
32670 EXPORT_SYMBOL_GPL(v4l2_device_register);
32671
32672 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
32673 - atomic_t *instance)
32674 + atomic_unchecked_t *instance)
32675 {
32676 - int num = atomic_inc_return(instance) - 1;
32677 + int num = atomic_inc_return_unchecked(instance) - 1;
32678 int len = strlen(basename);
32679
32680 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
32681 diff -urNp linux-2.6.32.46/drivers/media/video/videobuf-dma-sg.c linux-2.6.32.46/drivers/media/video/videobuf-dma-sg.c
32682 --- linux-2.6.32.46/drivers/media/video/videobuf-dma-sg.c 2011-03-27 14:31:47.000000000 -0400
32683 +++ linux-2.6.32.46/drivers/media/video/videobuf-dma-sg.c 2011-05-16 21:46:57.000000000 -0400
32684 @@ -693,6 +693,8 @@ void *videobuf_sg_alloc(size_t size)
32685 {
32686 struct videobuf_queue q;
32687
32688 + pax_track_stack();
32689 +
32690 /* Required to make generic handler to call __videobuf_alloc */
32691 q.int_ops = &sg_ops;
32692
32693 diff -urNp linux-2.6.32.46/drivers/message/fusion/mptbase.c linux-2.6.32.46/drivers/message/fusion/mptbase.c
32694 --- linux-2.6.32.46/drivers/message/fusion/mptbase.c 2011-03-27 14:31:47.000000000 -0400
32695 +++ linux-2.6.32.46/drivers/message/fusion/mptbase.c 2011-04-17 15:56:46.000000000 -0400
32696 @@ -6709,8 +6709,14 @@ procmpt_iocinfo_read(char *buf, char **s
32697 len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
32698 len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
32699
32700 +#ifdef CONFIG_GRKERNSEC_HIDESYM
32701 + len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
32702 + NULL, NULL);
32703 +#else
32704 len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
32705 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
32706 +#endif
32707 +
32708 /*
32709 * Rounding UP to nearest 4-kB boundary here...
32710 */
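Review bot: The format string `" RequestFrames @ 0x%p (Dma @ 0x%p)\n"` now appears in both branches of the `#ifdef CONFIG_GRKERNSEC_HIDESYM`, so a later edit to one copy can leave the two outputs out of step. Keeping a single `sprintf` call and placing only the two arguments under the `#ifdef` avoids that. In the hidden case the line is still emitted with `NULL` for both values; depending on how this kernel's `%p` renders a null pointer the text may come out as `0x(null)`, which is worth checking against anything that parses this proc file. procmpt_iocinfo_read begins outside the hunk.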
32711 diff -urNp linux-2.6.32.46/drivers/message/fusion/mptsas.c linux-2.6.32.46/drivers/message/fusion/mptsas.c
32712 --- linux-2.6.32.46/drivers/message/fusion/mptsas.c 2011-03-27 14:31:47.000000000 -0400
32713 +++ linux-2.6.32.46/drivers/message/fusion/mptsas.c 2011-04-17 15:56:46.000000000 -0400
32714 @@ -436,6 +436,23 @@ mptsas_is_end_device(struct mptsas_devin
32715 return 0;
32716 }
32717
32718 +static inline void
32719 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
32720 +{
32721 + if (phy_info->port_details) {
32722 + phy_info->port_details->rphy = rphy;
32723 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
32724 + ioc->name, rphy));
32725 + }
32726 +
32727 + if (rphy) {
32728 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
32729 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
32730 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
32731 + ioc->name, rphy, rphy->dev.release));
32732 + }
32733 +}
32734 +
32735 /* no mutex */
32736 static void
32737 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
32738 @@ -474,23 +491,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
32739 return NULL;
32740 }
32741
32742 -static inline void
32743 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
32744 -{
32745 - if (phy_info->port_details) {
32746 - phy_info->port_details->rphy = rphy;
32747 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
32748 - ioc->name, rphy));
32749 - }
32750 -
32751 - if (rphy) {
32752 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
32753 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
32754 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
32755 - ioc->name, rphy, rphy->dev.release));
32756 - }
32757 -}
32758 -
32759 static inline struct sas_port *
32760 mptsas_get_port(struct mptsas_phyinfo *phy_info)
32761 {
32762 diff -urNp linux-2.6.32.46/drivers/message/fusion/mptscsih.c linux-2.6.32.46/drivers/message/fusion/mptscsih.c
32763 --- linux-2.6.32.46/drivers/message/fusion/mptscsih.c 2011-03-27 14:31:47.000000000 -0400
32764 +++ linux-2.6.32.46/drivers/message/fusion/mptscsih.c 2011-04-17 15:56:46.000000000 -0400
32765 @@ -1248,15 +1248,16 @@ mptscsih_info(struct Scsi_Host *SChost)
32766
32767 h = shost_priv(SChost);
32768
32769 - if (h) {
32770 - if (h->info_kbuf == NULL)
32771 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
32772 - return h->info_kbuf;
32773 - h->info_kbuf[0] = '\0';
32774 + if (!h)
32775 + return NULL;
32776
32777 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
32778 - h->info_kbuf[size-1] = '\0';
32779 - }
32780 + if (h->info_kbuf == NULL)
32781 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
32782 + return h->info_kbuf;
32783 + h->info_kbuf[0] = '\0';
32784 +
32785 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
32786 + h->info_kbuf[size-1] = '\0';
32787
32788 return h->info_kbuf;
32789 }
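Review bot: The rewritten body keeps the nested, unbraced `if (h->info_kbuf == NULL)` around `if ((h->info_kbuf = kmalloc(...)) == NULL) return h->info_kbuf;`, which hides an assignment inside a condition and returns a pointer already known to be NULL. Now that the function opens with the guard `if (!h) return NULL;`, bracing the outer `if`, making the allocation its own statement and ending the failure path with `return NULL;` would match it. Separately, `h->info_kbuf[size-1] = '\0';` depends on `size` being at least 1 after mpt_print_ioc_summary(); `size` is declared outside the hunk, so that should be confirmed.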
32790 diff -urNp linux-2.6.32.46/drivers/message/i2o/i2o_config.c linux-2.6.32.46/drivers/message/i2o/i2o_config.c
32791 --- linux-2.6.32.46/drivers/message/i2o/i2o_config.c 2011-03-27 14:31:47.000000000 -0400
32792 +++ linux-2.6.32.46/drivers/message/i2o/i2o_config.c 2011-05-16 21:46:57.000000000 -0400
32793 @@ -787,6 +787,8 @@ static int i2o_cfg_passthru(unsigned lon
32794 struct i2o_message *msg;
32795 unsigned int iop;
32796
32797 + pax_track_stack();
32798 +
32799 if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
32800 return -EFAULT;
32801
32802 diff -urNp linux-2.6.32.46/drivers/message/i2o/i2o_proc.c linux-2.6.32.46/drivers/message/i2o/i2o_proc.c
32803 --- linux-2.6.32.46/drivers/message/i2o/i2o_proc.c 2011-03-27 14:31:47.000000000 -0400
32804 +++ linux-2.6.32.46/drivers/message/i2o/i2o_proc.c 2011-04-17 15:56:46.000000000 -0400
32805 @@ -259,13 +259,6 @@ static char *scsi_devices[] = {
32806 "Array Controller Device"
32807 };
32808
32809 -static char *chtostr(u8 * chars, int n)
32810 -{
32811 - char tmp[256];
32812 - tmp[0] = 0;
32813 - return strncat(tmp, (char *)chars, n);
32814 -}
32815 -
32816 static int i2o_report_query_status(struct seq_file *seq, int block_status,
32817 char *group)
32818 {
32819 @@ -842,8 +835,7 @@ static int i2o_seq_show_ddm_table(struct
32820
32821 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
32822 seq_printf(seq, "%-#8x", ddm_table.module_id);
32823 - seq_printf(seq, "%-29s",
32824 - chtostr(ddm_table.module_name_version, 28));
32825 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
32826 seq_printf(seq, "%9d ", ddm_table.data_size);
32827 seq_printf(seq, "%8d", ddm_table.code_size);
32828
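Review bot: Replacing `%-29s` with `%-.28s` drops the field width, so the module name is no longer padded to 29 columns and the `data_size` and `code_size` fields that follow will shift with the name's length. `%-29.28s` keeps both the 28-byte read limit and the original column layout. The same applies in the i2o_seq_show_drivers_stored hunk, where `%-.28s` and `%-.8s` replace `%-29s` and `%-9s`; `%-29.28s` and `%-9.8s` preserve the table there. Both functions extend beyond their hunks.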
32829 @@ -944,8 +936,8 @@ static int i2o_seq_show_drivers_stored(s
32830
32831 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
32832 seq_printf(seq, "%-#8x", dst->module_id);
32833 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
32834 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
32835 + seq_printf(seq, "%-.28s", dst->module_name_version);
32836 + seq_printf(seq, "%-.8s", dst->date);
32837 seq_printf(seq, "%8d ", dst->module_size);
32838 seq_printf(seq, "%8d ", dst->mpb_size);
32839 seq_printf(seq, "0x%04x", dst->module_flags);
32840 @@ -1276,14 +1268,10 @@ static int i2o_seq_show_dev_identity(str
32841 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
32842 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
32843 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
32844 - seq_printf(seq, "Vendor info : %s\n",
32845 - chtostr((u8 *) (work32 + 2), 16));
32846 - seq_printf(seq, "Product info : %s\n",
32847 - chtostr((u8 *) (work32 + 6), 16));
32848 - seq_printf(seq, "Description : %s\n",
32849 - chtostr((u8 *) (work32 + 10), 16));
32850 - seq_printf(seq, "Product rev. : %s\n",
32851 - chtostr((u8 *) (work32 + 14), 8));
32852 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
32853 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
32854 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
32855 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
32856
32857 seq_printf(seq, "Serial number : ");
32858 print_serial_number(seq, (u8 *) (work32 + 16),
32859 @@ -1328,10 +1316,8 @@ static int i2o_seq_show_ddm_identity(str
32860 }
32861
32862 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
32863 - seq_printf(seq, "Module name : %s\n",
32864 - chtostr(result.module_name, 24));
32865 - seq_printf(seq, "Module revision : %s\n",
32866 - chtostr(result.module_rev, 8));
32867 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
32868 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
32869
32870 seq_printf(seq, "Serial number : ");
32871 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
32872 @@ -1362,14 +1348,10 @@ static int i2o_seq_show_uinfo(struct seq
32873 return 0;
32874 }
32875
32876 - seq_printf(seq, "Device name : %s\n",
32877 - chtostr(result.device_name, 64));
32878 - seq_printf(seq, "Service name : %s\n",
32879 - chtostr(result.service_name, 64));
32880 - seq_printf(seq, "Physical name : %s\n",
32881 - chtostr(result.physical_location, 64));
32882 - seq_printf(seq, "Instance number : %s\n",
32883 - chtostr(result.instance_number, 4));
32884 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
32885 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
32886 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
32887 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
32888
32889 return 0;
32890 }
32891 diff -urNp linux-2.6.32.46/drivers/message/i2o/iop.c linux-2.6.32.46/drivers/message/i2o/iop.c
32892 --- linux-2.6.32.46/drivers/message/i2o/iop.c 2011-03-27 14:31:47.000000000 -0400
32893 +++ linux-2.6.32.46/drivers/message/i2o/iop.c 2011-05-04 17:56:28.000000000 -0400
32894 @@ -110,10 +110,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
32895
32896 spin_lock_irqsave(&c->context_list_lock, flags);
32897
32898 - if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
32899 - atomic_inc(&c->context_list_counter);
32900 + if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
32901 + atomic_inc_unchecked(&c->context_list_counter);
32902
32903 - entry->context = atomic_read(&c->context_list_counter);
32904 + entry->context = atomic_read_unchecked(&c->context_list_counter);
32905
32906 list_add(&entry->list, &c->context_list);
32907
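Review bot: The switch to the `_unchecked` accessors is not explained at the call site, and the declaration alone does not tell a reader that wrap-around is intended. The surrounding lines do show it: when the increment reaches zero the counter is bumped once more, so zero is skipped and the value is used as a context id rather than a reference count. A comment such as `/* id generator: wrap is expected, 0 is skipped */` above the `if` would record that. After a wrap a new id could equal one still on `context_list`; whether that is checked is not visible in this hunk.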
32908 @@ -1076,7 +1076,7 @@ struct i2o_controller *i2o_iop_alloc(voi
32909
32910 #if BITS_PER_LONG == 64
32911 spin_lock_init(&c->context_list_lock);
32912 - atomic_set(&c->context_list_counter, 0);
32913 + atomic_set_unchecked(&c->context_list_counter, 0);
32914 INIT_LIST_HEAD(&c->context_list);
32915 #endif
32916
32917 diff -urNp linux-2.6.32.46/drivers/mfd/wm8350-i2c.c linux-2.6.32.46/drivers/mfd/wm8350-i2c.c
32918 --- linux-2.6.32.46/drivers/mfd/wm8350-i2c.c 2011-03-27 14:31:47.000000000 -0400
32919 +++ linux-2.6.32.46/drivers/mfd/wm8350-i2c.c 2011-05-16 21:46:57.000000000 -0400
32920 @@ -43,6 +43,8 @@ static int wm8350_i2c_write_device(struc
32921 u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
32922 int ret;
32923
32924 + pax_track_stack();
32925 +
32926 if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
32927 return -EINVAL;
32928
32929 diff -urNp linux-2.6.32.46/drivers/misc/kgdbts.c linux-2.6.32.46/drivers/misc/kgdbts.c
32930 --- linux-2.6.32.46/drivers/misc/kgdbts.c 2011-03-27 14:31:47.000000000 -0400
32931 +++ linux-2.6.32.46/drivers/misc/kgdbts.c 2011-04-17 15:56:46.000000000 -0400
32932 @@ -118,7 +118,7 @@
32933 } while (0)
32934 #define MAX_CONFIG_LEN 40
32935
32936 -static struct kgdb_io kgdbts_io_ops;
32937 +static const struct kgdb_io kgdbts_io_ops;
32938 static char get_buf[BUFMAX];
32939 static int get_buf_cnt;
32940 static char put_buf[BUFMAX];
32941 @@ -1102,7 +1102,7 @@ static void kgdbts_post_exp_handler(void
32942 module_put(THIS_MODULE);
32943 }
32944
32945 -static struct kgdb_io kgdbts_io_ops = {
32946 +static const struct kgdb_io kgdbts_io_ops = {
32947 .name = "kgdbts",
32948 .read_char = kgdbts_get_char,
32949 .write_char = kgdbts_put_char,
32950 diff -urNp linux-2.6.32.46/drivers/misc/sgi-gru/gruhandles.c linux-2.6.32.46/drivers/misc/sgi-gru/gruhandles.c
32951 --- linux-2.6.32.46/drivers/misc/sgi-gru/gruhandles.c 2011-03-27 14:31:47.000000000 -0400
32952 +++ linux-2.6.32.46/drivers/misc/sgi-gru/gruhandles.c 2011-04-17 15:56:46.000000000 -0400
32953 @@ -39,8 +39,8 @@ struct mcs_op_statistic mcs_op_statistic
32954
32955 static void update_mcs_stats(enum mcs_op op, unsigned long clks)
32956 {
32957 - atomic_long_inc(&mcs_op_statistics[op].count);
32958 - atomic_long_add(clks, &mcs_op_statistics[op].total);
32959 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
32960 + atomic_long_add_unchecked(clks, &mcs_op_statistics[op].total);
32961 if (mcs_op_statistics[op].max < clks)
32962 mcs_op_statistics[op].max = clks;
32963 }
32964 diff -urNp linux-2.6.32.46/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.32.46/drivers/misc/sgi-gru/gruprocfs.c
32965 --- linux-2.6.32.46/drivers/misc/sgi-gru/gruprocfs.c 2011-03-27 14:31:47.000000000 -0400
32966 +++ linux-2.6.32.46/drivers/misc/sgi-gru/gruprocfs.c 2011-04-17 15:56:46.000000000 -0400
32967 @@ -32,9 +32,9 @@
32968
32969 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
32970
32971 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
32972 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
32973 {
32974 - unsigned long val = atomic_long_read(v);
32975 + unsigned long val = atomic_long_read_unchecked(v);
32976
32977 if (val)
32978 seq_printf(s, "%16lu %s\n", val, id);
32979 @@ -136,8 +136,8 @@ static int mcs_statistics_show(struct se
32980 "cch_interrupt_sync", "cch_deallocate", "tgh_invalidate"};
32981
32982 for (op = 0; op < mcsop_last; op++) {
32983 - count = atomic_long_read(&mcs_op_statistics[op].count);
32984 - total = atomic_long_read(&mcs_op_statistics[op].total);
32985 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
32986 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
32987 max = mcs_op_statistics[op].max;
32988 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
32989 count ? total / count : 0, max);
32990 diff -urNp linux-2.6.32.46/drivers/misc/sgi-gru/grutables.h linux-2.6.32.46/drivers/misc/sgi-gru/grutables.h
32991 --- linux-2.6.32.46/drivers/misc/sgi-gru/grutables.h 2011-03-27 14:31:47.000000000 -0400
32992 +++ linux-2.6.32.46/drivers/misc/sgi-gru/grutables.h 2011-04-17 15:56:46.000000000 -0400
32993 @@ -167,84 +167,84 @@ extern unsigned int gru_max_gids;
32994 * GRU statistics.
32995 */
32996 struct gru_stats_s {
32997 - atomic_long_t vdata_alloc;
32998 - atomic_long_t vdata_free;
32999 - atomic_long_t gts_alloc;
33000 - atomic_long_t gts_free;
33001 - atomic_long_t vdata_double_alloc;
33002 - atomic_long_t gts_double_allocate;
33003 - atomic_long_t assign_context;
33004 - atomic_long_t assign_context_failed;
33005 - atomic_long_t free_context;
33006 - atomic_long_t load_user_context;
33007 - atomic_long_t load_kernel_context;
33008 - atomic_long_t lock_kernel_context;
33009 - atomic_long_t unlock_kernel_context;
33010 - atomic_long_t steal_user_context;
33011 - atomic_long_t steal_kernel_context;
33012 - atomic_long_t steal_context_failed;
33013 - atomic_long_t nopfn;
33014 - atomic_long_t break_cow;
33015 - atomic_long_t asid_new;
33016 - atomic_long_t asid_next;
33017 - atomic_long_t asid_wrap;
33018 - atomic_long_t asid_reuse;
33019 - atomic_long_t intr;
33020 - atomic_long_t intr_mm_lock_failed;
33021 - atomic_long_t call_os;
33022 - atomic_long_t call_os_offnode_reference;
33023 - atomic_long_t call_os_check_for_bug;
33024 - atomic_long_t call_os_wait_queue;
33025 - atomic_long_t user_flush_tlb;
33026 - atomic_long_t user_unload_context;
33027 - atomic_long_t user_exception;
33028 - atomic_long_t set_context_option;
33029 - atomic_long_t migrate_check;
33030 - atomic_long_t migrated_retarget;
33031 - atomic_long_t migrated_unload;
33032 - atomic_long_t migrated_unload_delay;
33033 - atomic_long_t migrated_nopfn_retarget;
33034 - atomic_long_t migrated_nopfn_unload;
33035 - atomic_long_t tlb_dropin;
33036 - atomic_long_t tlb_dropin_fail_no_asid;
33037 - atomic_long_t tlb_dropin_fail_upm;
33038 - atomic_long_t tlb_dropin_fail_invalid;
33039 - atomic_long_t tlb_dropin_fail_range_active;
33040 - atomic_long_t tlb_dropin_fail_idle;
33041 - atomic_long_t tlb_dropin_fail_fmm;
33042 - atomic_long_t tlb_dropin_fail_no_exception;
33043 - atomic_long_t tlb_dropin_fail_no_exception_war;
33044 - atomic_long_t tfh_stale_on_fault;
33045 - atomic_long_t mmu_invalidate_range;
33046 - atomic_long_t mmu_invalidate_page;
33047 - atomic_long_t mmu_clear_flush_young;
33048 - atomic_long_t flush_tlb;
33049 - atomic_long_t flush_tlb_gru;
33050 - atomic_long_t flush_tlb_gru_tgh;
33051 - atomic_long_t flush_tlb_gru_zero_asid;
33052 -
33053 - atomic_long_t copy_gpa;
33054 -
33055 - atomic_long_t mesq_receive;
33056 - atomic_long_t mesq_receive_none;
33057 - atomic_long_t mesq_send;
33058 - atomic_long_t mesq_send_failed;
33059 - atomic_long_t mesq_noop;
33060 - atomic_long_t mesq_send_unexpected_error;
33061 - atomic_long_t mesq_send_lb_overflow;
33062 - atomic_long_t mesq_send_qlimit_reached;
33063 - atomic_long_t mesq_send_amo_nacked;
33064 - atomic_long_t mesq_send_put_nacked;
33065 - atomic_long_t mesq_qf_not_full;
33066 - atomic_long_t mesq_qf_locked;
33067 - atomic_long_t mesq_qf_noop_not_full;
33068 - atomic_long_t mesq_qf_switch_head_failed;
33069 - atomic_long_t mesq_qf_unexpected_error;
33070 - atomic_long_t mesq_noop_unexpected_error;
33071 - atomic_long_t mesq_noop_lb_overflow;
33072 - atomic_long_t mesq_noop_qlimit_reached;
33073 - atomic_long_t mesq_noop_amo_nacked;
33074 - atomic_long_t mesq_noop_put_nacked;
33075 + atomic_long_unchecked_t vdata_alloc;
33076 + atomic_long_unchecked_t vdata_free;
33077 + atomic_long_unchecked_t gts_alloc;
33078 + atomic_long_unchecked_t gts_free;
33079 + atomic_long_unchecked_t vdata_double_alloc;
33080 + atomic_long_unchecked_t gts_double_allocate;
33081 + atomic_long_unchecked_t assign_context;
33082 + atomic_long_unchecked_t assign_context_failed;
33083 + atomic_long_unchecked_t free_context;
33084 + atomic_long_unchecked_t load_user_context;
33085 + atomic_long_unchecked_t load_kernel_context;
33086 + atomic_long_unchecked_t lock_kernel_context;
33087 + atomic_long_unchecked_t unlock_kernel_context;
33088 + atomic_long_unchecked_t steal_user_context;
33089 + atomic_long_unchecked_t steal_kernel_context;
33090 + atomic_long_unchecked_t steal_context_failed;
33091 + atomic_long_unchecked_t nopfn;
33092 + atomic_long_unchecked_t break_cow;
33093 + atomic_long_unchecked_t asid_new;
33094 + atomic_long_unchecked_t asid_next;
33095 + atomic_long_unchecked_t asid_wrap;
33096 + atomic_long_unchecked_t asid_reuse;
33097 + atomic_long_unchecked_t intr;
33098 + atomic_long_unchecked_t intr_mm_lock_failed;
33099 + atomic_long_unchecked_t call_os;
33100 + atomic_long_unchecked_t call_os_offnode_reference;
33101 + atomic_long_unchecked_t call_os_check_for_bug;
33102 + atomic_long_unchecked_t call_os_wait_queue;
33103 + atomic_long_unchecked_t user_flush_tlb;
33104 + atomic_long_unchecked_t user_unload_context;
33105 + atomic_long_unchecked_t user_exception;
33106 + atomic_long_unchecked_t set_context_option;
33107 + atomic_long_unchecked_t migrate_check;
33108 + atomic_long_unchecked_t migrated_retarget;
33109 + atomic_long_unchecked_t migrated_unload;
33110 + atomic_long_unchecked_t migrated_unload_delay;
33111 + atomic_long_unchecked_t migrated_nopfn_retarget;
33112 + atomic_long_unchecked_t migrated_nopfn_unload;
33113 + atomic_long_unchecked_t tlb_dropin;
33114 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
33115 + atomic_long_unchecked_t tlb_dropin_fail_upm;
33116 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
33117 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
33118 + atomic_long_unchecked_t tlb_dropin_fail_idle;
33119 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
33120 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
33121 + atomic_long_unchecked_t tlb_dropin_fail_no_exception_war;
33122 + atomic_long_unchecked_t tfh_stale_on_fault;
33123 + atomic_long_unchecked_t mmu_invalidate_range;
33124 + atomic_long_unchecked_t mmu_invalidate_page;
33125 + atomic_long_unchecked_t mmu_clear_flush_young;
33126 + atomic_long_unchecked_t flush_tlb;
33127 + atomic_long_unchecked_t flush_tlb_gru;
33128 + atomic_long_unchecked_t flush_tlb_gru_tgh;
33129 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
33130 +
33131 + atomic_long_unchecked_t copy_gpa;
33132 +
33133 + atomic_long_unchecked_t mesq_receive;
33134 + atomic_long_unchecked_t mesq_receive_none;
33135 + atomic_long_unchecked_t mesq_send;
33136 + atomic_long_unchecked_t mesq_send_failed;
33137 + atomic_long_unchecked_t mesq_noop;
33138 + atomic_long_unchecked_t mesq_send_unexpected_error;
33139 + atomic_long_unchecked_t mesq_send_lb_overflow;
33140 + atomic_long_unchecked_t mesq_send_qlimit_reached;
33141 + atomic_long_unchecked_t mesq_send_amo_nacked;
33142 + atomic_long_unchecked_t mesq_send_put_nacked;
33143 + atomic_long_unchecked_t mesq_qf_not_full;
33144 + atomic_long_unchecked_t mesq_qf_locked;
33145 + atomic_long_unchecked_t mesq_qf_noop_not_full;
33146 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
33147 + atomic_long_unchecked_t mesq_qf_unexpected_error;
33148 + atomic_long_unchecked_t mesq_noop_unexpected_error;
33149 + atomic_long_unchecked_t mesq_noop_lb_overflow;
33150 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
33151 + atomic_long_unchecked_t mesq_noop_amo_nacked;
33152 + atomic_long_unchecked_t mesq_noop_put_nacked;
33153
33154 };
33155
33156 @@ -252,8 +252,8 @@ enum mcs_op {cchop_allocate, cchop_start
33157 cchop_deallocate, tghop_invalidate, mcsop_last};
33158
33159 struct mcs_op_statistic {
33160 - atomic_long_t count;
33161 - atomic_long_t total;
33162 + atomic_long_unchecked_t count;
33163 + atomic_long_unchecked_t total;
33164 unsigned long max;
33165 };
33166
33167 @@ -276,7 +276,7 @@ extern struct mcs_op_statistic mcs_op_st
33168
33169 #define STAT(id) do { \
33170 if (gru_options & OPT_STATS) \
33171 - atomic_long_inc(&gru_stats.id); \
33172 + atomic_long_inc_unchecked(&gru_stats.id); \
33173 } while (0)
33174
33175 #ifdef CONFIG_SGI_GRU_DEBUG
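Review bot: The switch to `atomic_long_inc_unchecked()` in `STAT()` has no comment saying why these counters are exempt from the checked atomic operations. Judging by the field names in the statistics structs converted above, they count events rather than hold references, so wraparound would be harmless, but the macro itself does not say so. I would add above the macro `/* event statistics only, never a reference count: wraparound is harmless, so the unchecked ops are used */`, so that nobody later copies the `_unchecked` form onto a counter that guards an object's lifetime.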
33176 diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xpc.h linux-2.6.32.46/drivers/misc/sgi-xp/xpc.h
33177 --- linux-2.6.32.46/drivers/misc/sgi-xp/xpc.h 2011-03-27 14:31:47.000000000 -0400
33178 +++ linux-2.6.32.46/drivers/misc/sgi-xp/xpc.h 2011-08-05 20:33:55.000000000 -0400
33179 @@ -876,7 +876,7 @@ extern struct xpc_registration xpc_regis
33180 /* found in xpc_main.c */
33181 extern struct device *xpc_part;
33182 extern struct device *xpc_chan;
33183 -extern struct xpc_arch_operations xpc_arch_ops;
33184 +extern const struct xpc_arch_operations xpc_arch_ops;
33185 extern int xpc_disengage_timelimit;
33186 extern int xpc_disengage_timedout;
33187 extern int xpc_activate_IRQ_rcvd;
33188 diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xpc_main.c linux-2.6.32.46/drivers/misc/sgi-xp/xpc_main.c
33189 --- linux-2.6.32.46/drivers/misc/sgi-xp/xpc_main.c 2011-03-27 14:31:47.000000000 -0400
33190 +++ linux-2.6.32.46/drivers/misc/sgi-xp/xpc_main.c 2011-08-05 20:33:55.000000000 -0400
33191 @@ -169,7 +169,7 @@ static struct notifier_block xpc_die_not
33192 .notifier_call = xpc_system_die,
33193 };
33194
33195 -struct xpc_arch_operations xpc_arch_ops;
33196 +const struct xpc_arch_operations xpc_arch_ops;
33197
33198 /*
33199 * Timer function to enforce the timelimit on the partition disengage.
33200 diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xpc_sn2.c linux-2.6.32.46/drivers/misc/sgi-xp/xpc_sn2.c
33201 --- linux-2.6.32.46/drivers/misc/sgi-xp/xpc_sn2.c 2011-03-27 14:31:47.000000000 -0400
33202 +++ linux-2.6.32.46/drivers/misc/sgi-xp/xpc_sn2.c 2011-08-05 20:33:55.000000000 -0400
33203 @@ -2350,7 +2350,7 @@ xpc_received_payload_sn2(struct xpc_chan
33204 xpc_acknowledge_msgs_sn2(ch, get, msg->flags);
33205 }
33206
33207 -static struct xpc_arch_operations xpc_arch_ops_sn2 = {
33208 +static const struct xpc_arch_operations xpc_arch_ops_sn2 = {
33209 .setup_partitions = xpc_setup_partitions_sn2,
33210 .teardown_partitions = xpc_teardown_partitions_sn2,
33211 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_sn2,
33212 @@ -2413,7 +2413,9 @@ xpc_init_sn2(void)
33213 int ret;
33214 size_t buf_size;
33215
33216 - xpc_arch_ops = xpc_arch_ops_sn2;
33217 + pax_open_kernel();
33218 + memcpy((void *)&xpc_arch_ops, &xpc_arch_ops_sn2, sizeof(xpc_arch_ops_sn2));
33219 + pax_close_kernel();
33220
33221 if (offsetof(struct xpc_msg_sn2, payload) > XPC_MSG_HDR_MAX_SIZE) {
33222 dev_err(xpc_part, "header portion of struct xpc_msg_sn2 is "
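Review bot: The `memcpy()` in `xpc_init_sn2` writes through `(void *)&xpc_arch_ops`, which strips the `const` this patch adds to the definition in xpc_main.c. The store is valid only because it sits between `pax_open_kernel()` and `pax_close_kernel()`, and nothing in the hunk says so. I would add `/* xpc_arch_ops is read-only after init; this one-time fill is the only permitted write */` above the `pax_open_kernel()` call. I would also size the copy by the destination, `sizeof(xpc_arch_ops)`, so that a future type mismatch cannot overrun the object being written. The same applies to the identical sequence in `xpc_init_uv` in xpc_uv.c; both function bodies continue outside their hunks.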
33223 diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xpc_uv.c linux-2.6.32.46/drivers/misc/sgi-xp/xpc_uv.c
33224 --- linux-2.6.32.46/drivers/misc/sgi-xp/xpc_uv.c 2011-03-27 14:31:47.000000000 -0400
33225 +++ linux-2.6.32.46/drivers/misc/sgi-xp/xpc_uv.c 2011-08-05 20:33:55.000000000 -0400
33226 @@ -1669,7 +1669,7 @@ xpc_received_payload_uv(struct xpc_chann
33227 XPC_DEACTIVATE_PARTITION(&xpc_partitions[ch->partid], ret);
33228 }
33229
33230 -static struct xpc_arch_operations xpc_arch_ops_uv = {
33231 +static const struct xpc_arch_operations xpc_arch_ops_uv = {
33232 .setup_partitions = xpc_setup_partitions_uv,
33233 .teardown_partitions = xpc_teardown_partitions_uv,
33234 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_uv,
33235 @@ -1729,7 +1729,9 @@ static struct xpc_arch_operations xpc_ar
33236 int
33237 xpc_init_uv(void)
33238 {
33239 - xpc_arch_ops = xpc_arch_ops_uv;
33240 + pax_open_kernel();
33241 + memcpy((void *)&xpc_arch_ops, &xpc_arch_ops_uv, sizeof(xpc_arch_ops_uv));
33242 + pax_close_kernel();
33243
33244 if (sizeof(struct xpc_notify_mq_msghdr_uv) > XPC_MSG_HDR_MAX_SIZE) {
33245 dev_err(xpc_part, "xpc_notify_mq_msghdr_uv is larger than %d\n",
33246 diff -urNp linux-2.6.32.46/drivers/misc/sgi-xp/xp.h linux-2.6.32.46/drivers/misc/sgi-xp/xp.h
33247 --- linux-2.6.32.46/drivers/misc/sgi-xp/xp.h 2011-03-27 14:31:47.000000000 -0400
33248 +++ linux-2.6.32.46/drivers/misc/sgi-xp/xp.h 2011-08-05 20:33:55.000000000 -0400
33249 @@ -289,7 +289,7 @@ struct xpc_interface {
33250 xpc_notify_func, void *);
33251 void (*received) (short, int, void *);
33252 enum xp_retval (*partid_to_nasids) (short, void *);
33253 -};
33254 +} __no_const;
33255
33256 extern struct xpc_interface xpc_interface;
33257
33258 diff -urNp linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0001.c linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0001.c
33259 --- linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0001.c 2011-03-27 14:31:47.000000000 -0400
33260 +++ linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0001.c 2011-05-16 21:46:57.000000000 -0400
33261 @@ -743,6 +743,8 @@ static int chip_ready (struct map_info *
33262 struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
33263 unsigned long timeo = jiffies + HZ;
33264
33265 + pax_track_stack();
33266 +
33267 /* Prevent setting state FL_SYNCING for chip in suspended state. */
33268 if (mode == FL_SYNCING && chip->oldstate != FL_READY)
33269 goto sleep;
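Review bot: The bare `pax_track_stack();` added after the declarations in `chip_ready` has no comment, and the same unexplained call is added in the other cfi_cmdset, ftl, inftl, nftl, lpddr, mtdchar, bnx2, cxgb3 and 6pack hunks on this page. The helper is not defined here; it appears to mark functions whose stack frame is large enough to need tracking, though this hunk shows no local that would explain that. A one-line comment at each site would help, for example `/* large on-stack locals: record stack depth */`, naming the local that justifies it where one is visible, such as `buf[512]` in `sixpack_receive_buf`. Otherwise a later refactor that moves the buffer off the stack will leave the call behind, or a new large local will be added without one.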
33270 @@ -1642,6 +1644,8 @@ static int __xipram do_write_buffer(stru
33271 unsigned long initial_adr;
33272 int initial_len = len;
33273
33274 + pax_track_stack();
33275 +
33276 wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
33277 adr += chip->start;
33278 initial_adr = adr;
33279 @@ -1860,6 +1864,8 @@ static int __xipram do_erase_oneblock(st
33280 int retries = 3;
33281 int ret;
33282
33283 + pax_track_stack();
33284 +
33285 adr += chip->start;
33286
33287 retry:
33288 diff -urNp linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0020.c linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0020.c
33289 --- linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0020.c 2011-03-27 14:31:47.000000000 -0400
33290 +++ linux-2.6.32.46/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-16 21:46:57.000000000 -0400
33291 @@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
33292 unsigned long cmd_addr;
33293 struct cfi_private *cfi = map->fldrv_priv;
33294
33295 + pax_track_stack();
33296 +
33297 adr += chip->start;
33298
33299 /* Ensure cmd read/writes are aligned. */
33300 @@ -428,6 +430,8 @@ static inline int do_write_buffer(struct
33301 DECLARE_WAITQUEUE(wait, current);
33302 int wbufsize, z;
33303
33304 + pax_track_stack();
33305 +
33306 /* M58LW064A requires bus alignment for buffer wriets -- saw */
33307 if (adr & (map_bankwidth(map)-1))
33308 return -EINVAL;
33309 @@ -742,6 +746,8 @@ static inline int do_erase_oneblock(stru
33310 DECLARE_WAITQUEUE(wait, current);
33311 int ret = 0;
33312
33313 + pax_track_stack();
33314 +
33315 adr += chip->start;
33316
33317 /* Let's determine this according to the interleave only once */
33318 @@ -1047,6 +1053,8 @@ static inline int do_lock_oneblock(struc
33319 unsigned long timeo = jiffies + HZ;
33320 DECLARE_WAITQUEUE(wait, current);
33321
33322 + pax_track_stack();
33323 +
33324 adr += chip->start;
33325
33326 /* Let's determine this according to the interleave only once */
33327 @@ -1196,6 +1204,8 @@ static inline int do_unlock_oneblock(str
33328 unsigned long timeo = jiffies + HZ;
33329 DECLARE_WAITQUEUE(wait, current);
33330
33331 + pax_track_stack();
33332 +
33333 adr += chip->start;
33334
33335 /* Let's determine this according to the interleave only once */
33336 diff -urNp linux-2.6.32.46/drivers/mtd/devices/doc2000.c linux-2.6.32.46/drivers/mtd/devices/doc2000.c
33337 --- linux-2.6.32.46/drivers/mtd/devices/doc2000.c 2011-03-27 14:31:47.000000000 -0400
33338 +++ linux-2.6.32.46/drivers/mtd/devices/doc2000.c 2011-04-17 15:56:46.000000000 -0400
33339 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
33340
33341 /* The ECC will not be calculated correctly if less than 512 is written */
33342 /* DBB-
33343 - if (len != 0x200 && eccbuf)
33344 + if (len != 0x200)
33345 printk(KERN_WARNING
33346 "ECC needs a full sector write (adr: %lx size %lx)\n",
33347 (long) to, (long) len);
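Review bot: The changed condition follows a `/* DBB-` line that opens a comment with no terminator visible in the hunk. `if (len != 0x200)` and the `printk` below it therefore look like commented-out code, and the edit probably has no effect on the built driver. If the warning is meant to fire, the comment markers have to go; if the block is dead, removing it would be clearer than editing it. The end of that comment and the rest of `doc_write` are outside the hunk, so this needs checking against the full file.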
33348 diff -urNp linux-2.6.32.46/drivers/mtd/devices/doc2001.c linux-2.6.32.46/drivers/mtd/devices/doc2001.c
33349 --- linux-2.6.32.46/drivers/mtd/devices/doc2001.c 2011-03-27 14:31:47.000000000 -0400
33350 +++ linux-2.6.32.46/drivers/mtd/devices/doc2001.c 2011-04-17 15:56:46.000000000 -0400
33351 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
33352 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
33353
33354 /* Don't allow read past end of device */
33355 - if (from >= this->totlen)
33356 + if (from >= this->totlen || !len)
33357 return -EINVAL;
33358
33359 /* Don't allow a single read to cross a 512-byte block boundary */
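Review bot: The comment above the check still reads "Don't allow read past end of device", but the condition now also rejects a zero-length request with `-EINVAL`. I would update it to `/* Don't allow read past end of device, and reject zero-length reads */`, with a few words on why a zero length is unsafe further down in `doc_read`, since the hunk does not show the code that depends on it. Returning an error for `len == 0` also changes what callers see compared with a successful empty read. It is worth confirming that no caller relies on the old behaviour; the rest of the function is outside the hunk.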
33360 diff -urNp linux-2.6.32.46/drivers/mtd/ftl.c linux-2.6.32.46/drivers/mtd/ftl.c
33361 --- linux-2.6.32.46/drivers/mtd/ftl.c 2011-03-27 14:31:47.000000000 -0400
33362 +++ linux-2.6.32.46/drivers/mtd/ftl.c 2011-05-16 21:46:57.000000000 -0400
33363 @@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
33364 loff_t offset;
33365 uint16_t srcunitswap = cpu_to_le16(srcunit);
33366
33367 + pax_track_stack();
33368 +
33369 eun = &part->EUNInfo[srcunit];
33370 xfer = &part->XferInfo[xferunit];
33371 DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
33372 diff -urNp linux-2.6.32.46/drivers/mtd/inftlcore.c linux-2.6.32.46/drivers/mtd/inftlcore.c
33373 --- linux-2.6.32.46/drivers/mtd/inftlcore.c 2011-03-27 14:31:47.000000000 -0400
33374 +++ linux-2.6.32.46/drivers/mtd/inftlcore.c 2011-05-16 21:46:57.000000000 -0400
33375 @@ -260,6 +260,8 @@ static u16 INFTL_foldchain(struct INFTLr
33376 struct inftl_oob oob;
33377 size_t retlen;
33378
33379 + pax_track_stack();
33380 +
33381 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
33382 "pending=%d)\n", inftl, thisVUC, pendingblock);
33383
33384 diff -urNp linux-2.6.32.46/drivers/mtd/inftlmount.c linux-2.6.32.46/drivers/mtd/inftlmount.c
33385 --- linux-2.6.32.46/drivers/mtd/inftlmount.c 2011-03-27 14:31:47.000000000 -0400
33386 +++ linux-2.6.32.46/drivers/mtd/inftlmount.c 2011-05-16 21:46:57.000000000 -0400
33387 @@ -54,6 +54,8 @@ static int find_boot_record(struct INFTL
33388 struct INFTLPartition *ip;
33389 size_t retlen;
33390
33391 + pax_track_stack();
33392 +
33393 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
33394
33395 /*
33396 diff -urNp linux-2.6.32.46/drivers/mtd/lpddr/qinfo_probe.c linux-2.6.32.46/drivers/mtd/lpddr/qinfo_probe.c
33397 --- linux-2.6.32.46/drivers/mtd/lpddr/qinfo_probe.c 2011-03-27 14:31:47.000000000 -0400
33398 +++ linux-2.6.32.46/drivers/mtd/lpddr/qinfo_probe.c 2011-05-16 21:46:57.000000000 -0400
33399 @@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
33400 {
33401 map_word pfow_val[4];
33402
33403 + pax_track_stack();
33404 +
33405 /* Check identification string */
33406 pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
33407 pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
33408 diff -urNp linux-2.6.32.46/drivers/mtd/mtdchar.c linux-2.6.32.46/drivers/mtd/mtdchar.c
33409 --- linux-2.6.32.46/drivers/mtd/mtdchar.c 2011-03-27 14:31:47.000000000 -0400
33410 +++ linux-2.6.32.46/drivers/mtd/mtdchar.c 2011-05-16 21:46:57.000000000 -0400
33411 @@ -460,6 +460,8 @@ static int mtd_ioctl(struct inode *inode
33412 u_long size;
33413 struct mtd_info_user info;
33414
33415 + pax_track_stack();
33416 +
33417 DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
33418
33419 size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
33420 diff -urNp linux-2.6.32.46/drivers/mtd/nftlcore.c linux-2.6.32.46/drivers/mtd/nftlcore.c
33421 --- linux-2.6.32.46/drivers/mtd/nftlcore.c 2011-03-27 14:31:47.000000000 -0400
33422 +++ linux-2.6.32.46/drivers/mtd/nftlcore.c 2011-05-16 21:46:57.000000000 -0400
33423 @@ -254,6 +254,8 @@ static u16 NFTL_foldchain (struct NFTLre
33424 int inplace = 1;
33425 size_t retlen;
33426
33427 + pax_track_stack();
33428 +
33429 memset(BlockMap, 0xff, sizeof(BlockMap));
33430 memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
33431
33432 diff -urNp linux-2.6.32.46/drivers/mtd/nftlmount.c linux-2.6.32.46/drivers/mtd/nftlmount.c
33433 --- linux-2.6.32.46/drivers/mtd/nftlmount.c 2011-03-27 14:31:47.000000000 -0400
33434 +++ linux-2.6.32.46/drivers/mtd/nftlmount.c 2011-05-18 20:09:37.000000000 -0400
33435 @@ -23,6 +23,7 @@
33436 #include <asm/errno.h>
33437 #include <linux/delay.h>
33438 #include <linux/slab.h>
33439 +#include <linux/sched.h>
33440 #include <linux/mtd/mtd.h>
33441 #include <linux/mtd/nand.h>
33442 #include <linux/mtd/nftl.h>
33443 @@ -44,6 +45,8 @@ static int find_boot_record(struct NFTLr
33444 struct mtd_info *mtd = nftl->mbd.mtd;
33445 unsigned int i;
33446
33447 + pax_track_stack();
33448 +
33449 /* Assume logical EraseSize == physical erasesize for starting the scan.
33450 We'll sort it out later if we find a MediaHeader which says otherwise */
33451 /* Actually, we won't. The new DiskOnChip driver has already scanned
33452 diff -urNp linux-2.6.32.46/drivers/mtd/ubi/build.c linux-2.6.32.46/drivers/mtd/ubi/build.c
33453 --- linux-2.6.32.46/drivers/mtd/ubi/build.c 2011-03-27 14:31:47.000000000 -0400
33454 +++ linux-2.6.32.46/drivers/mtd/ubi/build.c 2011-04-17 15:56:46.000000000 -0400
33455 @@ -1255,7 +1255,7 @@ module_exit(ubi_exit);
33456 static int __init bytes_str_to_int(const char *str)
33457 {
33458 char *endp;
33459 - unsigned long result;
33460 + unsigned long result, scale = 1;
33461
33462 result = simple_strtoul(str, &endp, 0);
33463 if (str == endp || result >= INT_MAX) {
33464 @@ -1266,11 +1266,11 @@ static int __init bytes_str_to_int(const
33465
33466 switch (*endp) {
33467 case 'G':
33468 - result *= 1024;
33469 + scale *= 1024;
33470 case 'M':
33471 - result *= 1024;
33472 + scale *= 1024;
33473 case 'K':
33474 - result *= 1024;
33475 + scale *= 1024;
33476 if (endp[1] == 'i' && endp[2] == 'B')
33477 endp += 2;
33478 case '\0':
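Review bot: The `'G'`, `'M'` and `'K'` cases in `bytes_str_to_int` depend on falling through so that `scale` is multiplied three, two or one times, and none of the fall-throughs is marked. Now that the arithmetic has moved to `scale`, I would add `/* fall through */` after each `scale *= 1024;` so the accumulation reads as intended and is not mistaken for a missing `break`. The switch begins and ends outside this hunk.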
33479 @@ -1281,7 +1281,13 @@ static int __init bytes_str_to_int(const
33480 return -EINVAL;
33481 }
33482
33483 - return result;
33484 + if ((intoverflow_t)result*scale >= INT_MAX) {
33485 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
33486 + str);
33487 + return -EINVAL;
33488 + }
33489 +
33490 + return result*scale;
33491 }
33492
33493 /**
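Review bot: The product at the end of `bytes_str_to_int` is computed twice, once widened to `intoverflow_t` for the range check and once in plain `unsigned long` for `return result*scale;`. The returned value is therefore correct only because the check above has already rejected everything at or above `INT_MAX`. I would compute it once into a local declared with the others, `bytes = (intoverflow_t)result * scale;`, test `if (bytes >= INT_MAX)`, and `return bytes;`, so the check and the result cannot drift apart. `intoverflow_t` is not defined on this part of the page; the check assumes it is wider than `unsigned long` on every configuration, which should be confirmed where it is declared. The function starts outside this hunk.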
33494 diff -urNp linux-2.6.32.46/drivers/net/bnx2.c linux-2.6.32.46/drivers/net/bnx2.c
33495 --- linux-2.6.32.46/drivers/net/bnx2.c 2011-03-27 14:31:47.000000000 -0400
33496 +++ linux-2.6.32.46/drivers/net/bnx2.c 2011-05-16 21:46:57.000000000 -0400
33497 @@ -5809,6 +5809,8 @@ bnx2_test_nvram(struct bnx2 *bp)
33498 int rc = 0;
33499 u32 magic, csum;
33500
33501 + pax_track_stack();
33502 +
33503 if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
33504 goto test_nvram_done;
33505
33506 diff -urNp linux-2.6.32.46/drivers/net/cxgb3/l2t.h linux-2.6.32.46/drivers/net/cxgb3/l2t.h
33507 --- linux-2.6.32.46/drivers/net/cxgb3/l2t.h 2011-03-27 14:31:47.000000000 -0400
33508 +++ linux-2.6.32.46/drivers/net/cxgb3/l2t.h 2011-08-05 20:33:55.000000000 -0400
33509 @@ -86,7 +86,7 @@ typedef void (*arp_failure_handler_func)
33510 */
33511 struct l2t_skb_cb {
33512 arp_failure_handler_func arp_failure_handler;
33513 -};
33514 +} __no_const;
33515
33516 #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
33517
33518 diff -urNp linux-2.6.32.46/drivers/net/cxgb3/t3_hw.c linux-2.6.32.46/drivers/net/cxgb3/t3_hw.c
33519 --- linux-2.6.32.46/drivers/net/cxgb3/t3_hw.c 2011-03-27 14:31:47.000000000 -0400
33520 +++ linux-2.6.32.46/drivers/net/cxgb3/t3_hw.c 2011-05-16 21:46:57.000000000 -0400
33521 @@ -699,6 +699,8 @@ static int get_vpd_params(struct adapter
33522 int i, addr, ret;
33523 struct t3_vpd vpd;
33524
33525 + pax_track_stack();
33526 +
33527 /*
33528 * Card information is normally at VPD_BASE but some early cards had
33529 * it at 0.
33530 diff -urNp linux-2.6.32.46/drivers/net/e1000e/82571.c linux-2.6.32.46/drivers/net/e1000e/82571.c
33531 --- linux-2.6.32.46/drivers/net/e1000e/82571.c 2011-03-27 14:31:47.000000000 -0400
33532 +++ linux-2.6.32.46/drivers/net/e1000e/82571.c 2011-08-23 21:22:32.000000000 -0400
33533 @@ -212,7 +212,7 @@ static s32 e1000_init_mac_params_82571(s
33534 {
33535 struct e1000_hw *hw = &adapter->hw;
33536 struct e1000_mac_info *mac = &hw->mac;
33537 - struct e1000_mac_operations *func = &mac->ops;
33538 + e1000_mac_operations_no_const *func = &mac->ops;
33539 u32 swsm = 0;
33540 u32 swsm2 = 0;
33541 bool force_clear_smbi = false;
33542 @@ -1656,7 +1656,7 @@ static void e1000_clear_hw_cntrs_82571(s
33543 temp = er32(ICRXDMTC);
33544 }
33545
33546 -static struct e1000_mac_operations e82571_mac_ops = {
33547 +static const struct e1000_mac_operations e82571_mac_ops = {
33548 /* .check_mng_mode: mac type dependent */
33549 /* .check_for_link: media type dependent */
33550 .id_led_init = e1000e_id_led_init,
33551 @@ -1674,7 +1674,7 @@ static struct e1000_mac_operations e8257
33552 .setup_led = e1000e_setup_led_generic,
33553 };
33554
33555 -static struct e1000_phy_operations e82_phy_ops_igp = {
33556 +static const struct e1000_phy_operations e82_phy_ops_igp = {
33557 .acquire_phy = e1000_get_hw_semaphore_82571,
33558 .check_reset_block = e1000e_check_reset_block_generic,
33559 .commit_phy = NULL,
33560 @@ -1691,7 +1691,7 @@ static struct e1000_phy_operations e82_p
33561 .cfg_on_link_up = NULL,
33562 };
33563
33564 -static struct e1000_phy_operations e82_phy_ops_m88 = {
33565 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
33566 .acquire_phy = e1000_get_hw_semaphore_82571,
33567 .check_reset_block = e1000e_check_reset_block_generic,
33568 .commit_phy = e1000e_phy_sw_reset,
33569 @@ -1708,7 +1708,7 @@ static struct e1000_phy_operations e82_p
33570 .cfg_on_link_up = NULL,
33571 };
33572
33573 -static struct e1000_phy_operations e82_phy_ops_bm = {
33574 +static const struct e1000_phy_operations e82_phy_ops_bm = {
33575 .acquire_phy = e1000_get_hw_semaphore_82571,
33576 .check_reset_block = e1000e_check_reset_block_generic,
33577 .commit_phy = e1000e_phy_sw_reset,
33578 @@ -1725,7 +1725,7 @@ static struct e1000_phy_operations e82_p
33579 .cfg_on_link_up = NULL,
33580 };
33581
33582 -static struct e1000_nvm_operations e82571_nvm_ops = {
33583 +static const struct e1000_nvm_operations e82571_nvm_ops = {
33584 .acquire_nvm = e1000_acquire_nvm_82571,
33585 .read_nvm = e1000e_read_nvm_eerd,
33586 .release_nvm = e1000_release_nvm_82571,
33587 diff -urNp linux-2.6.32.46/drivers/net/e1000e/e1000.h linux-2.6.32.46/drivers/net/e1000e/e1000.h
33588 --- linux-2.6.32.46/drivers/net/e1000e/e1000.h 2011-03-27 14:31:47.000000000 -0400
33589 +++ linux-2.6.32.46/drivers/net/e1000e/e1000.h 2011-04-17 15:56:46.000000000 -0400
33590 @@ -375,9 +375,9 @@ struct e1000_info {
33591 u32 pba;
33592 u32 max_hw_frame_size;
33593 s32 (*get_variants)(struct e1000_adapter *);
33594 - struct e1000_mac_operations *mac_ops;
33595 - struct e1000_phy_operations *phy_ops;
33596 - struct e1000_nvm_operations *nvm_ops;
33597 + const struct e1000_mac_operations *mac_ops;
33598 + const struct e1000_phy_operations *phy_ops;
33599 + const struct e1000_nvm_operations *nvm_ops;
33600 };
33601
33602 /* hardware capability, feature, and workaround flags */
33603 diff -urNp linux-2.6.32.46/drivers/net/e1000e/es2lan.c linux-2.6.32.46/drivers/net/e1000e/es2lan.c
33604 --- linux-2.6.32.46/drivers/net/e1000e/es2lan.c 2011-03-27 14:31:47.000000000 -0400
33605 +++ linux-2.6.32.46/drivers/net/e1000e/es2lan.c 2011-08-23 21:22:32.000000000 -0400
33606 @@ -207,7 +207,7 @@ static s32 e1000_init_mac_params_80003es
33607 {
33608 struct e1000_hw *hw = &adapter->hw;
33609 struct e1000_mac_info *mac = &hw->mac;
33610 - struct e1000_mac_operations *func = &mac->ops;
33611 + e1000_mac_operations_no_const *func = &mac->ops;
33612
33613 /* Set media type */
33614 switch (adapter->pdev->device) {
33615 @@ -1365,7 +1365,7 @@ static void e1000_clear_hw_cntrs_80003es
33616 temp = er32(ICRXDMTC);
33617 }
33618
33619 -static struct e1000_mac_operations es2_mac_ops = {
33620 +static const struct e1000_mac_operations es2_mac_ops = {
33621 .id_led_init = e1000e_id_led_init,
33622 .check_mng_mode = e1000e_check_mng_mode_generic,
33623 /* check_for_link dependent on media type */
33624 @@ -1383,7 +1383,7 @@ static struct e1000_mac_operations es2_m
33625 .setup_led = e1000e_setup_led_generic,
33626 };
33627
33628 -static struct e1000_phy_operations es2_phy_ops = {
33629 +static const struct e1000_phy_operations es2_phy_ops = {
33630 .acquire_phy = e1000_acquire_phy_80003es2lan,
33631 .check_reset_block = e1000e_check_reset_block_generic,
33632 .commit_phy = e1000e_phy_sw_reset,
33633 @@ -1400,7 +1400,7 @@ static struct e1000_phy_operations es2_p
33634 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
33635 };
33636
33637 -static struct e1000_nvm_operations es2_nvm_ops = {
33638 +static const struct e1000_nvm_operations es2_nvm_ops = {
33639 .acquire_nvm = e1000_acquire_nvm_80003es2lan,
33640 .read_nvm = e1000e_read_nvm_eerd,
33641 .release_nvm = e1000_release_nvm_80003es2lan,
33642 diff -urNp linux-2.6.32.46/drivers/net/e1000e/hw.h linux-2.6.32.46/drivers/net/e1000e/hw.h
33643 --- linux-2.6.32.46/drivers/net/e1000e/hw.h 2011-03-27 14:31:47.000000000 -0400
33644 +++ linux-2.6.32.46/drivers/net/e1000e/hw.h 2011-08-23 21:27:38.000000000 -0400
33645 @@ -753,6 +753,7 @@ struct e1000_mac_operations {
33646 s32 (*setup_physical_interface)(struct e1000_hw *);
33647 s32 (*setup_led)(struct e1000_hw *);
33648 };
33649 +typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
33650
33651 /* Function pointers for the PHY. */
33652 struct e1000_phy_operations {
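Review bot: The new `e1000_mac_operations_no_const` typedef has no comment explaining why a writable variant of the ops struct is needed alongside the `const` tables this patch introduces. From the other hunks, the static tables such as `e82571_mac_ops` become `const`, while the copy embedded in `struct e1000_mac_info` is still filled in at run time through `func = &mac->ops`, which is presumably why it has to stay writable. I would say so above the typedef: `/* writable variant for the per-adapter copy in e1000_mac_info, which is filled in at init time; static tables stay const */`. The same comment belongs on the phy and nvm typedefs in the following hunks and on the matching typedefs in igb/e1000_hw.h.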
33653 @@ -774,6 +775,7 @@ struct e1000_phy_operations {
33654 s32 (*write_phy_reg_locked)(struct e1000_hw *, u32, u16);
33655 s32 (*cfg_on_link_up)(struct e1000_hw *);
33656 };
33657 +typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
33658
33659 /* Function pointers for the NVM. */
33660 struct e1000_nvm_operations {
33661 @@ -785,9 +787,10 @@ struct e1000_nvm_operations {
33662 s32 (*validate_nvm)(struct e1000_hw *);
33663 s32 (*write_nvm)(struct e1000_hw *, u16, u16, u16 *);
33664 };
33665 +typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
33666
33667 struct e1000_mac_info {
33668 - struct e1000_mac_operations ops;
33669 + e1000_mac_operations_no_const ops;
33670
33671 u8 addr[6];
33672 u8 perm_addr[6];
33673 @@ -823,7 +826,7 @@ struct e1000_mac_info {
33674 };
33675
33676 struct e1000_phy_info {
33677 - struct e1000_phy_operations ops;
33678 + e1000_phy_operations_no_const ops;
33679
33680 enum e1000_phy_type type;
33681
33682 @@ -857,7 +860,7 @@ struct e1000_phy_info {
33683 };
33684
33685 struct e1000_nvm_info {
33686 - struct e1000_nvm_operations ops;
33687 + e1000_nvm_operations_no_const ops;
33688
33689 enum e1000_nvm_type type;
33690 enum e1000_nvm_override override;
33691 diff -urNp linux-2.6.32.46/drivers/net/e1000e/ich8lan.c linux-2.6.32.46/drivers/net/e1000e/ich8lan.c
33692 --- linux-2.6.32.46/drivers/net/e1000e/ich8lan.c 2011-05-10 22:12:01.000000000 -0400
33693 +++ linux-2.6.32.46/drivers/net/e1000e/ich8lan.c 2011-08-23 21:22:32.000000000 -0400
33694 @@ -3463,7 +3463,7 @@ static void e1000_clear_hw_cntrs_ich8lan
33695 }
33696 }
33697
33698 -static struct e1000_mac_operations ich8_mac_ops = {
33699 +static const struct e1000_mac_operations ich8_mac_ops = {
33700 .id_led_init = e1000e_id_led_init,
33701 .check_mng_mode = e1000_check_mng_mode_ich8lan,
33702 .check_for_link = e1000_check_for_copper_link_ich8lan,
33703 @@ -3481,7 +3481,7 @@ static struct e1000_mac_operations ich8_
33704 /* id_led_init dependent on mac type */
33705 };
33706
33707 -static struct e1000_phy_operations ich8_phy_ops = {
33708 +static const struct e1000_phy_operations ich8_phy_ops = {
33709 .acquire_phy = e1000_acquire_swflag_ich8lan,
33710 .check_reset_block = e1000_check_reset_block_ich8lan,
33711 .commit_phy = NULL,
33712 @@ -3497,7 +3497,7 @@ static struct e1000_phy_operations ich8_
33713 .write_phy_reg = e1000e_write_phy_reg_igp,
33714 };
33715
33716 -static struct e1000_nvm_operations ich8_nvm_ops = {
33717 +static const struct e1000_nvm_operations ich8_nvm_ops = {
33718 .acquire_nvm = e1000_acquire_nvm_ich8lan,
33719 .read_nvm = e1000_read_nvm_ich8lan,
33720 .release_nvm = e1000_release_nvm_ich8lan,
33721 diff -urNp linux-2.6.32.46/drivers/net/hamradio/6pack.c linux-2.6.32.46/drivers/net/hamradio/6pack.c
33722 --- linux-2.6.32.46/drivers/net/hamradio/6pack.c 2011-07-13 17:23:04.000000000 -0400
33723 +++ linux-2.6.32.46/drivers/net/hamradio/6pack.c 2011-07-13 17:23:18.000000000 -0400
33724 @@ -461,6 +461,8 @@ static void sixpack_receive_buf(struct t
33725 unsigned char buf[512];
33726 int count1;
33727
33728 + pax_track_stack();
33729 +
33730 if (!count)
33731 return;
33732
33733 diff -urNp linux-2.6.32.46/drivers/net/ibmveth.c linux-2.6.32.46/drivers/net/ibmveth.c
33734 --- linux-2.6.32.46/drivers/net/ibmveth.c 2011-03-27 14:31:47.000000000 -0400
33735 +++ linux-2.6.32.46/drivers/net/ibmveth.c 2011-04-17 15:56:46.000000000 -0400
33736 @@ -1577,7 +1577,7 @@ static struct attribute * veth_pool_attr
33737 NULL,
33738 };
33739
33740 -static struct sysfs_ops veth_pool_ops = {
33741 +static const struct sysfs_ops veth_pool_ops = {
33742 .show = veth_pool_show,
33743 .store = veth_pool_store,
33744 };
33745 diff -urNp linux-2.6.32.46/drivers/net/igb/e1000_82575.c linux-2.6.32.46/drivers/net/igb/e1000_82575.c
33746 --- linux-2.6.32.46/drivers/net/igb/e1000_82575.c 2011-08-29 22:24:44.000000000 -0400
33747 +++ linux-2.6.32.46/drivers/net/igb/e1000_82575.c 2011-08-29 22:25:07.000000000 -0400
33748 @@ -1411,7 +1411,7 @@ void igb_vmdq_set_replication_pf(struct
33749 wr32(E1000_VT_CTL, vt_ctl);
33750 }
33751
33752 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
33753 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
33754 .reset_hw = igb_reset_hw_82575,
33755 .init_hw = igb_init_hw_82575,
33756 .check_for_link = igb_check_for_link_82575,
33757 @@ -1420,13 +1420,13 @@ static struct e1000_mac_operations e1000
33758 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
33759 };
33760
33761 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
33762 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
33763 .acquire = igb_acquire_phy_82575,
33764 .get_cfg_done = igb_get_cfg_done_82575,
33765 .release = igb_release_phy_82575,
33766 };
33767
33768 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
33769 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
33770 .acquire = igb_acquire_nvm_82575,
33771 .read = igb_read_nvm_eerd,
33772 .release = igb_release_nvm_82575,
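--- a/drivers/net/igb/e1000_hw.h
+++ b/drivers/net/igb/e1000_hw.h
@@ -288,6 +288,7 @@ struct e1000_mac_operations {
 s32 (*read_mac_addr)(struct e1000_hw *);
 s32 (*get_speed_and_duplex)(struct e1000_hw *, u16 *, u16 *);
 };
+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
 
 struct e1000_phy_operations {
 s32 (*acquire)(struct e1000_hw *);
@@ -303,6 +304,7 @@ struct e1000_phy_operations {
 s32 (*set_d3_lplu_state)(struct e1000_hw *, bool);
 s32 (*write_reg)(struct e1000_hw *, u32, u16);
 };
+typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
 
 struct e1000_nvm_operations {
 s32 (*acquire)(struct e1000_hw *);
@@ -310,6 +312,7 @@ struct e1000_nvm_operations {
 void (*release)(struct e1000_hw *);
 s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
 };
+typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
 
 struct e1000_info {
 s32 (*get_invariants)(struct e1000_hw *);
@@ -321,7 +324,7 @@ struct e1000_info {
 extern const struct e1000_info e1000_82575_info;
 
 struct e1000_mac_info {
- struct e1000_mac_operations ops;
+ e1000_mac_operations_no_const ops;
 
 u8 addr[6];
 u8 perm_addr[6];
@@ -365,7 +368,7 @@ struct e1000_mac_info {
 };
 
 struct e1000_phy_info {
- struct e1000_phy_operations ops;
+ e1000_phy_operations_no_const ops;
 
 enum e1000_phy_type type;
 
@@ -400,7 +403,7 @@ struct e1000_phy_info {
 };
 
 struct e1000_nvm_info {
- struct e1000_nvm_operations ops;
+ e1000_nvm_operations_no_const ops;
 
 enum e1000_nvm_type type;
 enum e1000_nvm_override override;
@@ -446,6 +449,7 @@ struct e1000_mbx_operations {
 s32 (*check_for_ack)(struct e1000_hw *, u16);
 s32 (*check_for_rst)(struct e1000_hw *, u16);
 };
+typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
 
 struct e1000_mbx_stats {
 u32 msgs_tx;
@@ -457,7 +461,7 @@ struct e1000_mbx_stats {
 };
 
 struct e1000_mbx_info {
- struct e1000_mbx_operations ops;
+ e1000_mbx_operations_no_const ops;
 struct e1000_mbx_stats stats;
 u32 timeout;
 u32 usec_delay;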
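Review bot: The four `__no_const` typedefs added in this header (`e1000_mac_operations_no_const` and the phy, nvm and mbx equivalents) carry no comment saying why the embedded `ops` members of `e1000_mac_info`, `e1000_phy_info`, `e1000_nvm_info` and `e1000_mbx_info` have to stay writable. Presumably the driver copies a per-chip template into each adapter and fills in entries at init, but that code is outside these hunks, so a one-line comment such as `/* per-adapter copy, filled in at probe time; cannot be const */` above each typedef would record the reason once it is confirmed. The comment should also make clear that the function pointers actually called through the embedded `ops` members remain in writable memory, so the `const` added to the template tables in e1000_82575.c does not cover them. The same applies to the typedefs added in igbvf/vf.h and ixgbe/ixgbe_type.h.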
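--- a/drivers/net/igbvf/vf.h
+++ b/drivers/net/igbvf/vf.h
@@ -187,9 +187,10 @@ struct e1000_mac_operations {
 s32 (*read_mac_addr)(struct e1000_hw *);
 s32 (*set_vfta)(struct e1000_hw *, u16, bool);
 };
+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
 
 struct e1000_mac_info {
- struct e1000_mac_operations ops;
+ e1000_mac_operations_no_const ops;
 u8 addr[6];
 u8 perm_addr[6];
 
@@ -211,6 +212,7 @@ struct e1000_mbx_operations {
 s32 (*check_for_ack)(struct e1000_hw *);
 s32 (*check_for_rst)(struct e1000_hw *);
 };
+typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
 
 struct e1000_mbx_stats {
 u32 msgs_tx;
@@ -222,7 +224,7 @@ struct e1000_mbx_stats {
 };
 
 struct e1000_mbx_info {
- struct e1000_mbx_operations ops;
+ e1000_mbx_operations_no_const ops;
 struct e1000_mbx_stats stats;
 u32 timeout;
 u32 usec_delay;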
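--- a/drivers/net/iseries_veth.c
+++ b/drivers/net/iseries_veth.c
@@ -384,7 +384,7 @@ static struct attribute *veth_cnx_defaul
 NULL
 };
 
-static struct sysfs_ops veth_cnx_sysfs_ops = {
+static const struct sysfs_ops veth_cnx_sysfs_ops = {
 .show = veth_cnx_attribute_show
 };
 
@@ -441,7 +441,7 @@ static struct attribute *veth_port_defau
 NULL
 };
 
-static struct sysfs_ops veth_port_sysfs_ops = {
+static const struct sysfs_ops veth_port_sysfs_ops = {
 .show = veth_port_attribute_show
 };
 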
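--- a/drivers/net/ixgb/ixgb_main.c
+++ b/drivers/net/ixgb/ixgb_main.c
@@ -1052,6 +1052,8 @@ ixgb_set_multi(struct net_device *netdev
 u32 rctl;
 int i;
 
+ pax_track_stack();
+
 /* Check for Promiscuous and All Multicast modes */
 
 rctl = IXGB_READ_REG(hw, RCTL);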
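Review bot: The `pax_track_stack();` call added at the top of ixgb_set_multi has no comment saying why this function was singled out; whatever large local motivates it is declared above the hunk and is not visible here. If the helper is, as it appears, the PaX stack-depth tracker, a short comment such as `/* large stack frame: record depth for kernel stack clearing */` would tell a maintainer when the call can be dropped or must be added elsewhere. The same undocumented call is added in ixgb_check_options (ixgb_param.c), mlx4_init_hca (mlx4/main.c) and niu_try_msix (niu.c). In mlx4/main.c the new `#include <linux/sched.h>` seems to exist only to declare the helper, which is worth a comment on the include line as well.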
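--- a/drivers/net/ixgb/ixgb_param.c
+++ b/drivers/net/ixgb/ixgb_param.c
@@ -260,6 +260,9 @@ void __devinit
 ixgb_check_options(struct ixgb_adapter *adapter)
 {
 int bd = adapter->bd_number;
+
+ pax_track_stack();
+
 if (bd >= IXGB_MAX_NIC) {
 printk(KERN_NOTICE
 "Warning: no configuration for board #%i\n", bd);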
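--- a/drivers/net/ixgbe/ixgbe_type.h
+++ b/drivers/net/ixgbe/ixgbe_type.h
@@ -2327,6 +2327,7 @@ struct ixgbe_eeprom_operations {
 s32 (*validate_checksum)(struct ixgbe_hw *, u16 *);
 s32 (*update_checksum)(struct ixgbe_hw *);
 };
+typedef struct ixgbe_eeprom_operations __no_const ixgbe_eeprom_operations_no_const;
 
 struct ixgbe_mac_operations {
 s32 (*init_hw)(struct ixgbe_hw *);
@@ -2376,6 +2377,7 @@ struct ixgbe_mac_operations {
 /* Flow Control */
 s32 (*fc_enable)(struct ixgbe_hw *, s32);
 };
+typedef struct ixgbe_mac_operations __no_const ixgbe_mac_operations_no_const;
 
 struct ixgbe_phy_operations {
 s32 (*identify)(struct ixgbe_hw *);
@@ -2394,9 +2396,10 @@ struct ixgbe_phy_operations {
 s32 (*read_i2c_eeprom)(struct ixgbe_hw *, u8 , u8 *);
 s32 (*write_i2c_eeprom)(struct ixgbe_hw *, u8, u8);
 };
+typedef struct ixgbe_phy_operations __no_const ixgbe_phy_operations_no_const;
 
 struct ixgbe_eeprom_info {
- struct ixgbe_eeprom_operations ops;
+ ixgbe_eeprom_operations_no_const ops;
 enum ixgbe_eeprom_type type;
 u32 semaphore_delay;
 u16 word_size;
@@ -2404,7 +2407,7 @@ struct ixgbe_eeprom_info {
 };
 
 struct ixgbe_mac_info {
- struct ixgbe_mac_operations ops;
+ ixgbe_mac_operations_no_const ops;
 enum ixgbe_mac_type type;
 u8 addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
 u8 perm_addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
@@ -2423,7 +2426,7 @@ struct ixgbe_mac_info {
 };
 
 struct ixgbe_phy_info {
- struct ixgbe_phy_operations ops;
+ ixgbe_phy_operations_no_const ops;
 struct mdio_if_info mdio;
 enum ixgbe_phy_type type;
 u32 id;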
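--- a/drivers/net/mlx4/main.c
+++ b/drivers/net/mlx4/main.c
@@ -38,6 +38,7 @@
 #include <linux/errno.h>
 #include <linux/pci.h>
 #include <linux/dma-mapping.h>
+#include <linux/sched.h>
 
 #include <linux/mlx4/device.h>
 #include <linux/mlx4/doorbell.h>
@@ -730,6 +731,8 @@ static int mlx4_init_hca(struct mlx4_dev
 u64 icm_size;
 int err;
 
+ pax_track_stack();
+
 err = mlx4_QUERY_FW(dev);
 if (err) {
 if (err == -EACCES)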
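--- a/drivers/net/niu.c
+++ b/drivers/net/niu.c
@@ -9128,6 +9128,8 @@ static void __devinit niu_try_msix(struc
 int i, num_irqs, err;
 u8 first_ldg;
 
+ pax_track_stack();
+
 first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
 for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
 ldg_num_map[i] = first_ldg + i;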
34003 diff -urNp linux-2.6.32.46/drivers/net/pcnet32.c linux-2.6.32.46/drivers/net/pcnet32.c
34004 --- linux-2.6.32.46/drivers/net/pcnet32.c 2011-03-27 14:31:47.000000000 -0400
34005 +++ linux-2.6.32.46/drivers/net/pcnet32.c 2011-08-05 20:33:55.000000000 -0400
34006 @@ -79,7 +79,7 @@ static int cards_found;
34007 /*
34008 * VLB I/O addresses
34009 */
34010 -static unsigned int pcnet32_portlist[] __initdata =
34011 +static unsigned int pcnet32_portlist[] __devinitdata =
34012 { 0x300, 0x320, 0x340, 0x360, 0 };
34013
34014 static int pcnet32_debug = 0;
34015 @@ -267,7 +267,7 @@ struct pcnet32_private {
34016 struct sk_buff **rx_skbuff;
34017 dma_addr_t *tx_dma_addr;
34018 dma_addr_t *rx_dma_addr;
34019 - struct pcnet32_access a;
34020 + struct pcnet32_access *a;
34021 spinlock_t lock; /* Guard lock */
34022 unsigned int cur_rx, cur_tx; /* The next free ring entry */
34023 unsigned int rx_ring_size; /* current rx ring size */
34024 @@ -457,9 +457,9 @@ static void pcnet32_netif_start(struct n
34025 u16 val;
34026
34027 netif_wake_queue(dev);
34028 - val = lp->a.read_csr(ioaddr, CSR3);
34029 + val = lp->a->read_csr(ioaddr, CSR3);
34030 val &= 0x00ff;
34031 - lp->a.write_csr(ioaddr, CSR3, val);
34032 + lp->a->write_csr(ioaddr, CSR3, val);
34033 napi_enable(&lp->napi);
34034 }
34035
34036 @@ -744,7 +744,7 @@ static u32 pcnet32_get_link(struct net_d
34037 r = mii_link_ok(&lp->mii_if);
34038 } else if (lp->chip_version >= PCNET32_79C970A) {
34039 ulong ioaddr = dev->base_addr; /* card base I/O address */
34040 - r = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
34041 + r = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
34042 } else { /* can not detect link on really old chips */
34043 r = 1;
34044 }
34045 @@ -806,7 +806,7 @@ static int pcnet32_set_ringparam(struct
34046 pcnet32_netif_stop(dev);
34047
34048 spin_lock_irqsave(&lp->lock, flags);
34049 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
34050 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
34051
34052 size = min(ering->tx_pending, (unsigned int)TX_MAX_RING_SIZE);
34053
34054 @@ -886,7 +886,7 @@ static void pcnet32_ethtool_test(struct
34055 static int pcnet32_loopback_test(struct net_device *dev, uint64_t * data1)
34056 {
34057 struct pcnet32_private *lp = netdev_priv(dev);
34058 - struct pcnet32_access *a = &lp->a; /* access to registers */
34059 + struct pcnet32_access *a = lp->a; /* access to registers */
34060 ulong ioaddr = dev->base_addr; /* card base I/O address */
34061 struct sk_buff *skb; /* sk buff */
34062 int x, i; /* counters */
34063 @@ -906,21 +906,21 @@ static int pcnet32_loopback_test(struct
34064 pcnet32_netif_stop(dev);
34065
34066 spin_lock_irqsave(&lp->lock, flags);
34067 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
34068 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
34069
34070 numbuffs = min(numbuffs, (int)min(lp->rx_ring_size, lp->tx_ring_size));
34071
34072 /* Reset the PCNET32 */
34073 - lp->a.reset(ioaddr);
34074 - lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34075 + lp->a->reset(ioaddr);
34076 + lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34077
34078 /* switch pcnet32 to 32bit mode */
34079 - lp->a.write_bcr(ioaddr, 20, 2);
34080 + lp->a->write_bcr(ioaddr, 20, 2);
34081
34082 /* purge & init rings but don't actually restart */
34083 pcnet32_restart(dev, 0x0000);
34084
34085 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
34086 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
34087
34088 /* Initialize Transmit buffers. */
34089 size = data_len + 15;
34090 @@ -966,10 +966,10 @@ static int pcnet32_loopback_test(struct
34091
34092 /* set int loopback in CSR15 */
34093 x = a->read_csr(ioaddr, CSR15) & 0xfffc;
34094 - lp->a.write_csr(ioaddr, CSR15, x | 0x0044);
34095 + lp->a->write_csr(ioaddr, CSR15, x | 0x0044);
34096
34097 teststatus = cpu_to_le16(0x8000);
34098 - lp->a.write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
34099 + lp->a->write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
34100
34101 /* Check status of descriptors */
34102 for (x = 0; x < numbuffs; x++) {
34103 @@ -990,7 +990,7 @@ static int pcnet32_loopback_test(struct
34104 }
34105 }
34106
34107 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
34108 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
34109 wmb();
34110 if (netif_msg_hw(lp) && netif_msg_pktdata(lp)) {
34111 printk(KERN_DEBUG "%s: RX loopback packets:\n", dev->name);
34112 @@ -1039,7 +1039,7 @@ static int pcnet32_loopback_test(struct
34113 pcnet32_restart(dev, CSR0_NORMAL);
34114 } else {
34115 pcnet32_purge_rx_ring(dev);
34116 - lp->a.write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
34117 + lp->a->write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
34118 }
34119 spin_unlock_irqrestore(&lp->lock, flags);
34120
34121 @@ -1049,7 +1049,7 @@ static int pcnet32_loopback_test(struct
34122 static void pcnet32_led_blink_callback(struct net_device *dev)
34123 {
34124 struct pcnet32_private *lp = netdev_priv(dev);
34125 - struct pcnet32_access *a = &lp->a;
34126 + struct pcnet32_access *a = lp->a;
34127 ulong ioaddr = dev->base_addr;
34128 unsigned long flags;
34129 int i;
34130 @@ -1066,7 +1066,7 @@ static void pcnet32_led_blink_callback(s
34131 static int pcnet32_phys_id(struct net_device *dev, u32 data)
34132 {
34133 struct pcnet32_private *lp = netdev_priv(dev);
34134 - struct pcnet32_access *a = &lp->a;
34135 + struct pcnet32_access *a = lp->a;
34136 ulong ioaddr = dev->base_addr;
34137 unsigned long flags;
34138 int i, regs[4];
34139 @@ -1112,7 +1112,7 @@ static int pcnet32_suspend(struct net_de
34140 {
34141 int csr5;
34142 struct pcnet32_private *lp = netdev_priv(dev);
34143 - struct pcnet32_access *a = &lp->a;
34144 + struct pcnet32_access *a = lp->a;
34145 ulong ioaddr = dev->base_addr;
34146 int ticks;
34147
34148 @@ -1388,8 +1388,8 @@ static int pcnet32_poll(struct napi_stru
34149 spin_lock_irqsave(&lp->lock, flags);
34150 if (pcnet32_tx(dev)) {
34151 /* reset the chip to clear the error condition, then restart */
34152 - lp->a.reset(ioaddr);
34153 - lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34154 + lp->a->reset(ioaddr);
34155 + lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34156 pcnet32_restart(dev, CSR0_START);
34157 netif_wake_queue(dev);
34158 }
34159 @@ -1401,12 +1401,12 @@ static int pcnet32_poll(struct napi_stru
34160 __napi_complete(napi);
34161
34162 /* clear interrupt masks */
34163 - val = lp->a.read_csr(ioaddr, CSR3);
34164 + val = lp->a->read_csr(ioaddr, CSR3);
34165 val &= 0x00ff;
34166 - lp->a.write_csr(ioaddr, CSR3, val);
34167 + lp->a->write_csr(ioaddr, CSR3, val);
34168
34169 /* Set interrupt enable. */
34170 - lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN);
34171 + lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN);
34172
34173 spin_unlock_irqrestore(&lp->lock, flags);
34174 }
34175 @@ -1429,7 +1429,7 @@ static void pcnet32_get_regs(struct net_
34176 int i, csr0;
34177 u16 *buff = ptr;
34178 struct pcnet32_private *lp = netdev_priv(dev);
34179 - struct pcnet32_access *a = &lp->a;
34180 + struct pcnet32_access *a = lp->a;
34181 ulong ioaddr = dev->base_addr;
34182 unsigned long flags;
34183
34184 @@ -1466,9 +1466,9 @@ static void pcnet32_get_regs(struct net_
34185 for (j = 0; j < PCNET32_MAX_PHYS; j++) {
34186 if (lp->phymask & (1 << j)) {
34187 for (i = 0; i < PCNET32_REGS_PER_PHY; i++) {
34188 - lp->a.write_bcr(ioaddr, 33,
34189 + lp->a->write_bcr(ioaddr, 33,
34190 (j << 5) | i);
34191 - *buff++ = lp->a.read_bcr(ioaddr, 34);
34192 + *buff++ = lp->a->read_bcr(ioaddr, 34);
34193 }
34194 }
34195 }
34196 @@ -1858,7 +1858,7 @@ pcnet32_probe1(unsigned long ioaddr, int
34197 ((cards_found >= MAX_UNITS) || full_duplex[cards_found]))
34198 lp->options |= PCNET32_PORT_FD;
34199
34200 - lp->a = *a;
34201 + lp->a = a;
34202
34203 /* prior to register_netdev, dev->name is not yet correct */
34204 if (pcnet32_alloc_ring(dev, pci_name(lp->pci_dev))) {
34205 @@ -1917,7 +1917,7 @@ pcnet32_probe1(unsigned long ioaddr, int
34206 if (lp->mii) {
34207 /* lp->phycount and lp->phymask are set to 0 by memset above */
34208
34209 - lp->mii_if.phy_id = ((lp->a.read_bcr(ioaddr, 33)) >> 5) & 0x1f;
34210 + lp->mii_if.phy_id = ((lp->a->read_bcr(ioaddr, 33)) >> 5) & 0x1f;
34211 /* scan for PHYs */
34212 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
34213 unsigned short id1, id2;
34214 @@ -1938,7 +1938,7 @@ pcnet32_probe1(unsigned long ioaddr, int
34215 "Found PHY %04x:%04x at address %d.\n",
34216 id1, id2, i);
34217 }
34218 - lp->a.write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
34219 + lp->a->write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
34220 if (lp->phycount > 1) {
34221 lp->options |= PCNET32_PORT_MII;
34222 }
34223 @@ -2109,10 +2109,10 @@ static int pcnet32_open(struct net_devic
34224 }
34225
34226 /* Reset the PCNET32 */
34227 - lp->a.reset(ioaddr);
34228 + lp->a->reset(ioaddr);
34229
34230 /* switch pcnet32 to 32bit mode */
34231 - lp->a.write_bcr(ioaddr, 20, 2);
34232 + lp->a->write_bcr(ioaddr, 20, 2);
34233
34234 if (netif_msg_ifup(lp))
34235 printk(KERN_DEBUG
34236 @@ -2122,14 +2122,14 @@ static int pcnet32_open(struct net_devic
34237 (u32) (lp->init_dma_addr));
34238
34239 /* set/reset autoselect bit */
34240 - val = lp->a.read_bcr(ioaddr, 2) & ~2;
34241 + val = lp->a->read_bcr(ioaddr, 2) & ~2;
34242 if (lp->options & PCNET32_PORT_ASEL)
34243 val |= 2;
34244 - lp->a.write_bcr(ioaddr, 2, val);
34245 + lp->a->write_bcr(ioaddr, 2, val);
34246
34247 /* handle full duplex setting */
34248 if (lp->mii_if.full_duplex) {
34249 - val = lp->a.read_bcr(ioaddr, 9) & ~3;
34250 + val = lp->a->read_bcr(ioaddr, 9) & ~3;
34251 if (lp->options & PCNET32_PORT_FD) {
34252 val |= 1;
34253 if (lp->options == (PCNET32_PORT_FD | PCNET32_PORT_AUI))
34254 @@ -2139,14 +2139,14 @@ static int pcnet32_open(struct net_devic
34255 if (lp->chip_version == 0x2627)
34256 val |= 3;
34257 }
34258 - lp->a.write_bcr(ioaddr, 9, val);
34259 + lp->a->write_bcr(ioaddr, 9, val);
34260 }
34261
34262 /* set/reset GPSI bit in test register */
34263 - val = lp->a.read_csr(ioaddr, 124) & ~0x10;
34264 + val = lp->a->read_csr(ioaddr, 124) & ~0x10;
34265 if ((lp->options & PCNET32_PORT_PORTSEL) == PCNET32_PORT_GPSI)
34266 val |= 0x10;
34267 - lp->a.write_csr(ioaddr, 124, val);
34268 + lp->a->write_csr(ioaddr, 124, val);
34269
34270 /* Allied Telesyn AT 2700/2701 FX are 100Mbit only and do not negotiate */
34271 if (pdev && pdev->subsystem_vendor == PCI_VENDOR_ID_AT &&
34272 @@ -2167,24 +2167,24 @@ static int pcnet32_open(struct net_devic
34273 * duplex, and/or enable auto negotiation, and clear DANAS
34274 */
34275 if (lp->mii && !(lp->options & PCNET32_PORT_ASEL)) {
34276 - lp->a.write_bcr(ioaddr, 32,
34277 - lp->a.read_bcr(ioaddr, 32) | 0x0080);
34278 + lp->a->write_bcr(ioaddr, 32,
34279 + lp->a->read_bcr(ioaddr, 32) | 0x0080);
34280 /* disable Auto Negotiation, set 10Mpbs, HD */
34281 - val = lp->a.read_bcr(ioaddr, 32) & ~0xb8;
34282 + val = lp->a->read_bcr(ioaddr, 32) & ~0xb8;
34283 if (lp->options & PCNET32_PORT_FD)
34284 val |= 0x10;
34285 if (lp->options & PCNET32_PORT_100)
34286 val |= 0x08;
34287 - lp->a.write_bcr(ioaddr, 32, val);
34288 + lp->a->write_bcr(ioaddr, 32, val);
34289 } else {
34290 if (lp->options & PCNET32_PORT_ASEL) {
34291 - lp->a.write_bcr(ioaddr, 32,
34292 - lp->a.read_bcr(ioaddr,
34293 + lp->a->write_bcr(ioaddr, 32,
34294 + lp->a->read_bcr(ioaddr,
34295 32) | 0x0080);
34296 /* enable auto negotiate, setup, disable fd */
34297 - val = lp->a.read_bcr(ioaddr, 32) & ~0x98;
34298 + val = lp->a->read_bcr(ioaddr, 32) & ~0x98;
34299 val |= 0x20;
34300 - lp->a.write_bcr(ioaddr, 32, val);
34301 + lp->a->write_bcr(ioaddr, 32, val);
34302 }
34303 }
34304 } else {
34305 @@ -2197,10 +2197,10 @@ static int pcnet32_open(struct net_devic
34306 * There is really no good other way to handle multiple PHYs
34307 * other than turning off all automatics
34308 */
34309 - val = lp->a.read_bcr(ioaddr, 2);
34310 - lp->a.write_bcr(ioaddr, 2, val & ~2);
34311 - val = lp->a.read_bcr(ioaddr, 32);
34312 - lp->a.write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
34313 + val = lp->a->read_bcr(ioaddr, 2);
34314 + lp->a->write_bcr(ioaddr, 2, val & ~2);
34315 + val = lp->a->read_bcr(ioaddr, 32);
34316 + lp->a->write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
34317
34318 if (!(lp->options & PCNET32_PORT_ASEL)) {
34319 /* setup ecmd */
34320 @@ -2210,7 +2210,7 @@ static int pcnet32_open(struct net_devic
34321 ecmd.speed =
34322 lp->
34323 options & PCNET32_PORT_100 ? SPEED_100 : SPEED_10;
34324 - bcr9 = lp->a.read_bcr(ioaddr, 9);
34325 + bcr9 = lp->a->read_bcr(ioaddr, 9);
34326
34327 if (lp->options & PCNET32_PORT_FD) {
34328 ecmd.duplex = DUPLEX_FULL;
34329 @@ -2219,7 +2219,7 @@ static int pcnet32_open(struct net_devic
34330 ecmd.duplex = DUPLEX_HALF;
34331 bcr9 |= ~(1 << 0);
34332 }
34333 - lp->a.write_bcr(ioaddr, 9, bcr9);
34334 + lp->a->write_bcr(ioaddr, 9, bcr9);
34335 }
34336
34337 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
34338 @@ -2252,9 +2252,9 @@ static int pcnet32_open(struct net_devic
34339
34340 #ifdef DO_DXSUFLO
34341 if (lp->dxsuflo) { /* Disable transmit stop on underflow */
34342 - val = lp->a.read_csr(ioaddr, CSR3);
34343 + val = lp->a->read_csr(ioaddr, CSR3);
34344 val |= 0x40;
34345 - lp->a.write_csr(ioaddr, CSR3, val);
34346 + lp->a->write_csr(ioaddr, CSR3, val);
34347 }
34348 #endif
34349
34350 @@ -2270,11 +2270,11 @@ static int pcnet32_open(struct net_devic
34351 napi_enable(&lp->napi);
34352
34353 /* Re-initialize the PCNET32, and start it when done. */
34354 - lp->a.write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
34355 - lp->a.write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
34356 + lp->a->write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
34357 + lp->a->write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
34358
34359 - lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34360 - lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
34361 + lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
34362 + lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
34363
34364 netif_start_queue(dev);
34365
34366 @@ -2286,20 +2286,20 @@ static int pcnet32_open(struct net_devic
34367
34368 i = 0;
34369 while (i++ < 100)
34370 - if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
34371 + if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
34372 break;
34373 /*
34374 * We used to clear the InitDone bit, 0x0100, here but Mark Stockton
34375 * reports that doing so triggers a bug in the '974.
34376 */
34377 - lp->a.write_csr(ioaddr, CSR0, CSR0_NORMAL);
34378 + lp->a->write_csr(ioaddr, CSR0, CSR0_NORMAL);
34379
34380 if (netif_msg_ifup(lp))
34381 printk(KERN_DEBUG
34382 "%s: pcnet32 open after %d ticks, init block %#x csr0 %4.4x.\n",
34383 dev->name, i,
34384 (u32) (lp->init_dma_addr),
34385 - lp->a.read_csr(ioaddr, CSR0));
34386 + lp->a->read_csr(ioaddr, CSR0));
34387
34388 spin_unlock_irqrestore(&lp->lock, flags);
34389
34390 @@ -2313,7 +2313,7 @@ static int pcnet32_open(struct net_devic
34391 * Switch back to 16bit mode to avoid problems with dumb
34392 * DOS packet driver after a warm reboot
34393 */
34394 - lp->a.write_bcr(ioaddr, 20, 4);
34395 + lp->a->write_bcr(ioaddr, 20, 4);
34396
34397 err_free_irq:
34398 spin_unlock_irqrestore(&lp->lock, flags);
34399 @@ -2420,7 +2420,7 @@ static void pcnet32_restart(struct net_d
34400
34401 /* wait for stop */
34402 for (i = 0; i < 100; i++)
34403 - if (lp->a.read_csr(ioaddr, CSR0) & CSR0_STOP)
34404 + if (lp->a->read_csr(ioaddr, CSR0) & CSR0_STOP)
34405 break;
34406
34407 if (i >= 100 && netif_msg_drv(lp))
34408 @@ -2433,13 +2433,13 @@ static void pcnet32_restart(struct net_d
34409 return;
34410
34411 /* ReInit Ring */
34412 - lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
34413 + lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
34414 i = 0;
34415 while (i++ < 1000)
34416 - if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
34417 + if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
34418 break;
34419
34420 - lp->a.write_csr(ioaddr, CSR0, csr0_bits);
34421 + lp->a->write_csr(ioaddr, CSR0, csr0_bits);
34422 }
34423
34424 static void pcnet32_tx_timeout(struct net_device *dev)
34425 @@ -2452,8 +2452,8 @@ static void pcnet32_tx_timeout(struct ne
34426 if (pcnet32_debug & NETIF_MSG_DRV)
34427 printk(KERN_ERR
34428 "%s: transmit timed out, status %4.4x, resetting.\n",
34429 - dev->name, lp->a.read_csr(ioaddr, CSR0));
34430 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
34431 + dev->name, lp->a->read_csr(ioaddr, CSR0));
34432 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
34433 dev->stats.tx_errors++;
34434 if (netif_msg_tx_err(lp)) {
34435 int i;
34436 @@ -2497,7 +2497,7 @@ static netdev_tx_t pcnet32_start_xmit(st
34437 if (netif_msg_tx_queued(lp)) {
34438 printk(KERN_DEBUG
34439 "%s: pcnet32_start_xmit() called, csr0 %4.4x.\n",
34440 - dev->name, lp->a.read_csr(ioaddr, CSR0));
34441 + dev->name, lp->a->read_csr(ioaddr, CSR0));
34442 }
34443
34444 /* Default status -- will not enable Successful-TxDone
34445 @@ -2528,7 +2528,7 @@ static netdev_tx_t pcnet32_start_xmit(st
34446 dev->stats.tx_bytes += skb->len;
34447
34448 /* Trigger an immediate send poll. */
34449 - lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
34450 + lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
34451
34452 dev->trans_start = jiffies;
34453
34454 @@ -2555,18 +2555,18 @@ pcnet32_interrupt(int irq, void *dev_id)
34455
34456 spin_lock(&lp->lock);
34457
34458 - csr0 = lp->a.read_csr(ioaddr, CSR0);
34459 + csr0 = lp->a->read_csr(ioaddr, CSR0);
34460 while ((csr0 & 0x8f00) && --boguscnt >= 0) {
34461 if (csr0 == 0xffff) {
34462 break; /* PCMCIA remove happened */
34463 }
34464 /* Acknowledge all of the current interrupt sources ASAP. */
34465 - lp->a.write_csr(ioaddr, CSR0, csr0 & ~0x004f);
34466 + lp->a->write_csr(ioaddr, CSR0, csr0 & ~0x004f);
34467
34468 if (netif_msg_intr(lp))
34469 printk(KERN_DEBUG
34470 "%s: interrupt csr0=%#2.2x new csr=%#2.2x.\n",
34471 - dev->name, csr0, lp->a.read_csr(ioaddr, CSR0));
34472 + dev->name, csr0, lp->a->read_csr(ioaddr, CSR0));
34473
34474 /* Log misc errors. */
34475 if (csr0 & 0x4000)
34476 @@ -2595,19 +2595,19 @@ pcnet32_interrupt(int irq, void *dev_id)
34477 if (napi_schedule_prep(&lp->napi)) {
34478 u16 val;
34479 /* set interrupt masks */
34480 - val = lp->a.read_csr(ioaddr, CSR3);
34481 + val = lp->a->read_csr(ioaddr, CSR3);
34482 val |= 0x5f00;
34483 - lp->a.write_csr(ioaddr, CSR3, val);
34484 + lp->a->write_csr(ioaddr, CSR3, val);
34485
34486 __napi_schedule(&lp->napi);
34487 break;
34488 }
34489 - csr0 = lp->a.read_csr(ioaddr, CSR0);
34490 + csr0 = lp->a->read_csr(ioaddr, CSR0);
34491 }
34492
34493 if (netif_msg_intr(lp))
34494 printk(KERN_DEBUG "%s: exiting interrupt, csr0=%#4.4x.\n",
34495 - dev->name, lp->a.read_csr(ioaddr, CSR0));
34496 + dev->name, lp->a->read_csr(ioaddr, CSR0));
34497
34498 spin_unlock(&lp->lock);
34499
34500 @@ -2627,21 +2627,21 @@ static int pcnet32_close(struct net_devi
34501
34502 spin_lock_irqsave(&lp->lock, flags);
34503
34504 - dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
34505 + dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
34506
34507 if (netif_msg_ifdown(lp))
34508 printk(KERN_DEBUG
34509 "%s: Shutting down ethercard, status was %2.2x.\n",
34510 - dev->name, lp->a.read_csr(ioaddr, CSR0));
34511 + dev->name, lp->a->read_csr(ioaddr, CSR0));
34512
34513 /* We stop the PCNET32 here -- it occasionally polls memory if we don't. */
34514 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
34515 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
34516
34517 /*
34518 * Switch back to 16bit mode to avoid problems with dumb
34519 * DOS packet driver after a warm reboot
34520 */
34521 - lp->a.write_bcr(ioaddr, 20, 4);
34522 + lp->a->write_bcr(ioaddr, 20, 4);
34523
34524 spin_unlock_irqrestore(&lp->lock, flags);
34525
34526 @@ -2664,7 +2664,7 @@ static struct net_device_stats *pcnet32_
34527 unsigned long flags;
34528
34529 spin_lock_irqsave(&lp->lock, flags);
34530 - dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
34531 + dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
34532 spin_unlock_irqrestore(&lp->lock, flags);
34533
34534 return &dev->stats;
34535 @@ -2686,10 +2686,10 @@ static void pcnet32_load_multicast(struc
34536 if (dev->flags & IFF_ALLMULTI) {
34537 ib->filter[0] = cpu_to_le32(~0U);
34538 ib->filter[1] = cpu_to_le32(~0U);
34539 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
34540 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
34541 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
34542 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
34543 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
34544 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
34545 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
34546 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
34547 return;
34548 }
34549 /* clear the multicast filter */
34550 @@ -2710,7 +2710,7 @@ static void pcnet32_load_multicast(struc
34551 mcast_table[crc >> 4] |= cpu_to_le16(1 << (crc & 0xf));
34552 }
34553 for (i = 0; i < 4; i++)
34554 - lp->a.write_csr(ioaddr, PCNET32_MC_FILTER + i,
34555 + lp->a->write_csr(ioaddr, PCNET32_MC_FILTER + i,
34556 le16_to_cpu(mcast_table[i]));
34557 return;
34558 }
34559 @@ -2726,7 +2726,7 @@ static void pcnet32_set_multicast_list(s
34560
34561 spin_lock_irqsave(&lp->lock, flags);
34562 suspended = pcnet32_suspend(dev, &flags, 0);
34563 - csr15 = lp->a.read_csr(ioaddr, CSR15);
34564 + csr15 = lp->a->read_csr(ioaddr, CSR15);
34565 if (dev->flags & IFF_PROMISC) {
34566 /* Log any net taps. */
34567 if (netif_msg_hw(lp))
34568 @@ -2735,21 +2735,21 @@ static void pcnet32_set_multicast_list(s
34569 lp->init_block->mode =
34570 cpu_to_le16(0x8000 | (lp->options & PCNET32_PORT_PORTSEL) <<
34571 7);
34572 - lp->a.write_csr(ioaddr, CSR15, csr15 | 0x8000);
34573 + lp->a->write_csr(ioaddr, CSR15, csr15 | 0x8000);
34574 } else {
34575 lp->init_block->mode =
34576 cpu_to_le16((lp->options & PCNET32_PORT_PORTSEL) << 7);
34577 - lp->a.write_csr(ioaddr, CSR15, csr15 & 0x7fff);
34578 + lp->a->write_csr(ioaddr, CSR15, csr15 & 0x7fff);
34579 pcnet32_load_multicast(dev);
34580 }
34581
34582 if (suspended) {
34583 int csr5;
34584 /* clear SUSPEND (SPND) - CSR5 bit 0 */
34585 - csr5 = lp->a.read_csr(ioaddr, CSR5);
34586 - lp->a.write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
34587 + csr5 = lp->a->read_csr(ioaddr, CSR5);
34588 + lp->a->write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
34589 } else {
34590 - lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
34591 + lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
34592 pcnet32_restart(dev, CSR0_NORMAL);
34593 netif_wake_queue(dev);
34594 }
34595 @@ -2767,8 +2767,8 @@ static int mdio_read(struct net_device *
34596 if (!lp->mii)
34597 return 0;
34598
34599 - lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
34600 - val_out = lp->a.read_bcr(ioaddr, 34);
34601 + lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
34602 + val_out = lp->a->read_bcr(ioaddr, 34);
34603
34604 return val_out;
34605 }
34606 @@ -2782,8 +2782,8 @@ static void mdio_write(struct net_device
34607 if (!lp->mii)
34608 return;
34609
34610 - lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
34611 - lp->a.write_bcr(ioaddr, 34, val);
34612 + lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
34613 + lp->a->write_bcr(ioaddr, 34, val);
34614 }
34615
34616 static int pcnet32_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
34617 @@ -2862,7 +2862,7 @@ static void pcnet32_check_media(struct n
34618 curr_link = mii_link_ok(&lp->mii_if);
34619 } else {
34620 ulong ioaddr = dev->base_addr; /* card base I/O address */
34621 - curr_link = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
34622 + curr_link = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
34623 }
34624 if (!curr_link) {
34625 if (prev_link || verbose) {
34626 @@ -2887,13 +2887,13 @@ static void pcnet32_check_media(struct n
34627 (ecmd.duplex ==
34628 DUPLEX_FULL) ? "full" : "half");
34629 }
34630 - bcr9 = lp->a.read_bcr(dev->base_addr, 9);
34631 + bcr9 = lp->a->read_bcr(dev->base_addr, 9);
34632 if ((bcr9 & (1 << 0)) != lp->mii_if.full_duplex) {
34633 if (lp->mii_if.full_duplex)
34634 bcr9 |= (1 << 0);
34635 else
34636 bcr9 &= ~(1 << 0);
34637 - lp->a.write_bcr(dev->base_addr, 9, bcr9);
34638 + lp->a->write_bcr(dev->base_addr, 9, bcr9);
34639 }
34640 } else {
34641 if (netif_msg_link(lp))
34642 diff -urNp linux-2.6.32.46/drivers/net/tg3.h linux-2.6.32.46/drivers/net/tg3.h
34643 --- linux-2.6.32.46/drivers/net/tg3.h 2011-03-27 14:31:47.000000000 -0400
34644 +++ linux-2.6.32.46/drivers/net/tg3.h 2011-04-17 15:56:46.000000000 -0400
34645 @@ -95,6 +95,7 @@
34646 #define CHIPREV_ID_5750_A0 0x4000
34647 #define CHIPREV_ID_5750_A1 0x4001
34648 #define CHIPREV_ID_5750_A3 0x4003
34649 +#define CHIPREV_ID_5750_C1 0x4201
34650 #define CHIPREV_ID_5750_C2 0x4202
34651 #define CHIPREV_ID_5752_A0_HW 0x5000
34652 #define CHIPREV_ID_5752_A0 0x6000
34653 diff -urNp linux-2.6.32.46/drivers/net/tokenring/abyss.c linux-2.6.32.46/drivers/net/tokenring/abyss.c
34654 --- linux-2.6.32.46/drivers/net/tokenring/abyss.c 2011-03-27 14:31:47.000000000 -0400
34655 +++ linux-2.6.32.46/drivers/net/tokenring/abyss.c 2011-08-05 20:33:55.000000000 -0400
34656 @@ -451,10 +451,12 @@ static struct pci_driver abyss_driver =
34657
34658 static int __init abyss_init (void)
34659 {
34660 - abyss_netdev_ops = tms380tr_netdev_ops;
34661 + pax_open_kernel();
34662 + memcpy((void *)&abyss_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
34663
34664 - abyss_netdev_ops.ndo_open = abyss_open;
34665 - abyss_netdev_ops.ndo_stop = abyss_close;
34666 + *(void **)&abyss_netdev_ops.ndo_open = abyss_open;
34667 + *(void **)&abyss_netdev_ops.ndo_stop = abyss_close;
34668 + pax_close_kernel();
34669
34670 return pci_register_driver(&abyss_driver);
34671 }
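Review bot: The stores `*(void **)&abyss_netdev_ops.ndo_open = abyss_open;` and the matching ndo_stop line go through a `void **` cast, so the compiler no longer checks that the handler matches the member's prototype and a wrong signature would compile silently. Assigning each handler to a correctly typed local first, e.g. `int (*open_fn)(struct net_device *) = abyss_open;`, and storing that local keeps the check. The memcpy is safer sized by its destination, `sizeof(abyss_netdev_ops)`. A one-line comment above `pax_open_kernel()` should say the table is written only here at init, so the write window is not widened later. The madgemc.c, proteon.c and skisa.c hunks below repeat the same pattern.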
34672 diff -urNp linux-2.6.32.46/drivers/net/tokenring/madgemc.c linux-2.6.32.46/drivers/net/tokenring/madgemc.c
34673 --- linux-2.6.32.46/drivers/net/tokenring/madgemc.c 2011-03-27 14:31:47.000000000 -0400
34674 +++ linux-2.6.32.46/drivers/net/tokenring/madgemc.c 2011-08-05 20:33:55.000000000 -0400
34675 @@ -755,9 +755,11 @@ static struct mca_driver madgemc_driver
34676
34677 static int __init madgemc_init (void)
34678 {
34679 - madgemc_netdev_ops = tms380tr_netdev_ops;
34680 - madgemc_netdev_ops.ndo_open = madgemc_open;
34681 - madgemc_netdev_ops.ndo_stop = madgemc_close;
34682 + pax_open_kernel();
34683 + memcpy((void *)&madgemc_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
34684 + *(void **)&madgemc_netdev_ops.ndo_open = madgemc_open;
34685 + *(void **)&madgemc_netdev_ops.ndo_stop = madgemc_close;
34686 + pax_close_kernel();
34687
34688 return mca_register_driver (&madgemc_driver);
34689 }
34690 diff -urNp linux-2.6.32.46/drivers/net/tokenring/proteon.c linux-2.6.32.46/drivers/net/tokenring/proteon.c
34691 --- linux-2.6.32.46/drivers/net/tokenring/proteon.c 2011-03-27 14:31:47.000000000 -0400
34692 +++ linux-2.6.32.46/drivers/net/tokenring/proteon.c 2011-08-05 20:33:55.000000000 -0400
34693 @@ -353,9 +353,11 @@ static int __init proteon_init(void)
34694 struct platform_device *pdev;
34695 int i, num = 0, err = 0;
34696
34697 - proteon_netdev_ops = tms380tr_netdev_ops;
34698 - proteon_netdev_ops.ndo_open = proteon_open;
34699 - proteon_netdev_ops.ndo_stop = tms380tr_close;
34700 + pax_open_kernel();
34701 + memcpy((void *)&proteon_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
34702 + *(void **)&proteon_netdev_ops.ndo_open = proteon_open;
34703 + *(void **)&proteon_netdev_ops.ndo_stop = tms380tr_close;
34704 + pax_close_kernel();
34705
34706 err = platform_driver_register(&proteon_driver);
34707 if (err)
34708 diff -urNp linux-2.6.32.46/drivers/net/tokenring/skisa.c linux-2.6.32.46/drivers/net/tokenring/skisa.c
34709 --- linux-2.6.32.46/drivers/net/tokenring/skisa.c 2011-03-27 14:31:47.000000000 -0400
34710 +++ linux-2.6.32.46/drivers/net/tokenring/skisa.c 2011-08-05 20:33:55.000000000 -0400
34711 @@ -363,9 +363,11 @@ static int __init sk_isa_init(void)
34712 struct platform_device *pdev;
34713 int i, num = 0, err = 0;
34714
34715 - sk_isa_netdev_ops = tms380tr_netdev_ops;
34716 - sk_isa_netdev_ops.ndo_open = sk_isa_open;
34717 - sk_isa_netdev_ops.ndo_stop = tms380tr_close;
34718 + pax_open_kernel();
34719 + memcpy((void *)&sk_isa_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
34720 + *(void **)&sk_isa_netdev_ops.ndo_open = sk_isa_open;
34721 + *(void **)&sk_isa_netdev_ops.ndo_stop = tms380tr_close;
34722 + pax_close_kernel();
34723
34724 err = platform_driver_register(&sk_isa_driver);
34725 if (err)
34726 diff -urNp linux-2.6.32.46/drivers/net/tulip/de2104x.c linux-2.6.32.46/drivers/net/tulip/de2104x.c
34727 --- linux-2.6.32.46/drivers/net/tulip/de2104x.c 2011-03-27 14:31:47.000000000 -0400
34728 +++ linux-2.6.32.46/drivers/net/tulip/de2104x.c 2011-05-16 21:46:57.000000000 -0400
34729 @@ -1785,6 +1785,8 @@ static void __devinit de21041_get_srom_i
34730 struct de_srom_info_leaf *il;
34731 void *bufp;
34732
34733 + pax_track_stack();
34734 +
34735 /* download entire eeprom */
34736 for (i = 0; i < DE_EEPROM_WORDS; i++)
34737 ((__le16 *)ee_data)[i] =
34738 diff -urNp linux-2.6.32.46/drivers/net/tulip/de4x5.c linux-2.6.32.46/drivers/net/tulip/de4x5.c
34739 --- linux-2.6.32.46/drivers/net/tulip/de4x5.c 2011-03-27 14:31:47.000000000 -0400
34740 +++ linux-2.6.32.46/drivers/net/tulip/de4x5.c 2011-04-17 15:56:46.000000000 -0400
34741 @@ -5472,7 +5472,7 @@ de4x5_ioctl(struct net_device *dev, stru
34742 for (i=0; i<ETH_ALEN; i++) {
34743 tmp.addr[i] = dev->dev_addr[i];
34744 }
34745 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
34746 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
34747 break;
34748
34749 case DE4X5_SET_HWADDR: /* Set the hardware address */
34750 @@ -5512,7 +5512,7 @@ de4x5_ioctl(struct net_device *dev, stru
34751 spin_lock_irqsave(&lp->lock, flags);
34752 memcpy(&statbuf, &lp->pktStats, ioc->len);
34753 spin_unlock_irqrestore(&lp->lock, flags);
34754 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
34755 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
34756 return -EFAULT;
34757 break;
34758 }
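Review bot: The added bound `ioc->len > sizeof statbuf` is evaluated only after the context line `memcpy(&statbuf, &lp->pktStats, ioc->len)` has already used the same length, so as placed it guards the copy to user space but not the copy into the stack buffer. Whether ioc->len is pinned to a fixed value earlier in this case is not visible, because the case body starts above the hunk. If it is not, the test belongs before `spin_lock_irqsave()`, for example `if (ioc->len > sizeof statbuf) return -EINVAL;`. The length test in the DE4X5_GET_HWADDR hunk above also returns -EFAULT for an oversized length, which a caller cannot tell apart from a faulting user pointer.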
34759 diff -urNp linux-2.6.32.46/drivers/net/usb/hso.c linux-2.6.32.46/drivers/net/usb/hso.c
34760 --- linux-2.6.32.46/drivers/net/usb/hso.c 2011-03-27 14:31:47.000000000 -0400
34761 +++ linux-2.6.32.46/drivers/net/usb/hso.c 2011-04-17 15:56:46.000000000 -0400
34762 @@ -71,7 +71,7 @@
34763 #include <asm/byteorder.h>
34764 #include <linux/serial_core.h>
34765 #include <linux/serial.h>
34766 -
34767 +#include <asm/local.h>
34768
34769 #define DRIVER_VERSION "1.2"
34770 #define MOD_AUTHOR "Option Wireless"
34771 @@ -258,7 +258,7 @@ struct hso_serial {
34772
34773 /* from usb_serial_port */
34774 struct tty_struct *tty;
34775 - int open_count;
34776 + local_t open_count;
34777 spinlock_t serial_lock;
34778
34779 int (*write_data) (struct hso_serial *serial);
34780 @@ -1180,7 +1180,7 @@ static void put_rxbuf_data_and_resubmit_
34781 struct urb *urb;
34782
34783 urb = serial->rx_urb[0];
34784 - if (serial->open_count > 0) {
34785 + if (local_read(&serial->open_count) > 0) {
34786 count = put_rxbuf_data(urb, serial);
34787 if (count == -1)
34788 return;
34789 @@ -1216,7 +1216,7 @@ static void hso_std_serial_read_bulk_cal
34790 DUMP1(urb->transfer_buffer, urb->actual_length);
34791
34792 /* Anyone listening? */
34793 - if (serial->open_count == 0)
34794 + if (local_read(&serial->open_count) == 0)
34795 return;
34796
34797 if (status == 0) {
34798 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
34799 spin_unlock_irq(&serial->serial_lock);
34800
34801 /* check for port already opened, if not set the termios */
34802 - serial->open_count++;
34803 - if (serial->open_count == 1) {
34804 + if (local_inc_return(&serial->open_count) == 1) {
34805 tty->low_latency = 1;
34806 serial->rx_state = RX_IDLE;
34807 /* Force default termio settings */
34808 @@ -1325,7 +1324,7 @@ static int hso_serial_open(struct tty_st
34809 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
34810 if (result) {
34811 hso_stop_serial_device(serial->parent);
34812 - serial->open_count--;
34813 + local_dec(&serial->open_count);
34814 kref_put(&serial->parent->ref, hso_serial_ref_free);
34815 }
34816 } else {
34817 @@ -1362,10 +1361,10 @@ static void hso_serial_close(struct tty_
34818
34819 /* reset the rts and dtr */
34820 /* do the actual close */
34821 - serial->open_count--;
34822 + local_dec(&serial->open_count);
34823
34824 - if (serial->open_count <= 0) {
34825 - serial->open_count = 0;
34826 + if (local_read(&serial->open_count) <= 0) {
34827 + local_set(&serial->open_count, 0);
34828 spin_lock_irq(&serial->serial_lock);
34829 if (serial->tty == tty) {
34830 serial->tty->driver_data = NULL;
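Review bot: In hso_serial_close the decrement and the test are two separate operations (`local_dec` followed by `local_read`), while hso_serial_open in the earlier hunk uses the combined `local_inc_return`. Using `if (local_dec_return(&serial->open_count) <= 0) {` keeps the pair symmetric and removes the gap between the update and the check. local_t operations are atomic only with respect to the CPU that owns the variable. If open_count can be reached from the URB callbacks on another CPU without serial_lock held (the locking is outside these hunks), atomic_t is the type that gives cross-CPU guarantees. The function body continues past the end of the hunk.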
34831 @@ -1447,7 +1446,7 @@ static void hso_serial_set_termios(struc
34832
34833 /* the actual setup */
34834 spin_lock_irqsave(&serial->serial_lock, flags);
34835 - if (serial->open_count)
34836 + if (local_read(&serial->open_count))
34837 _hso_serial_set_termios(tty, old);
34838 else
34839 tty->termios = old;
34840 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
34841 /* Start all serial ports */
34842 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
34843 if (serial_table[i] && (serial_table[i]->interface == iface)) {
34844 - if (dev2ser(serial_table[i])->open_count) {
34845 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
34846 result =
34847 hso_start_serial_device(serial_table[i], GFP_NOIO);
34848 hso_kick_transmit(dev2ser(serial_table[i]));
34849 diff -urNp linux-2.6.32.46/drivers/net/vxge/vxge-config.h linux-2.6.32.46/drivers/net/vxge/vxge-config.h
34850 --- linux-2.6.32.46/drivers/net/vxge/vxge-config.h 2011-03-27 14:31:47.000000000 -0400
34851 +++ linux-2.6.32.46/drivers/net/vxge/vxge-config.h 2011-08-05 20:33:55.000000000 -0400
34852 @@ -474,7 +474,7 @@ struct vxge_hw_uld_cbs {
34853 void (*link_down)(struct __vxge_hw_device *devh);
34854 void (*crit_err)(struct __vxge_hw_device *devh,
34855 enum vxge_hw_event type, u64 ext_data);
34856 -};
34857 +} __no_const;
34858
34859 /*
34860 * struct __vxge_hw_blockpool_entry - Block private data structure
34861 diff -urNp linux-2.6.32.46/drivers/net/vxge/vxge-main.c linux-2.6.32.46/drivers/net/vxge/vxge-main.c
34862 --- linux-2.6.32.46/drivers/net/vxge/vxge-main.c 2011-03-27 14:31:47.000000000 -0400
34863 +++ linux-2.6.32.46/drivers/net/vxge/vxge-main.c 2011-05-16 21:46:57.000000000 -0400
34864 @@ -93,6 +93,8 @@ static inline void VXGE_COMPLETE_VPATH_T
34865 struct sk_buff *completed[NR_SKB_COMPLETED];
34866 int more;
34867
34868 + pax_track_stack();
34869 +
34870 do {
34871 more = 0;
34872 skb_ptr = completed;
34873 @@ -1779,6 +1781,8 @@ static enum vxge_hw_status vxge_rth_conf
34874 u8 mtable[256] = {0}; /* CPU to vpath mapping */
34875 int index;
34876
34877 + pax_track_stack();
34878 +
34879 /*
34880 * Filling
34881 * - itable with bucket numbers
34882 diff -urNp linux-2.6.32.46/drivers/net/vxge/vxge-traffic.h linux-2.6.32.46/drivers/net/vxge/vxge-traffic.h
34883 --- linux-2.6.32.46/drivers/net/vxge/vxge-traffic.h 2011-03-27 14:31:47.000000000 -0400
34884 +++ linux-2.6.32.46/drivers/net/vxge/vxge-traffic.h 2011-08-05 20:33:55.000000000 -0400
34885 @@ -2123,7 +2123,7 @@ struct vxge_hw_mempool_cbs {
34886 struct vxge_hw_mempool_dma *dma_object,
34887 u32 index,
34888 u32 is_last);
34889 -};
34890 +} __no_const;
34891
34892 void
34893 __vxge_hw_mempool_destroy(
34894 diff -urNp linux-2.6.32.46/drivers/net/wan/cycx_x25.c linux-2.6.32.46/drivers/net/wan/cycx_x25.c
34895 --- linux-2.6.32.46/drivers/net/wan/cycx_x25.c 2011-03-27 14:31:47.000000000 -0400
34896 +++ linux-2.6.32.46/drivers/net/wan/cycx_x25.c 2011-05-16 21:46:57.000000000 -0400
34897 @@ -1017,6 +1017,8 @@ static void hex_dump(char *msg, unsigned
34898 unsigned char hex[1024],
34899 * phex = hex;
34900
34901 + pax_track_stack();
34902 +
34903 if (len >= (sizeof(hex) / 2))
34904 len = (sizeof(hex) / 2) - 1;
34905
34906 diff -urNp linux-2.6.32.46/drivers/net/wan/hdlc_x25.c linux-2.6.32.46/drivers/net/wan/hdlc_x25.c
34907 --- linux-2.6.32.46/drivers/net/wan/hdlc_x25.c 2011-03-27 14:31:47.000000000 -0400
34908 +++ linux-2.6.32.46/drivers/net/wan/hdlc_x25.c 2011-08-05 20:33:55.000000000 -0400
34909 @@ -136,16 +136,16 @@ static netdev_tx_t x25_xmit(struct sk_bu
34910
34911 static int x25_open(struct net_device *dev)
34912 {
34913 - struct lapb_register_struct cb;
34914 + static struct lapb_register_struct cb = {
34915 + .connect_confirmation = x25_connected,
34916 + .connect_indication = x25_connected,
34917 + .disconnect_confirmation = x25_disconnected,
34918 + .disconnect_indication = x25_disconnected,
34919 + .data_indication = x25_data_indication,
34920 + .data_transmit = x25_data_transmit
34921 + };
34922 int result;
34923
34924 - cb.connect_confirmation = x25_connected;
34925 - cb.connect_indication = x25_connected;
34926 - cb.disconnect_confirmation = x25_disconnected;
34927 - cb.disconnect_indication = x25_disconnected;
34928 - cb.data_indication = x25_data_indication;
34929 - cb.data_transmit = x25_data_transmit;
34930 -
34931 result = lapb_register(dev, &cb);
34932 if (result != LAPB_OK)
34933 return result;
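Review bot: The new `static struct lapb_register_struct cb` in x25_open is never written after its initializer but is not declared const, so whether the callback table ends up in read-only data depends on tooling that is not visible in this hunk. If lapb_register()'s prototype (not shown here) accepts a const pointer, `static const struct lapb_register_struct cb = {` states the intent directly. A trailing comma after `.data_transmit = x25_data_transmit` would keep later additions to one-line diffs. x25_open continues outside the hunk.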
34934 diff -urNp linux-2.6.32.46/drivers/net/wimax/i2400m/usb-fw.c linux-2.6.32.46/drivers/net/wimax/i2400m/usb-fw.c
34935 --- linux-2.6.32.46/drivers/net/wimax/i2400m/usb-fw.c 2011-03-27 14:31:47.000000000 -0400
34936 +++ linux-2.6.32.46/drivers/net/wimax/i2400m/usb-fw.c 2011-05-16 21:46:57.000000000 -0400
34937 @@ -263,6 +263,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
34938 int do_autopm = 1;
34939 DECLARE_COMPLETION_ONSTACK(notif_completion);
34940
34941 + pax_track_stack();
34942 +
34943 d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
34944 i2400m, ack, ack_size);
34945 BUG_ON(_ack == i2400m->bm_ack_buf);
34946 diff -urNp linux-2.6.32.46/drivers/net/wireless/airo.c linux-2.6.32.46/drivers/net/wireless/airo.c
34947 --- linux-2.6.32.46/drivers/net/wireless/airo.c 2011-03-27 14:31:47.000000000 -0400
34948 +++ linux-2.6.32.46/drivers/net/wireless/airo.c 2011-05-16 21:46:57.000000000 -0400
34949 @@ -3003,6 +3003,8 @@ static void airo_process_scan_results (s
34950 BSSListElement * loop_net;
34951 BSSListElement * tmp_net;
34952
34953 + pax_track_stack();
34954 +
34955 /* Blow away current list of scan results */
34956 list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
34957 list_move_tail (&loop_net->list, &ai->network_free_list);
34958 @@ -3783,6 +3785,8 @@ static u16 setup_card(struct airo_info *
34959 WepKeyRid wkr;
34960 int rc;
34961
34962 + pax_track_stack();
34963 +
34964 memset( &mySsid, 0, sizeof( mySsid ) );
34965 kfree (ai->flash);
34966 ai->flash = NULL;
34967 @@ -4758,6 +4762,8 @@ static int proc_stats_rid_open( struct i
34968 __le32 *vals = stats.vals;
34969 int len;
34970
34971 + pax_track_stack();
34972 +
34973 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
34974 return -ENOMEM;
34975 data = (struct proc_data *)file->private_data;
34976 @@ -5487,6 +5493,8 @@ static int proc_BSSList_open( struct ino
34977 /* If doLoseSync is not 1, we won't do a Lose Sync */
34978 int doLoseSync = -1;
34979
34980 + pax_track_stack();
34981 +
34982 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
34983 return -ENOMEM;
34984 data = (struct proc_data *)file->private_data;
34985 @@ -7193,6 +7201,8 @@ static int airo_get_aplist(struct net_de
34986 int i;
34987 int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
34988
34989 + pax_track_stack();
34990 +
34991 qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
34992 if (!qual)
34993 return -ENOMEM;
34994 @@ -7753,6 +7763,8 @@ static void airo_read_wireless_stats(str
34995 CapabilityRid cap_rid;
34996 __le32 *vals = stats_rid.vals;
34997
34998 + pax_track_stack();
34999 +
35000 /* Get stats out of the card */
35001 clear_bit(JOB_WSTATS, &local->jobs);
35002 if (local->power.event) {
35003 diff -urNp linux-2.6.32.46/drivers/net/wireless/ath/ath5k/debug.c linux-2.6.32.46/drivers/net/wireless/ath/ath5k/debug.c
35004 --- linux-2.6.32.46/drivers/net/wireless/ath/ath5k/debug.c 2011-03-27 14:31:47.000000000 -0400
35005 +++ linux-2.6.32.46/drivers/net/wireless/ath/ath5k/debug.c 2011-05-16 21:46:57.000000000 -0400
35006 @@ -205,6 +205,8 @@ static ssize_t read_file_beacon(struct f
35007 unsigned int v;
35008 u64 tsf;
35009
35010 + pax_track_stack();
35011 +
35012 v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
35013 len += snprintf(buf+len, sizeof(buf)-len,
35014 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
35015 @@ -318,6 +320,8 @@ static ssize_t read_file_debug(struct fi
35016 unsigned int len = 0;
35017 unsigned int i;
35018
35019 + pax_track_stack();
35020 +
35021 len += snprintf(buf+len, sizeof(buf)-len,
35022 "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
35023
35024 diff -urNp linux-2.6.32.46/drivers/net/wireless/ath/ath9k/debug.c linux-2.6.32.46/drivers/net/wireless/ath/ath9k/debug.c
35025 --- linux-2.6.32.46/drivers/net/wireless/ath/ath9k/debug.c 2011-03-27 14:31:47.000000000 -0400
35026 +++ linux-2.6.32.46/drivers/net/wireless/ath/ath9k/debug.c 2011-05-16 21:46:57.000000000 -0400
35027 @@ -220,6 +220,8 @@ static ssize_t read_file_interrupt(struc
35028 char buf[512];
35029 unsigned int len = 0;
35030
35031 + pax_track_stack();
35032 +
35033 len += snprintf(buf + len, sizeof(buf) - len,
35034 "%8s: %10u\n", "RX", sc->debug.stats.istats.rxok);
35035 len += snprintf(buf + len, sizeof(buf) - len,
35036 @@ -360,6 +362,8 @@ static ssize_t read_file_wiphy(struct fi
35037 int i;
35038 u8 addr[ETH_ALEN];
35039
35040 + pax_track_stack();
35041 +
35042 len += snprintf(buf + len, sizeof(buf) - len,
35043 "primary: %s (%s chan=%d ht=%d)\n",
35044 wiphy_name(sc->pri_wiphy->hw->wiphy),
35045 diff -urNp linux-2.6.32.46/drivers/net/wireless/b43/debugfs.c linux-2.6.32.46/drivers/net/wireless/b43/debugfs.c
35046 --- linux-2.6.32.46/drivers/net/wireless/b43/debugfs.c 2011-03-27 14:31:47.000000000 -0400
35047 +++ linux-2.6.32.46/drivers/net/wireless/b43/debugfs.c 2011-04-17 15:56:46.000000000 -0400
35048 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
35049 struct b43_debugfs_fops {
35050 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
35051 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
35052 - struct file_operations fops;
35053 + const struct file_operations fops;
35054 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
35055 size_t file_struct_offset;
35056 };
35057 diff -urNp linux-2.6.32.46/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.32.46/drivers/net/wireless/b43legacy/debugfs.c
35058 --- linux-2.6.32.46/drivers/net/wireless/b43legacy/debugfs.c 2011-03-27 14:31:47.000000000 -0400
35059 +++ linux-2.6.32.46/drivers/net/wireless/b43legacy/debugfs.c 2011-04-17 15:56:46.000000000 -0400
35060 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
35061 struct b43legacy_debugfs_fops {
35062 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
35063 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
35064 - struct file_operations fops;
35065 + const struct file_operations fops;
35066 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
35067 size_t file_struct_offset;
35068 /* Take wl->irq_lock before calling read/write? */
35069 diff -urNp linux-2.6.32.46/drivers/net/wireless/ipw2x00/ipw2100.c linux-2.6.32.46/drivers/net/wireless/ipw2x00/ipw2100.c
35070 --- linux-2.6.32.46/drivers/net/wireless/ipw2x00/ipw2100.c 2011-03-27 14:31:47.000000000 -0400
35071 +++ linux-2.6.32.46/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-16 21:46:57.000000000 -0400
35072 @@ -2014,6 +2014,8 @@ static int ipw2100_set_essid(struct ipw2
35073 int err;
35074 DECLARE_SSID_BUF(ssid);
35075
35076 + pax_track_stack();
35077 +
35078 IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
35079
35080 if (ssid_len)
35081 @@ -5380,6 +5382,8 @@ static int ipw2100_set_key(struct ipw210
35082 struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
35083 int err;
35084
35085 + pax_track_stack();
35086 +
35087 IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
35088 idx, keylen, len);
35089
35090 diff -urNp linux-2.6.32.46/drivers/net/wireless/ipw2x00/libipw_rx.c linux-2.6.32.46/drivers/net/wireless/ipw2x00/libipw_rx.c
35091 --- linux-2.6.32.46/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-03-27 14:31:47.000000000 -0400
35092 +++ linux-2.6.32.46/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-16 21:46:57.000000000 -0400
35093 @@ -1566,6 +1566,8 @@ static void libipw_process_probe_respons
35094 unsigned long flags;
35095 DECLARE_SSID_BUF(ssid);
35096
35097 + pax_track_stack();
35098 +
35099 LIBIPW_DEBUG_SCAN("'%s' (%pM"
35100 "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
35101 print_ssid(ssid, info_element->data, info_element->len),
35102 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-1000.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-1000.c
35103 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-1000.c 2011-03-27 14:31:47.000000000 -0400
35104 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-1000.c 2011-04-17 15:56:46.000000000 -0400
35105 @@ -137,7 +137,7 @@ static struct iwl_lib_ops iwl1000_lib =
35106 },
35107 };
35108
35109 -static struct iwl_ops iwl1000_ops = {
35110 +static const struct iwl_ops iwl1000_ops = {
35111 .ucode = &iwl5000_ucode,
35112 .lib = &iwl1000_lib,
35113 .hcmd = &iwl5000_hcmd,
35114 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl3945-base.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl3945-base.c
35115 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl3945-base.c 2011-03-27 14:31:47.000000000 -0400
35116 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl3945-base.c 2011-08-05 20:33:55.000000000 -0400
35117 @@ -3927,7 +3927,9 @@ static int iwl3945_pci_probe(struct pci_
35118 */
35119 if (iwl3945_mod_params.disable_hw_scan) {
35120 IWL_DEBUG_INFO(priv, "Disabling hw_scan\n");
35121 - iwl3945_hw_ops.hw_scan = NULL;
35122 + pax_open_kernel();
35123 + *(void **)&iwl3945_hw_ops.hw_scan = NULL;
35124 + pax_close_kernel();
35125 }
35126
35127
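Review bot: `*(void **)&iwl3945_hw_ops.hw_scan = NULL;` rewrites an ops table shared by every device from the probe path, so the `pax_open_kernel()` window is opened on each probe rather than once at module init, and the `void **` cast hides the member's type from the compiler. Since the value here depends only on `iwl3945_mod_params.disable_hw_scan`, the store could move to the module init function, or probe could select between two constant ops tables, one without hw_scan. The iwl-agn.c hunk further down has the same store to `iwl_hw_ops.hw_scan`. iwl3945_pci_probe starts and ends outside the hunk.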
35128 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-3945.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-3945.c
35129 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-3945.c 2011-03-27 14:31:47.000000000 -0400
35130 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-3945.c 2011-04-17 15:56:46.000000000 -0400
35131 @@ -2874,7 +2874,7 @@ static struct iwl_hcmd_utils_ops iwl3945
35132 .build_addsta_hcmd = iwl3945_build_addsta_hcmd,
35133 };
35134
35135 -static struct iwl_ops iwl3945_ops = {
35136 +static const struct iwl_ops iwl3945_ops = {
35137 .ucode = &iwl3945_ucode,
35138 .lib = &iwl3945_lib,
35139 .hcmd = &iwl3945_hcmd,
35140 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-4965.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-4965.c
35141 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-4965.c 2011-03-27 14:31:47.000000000 -0400
35142 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-4965.c 2011-04-17 15:56:46.000000000 -0400
35143 @@ -2345,7 +2345,7 @@ static struct iwl_lib_ops iwl4965_lib =
35144 },
35145 };
35146
35147 -static struct iwl_ops iwl4965_ops = {
35148 +static const struct iwl_ops iwl4965_ops = {
35149 .ucode = &iwl4965_ucode,
35150 .lib = &iwl4965_lib,
35151 .hcmd = &iwl4965_hcmd,
35152 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-5000.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-5000.c
35153 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-5000.c 2011-06-25 12:55:34.000000000 -0400
35154 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-5000.c 2011-06-25 12:56:37.000000000 -0400
35155 @@ -1633,14 +1633,14 @@ static struct iwl_lib_ops iwl5150_lib =
35156 },
35157 };
35158
35159 -struct iwl_ops iwl5000_ops = {
35160 +const struct iwl_ops iwl5000_ops = {
35161 .ucode = &iwl5000_ucode,
35162 .lib = &iwl5000_lib,
35163 .hcmd = &iwl5000_hcmd,
35164 .utils = &iwl5000_hcmd_utils,
35165 };
35166
35167 -static struct iwl_ops iwl5150_ops = {
35168 +static const struct iwl_ops iwl5150_ops = {
35169 .ucode = &iwl5000_ucode,
35170 .lib = &iwl5150_lib,
35171 .hcmd = &iwl5000_hcmd,
35172 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-6000.c
35173 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-03-27 14:31:47.000000000 -0400
35174 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-04-17 15:56:46.000000000 -0400
35175 @@ -146,7 +146,7 @@ static struct iwl_hcmd_utils_ops iwl6000
35176 .calc_rssi = iwl5000_calc_rssi,
35177 };
35178
35179 -static struct iwl_ops iwl6000_ops = {
35180 +static const struct iwl_ops iwl6000_ops = {
35181 .ucode = &iwl5000_ucode,
35182 .lib = &iwl6000_lib,
35183 .hcmd = &iwl5000_hcmd,
35184 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn.c
35185 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn.c 2011-03-27 14:31:47.000000000 -0400
35186 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn.c 2011-08-05 20:33:55.000000000 -0400
35187 @@ -2911,7 +2911,9 @@ static int iwl_pci_probe(struct pci_dev
35188 if (iwl_debug_level & IWL_DL_INFO)
35189 dev_printk(KERN_DEBUG, &(pdev->dev),
35190 "Disabling hw_scan\n");
35191 - iwl_hw_ops.hw_scan = NULL;
35192 + pax_open_kernel();
35193 + *(void **)&iwl_hw_ops.hw_scan = NULL;
35194 + pax_close_kernel();
35195 }
35196
35197 hw = iwl_alloc_all(cfg, &iwl_hw_ops);
35198 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
35199 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-03-27 14:31:47.000000000 -0400
35200 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-16 21:46:57.000000000 -0400
35201 @@ -857,6 +857,8 @@ static void rs_tx_status(void *priv_r, s
35202 u8 active_index = 0;
35203 s32 tpt = 0;
35204
35205 + pax_track_stack();
35206 +
35207 IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
35208
35209 if (!ieee80211_is_data(hdr->frame_control) ||
35210 @@ -2722,6 +2724,8 @@ static void rs_fill_link_cmd(struct iwl_
35211 u8 valid_tx_ant = 0;
35212 struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
35213
35214 + pax_track_stack();
35215 +
35216 /* Override starting rate (index 0) if needed for debug purposes */
35217 rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
35218
35219 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debugfs.c
35220 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-03-27 14:31:47.000000000 -0400
35221 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-16 21:46:57.000000000 -0400
35222 @@ -524,6 +524,8 @@ static ssize_t iwl_dbgfs_status_read(str
35223 int pos = 0;
35224 const size_t bufsz = sizeof(buf);
35225
35226 + pax_track_stack();
35227 +
35228 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
35229 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
35230 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_SYNC_ACTIVE: %d\n",
35231 @@ -658,6 +660,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
35232 const size_t bufsz = sizeof(buf);
35233 ssize_t ret;
35234
35235 + pax_track_stack();
35236 +
35237 for (i = 0; i < AC_NUM; i++) {
35238 pos += scnprintf(buf + pos, bufsz - pos,
35239 "\tcw_min\tcw_max\taifsn\ttxop\n");
35240 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debug.h
35241 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-03-27 14:31:47.000000000 -0400
35242 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-04-17 15:56:46.000000000 -0400
35243 @@ -118,8 +118,8 @@ void iwl_dbgfs_unregister(struct iwl_pri
35244 #endif
35245
35246 #else
35247 -#define IWL_DEBUG(__priv, level, fmt, args...)
35248 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
35249 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
35250 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
35251 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
35252 void *p, u32 len)
35253 {}
35254 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-dev.h linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-dev.h
35255 --- linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-dev.h 2011-03-27 14:31:47.000000000 -0400
35256 +++ linux-2.6.32.46/drivers/net/wireless/iwlwifi/iwl-dev.h 2011-04-17 15:56:46.000000000 -0400
35257 @@ -68,7 +68,7 @@ struct iwl_tx_queue;
35258
35259 /* shared structures from iwl-5000.c */
35260 extern struct iwl_mod_params iwl50_mod_params;
35261 -extern struct iwl_ops iwl5000_ops;
35262 +extern const struct iwl_ops iwl5000_ops;
35263 extern struct iwl_ucode_ops iwl5000_ucode;
35264 extern struct iwl_lib_ops iwl5000_lib;
35265 extern struct iwl_hcmd_ops iwl5000_hcmd;
35266 diff -urNp linux-2.6.32.46/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-2.6.32.46/drivers/net/wireless/iwmc3200wifi/debugfs.c
35267 --- linux-2.6.32.46/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-03-27 14:31:47.000000000 -0400
35268 +++ linux-2.6.32.46/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-16 21:46:57.000000000 -0400
35269 @@ -299,6 +299,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
35270 int buf_len = 512;
35271 size_t len = 0;
35272
35273 + pax_track_stack();
35274 +
35275 if (*ppos != 0)
35276 return 0;
35277 if (count < sizeof(buf))
35278 diff -urNp linux-2.6.32.46/drivers/net/wireless/libertas/debugfs.c linux-2.6.32.46/drivers/net/wireless/libertas/debugfs.c
35279 --- linux-2.6.32.46/drivers/net/wireless/libertas/debugfs.c 2011-03-27 14:31:47.000000000 -0400
35280 +++ linux-2.6.32.46/drivers/net/wireless/libertas/debugfs.c 2011-04-17 15:56:46.000000000 -0400
35281 @@ -708,7 +708,7 @@ out_unlock:
35282 struct lbs_debugfs_files {
35283 const char *name;
35284 int perm;
35285 - struct file_operations fops;
35286 + const struct file_operations fops;
35287 };
35288
35289 static const struct lbs_debugfs_files debugfs_files[] = {
35290 diff -urNp linux-2.6.32.46/drivers/net/wireless/rndis_wlan.c linux-2.6.32.46/drivers/net/wireless/rndis_wlan.c
35291 --- linux-2.6.32.46/drivers/net/wireless/rndis_wlan.c 2011-03-27 14:31:47.000000000 -0400
35292 +++ linux-2.6.32.46/drivers/net/wireless/rndis_wlan.c 2011-04-17 15:56:46.000000000 -0400
35293 @@ -1176,7 +1176,7 @@ static int set_rts_threshold(struct usbn
35294
35295 devdbg(usbdev, "set_rts_threshold %i", rts_threshold);
35296
35297 - if (rts_threshold < 0 || rts_threshold > 2347)
35298 + if (rts_threshold > 2347)
35299 rts_threshold = 2347;
35300
35301 tmp = cpu_to_le32(rts_threshold);
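Review bot: Dropping `rts_threshold < 0` preserves behaviour only if the parameter is unsigned, and the signature is cut off in the hunk header, so that cannot be confirmed from here. If it is unsigned, a short comment such as `/* rts_threshold is unsigned; only the upper bound needs clamping */` records why the lower bound is gone. The literal 2347, used twice, would read better as a named constant. set_rts_threshold continues outside the hunk.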
35302 diff -urNp linux-2.6.32.46/drivers/oprofile/buffer_sync.c linux-2.6.32.46/drivers/oprofile/buffer_sync.c
35303 --- linux-2.6.32.46/drivers/oprofile/buffer_sync.c 2011-03-27 14:31:47.000000000 -0400
35304 +++ linux-2.6.32.46/drivers/oprofile/buffer_sync.c 2011-04-17 15:56:46.000000000 -0400
35305 @@ -341,7 +341,7 @@ static void add_data(struct op_entry *en
35306 if (cookie == NO_COOKIE)
35307 offset = pc;
35308 if (cookie == INVALID_COOKIE) {
35309 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
35310 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
35311 offset = pc;
35312 }
35313 if (cookie != last_cookie) {
35314 @@ -385,14 +385,14 @@ add_sample(struct mm_struct *mm, struct
35315 /* add userspace sample */
35316
35317 if (!mm) {
35318 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
35319 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
35320 return 0;
35321 }
35322
35323 cookie = lookup_dcookie(mm, s->eip, &offset);
35324
35325 if (cookie == INVALID_COOKIE) {
35326 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
35327 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
35328 return 0;
35329 }
35330
35331 @@ -561,7 +561,7 @@ void sync_buffer(int cpu)
35332 /* ignore backtraces if failed to add a sample */
35333 if (state == sb_bt_start) {
35334 state = sb_bt_ignore;
35335 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
35336 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
35337 }
35338 }
35339 release_mm(mm);
35340 diff -urNp linux-2.6.32.46/drivers/oprofile/event_buffer.c linux-2.6.32.46/drivers/oprofile/event_buffer.c
35341 --- linux-2.6.32.46/drivers/oprofile/event_buffer.c 2011-03-27 14:31:47.000000000 -0400
35342 +++ linux-2.6.32.46/drivers/oprofile/event_buffer.c 2011-04-17 15:56:46.000000000 -0400
35343 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
35344 }
35345
35346 if (buffer_pos == buffer_size) {
35347 - atomic_inc(&oprofile_stats.event_lost_overflow);
35348 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
35349 return;
35350 }
35351
35352 diff -urNp linux-2.6.32.46/drivers/oprofile/oprof.c linux-2.6.32.46/drivers/oprofile/oprof.c
35353 --- linux-2.6.32.46/drivers/oprofile/oprof.c 2011-03-27 14:31:47.000000000 -0400
35354 +++ linux-2.6.32.46/drivers/oprofile/oprof.c 2011-04-17 15:56:46.000000000 -0400
35355 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
35356 if (oprofile_ops.switch_events())
35357 return;
35358
35359 - atomic_inc(&oprofile_stats.multiplex_counter);
35360 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
35361 start_switch_worker();
35362 }
35363
35364 diff -urNp linux-2.6.32.46/drivers/oprofile/oprofilefs.c linux-2.6.32.46/drivers/oprofile/oprofilefs.c
35365 --- linux-2.6.32.46/drivers/oprofile/oprofilefs.c 2011-03-27 14:31:47.000000000 -0400
35366 +++ linux-2.6.32.46/drivers/oprofile/oprofilefs.c 2011-04-17 15:56:46.000000000 -0400
35367 @@ -187,7 +187,7 @@ static const struct file_operations atom
35368
35369
35370 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
35371 - char const *name, atomic_t *val)
35372 + char const *name, atomic_unchecked_t *val)
35373 {
35374 struct dentry *d = __oprofilefs_create_file(sb, root, name,
35375 &atomic_ro_fops, 0444);
35376 diff -urNp linux-2.6.32.46/drivers/oprofile/oprofile_stats.c linux-2.6.32.46/drivers/oprofile/oprofile_stats.c
35377 --- linux-2.6.32.46/drivers/oprofile/oprofile_stats.c 2011-03-27 14:31:47.000000000 -0400
35378 +++ linux-2.6.32.46/drivers/oprofile/oprofile_stats.c 2011-04-17 15:56:46.000000000 -0400
35379 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
35380 cpu_buf->sample_invalid_eip = 0;
35381 }
35382
35383 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
35384 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
35385 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
35386 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
35387 - atomic_set(&oprofile_stats.multiplex_counter, 0);
35388 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
35389 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
35390 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
35391 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
35392 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
35393 }
35394
35395
35396 diff -urNp linux-2.6.32.46/drivers/oprofile/oprofile_stats.h linux-2.6.32.46/drivers/oprofile/oprofile_stats.h
35397 --- linux-2.6.32.46/drivers/oprofile/oprofile_stats.h 2011-03-27 14:31:47.000000000 -0400
35398 +++ linux-2.6.32.46/drivers/oprofile/oprofile_stats.h 2011-04-17 15:56:46.000000000 -0400
35399 @@ -13,11 +13,11 @@
35400 #include <asm/atomic.h>
35401
35402 struct oprofile_stat_struct {
35403 - atomic_t sample_lost_no_mm;
35404 - atomic_t sample_lost_no_mapping;
35405 - atomic_t bt_lost_no_mapping;
35406 - atomic_t event_lost_overflow;
35407 - atomic_t multiplex_counter;
35408 + atomic_unchecked_t sample_lost_no_mm;
35409 + atomic_unchecked_t sample_lost_no_mapping;
35410 + atomic_unchecked_t bt_lost_no_mapping;
35411 + atomic_unchecked_t event_lost_overflow;
35412 + atomic_unchecked_t multiplex_counter;
35413 };
35414
35415 extern struct oprofile_stat_struct oprofile_stats;
35416 diff -urNp linux-2.6.32.46/drivers/parisc/pdc_stable.c linux-2.6.32.46/drivers/parisc/pdc_stable.c
35417 --- linux-2.6.32.46/drivers/parisc/pdc_stable.c 2011-03-27 14:31:47.000000000 -0400
35418 +++ linux-2.6.32.46/drivers/parisc/pdc_stable.c 2011-04-17 15:56:46.000000000 -0400
35419 @@ -481,7 +481,7 @@ pdcspath_attr_store(struct kobject *kobj
35420 return ret;
35421 }
35422
35423 -static struct sysfs_ops pdcspath_attr_ops = {
35424 +static const struct sysfs_ops pdcspath_attr_ops = {
35425 .show = pdcspath_attr_show,
35426 .store = pdcspath_attr_store,
35427 };
35428 diff -urNp linux-2.6.32.46/drivers/parport/procfs.c linux-2.6.32.46/drivers/parport/procfs.c
35429 --- linux-2.6.32.46/drivers/parport/procfs.c 2011-03-27 14:31:47.000000000 -0400
35430 +++ linux-2.6.32.46/drivers/parport/procfs.c 2011-04-17 15:56:46.000000000 -0400
35431 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
35432
35433 *ppos += len;
35434
35435 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
35436 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
35437 }
35438
35439 #ifdef CONFIG_PARPORT_1284
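Review bot: The new `len > sizeof buffer` test sits in the return expression, after `*ppos += len` has already advanced the file position, so a rejected call still moves the offset. It also guards only the copy-out; the code that fills `buffer` is outside the hunk, and if `len` can exceed the array there, the write side needs its own bound. I would reject first with `if (len > sizeof buffer) return -EFAULT;` placed before `*ppos += len;` and leave the return line as it was. The do_autoprobe hunk below has the same ordering.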
35440 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
35441
35442 *ppos += len;
35443
35444 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
35445 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
35446 }
35447 #endif /* IEEE1284.3 support. */
35448
35449 diff -urNp linux-2.6.32.46/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.32.46/drivers/pci/hotplug/acpiphp_glue.c
35450 --- linux-2.6.32.46/drivers/pci/hotplug/acpiphp_glue.c 2011-03-27 14:31:47.000000000 -0400
35451 +++ linux-2.6.32.46/drivers/pci/hotplug/acpiphp_glue.c 2011-04-17 15:56:46.000000000 -0400
35452 @@ -111,7 +111,7 @@ static int post_dock_fixups(struct notif
35453 }
35454
35455
35456 -static struct acpi_dock_ops acpiphp_dock_ops = {
35457 +static const struct acpi_dock_ops acpiphp_dock_ops = {
35458 .handler = handle_hotplug_event_func,
35459 };
35460
35461 diff -urNp linux-2.6.32.46/drivers/pci/hotplug/cpci_hotplug.h linux-2.6.32.46/drivers/pci/hotplug/cpci_hotplug.h
35462 --- linux-2.6.32.46/drivers/pci/hotplug/cpci_hotplug.h 2011-03-27 14:31:47.000000000 -0400
35463 +++ linux-2.6.32.46/drivers/pci/hotplug/cpci_hotplug.h 2011-08-05 20:33:55.000000000 -0400
35464 @@ -59,7 +59,7 @@ struct cpci_hp_controller_ops {
35465 int (*hardware_test) (struct slot* slot, u32 value);
35466 u8 (*get_power) (struct slot* slot);
35467 int (*set_power) (struct slot* slot, int value);
35468 -};
35469 +} __no_const;
35470
35471 struct cpci_hp_controller {
35472 unsigned int irq;
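Review bot: `__no_const` on `struct cpci_hp_controller_ops` presumably exempts this table of function pointers from being made read-only, and the hunk gives no hint which code assigns its members at run time. A one-line comment beside the annotation, such as `/* members are assigned at run time by <driver> */`, would let a reader check that the exemption is still needed. The same applies to `struct bq27x00_access_methods` in drivers/power/bq27x00_battery.c.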
35473 diff -urNp linux-2.6.32.46/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.32.46/drivers/pci/hotplug/cpqphp_nvram.c
35474 --- linux-2.6.32.46/drivers/pci/hotplug/cpqphp_nvram.c 2011-03-27 14:31:47.000000000 -0400
35475 +++ linux-2.6.32.46/drivers/pci/hotplug/cpqphp_nvram.c 2011-04-17 15:56:46.000000000 -0400
35476 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
35477
35478 void compaq_nvram_init (void __iomem *rom_start)
35479 {
35480 +
35481 +#ifndef CONFIG_PAX_KERNEXEC
35482 if (rom_start) {
35483 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
35484 }
35485 +#endif
35486 +
35487 dbg("int15 entry = %p\n", compaq_int15_entry_point);
35488
35489 /* initialize our int15 lock */
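Review bot: With CONFIG_PAX_KERNEXEC set, `compaq_int15_entry_point` is never assigned in compaq_nvram_init, yet the `dbg("int15 entry = %p\n", ...)` line still runs and nothing records why the assignment is skipped. A comment above the `#ifndef` would help, e.g. `/* the ROM int15 entry point is left unset when KERNEXEC is enabled */`. The code that uses the entry point is outside this hunk and should be checked to confirm it copes with the pointer being unset. The blank line added directly after the opening brace is stray.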
35490 diff -urNp linux-2.6.32.46/drivers/pci/hotplug/fakephp.c linux-2.6.32.46/drivers/pci/hotplug/fakephp.c
35491 --- linux-2.6.32.46/drivers/pci/hotplug/fakephp.c 2011-03-27 14:31:47.000000000 -0400
35492 +++ linux-2.6.32.46/drivers/pci/hotplug/fakephp.c 2011-04-17 15:56:46.000000000 -0400
35493 @@ -73,7 +73,7 @@ static void legacy_release(struct kobjec
35494 }
35495
35496 static struct kobj_type legacy_ktype = {
35497 - .sysfs_ops = &(struct sysfs_ops){
35498 + .sysfs_ops = &(const struct sysfs_ops){
35499 .store = legacy_store, .show = legacy_show
35500 },
35501 .release = &legacy_release,
35502 diff -urNp linux-2.6.32.46/drivers/pci/intel-iommu.c linux-2.6.32.46/drivers/pci/intel-iommu.c
35503 --- linux-2.6.32.46/drivers/pci/intel-iommu.c 2011-05-10 22:12:01.000000000 -0400
35504 +++ linux-2.6.32.46/drivers/pci/intel-iommu.c 2011-05-10 22:12:33.000000000 -0400
35505 @@ -2643,7 +2643,7 @@ error:
35506 return 0;
35507 }
35508
35509 -static dma_addr_t intel_map_page(struct device *dev, struct page *page,
35510 +dma_addr_t intel_map_page(struct device *dev, struct page *page,
35511 unsigned long offset, size_t size,
35512 enum dma_data_direction dir,
35513 struct dma_attrs *attrs)
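Review bot: `intel_map_page` loses its `static` here, and the following hunks do the same for intel_unmap_page, intel_alloc_coherent, intel_free_coherent, intel_unmap_sg, intel_map_sg and intel_mapping_error, but none of these hunks adds a prototype. Unless a header elsewhere in the patch declares them, each becomes a global symbol with no declaration in scope at its definition, which hides signature mismatches from the compiler. A short comment above the first one naming the external user, for example `/* non-static: also referenced from <other file> */`, would explain why the linkage changed. The function bodies lie outside the hunks.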
35514 @@ -2719,7 +2719,7 @@ static void add_unmap(struct dmar_domain
35515 spin_unlock_irqrestore(&async_umap_flush_lock, flags);
35516 }
35517
35518 -static void intel_unmap_page(struct device *dev, dma_addr_t dev_addr,
35519 +void intel_unmap_page(struct device *dev, dma_addr_t dev_addr,
35520 size_t size, enum dma_data_direction dir,
35521 struct dma_attrs *attrs)
35522 {
35523 @@ -2768,7 +2768,7 @@ static void intel_unmap_page(struct devi
35524 }
35525 }
35526
35527 -static void *intel_alloc_coherent(struct device *hwdev, size_t size,
35528 +void *intel_alloc_coherent(struct device *hwdev, size_t size,
35529 dma_addr_t *dma_handle, gfp_t flags)
35530 {
35531 void *vaddr;
35532 @@ -2800,7 +2800,7 @@ static void *intel_alloc_coherent(struct
35533 return NULL;
35534 }
35535
35536 -static void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr,
35537 +void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr,
35538 dma_addr_t dma_handle)
35539 {
35540 int order;
35541 @@ -2812,7 +2812,7 @@ static void intel_free_coherent(struct d
35542 free_pages((unsigned long)vaddr, order);
35543 }
35544
35545 -static void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist,
35546 +void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist,
35547 int nelems, enum dma_data_direction dir,
35548 struct dma_attrs *attrs)
35549 {
35550 @@ -2872,7 +2872,7 @@ static int intel_nontranslate_map_sg(str
35551 return nelems;
35552 }
35553
35554 -static int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems,
35555 +int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems,
35556 enum dma_data_direction dir, struct dma_attrs *attrs)
35557 {
35558 int i;
35559 @@ -2941,12 +2941,12 @@ static int intel_map_sg(struct device *h
35560 return nelems;
35561 }
35562
35563 -static int intel_mapping_error(struct device *dev, dma_addr_t dma_addr)
35564 +int intel_mapping_error(struct device *dev, dma_addr_t dma_addr)
35565 {
35566 return !dma_addr;
35567 }
35568
35569 -struct dma_map_ops intel_dma_ops = {
35570 +const struct dma_map_ops intel_dma_ops = {
35571 .alloc_coherent = intel_alloc_coherent,
35572 .free_coherent = intel_free_coherent,
35573 .map_sg = intel_map_sg,
35574 diff -urNp linux-2.6.32.46/drivers/pci/pcie/aspm.c linux-2.6.32.46/drivers/pci/pcie/aspm.c
35575 --- linux-2.6.32.46/drivers/pci/pcie/aspm.c 2011-03-27 14:31:47.000000000 -0400
35576 +++ linux-2.6.32.46/drivers/pci/pcie/aspm.c 2011-04-17 15:56:46.000000000 -0400
35577 @@ -27,9 +27,9 @@
35578 #define MODULE_PARAM_PREFIX "pcie_aspm."
35579
35580 /* Note: those are not register definitions */
35581 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
35582 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
35583 -#define ASPM_STATE_L1 (4) /* L1 state */
35584 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
35585 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
35586 +#define ASPM_STATE_L1 (4U) /* L1 state */
35587 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
35588 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
35589
35590 diff -urNp linux-2.6.32.46/drivers/pci/probe.c linux-2.6.32.46/drivers/pci/probe.c
35591 --- linux-2.6.32.46/drivers/pci/probe.c 2011-03-27 14:31:47.000000000 -0400
35592 +++ linux-2.6.32.46/drivers/pci/probe.c 2011-04-17 15:56:46.000000000 -0400
35593 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
35594 return ret;
35595 }
35596
35597 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
35598 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
35599 struct device_attribute *attr,
35600 char *buf)
35601 {
35602 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
35603 }
35604
35605 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
35606 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
35607 struct device_attribute *attr,
35608 char *buf)
35609 {
35610 diff -urNp linux-2.6.32.46/drivers/pci/proc.c linux-2.6.32.46/drivers/pci/proc.c
35611 --- linux-2.6.32.46/drivers/pci/proc.c 2011-03-27 14:31:47.000000000 -0400
35612 +++ linux-2.6.32.46/drivers/pci/proc.c 2011-04-17 15:56:46.000000000 -0400
35613 @@ -480,7 +480,16 @@ static const struct file_operations proc
35614 static int __init pci_proc_init(void)
35615 {
35616 struct pci_dev *dev = NULL;
35617 +
35618 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
35619 +#ifdef CONFIG_GRKERNSEC_PROC_USER
35620 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
35621 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
35622 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
35623 +#endif
35624 +#else
35625 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
35626 +#endif
35627 proc_create("devices", 0, proc_bus_pci_dir,
35628 &proc_bus_pci_dev_operations);
35629 proc_initialized = 1;
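Review bot: When CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, no branch assigns `proc_bus_pci_dir`, and the following `proc_create("devices", 0, proc_bus_pci_dir, ...)` runs with whatever the variable held before. Kconfig may make that combination impossible, but nothing in the hunk enforces it; an inner `#else` with `proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);` (or an `#error`) closes the gap. The result of the mkdir call is also not checked before it is passed on. pci_proc_init continues past the end of the hunk.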
35630 diff -urNp linux-2.6.32.46/drivers/pci/slot.c linux-2.6.32.46/drivers/pci/slot.c
35631 --- linux-2.6.32.46/drivers/pci/slot.c 2011-03-27 14:31:47.000000000 -0400
35632 +++ linux-2.6.32.46/drivers/pci/slot.c 2011-04-17 15:56:46.000000000 -0400
35633 @@ -29,7 +29,7 @@ static ssize_t pci_slot_attr_store(struc
35634 return attribute->store ? attribute->store(slot, buf, len) : -EIO;
35635 }
35636
35637 -static struct sysfs_ops pci_slot_sysfs_ops = {
35638 +static const struct sysfs_ops pci_slot_sysfs_ops = {
35639 .show = pci_slot_attr_show,
35640 .store = pci_slot_attr_store,
35641 };
35642 diff -urNp linux-2.6.32.46/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.32.46/drivers/pcmcia/pcmcia_ioctl.c
35643 --- linux-2.6.32.46/drivers/pcmcia/pcmcia_ioctl.c 2011-03-27 14:31:47.000000000 -0400
35644 +++ linux-2.6.32.46/drivers/pcmcia/pcmcia_ioctl.c 2011-04-17 15:56:46.000000000 -0400
35645 @@ -819,7 +819,7 @@ static int ds_ioctl(struct inode * inode
35646 return -EFAULT;
35647 }
35648 }
35649 - buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
35650 + buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
35651 if (!buf)
35652 return -ENOMEM;
35653
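Review bot: The switch to `kzalloc` carries no explanation, so a later cleanup could turn it back into `kmalloc`. If, as seems likely, parts of `buf` are copied back to user space further down in ds_ioctl (outside this hunk), a one-line comment such as `/* zeroed: unwritten bytes of the ioctl argument must not reach user space */` records why the allocation is cleared.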
35654 diff -urNp linux-2.6.32.46/drivers/platform/x86/acer-wmi.c linux-2.6.32.46/drivers/platform/x86/acer-wmi.c
35655 --- linux-2.6.32.46/drivers/platform/x86/acer-wmi.c 2011-03-27 14:31:47.000000000 -0400
35656 +++ linux-2.6.32.46/drivers/platform/x86/acer-wmi.c 2011-04-17 15:56:46.000000000 -0400
35657 @@ -918,7 +918,7 @@ static int update_bl_status(struct backl
35658 return 0;
35659 }
35660
35661 -static struct backlight_ops acer_bl_ops = {
35662 +static const struct backlight_ops acer_bl_ops = {
35663 .get_brightness = read_brightness,
35664 .update_status = update_bl_status,
35665 };
35666 diff -urNp linux-2.6.32.46/drivers/platform/x86/asus_acpi.c linux-2.6.32.46/drivers/platform/x86/asus_acpi.c
35667 --- linux-2.6.32.46/drivers/platform/x86/asus_acpi.c 2011-03-27 14:31:47.000000000 -0400
35668 +++ linux-2.6.32.46/drivers/platform/x86/asus_acpi.c 2011-04-17 15:56:46.000000000 -0400
35669 @@ -1396,7 +1396,7 @@ static int asus_hotk_remove(struct acpi_
35670 return 0;
35671 }
35672
35673 -static struct backlight_ops asus_backlight_data = {
35674 +static const struct backlight_ops asus_backlight_data = {
35675 .get_brightness = read_brightness,
35676 .update_status = set_brightness_status,
35677 };
35678 diff -urNp linux-2.6.32.46/drivers/platform/x86/asus-laptop.c linux-2.6.32.46/drivers/platform/x86/asus-laptop.c
35679 --- linux-2.6.32.46/drivers/platform/x86/asus-laptop.c 2011-03-27 14:31:47.000000000 -0400
35680 +++ linux-2.6.32.46/drivers/platform/x86/asus-laptop.c 2011-04-17 15:56:46.000000000 -0400
35681 @@ -250,7 +250,7 @@ static struct backlight_device *asus_bac
35682 */
35683 static int read_brightness(struct backlight_device *bd);
35684 static int update_bl_status(struct backlight_device *bd);
35685 -static struct backlight_ops asusbl_ops = {
35686 +static const struct backlight_ops asusbl_ops = {
35687 .get_brightness = read_brightness,
35688 .update_status = update_bl_status,
35689 };
35690 diff -urNp linux-2.6.32.46/drivers/platform/x86/compal-laptop.c linux-2.6.32.46/drivers/platform/x86/compal-laptop.c
35691 --- linux-2.6.32.46/drivers/platform/x86/compal-laptop.c 2011-03-27 14:31:47.000000000 -0400
35692 +++ linux-2.6.32.46/drivers/platform/x86/compal-laptop.c 2011-04-17 15:56:46.000000000 -0400
35693 @@ -163,7 +163,7 @@ static int bl_update_status(struct backl
35694 return set_lcd_level(b->props.brightness);
35695 }
35696
35697 -static struct backlight_ops compalbl_ops = {
35698 +static const struct backlight_ops compalbl_ops = {
35699 .get_brightness = bl_get_brightness,
35700 .update_status = bl_update_status,
35701 };
35702 diff -urNp linux-2.6.32.46/drivers/platform/x86/dell-laptop.c linux-2.6.32.46/drivers/platform/x86/dell-laptop.c
35703 --- linux-2.6.32.46/drivers/platform/x86/dell-laptop.c 2011-05-10 22:12:01.000000000 -0400
35704 +++ linux-2.6.32.46/drivers/platform/x86/dell-laptop.c 2011-05-10 22:12:33.000000000 -0400
35705 @@ -318,7 +318,7 @@ static int dell_get_intensity(struct bac
35706 return buffer.output[1];
35707 }
35708
35709 -static struct backlight_ops dell_ops = {
35710 +static const struct backlight_ops dell_ops = {
35711 .get_brightness = dell_get_intensity,
35712 .update_status = dell_send_intensity,
35713 };
35714 diff -urNp linux-2.6.32.46/drivers/platform/x86/eeepc-laptop.c linux-2.6.32.46/drivers/platform/x86/eeepc-laptop.c
35715 --- linux-2.6.32.46/drivers/platform/x86/eeepc-laptop.c 2011-03-27 14:31:47.000000000 -0400
35716 +++ linux-2.6.32.46/drivers/platform/x86/eeepc-laptop.c 2011-04-17 15:56:46.000000000 -0400
35717 @@ -245,7 +245,7 @@ static struct device *eeepc_hwmon_device
35718 */
35719 static int read_brightness(struct backlight_device *bd);
35720 static int update_bl_status(struct backlight_device *bd);
35721 -static struct backlight_ops eeepcbl_ops = {
35722 +static const struct backlight_ops eeepcbl_ops = {
35723 .get_brightness = read_brightness,
35724 .update_status = update_bl_status,
35725 };
35726 diff -urNp linux-2.6.32.46/drivers/platform/x86/fujitsu-laptop.c linux-2.6.32.46/drivers/platform/x86/fujitsu-laptop.c
35727 --- linux-2.6.32.46/drivers/platform/x86/fujitsu-laptop.c 2011-03-27 14:31:47.000000000 -0400
35728 +++ linux-2.6.32.46/drivers/platform/x86/fujitsu-laptop.c 2011-04-17 15:56:46.000000000 -0400
35729 @@ -436,7 +436,7 @@ static int bl_update_status(struct backl
35730 return ret;
35731 }
35732
35733 -static struct backlight_ops fujitsubl_ops = {
35734 +static const struct backlight_ops fujitsubl_ops = {
35735 .get_brightness = bl_get_brightness,
35736 .update_status = bl_update_status,
35737 };
35738 diff -urNp linux-2.6.32.46/drivers/platform/x86/msi-laptop.c linux-2.6.32.46/drivers/platform/x86/msi-laptop.c
35739 --- linux-2.6.32.46/drivers/platform/x86/msi-laptop.c 2011-03-27 14:31:47.000000000 -0400
35740 +++ linux-2.6.32.46/drivers/platform/x86/msi-laptop.c 2011-04-17 15:56:46.000000000 -0400
35741 @@ -161,7 +161,7 @@ static int bl_update_status(struct backl
35742 return set_lcd_level(b->props.brightness);
35743 }
35744
35745 -static struct backlight_ops msibl_ops = {
35746 +static const struct backlight_ops msibl_ops = {
35747 .get_brightness = bl_get_brightness,
35748 .update_status = bl_update_status,
35749 };
35750 diff -urNp linux-2.6.32.46/drivers/platform/x86/panasonic-laptop.c linux-2.6.32.46/drivers/platform/x86/panasonic-laptop.c
35751 --- linux-2.6.32.46/drivers/platform/x86/panasonic-laptop.c 2011-03-27 14:31:47.000000000 -0400
35752 +++ linux-2.6.32.46/drivers/platform/x86/panasonic-laptop.c 2011-04-17 15:56:46.000000000 -0400
35753 @@ -352,7 +352,7 @@ static int bl_set_status(struct backligh
35754 return acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, bright);
35755 }
35756
35757 -static struct backlight_ops pcc_backlight_ops = {
35758 +static const struct backlight_ops pcc_backlight_ops = {
35759 .get_brightness = bl_get,
35760 .update_status = bl_set_status,
35761 };
35762 diff -urNp linux-2.6.32.46/drivers/platform/x86/sony-laptop.c linux-2.6.32.46/drivers/platform/x86/sony-laptop.c
35763 --- linux-2.6.32.46/drivers/platform/x86/sony-laptop.c 2011-03-27 14:31:47.000000000 -0400
35764 +++ linux-2.6.32.46/drivers/platform/x86/sony-laptop.c 2011-04-17 15:56:46.000000000 -0400
35765 @@ -850,7 +850,7 @@ static int sony_backlight_get_brightness
35766 }
35767
35768 static struct backlight_device *sony_backlight_device;
35769 -static struct backlight_ops sony_backlight_ops = {
35770 +static const struct backlight_ops sony_backlight_ops = {
35771 .update_status = sony_backlight_update_status,
35772 .get_brightness = sony_backlight_get_brightness,
35773 };
35774 diff -urNp linux-2.6.32.46/drivers/platform/x86/thinkpad_acpi.c linux-2.6.32.46/drivers/platform/x86/thinkpad_acpi.c
35775 --- linux-2.6.32.46/drivers/platform/x86/thinkpad_acpi.c 2011-03-27 14:31:47.000000000 -0400
35776 +++ linux-2.6.32.46/drivers/platform/x86/thinkpad_acpi.c 2011-08-05 20:33:55.000000000 -0400
35777 @@ -2137,7 +2137,7 @@ static int hotkey_mask_get(void)
35778 return 0;
35779 }
35780
35781 -void static hotkey_mask_warn_incomplete_mask(void)
35782 +static void hotkey_mask_warn_incomplete_mask(void)
35783 {
35784 /* log only what the user can fix... */
35785 const u32 wantedmask = hotkey_driver_mask &
35786 @@ -6122,7 +6122,7 @@ static void tpacpi_brightness_notify_cha
35787 BACKLIGHT_UPDATE_HOTKEY);
35788 }
35789
35790 -static struct backlight_ops ibm_backlight_data = {
35791 +static const struct backlight_ops ibm_backlight_data = {
35792 .get_brightness = brightness_get,
35793 .update_status = brightness_update_status,
35794 };
35795 diff -urNp linux-2.6.32.46/drivers/platform/x86/toshiba_acpi.c linux-2.6.32.46/drivers/platform/x86/toshiba_acpi.c
35796 --- linux-2.6.32.46/drivers/platform/x86/toshiba_acpi.c 2011-03-27 14:31:47.000000000 -0400
35797 +++ linux-2.6.32.46/drivers/platform/x86/toshiba_acpi.c 2011-04-17 15:56:46.000000000 -0400
35798 @@ -671,7 +671,7 @@ static acpi_status remove_device(void)
35799 return AE_OK;
35800 }
35801
35802 -static struct backlight_ops toshiba_backlight_data = {
35803 +static const struct backlight_ops toshiba_backlight_data = {
35804 .get_brightness = get_lcd,
35805 .update_status = set_lcd_status,
35806 };
35807 diff -urNp linux-2.6.32.46/drivers/pnp/pnpbios/bioscalls.c linux-2.6.32.46/drivers/pnp/pnpbios/bioscalls.c
35808 --- linux-2.6.32.46/drivers/pnp/pnpbios/bioscalls.c 2011-03-27 14:31:47.000000000 -0400
35809 +++ linux-2.6.32.46/drivers/pnp/pnpbios/bioscalls.c 2011-04-17 15:56:46.000000000 -0400
35810 @@ -60,7 +60,7 @@ do { \
35811 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
35812 } while(0)
35813
35814 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
35815 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
35816 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
35817
35818 /*
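Review bot: The flags value changes from `0x4092` to `0x4093` together with the added `const`, and nothing says why. The added low bit is the descriptor's Accessed bit; presumably it is pre-set so the CPU does not have to write it back into the GDT when the selector is loaded. A comment on the initializer, e.g. `/* 0x4093: accessed bit pre-set so loading the selector does not write to the GDT */`, would keep a later reader from restoring the old constant.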
35819 @@ -97,7 +97,10 @@ static inline u16 call_pnp_bios(u16 func
35820
35821 cpu = get_cpu();
35822 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
35823 +
35824 + pax_open_kernel();
35825 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
35826 + pax_close_kernel();
35827
35828 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
35829 spin_lock_irqsave(&pnp_bios_lock, flags);
35830 @@ -135,7 +138,10 @@ static inline u16 call_pnp_bios(u16 func
35831 :"memory");
35832 spin_unlock_irqrestore(&pnp_bios_lock, flags);
35833
35834 + pax_open_kernel();
35835 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
35836 + pax_close_kernel();
35837 +
35838 put_cpu();
35839
35840 /* If we get here and this is set then the PnP BIOS faulted on us. */
35841 @@ -469,7 +475,7 @@ int pnp_bios_read_escd(char *data, u32 n
35842 return status;
35843 }
35844
35845 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
35846 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
35847 {
35848 int i;
35849
35850 @@ -477,6 +483,8 @@ void pnpbios_calls_init(union pnp_bios_i
35851 pnp_bios_callpoint.offset = header->fields.pm16offset;
35852 pnp_bios_callpoint.segment = PNP_CS16;
35853
35854 + pax_open_kernel();
35855 +
35856 for_each_possible_cpu(i) {
35857 struct desc_struct *gdt = get_cpu_gdt_table(i);
35858 if (!gdt)
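Review bot: `pax_open_kernel()` is taken before `for_each_possible_cpu` and the matching `pax_close_kernel()` comes only after the loop in the next hunk. The writable window therefore covers the whole iteration, including the `if (!gdt)` test, while call_pnp_bios above brackets just the single GDT store. Any early exit added inside the loop later would leave the window open. Moving the pair inside the loop body, after the `!gdt` check and around the descriptor updates, keeps it as narrow as in call_pnp_bios. Part of the loop body is outside both hunks.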
35859 @@ -488,4 +496,6 @@ void pnpbios_calls_init(union pnp_bios_i
35860 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
35861 (unsigned long)__va(header->fields.pm16dseg));
35862 }
35863 +
35864 + pax_close_kernel();
35865 }
35866 diff -urNp linux-2.6.32.46/drivers/pnp/resource.c linux-2.6.32.46/drivers/pnp/resource.c
35867 --- linux-2.6.32.46/drivers/pnp/resource.c 2011-03-27 14:31:47.000000000 -0400
35868 +++ linux-2.6.32.46/drivers/pnp/resource.c 2011-04-17 15:56:46.000000000 -0400
35869 @@ -355,7 +355,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
35870 return 1;
35871
35872 /* check if the resource is valid */
35873 - if (*irq < 0 || *irq > 15)
35874 + if (*irq > 15)
35875 return 0;
35876
35877 /* check if the resource is reserved */
35878 @@ -419,7 +419,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
35879 return 1;
35880
35881 /* check if the resource is valid */
35882 - if (*dma < 0 || *dma == 4 || *dma > 7)
35883 + if (*dma == 4 || *dma > 7)
35884 return 0;
35885
35886 /* check if the resource is reserved */
35887 diff -urNp linux-2.6.32.46/drivers/power/bq27x00_battery.c linux-2.6.32.46/drivers/power/bq27x00_battery.c
35888 --- linux-2.6.32.46/drivers/power/bq27x00_battery.c 2011-03-27 14:31:47.000000000 -0400
35889 +++ linux-2.6.32.46/drivers/power/bq27x00_battery.c 2011-08-05 20:33:55.000000000 -0400
35890 @@ -44,7 +44,7 @@ struct bq27x00_device_info;
35891 struct bq27x00_access_methods {
35892 int (*read)(u8 reg, int *rt_value, int b_single,
35893 struct bq27x00_device_info *di);
35894 -};
35895 +} __no_const;
35896
35897 struct bq27x00_device_info {
35898 struct device *dev;
35899 diff -urNp linux-2.6.32.46/drivers/rtc/rtc-dev.c linux-2.6.32.46/drivers/rtc/rtc-dev.c
35900 --- linux-2.6.32.46/drivers/rtc/rtc-dev.c 2011-03-27 14:31:47.000000000 -0400
35901 +++ linux-2.6.32.46/drivers/rtc/rtc-dev.c 2011-04-17 15:56:46.000000000 -0400
35902 @@ -14,6 +14,7 @@
35903 #include <linux/module.h>
35904 #include <linux/rtc.h>
35905 #include <linux/sched.h>
35906 +#include <linux/grsecurity.h>
35907 #include "rtc-core.h"
35908
35909 static dev_t rtc_devt;
35910 @@ -357,6 +358,8 @@ static long rtc_dev_ioctl(struct file *f
35911 if (copy_from_user(&tm, uarg, sizeof(tm)))
35912 return -EFAULT;
35913
35914 + gr_log_timechange();
35915 +
35916 return rtc_set_time(rtc, &tm);
35917
35918 case RTC_PIE_ON:
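Review bot: `gr_log_timechange()` runs before `rtc_set_time(rtc, &tm)` and independently of its result, so the log entry is written even when the set fails. If logging the attempt is intended, say so with `/* log the attempt; rtc_set_time() may still fail */`. Otherwise the call belongs after a successful rtc_set_time(). The case label this code belongs to is outside the hunk.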
35919 diff -urNp linux-2.6.32.46/drivers/s390/cio/qdio_perf.c linux-2.6.32.46/drivers/s390/cio/qdio_perf.c
35920 --- linux-2.6.32.46/drivers/s390/cio/qdio_perf.c 2011-03-27 14:31:47.000000000 -0400
35921 +++ linux-2.6.32.46/drivers/s390/cio/qdio_perf.c 2011-04-17 15:56:46.000000000 -0400
35922 @@ -31,51 +31,51 @@ static struct proc_dir_entry *qdio_perf_
35923 static int qdio_perf_proc_show(struct seq_file *m, void *v)
35924 {
35925 seq_printf(m, "Number of qdio interrupts\t\t\t: %li\n",
35926 - (long)atomic_long_read(&perf_stats.qdio_int));
35927 + (long)atomic_long_read_unchecked(&perf_stats.qdio_int));
35928 seq_printf(m, "Number of PCI interrupts\t\t\t: %li\n",
35929 - (long)atomic_long_read(&perf_stats.pci_int));
35930 + (long)atomic_long_read_unchecked(&perf_stats.pci_int));
35931 seq_printf(m, "Number of adapter interrupts\t\t\t: %li\n",
35932 - (long)atomic_long_read(&perf_stats.thin_int));
35933 + (long)atomic_long_read_unchecked(&perf_stats.thin_int));
35934 seq_printf(m, "\n");
35935 seq_printf(m, "Inbound tasklet runs\t\t\t\t: %li\n",
35936 - (long)atomic_long_read(&perf_stats.tasklet_inbound));
35937 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_inbound));
35938 seq_printf(m, "Outbound tasklet runs\t\t\t\t: %li\n",
35939 - (long)atomic_long_read(&perf_stats.tasklet_outbound));
35940 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_outbound));
35941 seq_printf(m, "Adapter interrupt tasklet runs/loops\t\t: %li/%li\n",
35942 - (long)atomic_long_read(&perf_stats.tasklet_thinint),
35943 - (long)atomic_long_read(&perf_stats.tasklet_thinint_loop));
35944 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint),
35945 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint_loop));
35946 seq_printf(m, "Adapter interrupt inbound tasklet runs/loops\t: %li/%li\n",
35947 - (long)atomic_long_read(&perf_stats.thinint_inbound),
35948 - (long)atomic_long_read(&perf_stats.thinint_inbound_loop));
35949 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound),
35950 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop));
35951 seq_printf(m, "\n");
35952 seq_printf(m, "Number of SIGA In issued\t\t\t: %li\n",
35953 - (long)atomic_long_read(&perf_stats.siga_in));
35954 + (long)atomic_long_read_unchecked(&perf_stats.siga_in));
35955 seq_printf(m, "Number of SIGA Out issued\t\t\t: %li\n",
35956 - (long)atomic_long_read(&perf_stats.siga_out));
35957 + (long)atomic_long_read_unchecked(&perf_stats.siga_out));
35958 seq_printf(m, "Number of SIGA Sync issued\t\t\t: %li\n",
35959 - (long)atomic_long_read(&perf_stats.siga_sync));
35960 + (long)atomic_long_read_unchecked(&perf_stats.siga_sync));
35961 seq_printf(m, "\n");
35962 seq_printf(m, "Number of inbound transfers\t\t\t: %li\n",
35963 - (long)atomic_long_read(&perf_stats.inbound_handler));
35964 + (long)atomic_long_read_unchecked(&perf_stats.inbound_handler));
35965 seq_printf(m, "Number of outbound transfers\t\t\t: %li\n",
35966 - (long)atomic_long_read(&perf_stats.outbound_handler));
35967 + (long)atomic_long_read_unchecked(&perf_stats.outbound_handler));
35968 seq_printf(m, "\n");
35969 seq_printf(m, "Number of fast requeues (outg. SBAL w/o SIGA)\t: %li\n",
35970 - (long)atomic_long_read(&perf_stats.fast_requeue));
35971 + (long)atomic_long_read_unchecked(&perf_stats.fast_requeue));
35972 seq_printf(m, "Number of outbound target full condition\t: %li\n",
35973 - (long)atomic_long_read(&perf_stats.outbound_target_full));
35974 + (long)atomic_long_read_unchecked(&perf_stats.outbound_target_full));
35975 seq_printf(m, "Number of outbound tasklet mod_timer calls\t: %li\n",
35976 - (long)atomic_long_read(&perf_stats.debug_tl_out_timer));
35977 + (long)atomic_long_read_unchecked(&perf_stats.debug_tl_out_timer));
35978 seq_printf(m, "Number of stop polling calls\t\t\t: %li\n",
35979 - (long)atomic_long_read(&perf_stats.debug_stop_polling));
35980 + (long)atomic_long_read_unchecked(&perf_stats.debug_stop_polling));
35981 seq_printf(m, "AI inbound tasklet loops after stop polling\t: %li\n",
35982 - (long)atomic_long_read(&perf_stats.thinint_inbound_loop2));
35983 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop2));
35984 seq_printf(m, "QEBSM EQBS total/incomplete\t\t\t: %li/%li\n",
35985 - (long)atomic_long_read(&perf_stats.debug_eqbs_all),
35986 - (long)atomic_long_read(&perf_stats.debug_eqbs_incomplete));
35987 + (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_all),
35988 + (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_incomplete));
35989 seq_printf(m, "QEBSM SQBS total/incomplete\t\t\t: %li/%li\n",
35990 - (long)atomic_long_read(&perf_stats.debug_sqbs_all),
35991 - (long)atomic_long_read(&perf_stats.debug_sqbs_incomplete));
35992 + (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_all),
35993 + (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_incomplete));
35994 seq_printf(m, "\n");
35995 return 0;
35996 }
35997 diff -urNp linux-2.6.32.46/drivers/s390/cio/qdio_perf.h linux-2.6.32.46/drivers/s390/cio/qdio_perf.h
35998 --- linux-2.6.32.46/drivers/s390/cio/qdio_perf.h 2011-03-27 14:31:47.000000000 -0400
35999 +++ linux-2.6.32.46/drivers/s390/cio/qdio_perf.h 2011-04-17 15:56:46.000000000 -0400
36000 @@ -13,46 +13,46 @@
36001
36002 struct qdio_perf_stats {
36003 /* interrupt handler calls */
36004 - atomic_long_t qdio_int;
36005 - atomic_long_t pci_int;
36006 - atomic_long_t thin_int;
36007 + atomic_long_unchecked_t qdio_int;
36008 + atomic_long_unchecked_t pci_int;
36009 + atomic_long_unchecked_t thin_int;
36010
36011 /* tasklet runs */
36012 - atomic_long_t tasklet_inbound;
36013 - atomic_long_t tasklet_outbound;
36014 - atomic_long_t tasklet_thinint;
36015 - atomic_long_t tasklet_thinint_loop;
36016 - atomic_long_t thinint_inbound;
36017 - atomic_long_t thinint_inbound_loop;
36018 - atomic_long_t thinint_inbound_loop2;
36019 + atomic_long_unchecked_t tasklet_inbound;
36020 + atomic_long_unchecked_t tasklet_outbound;
36021 + atomic_long_unchecked_t tasklet_thinint;
36022 + atomic_long_unchecked_t tasklet_thinint_loop;
36023 + atomic_long_unchecked_t thinint_inbound;
36024 + atomic_long_unchecked_t thinint_inbound_loop;
36025 + atomic_long_unchecked_t thinint_inbound_loop2;
36026
36027 /* signal adapter calls */
36028 - atomic_long_t siga_out;
36029 - atomic_long_t siga_in;
36030 - atomic_long_t siga_sync;
36031 + atomic_long_unchecked_t siga_out;
36032 + atomic_long_unchecked_t siga_in;
36033 + atomic_long_unchecked_t siga_sync;
36034
36035 /* misc */
36036 - atomic_long_t inbound_handler;
36037 - atomic_long_t outbound_handler;
36038 - atomic_long_t fast_requeue;
36039 - atomic_long_t outbound_target_full;
36040 + atomic_long_unchecked_t inbound_handler;
36041 + atomic_long_unchecked_t outbound_handler;
36042 + atomic_long_unchecked_t fast_requeue;
36043 + atomic_long_unchecked_t outbound_target_full;
36044
36045 /* for debugging */
36046 - atomic_long_t debug_tl_out_timer;
36047 - atomic_long_t debug_stop_polling;
36048 - atomic_long_t debug_eqbs_all;
36049 - atomic_long_t debug_eqbs_incomplete;
36050 - atomic_long_t debug_sqbs_all;
36051 - atomic_long_t debug_sqbs_incomplete;
36052 + atomic_long_unchecked_t debug_tl_out_timer;
36053 + atomic_long_unchecked_t debug_stop_polling;
36054 + atomic_long_unchecked_t debug_eqbs_all;
36055 + atomic_long_unchecked_t debug_eqbs_incomplete;
36056 + atomic_long_unchecked_t debug_sqbs_all;
36057 + atomic_long_unchecked_t debug_sqbs_incomplete;
36058 };
36059
36060 extern struct qdio_perf_stats perf_stats;
36061 extern int qdio_performance_stats;
36062
36063 -static inline void qdio_perf_stat_inc(atomic_long_t *count)
36064 +static inline void qdio_perf_stat_inc(atomic_long_unchecked_t *count)
36065 {
36066 if (qdio_performance_stats)
36067 - atomic_long_inc(count);
36068 + atomic_long_inc_unchecked(count);
36069 }
36070
36071 int qdio_setup_perf_stats(void);
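Review bot: `struct qdio_perf_stats` now uses `atomic_long_unchecked_t` for every field, but nothing in the header says why giving up overflow detection is safe for these counters. A one-line comment above the struct would record the reasoning, e.g. `/* statistics only: these counters may wrap and never gate an object's lifetime */`. `qdio_perf_stat_inc()` now takes `atomic_long_unchecked_t *`, so any caller still passing a plain `atomic_long_t` would be a type mismatch; the callers are outside this hunk and should be checked.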
36072 diff -urNp linux-2.6.32.46/drivers/scsi/aacraid/aacraid.h linux-2.6.32.46/drivers/scsi/aacraid/aacraid.h
36073 --- linux-2.6.32.46/drivers/scsi/aacraid/aacraid.h 2011-03-27 14:31:47.000000000 -0400
36074 +++ linux-2.6.32.46/drivers/scsi/aacraid/aacraid.h 2011-08-05 20:33:55.000000000 -0400
36075 @@ -471,7 +471,7 @@ struct adapter_ops
36076 int (*adapter_scsi)(struct fib * fib, struct scsi_cmnd * cmd);
36077 /* Administrative operations */
36078 int (*adapter_comm)(struct aac_dev * dev, int comm);
36079 -};
36080 +} __no_const;
36081
36082 /*
36083 * Define which interrupt handler needs to be installed
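Review bot: `__no_const` on `struct adapter_ops` leaves a table of function pointers writable at run time, and the hunk gives no reason for the exemption. Presumably instances are filled in after initialisation, but the assignment sites are outside this hunk. A comment next to the annotation, such as `/* __no_const: ops are assigned per adapter at run time */`, would let a later reader re-check whether the exemption is still needed. The same applies to the `__no_const` hunks for `struct bfa_hwif_s`, `struct bfa_ioc_cbfn_s`, `ips_hw_func_t` and `struct isp_operations` further down.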
36084 diff -urNp linux-2.6.32.46/drivers/scsi/aacraid/commctrl.c linux-2.6.32.46/drivers/scsi/aacraid/commctrl.c
36085 --- linux-2.6.32.46/drivers/scsi/aacraid/commctrl.c 2011-03-27 14:31:47.000000000 -0400
36086 +++ linux-2.6.32.46/drivers/scsi/aacraid/commctrl.c 2011-05-16 21:46:57.000000000 -0400
36087 @@ -481,6 +481,7 @@ static int aac_send_raw_srb(struct aac_d
36088 u32 actual_fibsize64, actual_fibsize = 0;
36089 int i;
36090
36091 + pax_track_stack();
36092
36093 if (dev->in_reset) {
36094 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
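Review bot: The added `pax_track_stack();` in `aac_send_raw_srb()` has no comment, and the hunk does not show which local makes the call necessary. Presumably it is placed in functions with large stack frames; a note naming the local, e.g. `/* pax_track_stack: large frame, see <local> */`, would tell a maintainer when the call can go away. The same applies to the other `pax_track_stack()` hunks under drivers/scsi in this patch (BusLogic.c, dpt_i2o.c, eata.c, libfcoe.c, gdth.c, gdth_proc.c, lpfc_debugfs.c, megaraid_mbox.c, osd_initiator.c). The function body starts and ends outside the hunk.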
36095 diff -urNp linux-2.6.32.46/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.32.46/drivers/scsi/aic94xx/aic94xx_init.c
36096 --- linux-2.6.32.46/drivers/scsi/aic94xx/aic94xx_init.c 2011-03-27 14:31:47.000000000 -0400
36097 +++ linux-2.6.32.46/drivers/scsi/aic94xx/aic94xx_init.c 2011-04-17 15:56:46.000000000 -0400
36098 @@ -485,7 +485,7 @@ static ssize_t asd_show_update_bios(stru
36099 flash_error_table[i].reason);
36100 }
36101
36102 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
36103 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
36104 asd_show_update_bios, asd_store_update_bios);
36105
36106 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
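Review bot: The `update_bios` attribute stays world-readable (`S_IRUGO`) after write access is narrowed to `S_IWUSR`, and the declaration carries no comment on why the two differ. Judging by the context lines, the show handler reports a flash status and reason string; if that is not meant for unprivileged users, `S_IRUSR|S_IWUSR` would be the tighter mode. Either way a comment such as `/* write is owner-only: storing to this attribute starts a BIOS update */` would help, assuming that is what `asd_store_update_bios()` does (it is outside this hunk).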
36107 diff -urNp linux-2.6.32.46/drivers/scsi/bfa/bfa_iocfc.h linux-2.6.32.46/drivers/scsi/bfa/bfa_iocfc.h
36108 --- linux-2.6.32.46/drivers/scsi/bfa/bfa_iocfc.h 2011-03-27 14:31:47.000000000 -0400
36109 +++ linux-2.6.32.46/drivers/scsi/bfa/bfa_iocfc.h 2011-08-05 20:33:55.000000000 -0400
36110 @@ -61,7 +61,7 @@ struct bfa_hwif_s {
36111 void (*hw_isr_mode_set)(struct bfa_s *bfa, bfa_boolean_t msix);
36112 void (*hw_msix_getvecs)(struct bfa_s *bfa, u32 *vecmap,
36113 u32 *nvecs, u32 *maxvec);
36114 -};
36115 +} __no_const;
36116 typedef void (*bfa_cb_iocfc_t) (void *cbarg, enum bfa_status status);
36117
36118 struct bfa_iocfc_s {
36119 diff -urNp linux-2.6.32.46/drivers/scsi/bfa/bfa_ioc.h linux-2.6.32.46/drivers/scsi/bfa/bfa_ioc.h
36120 --- linux-2.6.32.46/drivers/scsi/bfa/bfa_ioc.h 2011-03-27 14:31:47.000000000 -0400
36121 +++ linux-2.6.32.46/drivers/scsi/bfa/bfa_ioc.h 2011-08-05 20:33:55.000000000 -0400
36122 @@ -127,7 +127,7 @@ struct bfa_ioc_cbfn_s {
36123 bfa_ioc_disable_cbfn_t disable_cbfn;
36124 bfa_ioc_hbfail_cbfn_t hbfail_cbfn;
36125 bfa_ioc_reset_cbfn_t reset_cbfn;
36126 -};
36127 +} __no_const;
36128
36129 /**
36130 * Heartbeat failure notification queue element.
36131 diff -urNp linux-2.6.32.46/drivers/scsi/BusLogic.c linux-2.6.32.46/drivers/scsi/BusLogic.c
36132 --- linux-2.6.32.46/drivers/scsi/BusLogic.c 2011-03-27 14:31:47.000000000 -0400
36133 +++ linux-2.6.32.46/drivers/scsi/BusLogic.c 2011-05-16 21:46:57.000000000 -0400
36134 @@ -961,6 +961,8 @@ static int __init BusLogic_InitializeFla
36135 static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
36136 *PrototypeHostAdapter)
36137 {
36138 + pax_track_stack();
36139 +
36140 /*
36141 If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
36142 Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
36143 diff -urNp linux-2.6.32.46/drivers/scsi/dpt_i2o.c linux-2.6.32.46/drivers/scsi/dpt_i2o.c
36144 --- linux-2.6.32.46/drivers/scsi/dpt_i2o.c 2011-03-27 14:31:47.000000000 -0400
36145 +++ linux-2.6.32.46/drivers/scsi/dpt_i2o.c 2011-05-16 21:46:57.000000000 -0400
36146 @@ -1804,6 +1804,8 @@ static int adpt_i2o_passthru(adpt_hba* p
36147 dma_addr_t addr;
36148 ulong flags = 0;
36149
36150 + pax_track_stack();
36151 +
36152 memset(&msg, 0, MAX_MESSAGE_SIZE*4);
36153 // get user msg size in u32s
36154 if(get_user(size, &user_msg[0])){
36155 @@ -2297,6 +2299,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
36156 s32 rcode;
36157 dma_addr_t addr;
36158
36159 + pax_track_stack();
36160 +
36161 memset(msg, 0 , sizeof(msg));
36162 len = scsi_bufflen(cmd);
36163 direction = 0x00000000;
36164 diff -urNp linux-2.6.32.46/drivers/scsi/eata.c linux-2.6.32.46/drivers/scsi/eata.c
36165 --- linux-2.6.32.46/drivers/scsi/eata.c 2011-03-27 14:31:47.000000000 -0400
36166 +++ linux-2.6.32.46/drivers/scsi/eata.c 2011-05-16 21:46:57.000000000 -0400
36167 @@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
36168 struct hostdata *ha;
36169 char name[16];
36170
36171 + pax_track_stack();
36172 +
36173 sprintf(name, "%s%d", driver_name, j);
36174
36175 if (!request_region(port_base, REGION_SIZE, driver_name)) {
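Review bot: `sprintf(name, "%s%d", driver_name, j);` directly below the added call writes into `char name[16]` with no bound. The length of `driver_name` is not visible in this hunk, so an overflow cannot be confirmed, but the bounded form costs nothing: `snprintf(name, sizeof(name), "%s%d", driver_name, j);`. `port_detect()` starts and ends outside the hunk.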
36176 diff -urNp linux-2.6.32.46/drivers/scsi/fcoe/libfcoe.c linux-2.6.32.46/drivers/scsi/fcoe/libfcoe.c
36177 --- linux-2.6.32.46/drivers/scsi/fcoe/libfcoe.c 2011-03-27 14:31:47.000000000 -0400
36178 +++ linux-2.6.32.46/drivers/scsi/fcoe/libfcoe.c 2011-05-16 21:46:57.000000000 -0400
36179 @@ -809,6 +809,8 @@ static void fcoe_ctlr_recv_els(struct fc
36180 size_t rlen;
36181 size_t dlen;
36182
36183 + pax_track_stack();
36184 +
36185 fiph = (struct fip_header *)skb->data;
36186 sub = fiph->fip_subcode;
36187 if (sub != FIP_SC_REQ && sub != FIP_SC_REP)
36188 diff -urNp linux-2.6.32.46/drivers/scsi/fnic/fnic_main.c linux-2.6.32.46/drivers/scsi/fnic/fnic_main.c
36189 --- linux-2.6.32.46/drivers/scsi/fnic/fnic_main.c 2011-03-27 14:31:47.000000000 -0400
36190 +++ linux-2.6.32.46/drivers/scsi/fnic/fnic_main.c 2011-08-05 20:33:55.000000000 -0400
36191 @@ -669,7 +669,7 @@ static int __devinit fnic_probe(struct p
36192 /* Start local port initiatialization */
36193
36194 lp->link_up = 0;
36195 - lp->tt = fnic_transport_template;
36196 + memcpy((void *)&lp->tt, &fnic_transport_template, sizeof(fnic_transport_template));
36197
36198 lp->max_retry_count = fnic->config.flogi_retries;
36199 lp->max_rport_retry_count = fnic->config.plogi_retries;
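Review bot: The new `memcpy()` sizes the copy from the source object, `sizeof(fnic_transport_template)`, rather than from the destination it writes through a `(void *)` cast. The two are presumably the same type, since the old line was a plain struct assignment, but tying the length to the destination keeps the write bounded if either declaration changes: `memcpy((void *)&lp->tt, &fnic_transport_template, sizeof(lp->tt));`. A short comment saying that the cast is there to write a const-qualified member would also help, if that is the reason. `fnic_probe()` continues outside the hunk.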
36200 diff -urNp linux-2.6.32.46/drivers/scsi/gdth.c linux-2.6.32.46/drivers/scsi/gdth.c
36201 --- linux-2.6.32.46/drivers/scsi/gdth.c 2011-03-27 14:31:47.000000000 -0400
36202 +++ linux-2.6.32.46/drivers/scsi/gdth.c 2011-05-16 21:46:57.000000000 -0400
36203 @@ -4102,6 +4102,8 @@ static int ioc_lockdrv(void __user *arg)
36204 ulong flags;
36205 gdth_ha_str *ha;
36206
36207 + pax_track_stack();
36208 +
36209 if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
36210 return -EFAULT;
36211 ha = gdth_find_ha(ldrv.ionode);
36212 @@ -4134,6 +4136,8 @@ static int ioc_resetdrv(void __user *arg
36213 gdth_ha_str *ha;
36214 int rval;
36215
36216 + pax_track_stack();
36217 +
36218 if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
36219 res.number >= MAX_HDRIVES)
36220 return -EFAULT;
36221 @@ -4169,6 +4173,8 @@ static int ioc_general(void __user *arg,
36222 gdth_ha_str *ha;
36223 int rval;
36224
36225 + pax_track_stack();
36226 +
36227 if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
36228 return -EFAULT;
36229 ha = gdth_find_ha(gen.ionode);
36230 @@ -4625,6 +4631,9 @@ static void gdth_flush(gdth_ha_str *ha)
36231 int i;
36232 gdth_cmd_str gdtcmd;
36233 char cmnd[MAX_COMMAND_SIZE];
36234 +
36235 + pax_track_stack();
36236 +
36237 memset(cmnd, 0xff, MAX_COMMAND_SIZE);
36238
36239 TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
36240 diff -urNp linux-2.6.32.46/drivers/scsi/gdth_proc.c linux-2.6.32.46/drivers/scsi/gdth_proc.c
36241 --- linux-2.6.32.46/drivers/scsi/gdth_proc.c 2011-03-27 14:31:47.000000000 -0400
36242 +++ linux-2.6.32.46/drivers/scsi/gdth_proc.c 2011-05-16 21:46:57.000000000 -0400
36243 @@ -46,6 +46,9 @@ static int gdth_set_asc_info(struct Scsi
36244 ulong64 paddr;
36245
36246 char cmnd[MAX_COMMAND_SIZE];
36247 +
36248 + pax_track_stack();
36249 +
36250 memset(cmnd, 0xff, 12);
36251 memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
36252
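Review bot: `memset(cmnd, 0xff, 12);` fills a fixed 12 bytes of `char cmnd[MAX_COMMAND_SIZE]`, while `gdth_flush()` in gdth.c passes `MAX_COMMAND_SIZE` for the same kind of buffer. If `MAX_COMMAND_SIZE` is larger than 12 (its value is not visible here), the tail of this stack buffer stays uninitialised; `memset(cmnd, 0xff, sizeof(cmnd));` would match the other call. `gdth_set_asc_info()` starts and ends outside the hunk.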
36253 @@ -174,6 +177,8 @@ static int gdth_get_info(char *buffer,ch
36254 gdth_hget_str *phg;
36255 char cmnd[MAX_COMMAND_SIZE];
36256
36257 + pax_track_stack();
36258 +
36259 gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
36260 estr = kmalloc(sizeof(*estr), GFP_KERNEL);
36261 if (!gdtcmd || !estr)
36262 diff -urNp linux-2.6.32.46/drivers/scsi/hosts.c linux-2.6.32.46/drivers/scsi/hosts.c
36263 --- linux-2.6.32.46/drivers/scsi/hosts.c 2011-03-27 14:31:47.000000000 -0400
36264 +++ linux-2.6.32.46/drivers/scsi/hosts.c 2011-05-04 17:56:28.000000000 -0400
36265 @@ -40,7 +40,7 @@
36266 #include "scsi_logging.h"
36267
36268
36269 -static atomic_t scsi_host_next_hn; /* host_no for next new host */
36270 +static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
36271
36272
36273 static void scsi_host_cls_release(struct device *dev)
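Review bot: `scsi_host_next_hn` hands out host numbers rather than counting events, so a wrap would return a number that may still be in use, and the `_unchecked` type means nothing flags that. The existing comment only says what the variable holds. Extending it, e.g. `/* host_no for next new host; ID allocator, wrap is not detected */`, would record that this was a deliberate choice. The matching `atomic_inc_return_unchecked()` call is in the `scsi_host_alloc()` hunk that follows.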
36274 @@ -344,7 +344,7 @@ struct Scsi_Host *scsi_host_alloc(struct
36275 * subtract one because we increment first then return, but we need to
36276 * know what the next host number was before increment
36277 */
36278 - shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
36279 + shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
36280 shost->dma_channel = 0xff;
36281
36282 /* These three are default values which can be overridden */
36283 diff -urNp linux-2.6.32.46/drivers/scsi/ipr.c linux-2.6.32.46/drivers/scsi/ipr.c
36284 --- linux-2.6.32.46/drivers/scsi/ipr.c 2011-03-27 14:31:47.000000000 -0400
36285 +++ linux-2.6.32.46/drivers/scsi/ipr.c 2011-04-17 15:56:46.000000000 -0400
36286 @@ -5286,7 +5286,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
36287 return true;
36288 }
36289
36290 -static struct ata_port_operations ipr_sata_ops = {
36291 +static const struct ata_port_operations ipr_sata_ops = {
36292 .phy_reset = ipr_ata_phy_reset,
36293 .hardreset = ipr_sata_reset,
36294 .post_internal_cmd = ipr_ata_post_internal,
36295 diff -urNp linux-2.6.32.46/drivers/scsi/ips.h linux-2.6.32.46/drivers/scsi/ips.h
36296 --- linux-2.6.32.46/drivers/scsi/ips.h 2011-03-27 14:31:47.000000000 -0400
36297 +++ linux-2.6.32.46/drivers/scsi/ips.h 2011-08-05 20:33:55.000000000 -0400
36298 @@ -1027,7 +1027,7 @@ typedef struct {
36299 int (*intr)(struct ips_ha *);
36300 void (*enableint)(struct ips_ha *);
36301 uint32_t (*statupd)(struct ips_ha *);
36302 -} ips_hw_func_t;
36303 +} __no_const ips_hw_func_t;
36304
36305 typedef struct ips_ha {
36306 uint8_t ha_id[IPS_MAX_CHANNELS+1];
36307 diff -urNp linux-2.6.32.46/drivers/scsi/libfc/fc_exch.c linux-2.6.32.46/drivers/scsi/libfc/fc_exch.c
36308 --- linux-2.6.32.46/drivers/scsi/libfc/fc_exch.c 2011-03-27 14:31:47.000000000 -0400
36309 +++ linux-2.6.32.46/drivers/scsi/libfc/fc_exch.c 2011-08-23 21:22:32.000000000 -0400
36310 @@ -86,12 +86,12 @@ struct fc_exch_mgr {
36311 * all together if not used XXX
36312 */
36313 struct {
36314 - atomic_t no_free_exch;
36315 - atomic_t no_free_exch_xid;
36316 - atomic_t xid_not_found;
36317 - atomic_t xid_busy;
36318 - atomic_t seq_not_found;
36319 - atomic_t non_bls_resp;
36320 + atomic_unchecked_t no_free_exch;
36321 + atomic_unchecked_t no_free_exch_xid;
36322 + atomic_unchecked_t xid_not_found;
36323 + atomic_unchecked_t xid_busy;
36324 + atomic_unchecked_t seq_not_found;
36325 + atomic_unchecked_t non_bls_resp;
36326 } stats;
36327 };
36328 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
36329 @@ -510,7 +510,7 @@ static struct fc_exch *fc_exch_em_alloc(
36330 /* allocate memory for exchange */
36331 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
36332 if (!ep) {
36333 - atomic_inc(&mp->stats.no_free_exch);
36334 + atomic_inc_unchecked(&mp->stats.no_free_exch);
36335 goto out;
36336 }
36337 memset(ep, 0, sizeof(*ep));
36338 @@ -557,7 +557,7 @@ out:
36339 return ep;
36340 err:
36341 spin_unlock_bh(&pool->lock);
36342 - atomic_inc(&mp->stats.no_free_exch_xid);
36343 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
36344 mempool_free(ep, mp->ep_pool);
36345 return NULL;
36346 }
36347 @@ -690,7 +690,7 @@ static enum fc_pf_rjt_reason fc_seq_look
36348 xid = ntohs(fh->fh_ox_id); /* we originated exch */
36349 ep = fc_exch_find(mp, xid);
36350 if (!ep) {
36351 - atomic_inc(&mp->stats.xid_not_found);
36352 + atomic_inc_unchecked(&mp->stats.xid_not_found);
36353 reject = FC_RJT_OX_ID;
36354 goto out;
36355 }
36356 @@ -720,7 +720,7 @@ static enum fc_pf_rjt_reason fc_seq_look
36357 ep = fc_exch_find(mp, xid);
36358 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
36359 if (ep) {
36360 - atomic_inc(&mp->stats.xid_busy);
36361 + atomic_inc_unchecked(&mp->stats.xid_busy);
36362 reject = FC_RJT_RX_ID;
36363 goto rel;
36364 }
36365 @@ -731,7 +731,7 @@ static enum fc_pf_rjt_reason fc_seq_look
36366 }
36367 xid = ep->xid; /* get our XID */
36368 } else if (!ep) {
36369 - atomic_inc(&mp->stats.xid_not_found);
36370 + atomic_inc_unchecked(&mp->stats.xid_not_found);
36371 reject = FC_RJT_RX_ID; /* XID not found */
36372 goto out;
36373 }
36374 @@ -752,7 +752,7 @@ static enum fc_pf_rjt_reason fc_seq_look
36375 } else {
36376 sp = &ep->seq;
36377 if (sp->id != fh->fh_seq_id) {
36378 - atomic_inc(&mp->stats.seq_not_found);
36379 + atomic_inc_unchecked(&mp->stats.seq_not_found);
36380 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
36381 goto rel;
36382 }
36383 @@ -1163,22 +1163,22 @@ static void fc_exch_recv_seq_resp(struct
36384
36385 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
36386 if (!ep) {
36387 - atomic_inc(&mp->stats.xid_not_found);
36388 + atomic_inc_unchecked(&mp->stats.xid_not_found);
36389 goto out;
36390 }
36391 if (ep->esb_stat & ESB_ST_COMPLETE) {
36392 - atomic_inc(&mp->stats.xid_not_found);
36393 + atomic_inc_unchecked(&mp->stats.xid_not_found);
36394 goto out;
36395 }
36396 if (ep->rxid == FC_XID_UNKNOWN)
36397 ep->rxid = ntohs(fh->fh_rx_id);
36398 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
36399 - atomic_inc(&mp->stats.xid_not_found);
36400 + atomic_inc_unchecked(&mp->stats.xid_not_found);
36401 goto rel;
36402 }
36403 if (ep->did != ntoh24(fh->fh_s_id) &&
36404 ep->did != FC_FID_FLOGI) {
36405 - atomic_inc(&mp->stats.xid_not_found);
36406 + atomic_inc_unchecked(&mp->stats.xid_not_found);
36407 goto rel;
36408 }
36409 sof = fr_sof(fp);
36410 @@ -1189,7 +1189,7 @@ static void fc_exch_recv_seq_resp(struct
36411 } else {
36412 sp = &ep->seq;
36413 if (sp->id != fh->fh_seq_id) {
36414 - atomic_inc(&mp->stats.seq_not_found);
36415 + atomic_inc_unchecked(&mp->stats.seq_not_found);
36416 goto rel;
36417 }
36418 }
36419 @@ -1249,9 +1249,9 @@ static void fc_exch_recv_resp(struct fc_
36420 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
36421
36422 if (!sp)
36423 - atomic_inc(&mp->stats.xid_not_found);
36424 + atomic_inc_unchecked(&mp->stats.xid_not_found);
36425 else
36426 - atomic_inc(&mp->stats.non_bls_resp);
36427 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
36428
36429 fc_frame_free(fp);
36430 }
36431 diff -urNp linux-2.6.32.46/drivers/scsi/libsas/sas_ata.c linux-2.6.32.46/drivers/scsi/libsas/sas_ata.c
36432 --- linux-2.6.32.46/drivers/scsi/libsas/sas_ata.c 2011-03-27 14:31:47.000000000 -0400
36433 +++ linux-2.6.32.46/drivers/scsi/libsas/sas_ata.c 2011-04-23 12:56:11.000000000 -0400
36434 @@ -343,7 +343,7 @@ static int sas_ata_scr_read(struct ata_l
36435 }
36436 }
36437
36438 -static struct ata_port_operations sas_sata_ops = {
36439 +static const struct ata_port_operations sas_sata_ops = {
36440 .phy_reset = sas_ata_phy_reset,
36441 .post_internal_cmd = sas_ata_post_internal,
36442 .qc_defer = ata_std_qc_defer,
36443 diff -urNp linux-2.6.32.46/drivers/scsi/lpfc/lpfc_debugfs.c linux-2.6.32.46/drivers/scsi/lpfc/lpfc_debugfs.c
36444 --- linux-2.6.32.46/drivers/scsi/lpfc/lpfc_debugfs.c 2011-03-27 14:31:47.000000000 -0400
36445 +++ linux-2.6.32.46/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-16 21:46:57.000000000 -0400
36446 @@ -124,7 +124,7 @@ struct lpfc_debug {
36447 int len;
36448 };
36449
36450 -static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
36451 +static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
36452 static unsigned long lpfc_debugfs_start_time = 0L;
36453
36454 /**
36455 @@ -158,7 +158,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
36456 lpfc_debugfs_enable = 0;
36457
36458 len = 0;
36459 - index = (atomic_read(&vport->disc_trc_cnt) + 1) &
36460 + index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
36461 (lpfc_debugfs_max_disc_trc - 1);
36462 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
36463 dtp = vport->disc_trc + i;
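Review bot: The trace index is kept in range only by `& (lpfc_debugfs_max_disc_trc - 1)`, which bounds `vport->disc_trc + i` only if that size is a power of two; nothing in this hunk shows that being enforced. With the counter now explicitly allowed to wrap, a comment would make the dependency visible: `/* counter may wrap; the mask keeps index inside disc_trc[] (size must be a power of two) */`. The same pattern appears in the hunks for `lpfc_debugfs_slow_ring_trc_data()`, `lpfc_debugfs_disc_trc()` and `lpfc_debugfs_slow_ring_trc()`. The function starts and ends outside the hunk.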
36464 @@ -219,7 +219,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
36465 lpfc_debugfs_enable = 0;
36466
36467 len = 0;
36468 - index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
36469 + index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
36470 (lpfc_debugfs_max_slow_ring_trc - 1);
36471 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
36472 dtp = phba->slow_ring_trc + i;
36473 @@ -397,6 +397,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
36474 uint32_t *ptr;
36475 char buffer[1024];
36476
36477 + pax_track_stack();
36478 +
36479 off = 0;
36480 spin_lock_irq(&phba->hbalock);
36481
36482 @@ -634,14 +636,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
36483 !vport || !vport->disc_trc)
36484 return;
36485
36486 - index = atomic_inc_return(&vport->disc_trc_cnt) &
36487 + index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
36488 (lpfc_debugfs_max_disc_trc - 1);
36489 dtp = vport->disc_trc + index;
36490 dtp->fmt = fmt;
36491 dtp->data1 = data1;
36492 dtp->data2 = data2;
36493 dtp->data3 = data3;
36494 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
36495 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
36496 dtp->jif = jiffies;
36497 #endif
36498 return;
36499 @@ -672,14 +674,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
36500 !phba || !phba->slow_ring_trc)
36501 return;
36502
36503 - index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
36504 + index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
36505 (lpfc_debugfs_max_slow_ring_trc - 1);
36506 dtp = phba->slow_ring_trc + index;
36507 dtp->fmt = fmt;
36508 dtp->data1 = data1;
36509 dtp->data2 = data2;
36510 dtp->data3 = data3;
36511 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
36512 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
36513 dtp->jif = jiffies;
36514 #endif
36515 return;
36516 @@ -1364,7 +1366,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
36517 "slow_ring buffer\n");
36518 goto debug_failed;
36519 }
36520 - atomic_set(&phba->slow_ring_trc_cnt, 0);
36521 + atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
36522 memset(phba->slow_ring_trc, 0,
36523 (sizeof(struct lpfc_debugfs_trc) *
36524 lpfc_debugfs_max_slow_ring_trc));
36525 @@ -1410,7 +1412,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
36526 "buffer\n");
36527 goto debug_failed;
36528 }
36529 - atomic_set(&vport->disc_trc_cnt, 0);
36530 + atomic_set_unchecked(&vport->disc_trc_cnt, 0);
36531
36532 snprintf(name, sizeof(name), "discovery_trace");
36533 vport->debug_disc_trc =
36534 diff -urNp linux-2.6.32.46/drivers/scsi/lpfc/lpfc.h linux-2.6.32.46/drivers/scsi/lpfc/lpfc.h
36535 --- linux-2.6.32.46/drivers/scsi/lpfc/lpfc.h 2011-03-27 14:31:47.000000000 -0400
36536 +++ linux-2.6.32.46/drivers/scsi/lpfc/lpfc.h 2011-05-04 17:56:28.000000000 -0400
36537 @@ -400,7 +400,7 @@ struct lpfc_vport {
36538 struct dentry *debug_nodelist;
36539 struct dentry *vport_debugfs_root;
36540 struct lpfc_debugfs_trc *disc_trc;
36541 - atomic_t disc_trc_cnt;
36542 + atomic_unchecked_t disc_trc_cnt;
36543 #endif
36544 uint8_t stat_data_enabled;
36545 uint8_t stat_data_blocked;
36546 @@ -725,8 +725,8 @@ struct lpfc_hba {
36547 struct timer_list fabric_block_timer;
36548 unsigned long bit_flags;
36549 #define FABRIC_COMANDS_BLOCKED 0
36550 - atomic_t num_rsrc_err;
36551 - atomic_t num_cmd_success;
36552 + atomic_unchecked_t num_rsrc_err;
36553 + atomic_unchecked_t num_cmd_success;
36554 unsigned long last_rsrc_error_time;
36555 unsigned long last_ramp_down_time;
36556 unsigned long last_ramp_up_time;
36557 @@ -740,7 +740,7 @@ struct lpfc_hba {
36558 struct dentry *debug_dumpDif; /* BlockGuard BPL*/
36559 struct dentry *debug_slow_ring_trc;
36560 struct lpfc_debugfs_trc *slow_ring_trc;
36561 - atomic_t slow_ring_trc_cnt;
36562 + atomic_unchecked_t slow_ring_trc_cnt;
36563 #endif
36564
36565 /* Used for deferred freeing of ELS data buffers */
36566 diff -urNp linux-2.6.32.46/drivers/scsi/lpfc/lpfc_init.c linux-2.6.32.46/drivers/scsi/lpfc/lpfc_init.c
36567 --- linux-2.6.32.46/drivers/scsi/lpfc/lpfc_init.c 2011-03-27 14:31:47.000000000 -0400
36568 +++ linux-2.6.32.46/drivers/scsi/lpfc/lpfc_init.c 2011-08-05 20:33:55.000000000 -0400
36569 @@ -8021,8 +8021,10 @@ lpfc_init(void)
36570 printk(LPFC_COPYRIGHT "\n");
36571
36572 if (lpfc_enable_npiv) {
36573 - lpfc_transport_functions.vport_create = lpfc_vport_create;
36574 - lpfc_transport_functions.vport_delete = lpfc_vport_delete;
36575 + pax_open_kernel();
36576 + *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;
36577 + *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete;
36578 + pax_close_kernel();
36579 }
36580 lpfc_transport_template =
36581 fc_attach_transport(&lpfc_transport_functions);
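Review bot: The `*(void **)&` stores to `vport_create` and `vport_delete` discard the member's function-pointer type, so a handler with the wrong signature would no longer be diagnosed by the compiler. The reason for the cast and for the `pax_open_kernel()`/`pax_close_kernel()` pair is not stated; presumably `lpfc_transport_functions` is read-only at this point. A comment such as `/* table is read-only; writable only inside this open/close window */` above `pax_open_kernel();` would make that explicit and discourage adding unrelated statements inside the window. `lpfc_init()` continues outside the hunk.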
36582 diff -urNp linux-2.6.32.46/drivers/scsi/lpfc/lpfc_scsi.c linux-2.6.32.46/drivers/scsi/lpfc/lpfc_scsi.c
36583 --- linux-2.6.32.46/drivers/scsi/lpfc/lpfc_scsi.c 2011-03-27 14:31:47.000000000 -0400
36584 +++ linux-2.6.32.46/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-04 17:56:28.000000000 -0400
36585 @@ -259,7 +259,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
36586 uint32_t evt_posted;
36587
36588 spin_lock_irqsave(&phba->hbalock, flags);
36589 - atomic_inc(&phba->num_rsrc_err);
36590 + atomic_inc_unchecked(&phba->num_rsrc_err);
36591 phba->last_rsrc_error_time = jiffies;
36592
36593 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
36594 @@ -300,7 +300,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
36595 unsigned long flags;
36596 struct lpfc_hba *phba = vport->phba;
36597 uint32_t evt_posted;
36598 - atomic_inc(&phba->num_cmd_success);
36599 + atomic_inc_unchecked(&phba->num_cmd_success);
36600
36601 if (vport->cfg_lun_queue_depth <= queue_depth)
36602 return;
36603 @@ -343,8 +343,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
36604 int i;
36605 struct lpfc_rport_data *rdata;
36606
36607 - num_rsrc_err = atomic_read(&phba->num_rsrc_err);
36608 - num_cmd_success = atomic_read(&phba->num_cmd_success);
36609 + num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
36610 + num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
36611
36612 vports = lpfc_create_vport_work_array(phba);
36613 if (vports != NULL)
36614 @@ -378,8 +378,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
36615 }
36616 }
36617 lpfc_destroy_vport_work_array(phba, vports);
36618 - atomic_set(&phba->num_rsrc_err, 0);
36619 - atomic_set(&phba->num_cmd_success, 0);
36620 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
36621 + atomic_set_unchecked(&phba->num_cmd_success, 0);
36622 }
36623
36624 /**
36625 @@ -427,8 +427,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
36626 }
36627 }
36628 lpfc_destroy_vport_work_array(phba, vports);
36629 - atomic_set(&phba->num_rsrc_err, 0);
36630 - atomic_set(&phba->num_cmd_success, 0);
36631 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
36632 + atomic_set_unchecked(&phba->num_cmd_success, 0);
36633 }
36634
36635 /**
36636 diff -urNp linux-2.6.32.46/drivers/scsi/megaraid/megaraid_mbox.c linux-2.6.32.46/drivers/scsi/megaraid/megaraid_mbox.c
36637 --- linux-2.6.32.46/drivers/scsi/megaraid/megaraid_mbox.c 2011-03-27 14:31:47.000000000 -0400
36638 +++ linux-2.6.32.46/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-16 21:46:57.000000000 -0400
36639 @@ -3503,6 +3503,8 @@ megaraid_cmm_register(adapter_t *adapter
36640 int rval;
36641 int i;
36642
36643 + pax_track_stack();
36644 +
36645 // Allocate memory for the base list of scb for management module.
36646 adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
36647
36648 diff -urNp linux-2.6.32.46/drivers/scsi/osd/osd_initiator.c linux-2.6.32.46/drivers/scsi/osd/osd_initiator.c
36649 --- linux-2.6.32.46/drivers/scsi/osd/osd_initiator.c 2011-03-27 14:31:47.000000000 -0400
36650 +++ linux-2.6.32.46/drivers/scsi/osd/osd_initiator.c 2011-05-16 21:46:57.000000000 -0400
36651 @@ -94,6 +94,8 @@ static int _osd_print_system_info(struct
36652 int nelem = ARRAY_SIZE(get_attrs), a = 0;
36653 int ret;
36654
36655 + pax_track_stack();
36656 +
36657 or = osd_start_request(od, GFP_KERNEL);
36658 if (!or)
36659 return -ENOMEM;
36660 diff -urNp linux-2.6.32.46/drivers/scsi/pmcraid.c linux-2.6.32.46/drivers/scsi/pmcraid.c
36661 --- linux-2.6.32.46/drivers/scsi/pmcraid.c 2011-08-09 18:35:29.000000000 -0400
36662 +++ linux-2.6.32.46/drivers/scsi/pmcraid.c 2011-08-09 18:33:59.000000000 -0400
36663 @@ -189,8 +189,8 @@ static int pmcraid_slave_alloc(struct sc
36664 res->scsi_dev = scsi_dev;
36665 scsi_dev->hostdata = res;
36666 res->change_detected = 0;
36667 - atomic_set(&res->read_failures, 0);
36668 - atomic_set(&res->write_failures, 0);
36669 + atomic_set_unchecked(&res->read_failures, 0);
36670 + atomic_set_unchecked(&res->write_failures, 0);
36671 rc = 0;
36672 }
36673 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
36674 @@ -2396,9 +2396,9 @@ static int pmcraid_error_handler(struct
36675
36676 /* If this was a SCSI read/write command keep count of errors */
36677 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
36678 - atomic_inc(&res->read_failures);
36679 + atomic_inc_unchecked(&res->read_failures);
36680 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
36681 - atomic_inc(&res->write_failures);
36682 + atomic_inc_unchecked(&res->write_failures);
36683
36684 if (!RES_IS_GSCSI(res->cfg_entry) &&
36685 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
36686 @@ -4116,7 +4116,7 @@ static void pmcraid_worker_function(stru
36687
36688 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
36689 /* add resources only after host is added into system */
36690 - if (!atomic_read(&pinstance->expose_resources))
36691 + if (!atomic_read_unchecked(&pinstance->expose_resources))
36692 return;
36693
36694 spin_lock_irqsave(&pinstance->resource_lock, lock_flags);
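Review bot: `expose_resources` is only set to 0 or 1 and read in the hunks of this file (`pmcraid_worker_function()`, `pmcraid_init_instance()`, `pmcraid_probe()`), so no arithmetic on it could overflow, and the reason for making it `atomic_unchecked_t` is not stated. If there are no incrementing users elsewhere (not visible here), a comment on the field in pmcraid.h such as `/* 0/1 flag, never incremented */` would document that. `outstanding_cmds`, initialised on the line above it in `pmcraid_init_instance()`, stays a checked `atomic_t`, which makes the difference worth a word.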
36695 @@ -4850,7 +4850,7 @@ static int __devinit pmcraid_init_instan
36696 init_waitqueue_head(&pinstance->reset_wait_q);
36697
36698 atomic_set(&pinstance->outstanding_cmds, 0);
36699 - atomic_set(&pinstance->expose_resources, 0);
36700 + atomic_set_unchecked(&pinstance->expose_resources, 0);
36701
36702 INIT_LIST_HEAD(&pinstance->free_res_q);
36703 INIT_LIST_HEAD(&pinstance->used_res_q);
36704 @@ -5502,7 +5502,7 @@ static int __devinit pmcraid_probe(
36705 /* Schedule worker thread to handle CCN and take care of adding and
36706 * removing devices to OS
36707 */
36708 - atomic_set(&pinstance->expose_resources, 1);
36709 + atomic_set_unchecked(&pinstance->expose_resources, 1);
36710 schedule_work(&pinstance->worker_q);
36711 return rc;
36712
36713 diff -urNp linux-2.6.32.46/drivers/scsi/pmcraid.h linux-2.6.32.46/drivers/scsi/pmcraid.h
36714 --- linux-2.6.32.46/drivers/scsi/pmcraid.h 2011-03-27 14:31:47.000000000 -0400
36715 +++ linux-2.6.32.46/drivers/scsi/pmcraid.h 2011-05-04 17:56:28.000000000 -0400
36716 @@ -690,7 +690,7 @@ struct pmcraid_instance {
36717 atomic_t outstanding_cmds;
36718
36719 /* should add/delete resources to mid-layer now ?*/
36720 - atomic_t expose_resources;
36721 + atomic_unchecked_t expose_resources;
36722
36723 /* Tasklet to handle deferred processing */
36724 struct tasklet_struct isr_tasklet[PMCRAID_NUM_MSIX_VECTORS];
36725 @@ -727,8 +727,8 @@ struct pmcraid_resource_entry {
36726 struct list_head queue; /* link to "to be exposed" resources */
36727 struct pmcraid_config_table_entry cfg_entry;
36728 struct scsi_device *scsi_dev; /* Link scsi_device structure */
36729 - atomic_t read_failures; /* count of failed READ commands */
36730 - atomic_t write_failures; /* count of failed WRITE commands */
36731 + atomic_unchecked_t read_failures; /* count of failed READ commands */
36732 + atomic_unchecked_t write_failures; /* count of failed WRITE commands */
36733
36734 /* To indicate add/delete/modify during CCN */
36735 u8 change_detected;
36736 diff -urNp linux-2.6.32.46/drivers/scsi/qla2xxx/qla_def.h linux-2.6.32.46/drivers/scsi/qla2xxx/qla_def.h
36737 --- linux-2.6.32.46/drivers/scsi/qla2xxx/qla_def.h 2011-03-27 14:31:47.000000000 -0400
36738 +++ linux-2.6.32.46/drivers/scsi/qla2xxx/qla_def.h 2011-08-05 20:33:55.000000000 -0400
36739 @@ -2089,7 +2089,7 @@ struct isp_operations {
36740
36741 int (*get_flash_version) (struct scsi_qla_host *, void *);
36742 int (*start_scsi) (srb_t *);
36743 -};
36744 +} __no_const;
36745
36746 /* MSI-X Support *************************************************************/
36747
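Review bot: The `__no_const` added to `struct isp_operations` has no comment, and nothing in the hunk shows which code writes the members at run time. As far as I can tell the annotation opts the struct out of constification, so this function-pointer table stays writable while most other ops tables in this patch become `const`. A short comment at the closing brace would let a later reader check whether the exemption is still needed, e.g. `/* __no_const: members are assigned at run time in <writer function> */`. The same applies to `struct vmbus_channel_interface` in VmbusApi.h and `struct iio_ring_access_funcs` in ring_generic.h.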
36748 diff -urNp linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_def.h linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_def.h
36749 --- linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_def.h 2011-03-27 14:31:47.000000000 -0400
36750 +++ linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_def.h 2011-05-04 17:56:28.000000000 -0400
36751 @@ -240,7 +240,7 @@ struct ddb_entry {
36752 atomic_t retry_relogin_timer; /* Min Time between relogins
36753 * (4000 only) */
36754 atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
36755 - atomic_t relogin_retry_count; /* Num of times relogin has been
36756 + atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
36757 * retried */
36758
36759 uint16_t port;
36760 diff -urNp linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_init.c linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_init.c
36761 --- linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_init.c 2011-03-27 14:31:47.000000000 -0400
36762 +++ linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_init.c 2011-05-04 17:56:28.000000000 -0400
36763 @@ -482,7 +482,7 @@ static struct ddb_entry * qla4xxx_alloc_
36764 atomic_set(&ddb_entry->port_down_timer, ha->port_down_retry_count);
36765 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
36766 atomic_set(&ddb_entry->relogin_timer, 0);
36767 - atomic_set(&ddb_entry->relogin_retry_count, 0);
36768 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
36769 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
36770 list_add_tail(&ddb_entry->list, &ha->ddb_list);
36771 ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
36772 @@ -1308,7 +1308,7 @@ int qla4xxx_process_ddb_changed(struct s
36773 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
36774 atomic_set(&ddb_entry->port_down_timer,
36775 ha->port_down_retry_count);
36776 - atomic_set(&ddb_entry->relogin_retry_count, 0);
36777 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
36778 atomic_set(&ddb_entry->relogin_timer, 0);
36779 clear_bit(DF_RELOGIN, &ddb_entry->flags);
36780 clear_bit(DF_NO_RELOGIN, &ddb_entry->flags);
36781 diff -urNp linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_os.c linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_os.c
36782 --- linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_os.c 2011-03-27 14:31:47.000000000 -0400
36783 +++ linux-2.6.32.46/drivers/scsi/qla4xxx/ql4_os.c 2011-05-04 17:56:28.000000000 -0400
36784 @@ -641,13 +641,13 @@ static void qla4xxx_timer(struct scsi_ql
36785 ddb_entry->fw_ddb_device_state ==
36786 DDB_DS_SESSION_FAILED) {
36787 /* Reset retry relogin timer */
36788 - atomic_inc(&ddb_entry->relogin_retry_count);
36789 + atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
36790 DEBUG2(printk("scsi%ld: index[%d] relogin"
36791 " timed out-retrying"
36792 " relogin (%d)\n",
36793 ha->host_no,
36794 ddb_entry->fw_ddb_index,
36795 - atomic_read(&ddb_entry->
36796 + atomic_read_unchecked(&ddb_entry->
36797 relogin_retry_count))
36798 );
36799 start_dpc++;
36800 diff -urNp linux-2.6.32.46/drivers/scsi/scsi.c linux-2.6.32.46/drivers/scsi/scsi.c
36801 --- linux-2.6.32.46/drivers/scsi/scsi.c 2011-03-27 14:31:47.000000000 -0400
36802 +++ linux-2.6.32.46/drivers/scsi/scsi.c 2011-05-04 17:56:28.000000000 -0400
36803 @@ -652,7 +652,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
36804 unsigned long timeout;
36805 int rtn = 0;
36806
36807 - atomic_inc(&cmd->device->iorequest_cnt);
36808 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
36809
36810 /* check if the device is still usable */
36811 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
36812 diff -urNp linux-2.6.32.46/drivers/scsi/scsi_debug.c linux-2.6.32.46/drivers/scsi/scsi_debug.c
36813 --- linux-2.6.32.46/drivers/scsi/scsi_debug.c 2011-03-27 14:31:47.000000000 -0400
36814 +++ linux-2.6.32.46/drivers/scsi/scsi_debug.c 2011-05-16 21:46:57.000000000 -0400
36815 @@ -1395,6 +1395,8 @@ static int resp_mode_select(struct scsi_
36816 unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
36817 unsigned char *cmd = (unsigned char *)scp->cmnd;
36818
36819 + pax_track_stack();
36820 +
36821 if ((errsts = check_readiness(scp, 1, devip)))
36822 return errsts;
36823 memset(arr, 0, sizeof(arr));
36824 @@ -1492,6 +1494,8 @@ static int resp_log_sense(struct scsi_cm
36825 unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
36826 unsigned char *cmd = (unsigned char *)scp->cmnd;
36827
36828 + pax_track_stack();
36829 +
36830 if ((errsts = check_readiness(scp, 1, devip)))
36831 return errsts;
36832 memset(arr, 0, sizeof(arr));
36833 diff -urNp linux-2.6.32.46/drivers/scsi/scsi_lib.c linux-2.6.32.46/drivers/scsi/scsi_lib.c
36834 --- linux-2.6.32.46/drivers/scsi/scsi_lib.c 2011-05-10 22:12:01.000000000 -0400
36835 +++ linux-2.6.32.46/drivers/scsi/scsi_lib.c 2011-05-10 22:12:33.000000000 -0400
36836 @@ -1384,7 +1384,7 @@ static void scsi_kill_request(struct req
36837
36838 scsi_init_cmd_errh(cmd);
36839 cmd->result = DID_NO_CONNECT << 16;
36840 - atomic_inc(&cmd->device->iorequest_cnt);
36841 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
36842
36843 /*
36844 * SCSI request completion path will do scsi_device_unbusy(),
36845 @@ -1415,9 +1415,9 @@ static void scsi_softirq_done(struct req
36846 */
36847 cmd->serial_number = 0;
36848
36849 - atomic_inc(&cmd->device->iodone_cnt);
36850 + atomic_inc_unchecked(&cmd->device->iodone_cnt);
36851 if (cmd->result)
36852 - atomic_inc(&cmd->device->ioerr_cnt);
36853 + atomic_inc_unchecked(&cmd->device->ioerr_cnt);
36854
36855 disposition = scsi_decide_disposition(cmd);
36856 if (disposition != SUCCESS &&
36857 diff -urNp linux-2.6.32.46/drivers/scsi/scsi_sysfs.c linux-2.6.32.46/drivers/scsi/scsi_sysfs.c
36858 --- linux-2.6.32.46/drivers/scsi/scsi_sysfs.c 2011-06-25 12:55:34.000000000 -0400
36859 +++ linux-2.6.32.46/drivers/scsi/scsi_sysfs.c 2011-06-25 12:56:37.000000000 -0400
36860 @@ -662,7 +662,7 @@ show_iostat_##field(struct device *dev,
36861 char *buf) \
36862 { \
36863 struct scsi_device *sdev = to_scsi_device(dev); \
36864 - unsigned long long count = atomic_read(&sdev->field); \
36865 + unsigned long long count = atomic_read_unchecked(&sdev->field); \
36866 return snprintf(buf, 20, "0x%llx\n", count); \
36867 } \
36868 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
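Review bot: `count` is an `unsigned long long` initialised straight from the atomic read, which presumably returns `int` as `atomic_read()` does. Once one of these I/O counters wraps past INT_MAX, which the unchecked type now treats as acceptable, the value sign-extends and sysfs reports a 64-bit number with the upper half set. Going through an unsigned type keeps the output at the counter's real width: `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field);`. The `show_iostat_##field` macro starts outside the hunk.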
36869 diff -urNp linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c
36870 --- linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c 2011-03-27 14:31:47.000000000 -0400
36871 +++ linux-2.6.32.46/drivers/scsi/scsi_transport_fc.c 2011-05-04 17:56:28.000000000 -0400
36872 @@ -480,7 +480,7 @@ MODULE_PARM_DESC(dev_loss_tmo,
36873 * Netlink Infrastructure
36874 */
36875
36876 -static atomic_t fc_event_seq;
36877 +static atomic_unchecked_t fc_event_seq;
36878
36879 /**
36880 * fc_get_event_number - Obtain the next sequential FC event number
36881 @@ -493,7 +493,7 @@ static atomic_t fc_event_seq;
36882 u32
36883 fc_get_event_number(void)
36884 {
36885 - return atomic_add_return(1, &fc_event_seq);
36886 + return atomic_add_return_unchecked(1, &fc_event_seq);
36887 }
36888 EXPORT_SYMBOL(fc_get_event_number);
36889
36890 @@ -641,7 +641,7 @@ static __init int fc_transport_init(void
36891 {
36892 int error;
36893
36894 - atomic_set(&fc_event_seq, 0);
36895 + atomic_set_unchecked(&fc_event_seq, 0);
36896
36897 error = transport_class_register(&fc_host_class);
36898 if (error)
36899 diff -urNp linux-2.6.32.46/drivers/scsi/scsi_transport_iscsi.c linux-2.6.32.46/drivers/scsi/scsi_transport_iscsi.c
36900 --- linux-2.6.32.46/drivers/scsi/scsi_transport_iscsi.c 2011-03-27 14:31:47.000000000 -0400
36901 +++ linux-2.6.32.46/drivers/scsi/scsi_transport_iscsi.c 2011-05-04 17:56:28.000000000 -0400
36902 @@ -81,7 +81,7 @@ struct iscsi_internal {
36903 struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
36904 };
36905
36906 -static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
36907 +static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
36908 static struct workqueue_struct *iscsi_eh_timer_workq;
36909
36910 /*
36911 @@ -728,7 +728,7 @@ int iscsi_add_session(struct iscsi_cls_s
36912 int err;
36913
36914 ihost = shost->shost_data;
36915 - session->sid = atomic_add_return(1, &iscsi_session_nr);
36916 + session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
36917
36918 if (id == ISCSI_MAX_TARGET) {
36919 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
36920 @@ -2060,7 +2060,7 @@ static __init int iscsi_transport_init(v
36921 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
36922 ISCSI_TRANSPORT_VERSION);
36923
36924 - atomic_set(&iscsi_session_nr, 0);
36925 + atomic_set_unchecked(&iscsi_session_nr, 0);
36926
36927 err = class_register(&iscsi_transport_class);
36928 if (err)
36929 diff -urNp linux-2.6.32.46/drivers/scsi/scsi_transport_srp.c linux-2.6.32.46/drivers/scsi/scsi_transport_srp.c
36930 --- linux-2.6.32.46/drivers/scsi/scsi_transport_srp.c 2011-03-27 14:31:47.000000000 -0400
36931 +++ linux-2.6.32.46/drivers/scsi/scsi_transport_srp.c 2011-05-04 17:56:28.000000000 -0400
36932 @@ -33,7 +33,7 @@
36933 #include "scsi_transport_srp_internal.h"
36934
36935 struct srp_host_attrs {
36936 - atomic_t next_port_id;
36937 + atomic_unchecked_t next_port_id;
36938 };
36939 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
36940
36941 @@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
36942 struct Scsi_Host *shost = dev_to_shost(dev);
36943 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
36944
36945 - atomic_set(&srp_host->next_port_id, 0);
36946 + atomic_set_unchecked(&srp_host->next_port_id, 0);
36947 return 0;
36948 }
36949
36950 @@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
36951 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
36952 rport->roles = ids->roles;
36953
36954 - id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
36955 + id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
36956 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
36957
36958 transport_setup_device(&rport->dev);
36959 diff -urNp linux-2.6.32.46/drivers/scsi/sg.c linux-2.6.32.46/drivers/scsi/sg.c
36960 --- linux-2.6.32.46/drivers/scsi/sg.c 2011-03-27 14:31:47.000000000 -0400
36961 +++ linux-2.6.32.46/drivers/scsi/sg.c 2011-04-17 15:56:46.000000000 -0400
36962 @@ -2292,7 +2292,7 @@ struct sg_proc_leaf {
36963 const struct file_operations * fops;
36964 };
36965
36966 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
36967 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
36968 {"allow_dio", &adio_fops},
36969 {"debug", &debug_fops},
36970 {"def_reserved_size", &dressz_fops},
36971 @@ -2307,7 +2307,7 @@ sg_proc_init(void)
36972 {
36973 int k, mask;
36974 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
36975 - struct sg_proc_leaf * leaf;
36976 + const struct sg_proc_leaf * leaf;
36977
36978 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
36979 if (!sg_proc_sgp)
36980 diff -urNp linux-2.6.32.46/drivers/scsi/sym53c8xx_2/sym_glue.c linux-2.6.32.46/drivers/scsi/sym53c8xx_2/sym_glue.c
36981 --- linux-2.6.32.46/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-03-27 14:31:47.000000000 -0400
36982 +++ linux-2.6.32.46/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-16 21:46:57.000000000 -0400
36983 @@ -1754,6 +1754,8 @@ static int __devinit sym2_probe(struct p
36984 int do_iounmap = 0;
36985 int do_disable_device = 1;
36986
36987 + pax_track_stack();
36988 +
36989 memset(&sym_dev, 0, sizeof(sym_dev));
36990 memset(&nvram, 0, sizeof(nvram));
36991 sym_dev.pdev = pdev;
36992 diff -urNp linux-2.6.32.46/drivers/serial/kgdboc.c linux-2.6.32.46/drivers/serial/kgdboc.c
36993 --- linux-2.6.32.46/drivers/serial/kgdboc.c 2011-03-27 14:31:47.000000000 -0400
36994 +++ linux-2.6.32.46/drivers/serial/kgdboc.c 2011-04-17 15:56:46.000000000 -0400
36995 @@ -18,7 +18,7 @@
36996
36997 #define MAX_CONFIG_LEN 40
36998
36999 -static struct kgdb_io kgdboc_io_ops;
37000 +static const struct kgdb_io kgdboc_io_ops;
37001
37002 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
37003 static int configured = -1;
37004 @@ -154,7 +154,7 @@ static void kgdboc_post_exp_handler(void
37005 module_put(THIS_MODULE);
37006 }
37007
37008 -static struct kgdb_io kgdboc_io_ops = {
37009 +static const struct kgdb_io kgdboc_io_ops = {
37010 .name = "kgdboc",
37011 .read_char = kgdboc_get_char,
37012 .write_char = kgdboc_put_char,
37013 diff -urNp linux-2.6.32.46/drivers/spi/spi.c linux-2.6.32.46/drivers/spi/spi.c
37014 --- linux-2.6.32.46/drivers/spi/spi.c 2011-03-27 14:31:47.000000000 -0400
37015 +++ linux-2.6.32.46/drivers/spi/spi.c 2011-05-04 17:56:28.000000000 -0400
37016 @@ -774,7 +774,7 @@ int spi_sync(struct spi_device *spi, str
37017 EXPORT_SYMBOL_GPL(spi_sync);
37018
37019 /* portable code must never pass more than 32 bytes */
37020 -#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
37021 +#define SPI_BUFSIZ max(32U,SMP_CACHE_BYTES)
37022
37023 static u8 *buf;
37024
37025 diff -urNp linux-2.6.32.46/drivers/staging/android/binder.c linux-2.6.32.46/drivers/staging/android/binder.c
37026 --- linux-2.6.32.46/drivers/staging/android/binder.c 2011-03-27 14:31:47.000000000 -0400
37027 +++ linux-2.6.32.46/drivers/staging/android/binder.c 2011-04-17 15:56:46.000000000 -0400
37028 @@ -2756,7 +2756,7 @@ static void binder_vma_close(struct vm_a
37029 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES);
37030 }
37031
37032 -static struct vm_operations_struct binder_vm_ops = {
37033 +static const struct vm_operations_struct binder_vm_ops = {
37034 .open = binder_vma_open,
37035 .close = binder_vma_close,
37036 };
37037 diff -urNp linux-2.6.32.46/drivers/staging/b3dfg/b3dfg.c linux-2.6.32.46/drivers/staging/b3dfg/b3dfg.c
37038 --- linux-2.6.32.46/drivers/staging/b3dfg/b3dfg.c 2011-03-27 14:31:47.000000000 -0400
37039 +++ linux-2.6.32.46/drivers/staging/b3dfg/b3dfg.c 2011-04-17 15:56:46.000000000 -0400
37040 @@ -455,7 +455,7 @@ static int b3dfg_vma_fault(struct vm_are
37041 return VM_FAULT_NOPAGE;
37042 }
37043
37044 -static struct vm_operations_struct b3dfg_vm_ops = {
37045 +static const struct vm_operations_struct b3dfg_vm_ops = {
37046 .fault = b3dfg_vma_fault,
37047 };
37048
37049 @@ -848,7 +848,7 @@ static int b3dfg_mmap(struct file *filp,
37050 return r;
37051 }
37052
37053 -static struct file_operations b3dfg_fops = {
37054 +static const struct file_operations b3dfg_fops = {
37055 .owner = THIS_MODULE,
37056 .open = b3dfg_open,
37057 .release = b3dfg_release,
37058 diff -urNp linux-2.6.32.46/drivers/staging/comedi/comedi_fops.c linux-2.6.32.46/drivers/staging/comedi/comedi_fops.c
37059 --- linux-2.6.32.46/drivers/staging/comedi/comedi_fops.c 2011-08-09 18:35:29.000000000 -0400
37060 +++ linux-2.6.32.46/drivers/staging/comedi/comedi_fops.c 2011-08-09 18:34:00.000000000 -0400
37061 @@ -1389,7 +1389,7 @@ void comedi_unmap(struct vm_area_struct
37062 mutex_unlock(&dev->mutex);
37063 }
37064
37065 -static struct vm_operations_struct comedi_vm_ops = {
37066 +static const struct vm_operations_struct comedi_vm_ops = {
37067 .close = comedi_unmap,
37068 };
37069
37070 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.32.46/drivers/staging/dream/qdsp5/adsp_driver.c
37071 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/adsp_driver.c 2011-03-27 14:31:47.000000000 -0400
37072 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/adsp_driver.c 2011-04-17 15:56:46.000000000 -0400
37073 @@ -576,7 +576,7 @@ static struct adsp_device *inode_to_devi
37074 static dev_t adsp_devno;
37075 static struct class *adsp_class;
37076
37077 -static struct file_operations adsp_fops = {
37078 +static const struct file_operations adsp_fops = {
37079 .owner = THIS_MODULE,
37080 .open = adsp_open,
37081 .unlocked_ioctl = adsp_ioctl,
37082 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_aac.c
37083 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_aac.c 2011-03-27 14:31:47.000000000 -0400
37084 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_aac.c 2011-04-17 15:56:46.000000000 -0400
37085 @@ -1022,7 +1022,7 @@ done:
37086 return rc;
37087 }
37088
37089 -static struct file_operations audio_aac_fops = {
37090 +static const struct file_operations audio_aac_fops = {
37091 .owner = THIS_MODULE,
37092 .open = audio_open,
37093 .release = audio_release,
37094 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_amrnb.c
37095 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_amrnb.c 2011-03-27 14:31:47.000000000 -0400
37096 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_amrnb.c 2011-04-17 15:56:46.000000000 -0400
37097 @@ -833,7 +833,7 @@ done:
37098 return rc;
37099 }
37100
37101 -static struct file_operations audio_amrnb_fops = {
37102 +static const struct file_operations audio_amrnb_fops = {
37103 .owner = THIS_MODULE,
37104 .open = audamrnb_open,
37105 .release = audamrnb_release,
37106 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_evrc.c
37107 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_evrc.c 2011-03-27 14:31:47.000000000 -0400
37108 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_evrc.c 2011-04-17 15:56:46.000000000 -0400
37109 @@ -805,7 +805,7 @@ dma_fail:
37110 return rc;
37111 }
37112
37113 -static struct file_operations audio_evrc_fops = {
37114 +static const struct file_operations audio_evrc_fops = {
37115 .owner = THIS_MODULE,
37116 .open = audevrc_open,
37117 .release = audevrc_release,
37118 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_in.c
37119 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_in.c 2011-03-27 14:31:47.000000000 -0400
37120 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_in.c 2011-04-17 15:56:46.000000000 -0400
37121 @@ -913,7 +913,7 @@ static int audpre_open(struct inode *ino
37122 return 0;
37123 }
37124
37125 -static struct file_operations audio_fops = {
37126 +static const struct file_operations audio_fops = {
37127 .owner = THIS_MODULE,
37128 .open = audio_in_open,
37129 .release = audio_in_release,
37130 @@ -922,7 +922,7 @@ static struct file_operations audio_fops
37131 .unlocked_ioctl = audio_in_ioctl,
37132 };
37133
37134 -static struct file_operations audpre_fops = {
37135 +static const struct file_operations audpre_fops = {
37136 .owner = THIS_MODULE,
37137 .open = audpre_open,
37138 .unlocked_ioctl = audpre_ioctl,
37139 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_mp3.c
37140 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_mp3.c 2011-03-27 14:31:47.000000000 -0400
37141 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_mp3.c 2011-04-17 15:56:46.000000000 -0400
37142 @@ -941,7 +941,7 @@ done:
37143 return rc;
37144 }
37145
37146 -static struct file_operations audio_mp3_fops = {
37147 +static const struct file_operations audio_mp3_fops = {
37148 .owner = THIS_MODULE,
37149 .open = audio_open,
37150 .release = audio_release,
37151 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_out.c
37152 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_out.c 2011-03-27 14:31:47.000000000 -0400
37153 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_out.c 2011-04-17 15:56:46.000000000 -0400
37154 @@ -810,7 +810,7 @@ static int audpp_open(struct inode *inod
37155 return 0;
37156 }
37157
37158 -static struct file_operations audio_fops = {
37159 +static const struct file_operations audio_fops = {
37160 .owner = THIS_MODULE,
37161 .open = audio_open,
37162 .release = audio_release,
37163 @@ -819,7 +819,7 @@ static struct file_operations audio_fops
37164 .unlocked_ioctl = audio_ioctl,
37165 };
37166
37167 -static struct file_operations audpp_fops = {
37168 +static const struct file_operations audpp_fops = {
37169 .owner = THIS_MODULE,
37170 .open = audpp_open,
37171 .unlocked_ioctl = audpp_ioctl,
37172 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_qcelp.c
37173 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_qcelp.c 2011-03-27 14:31:47.000000000 -0400
37174 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/audio_qcelp.c 2011-04-17 15:56:46.000000000 -0400
37175 @@ -816,7 +816,7 @@ err:
37176 return rc;
37177 }
37178
37179 -static struct file_operations audio_qcelp_fops = {
37180 +static const struct file_operations audio_qcelp_fops = {
37181 .owner = THIS_MODULE,
37182 .open = audqcelp_open,
37183 .release = audqcelp_release,
37184 diff -urNp linux-2.6.32.46/drivers/staging/dream/qdsp5/snd.c linux-2.6.32.46/drivers/staging/dream/qdsp5/snd.c
37185 --- linux-2.6.32.46/drivers/staging/dream/qdsp5/snd.c 2011-03-27 14:31:47.000000000 -0400
37186 +++ linux-2.6.32.46/drivers/staging/dream/qdsp5/snd.c 2011-04-17 15:56:46.000000000 -0400
37187 @@ -242,7 +242,7 @@ err:
37188 return rc;
37189 }
37190
37191 -static struct file_operations snd_fops = {
37192 +static const struct file_operations snd_fops = {
37193 .owner = THIS_MODULE,
37194 .open = snd_open,
37195 .release = snd_release,
37196 diff -urNp linux-2.6.32.46/drivers/staging/dream/smd/smd_qmi.c linux-2.6.32.46/drivers/staging/dream/smd/smd_qmi.c
37197 --- linux-2.6.32.46/drivers/staging/dream/smd/smd_qmi.c 2011-03-27 14:31:47.000000000 -0400
37198 +++ linux-2.6.32.46/drivers/staging/dream/smd/smd_qmi.c 2011-04-17 15:56:46.000000000 -0400
37199 @@ -793,7 +793,7 @@ static int qmi_release(struct inode *ip,
37200 return 0;
37201 }
37202
37203 -static struct file_operations qmi_fops = {
37204 +static const struct file_operations qmi_fops = {
37205 .owner = THIS_MODULE,
37206 .read = qmi_read,
37207 .write = qmi_write,
37208 diff -urNp linux-2.6.32.46/drivers/staging/dream/smd/smd_rpcrouter_device.c linux-2.6.32.46/drivers/staging/dream/smd/smd_rpcrouter_device.c
37209 --- linux-2.6.32.46/drivers/staging/dream/smd/smd_rpcrouter_device.c 2011-03-27 14:31:47.000000000 -0400
37210 +++ linux-2.6.32.46/drivers/staging/dream/smd/smd_rpcrouter_device.c 2011-04-17 15:56:46.000000000 -0400
37211 @@ -214,7 +214,7 @@ static long rpcrouter_ioctl(struct file
37212 return rc;
37213 }
37214
37215 -static struct file_operations rpcrouter_server_fops = {
37216 +static const struct file_operations rpcrouter_server_fops = {
37217 .owner = THIS_MODULE,
37218 .open = rpcrouter_open,
37219 .release = rpcrouter_release,
37220 @@ -224,7 +224,7 @@ static struct file_operations rpcrouter_
37221 .unlocked_ioctl = rpcrouter_ioctl,
37222 };
37223
37224 -static struct file_operations rpcrouter_router_fops = {
37225 +static const struct file_operations rpcrouter_router_fops = {
37226 .owner = THIS_MODULE,
37227 .open = rpcrouter_open,
37228 .release = rpcrouter_release,
37229 diff -urNp linux-2.6.32.46/drivers/staging/dst/dcore.c linux-2.6.32.46/drivers/staging/dst/dcore.c
37230 --- linux-2.6.32.46/drivers/staging/dst/dcore.c 2011-03-27 14:31:47.000000000 -0400
37231 +++ linux-2.6.32.46/drivers/staging/dst/dcore.c 2011-04-17 15:56:46.000000000 -0400
37232 @@ -149,7 +149,7 @@ static int dst_bdev_release(struct gendi
37233 return 0;
37234 }
37235
37236 -static struct block_device_operations dst_blk_ops = {
37237 +static const struct block_device_operations dst_blk_ops = {
37238 .open = dst_bdev_open,
37239 .release = dst_bdev_release,
37240 .owner = THIS_MODULE,
37241 @@ -588,7 +588,7 @@ static struct dst_node *dst_alloc_node(s
37242 n->size = ctl->size;
37243
37244 atomic_set(&n->refcnt, 1);
37245 - atomic_long_set(&n->gen, 0);
37246 + atomic_long_set_unchecked(&n->gen, 0);
37247 snprintf(n->name, sizeof(n->name), "%s", ctl->name);
37248
37249 err = dst_node_sysfs_init(n);
37250 diff -urNp linux-2.6.32.46/drivers/staging/dst/trans.c linux-2.6.32.46/drivers/staging/dst/trans.c
37251 --- linux-2.6.32.46/drivers/staging/dst/trans.c 2011-03-27 14:31:47.000000000 -0400
37252 +++ linux-2.6.32.46/drivers/staging/dst/trans.c 2011-04-17 15:56:46.000000000 -0400
37253 @@ -169,7 +169,7 @@ int dst_process_bio(struct dst_node *n,
37254 t->error = 0;
37255 t->retries = 0;
37256 atomic_set(&t->refcnt, 1);
37257 - t->gen = atomic_long_inc_return(&n->gen);
37258 + t->gen = atomic_long_inc_return_unchecked(&n->gen);
37259
37260 t->enc = bio_data_dir(bio);
37261 dst_bio_to_cmd(bio, &t->cmd, DST_IO, t->gen);
37262 diff -urNp linux-2.6.32.46/drivers/staging/et131x/et1310_tx.c linux-2.6.32.46/drivers/staging/et131x/et1310_tx.c
37263 --- linux-2.6.32.46/drivers/staging/et131x/et1310_tx.c 2011-03-27 14:31:47.000000000 -0400
37264 +++ linux-2.6.32.46/drivers/staging/et131x/et1310_tx.c 2011-05-04 17:56:28.000000000 -0400
37265 @@ -710,11 +710,11 @@ inline void et131x_free_send_packet(stru
37266 struct net_device_stats *stats = &etdev->net_stats;
37267
37268 if (pMpTcb->Flags & fMP_DEST_BROAD)
37269 - atomic_inc(&etdev->Stats.brdcstxmt);
37270 + atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
37271 else if (pMpTcb->Flags & fMP_DEST_MULTI)
37272 - atomic_inc(&etdev->Stats.multixmt);
37273 + atomic_inc_unchecked(&etdev->Stats.multixmt);
37274 else
37275 - atomic_inc(&etdev->Stats.unixmt);
37276 + atomic_inc_unchecked(&etdev->Stats.unixmt);
37277
37278 if (pMpTcb->Packet) {
37279 stats->tx_bytes += pMpTcb->Packet->len;
37280 diff -urNp linux-2.6.32.46/drivers/staging/et131x/et131x_adapter.h linux-2.6.32.46/drivers/staging/et131x/et131x_adapter.h
37281 --- linux-2.6.32.46/drivers/staging/et131x/et131x_adapter.h 2011-03-27 14:31:47.000000000 -0400
37282 +++ linux-2.6.32.46/drivers/staging/et131x/et131x_adapter.h 2011-05-04 17:56:28.000000000 -0400
37283 @@ -145,11 +145,11 @@ typedef struct _ce_stats_t {
37284 * operations
37285 */
37286 u32 unircv; /* # multicast packets received */
37287 - atomic_t unixmt; /* # multicast packets for Tx */
37288 + atomic_unchecked_t unixmt; /* # multicast packets for Tx */
37289 u32 multircv; /* # multicast packets received */
37290 - atomic_t multixmt; /* # multicast packets for Tx */
37291 + atomic_unchecked_t multixmt; /* # multicast packets for Tx */
37292 u32 brdcstrcv; /* # broadcast packets received */
37293 - atomic_t brdcstxmt; /* # broadcast packets for Tx */
37294 + atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
37295 u32 norcvbuf; /* # Rx packets discarded */
37296 u32 noxmtbuf; /* # Tx packets discarded */
37297
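Review bot: The comment on the rewritten `unixmt` line still says `# multicast packets for Tx`, which contradicts how the counter is used. In the et1310_tx.c hunk above, `Stats.unixmt` is incremented in the final `else`, for frames flagged neither broadcast nor multicast. Since the line is being touched anyway, it could read `atomic_unchecked_t unixmt; /* # unicast packets for Tx */`. The `unircv` context line just above carries the same wording. The struct continues outside the hunk.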
37298 diff -urNp linux-2.6.32.46/drivers/staging/go7007/go7007-v4l2.c linux-2.6.32.46/drivers/staging/go7007/go7007-v4l2.c
37299 --- linux-2.6.32.46/drivers/staging/go7007/go7007-v4l2.c 2011-03-27 14:31:47.000000000 -0400
37300 +++ linux-2.6.32.46/drivers/staging/go7007/go7007-v4l2.c 2011-04-17 15:56:46.000000000 -0400
37301 @@ -1700,7 +1700,7 @@ static int go7007_vm_fault(struct vm_are
37302 return 0;
37303 }
37304
37305 -static struct vm_operations_struct go7007_vm_ops = {
37306 +static const struct vm_operations_struct go7007_vm_ops = {
37307 .open = go7007_vm_open,
37308 .close = go7007_vm_close,
37309 .fault = go7007_vm_fault,
37310 diff -urNp linux-2.6.32.46/drivers/staging/hv/blkvsc_drv.c linux-2.6.32.46/drivers/staging/hv/blkvsc_drv.c
37311 --- linux-2.6.32.46/drivers/staging/hv/blkvsc_drv.c 2011-03-27 14:31:47.000000000 -0400
37312 +++ linux-2.6.32.46/drivers/staging/hv/blkvsc_drv.c 2011-04-17 15:56:46.000000000 -0400
37313 @@ -153,7 +153,7 @@ static int blkvsc_ringbuffer_size = BLKV
37314 /* The one and only one */
37315 static struct blkvsc_driver_context g_blkvsc_drv;
37316
37317 -static struct block_device_operations block_ops = {
37318 +static const struct block_device_operations block_ops = {
37319 .owner = THIS_MODULE,
37320 .open = blkvsc_open,
37321 .release = blkvsc_release,
37322 diff -urNp linux-2.6.32.46/drivers/staging/hv/Channel.c linux-2.6.32.46/drivers/staging/hv/Channel.c
37323 --- linux-2.6.32.46/drivers/staging/hv/Channel.c 2011-04-17 17:00:52.000000000 -0400
37324 +++ linux-2.6.32.46/drivers/staging/hv/Channel.c 2011-05-04 17:56:28.000000000 -0400
37325 @@ -464,8 +464,8 @@ int VmbusChannelEstablishGpadl(struct vm
37326
37327 DPRINT_ENTER(VMBUS);
37328
37329 - nextGpadlHandle = atomic_read(&gVmbusConnection.NextGpadlHandle);
37330 - atomic_inc(&gVmbusConnection.NextGpadlHandle);
37331 + nextGpadlHandle = atomic_read_unchecked(&gVmbusConnection.NextGpadlHandle);
37332 + atomic_inc_unchecked(&gVmbusConnection.NextGpadlHandle);
37333
37334 VmbusChannelCreateGpadlHeader(Kbuffer, Size, &msgInfo, &msgCount);
37335 ASSERT(msgInfo != NULL);
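Review bot: The handle is taken with `atomic_read_unchecked()` and the counter is bumped by a separate `atomic_inc_unchecked()`, so the pair is not atomic as a whole. Two concurrent callers of VmbusChannelEstablishGpadl can read the same value and end up with the same GPADL handle; whether callers are serialised elsewhere is not visible here. A single operation hands out each value once and keeps the current numbering: `nextGpadlHandle = atomic_inc_return_unchecked(&gVmbusConnection.NextGpadlHandle) - 1;`. The function body continues outside the hunk.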
37336 diff -urNp linux-2.6.32.46/drivers/staging/hv/Hv.c linux-2.6.32.46/drivers/staging/hv/Hv.c
37337 --- linux-2.6.32.46/drivers/staging/hv/Hv.c 2011-03-27 14:31:47.000000000 -0400
37338 +++ linux-2.6.32.46/drivers/staging/hv/Hv.c 2011-04-17 15:56:46.000000000 -0400
37339 @@ -161,7 +161,7 @@ static u64 HvDoHypercall(u64 Control, vo
37340 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
37341 u32 outputAddressHi = outputAddress >> 32;
37342 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
37343 - volatile void *hypercallPage = gHvContext.HypercallPage;
37344 + volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
37345
37346 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
37347 Control, Input, Output);
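Review bot: The new `ktva_ktla()` wrapper around `gHvContext.HypercallPage` changes which address the rest of HvDoHypercall uses, but the line carries no explanation. The use of `hypercallPage` lies outside the hunk, so the reason for the translation has to be guessed; presumably it is the call target and needs the kernel-text address form under KERNEXEC. A comment above the declaration would make the intent checkable, e.g. `/* call target: translate to the kernel-text address form expected under KERNEXEC (no-op otherwise) */`, adjusted to the actual reason.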
37348 diff -urNp linux-2.6.32.46/drivers/staging/hv/VmbusApi.h linux-2.6.32.46/drivers/staging/hv/VmbusApi.h
37349 --- linux-2.6.32.46/drivers/staging/hv/VmbusApi.h 2011-03-27 14:31:47.000000000 -0400
37350 +++ linux-2.6.32.46/drivers/staging/hv/VmbusApi.h 2011-08-29 22:32:57.000000000 -0400
37351 @@ -109,7 +109,7 @@ struct vmbus_channel_interface {
37352 u32 *GpadlHandle);
37353 int (*TeardownGpadl)(struct hv_device *device, u32 GpadlHandle);
37354 void (*GetInfo)(struct hv_device *dev, struct hv_device_info *devinfo);
37355 -};
37356 +} __no_const;
37357
37358 /* Base driver object */
37359 struct hv_driver {
37360 diff -urNp linux-2.6.32.46/drivers/staging/hv/vmbus_drv.c linux-2.6.32.46/drivers/staging/hv/vmbus_drv.c
37361 --- linux-2.6.32.46/drivers/staging/hv/vmbus_drv.c 2011-03-27 14:31:47.000000000 -0400
37362 +++ linux-2.6.32.46/drivers/staging/hv/vmbus_drv.c 2011-05-04 17:56:28.000000000 -0400
37363 @@ -532,7 +532,7 @@ static int vmbus_child_device_register(s
37364 to_device_context(root_device_obj);
37365 struct device_context *child_device_ctx =
37366 to_device_context(child_device_obj);
37367 - static atomic_t device_num = ATOMIC_INIT(0);
37368 + static atomic_unchecked_t device_num = ATOMIC_INIT(0);
37369
37370 DPRINT_ENTER(VMBUS_DRV);
37371
37372 @@ -541,7 +541,7 @@ static int vmbus_child_device_register(s
37373
37374 /* Set the device name. Otherwise, device_register() will fail. */
37375 dev_set_name(&child_device_ctx->device, "vmbus_0_%d",
37376 - atomic_inc_return(&device_num));
37377 + atomic_inc_return_unchecked(&device_num));
37378
37379 /* The new device belongs to this bus */
37380 child_device_ctx->device.bus = &g_vmbus_drv.bus; /* device->dev.bus; */
37381 diff -urNp linux-2.6.32.46/drivers/staging/hv/VmbusPrivate.h linux-2.6.32.46/drivers/staging/hv/VmbusPrivate.h
37382 --- linux-2.6.32.46/drivers/staging/hv/VmbusPrivate.h 2011-04-17 17:00:52.000000000 -0400
37383 +++ linux-2.6.32.46/drivers/staging/hv/VmbusPrivate.h 2011-05-04 17:56:28.000000000 -0400
37384 @@ -59,7 +59,7 @@ enum VMBUS_CONNECT_STATE {
37385 struct VMBUS_CONNECTION {
37386 enum VMBUS_CONNECT_STATE ConnectState;
37387
37388 - atomic_t NextGpadlHandle;
37389 + atomic_unchecked_t NextGpadlHandle;
37390
37391 /*
37392 * Represents channel interrupts. Each bit position represents a
37393 diff -urNp linux-2.6.32.46/drivers/staging/iio/ring_generic.h linux-2.6.32.46/drivers/staging/iio/ring_generic.h
37394 --- linux-2.6.32.46/drivers/staging/iio/ring_generic.h 2011-03-27 14:31:47.000000000 -0400
37395 +++ linux-2.6.32.46/drivers/staging/iio/ring_generic.h 2011-08-23 20:24:26.000000000 -0400
37396 @@ -87,7 +87,7 @@ struct iio_ring_access_funcs {
37397
37398 int (*is_enabled)(struct iio_ring_buffer *ring);
37399 int (*enable)(struct iio_ring_buffer *ring);
37400 -};
37401 +} __no_const;
37402
37403 /**
37404 * struct iio_ring_buffer - general ring buffer structure
37405 diff -urNp linux-2.6.32.46/drivers/staging/octeon/ethernet.c linux-2.6.32.46/drivers/staging/octeon/ethernet.c
37406 --- linux-2.6.32.46/drivers/staging/octeon/ethernet.c 2011-03-27 14:31:47.000000000 -0400
37407 +++ linux-2.6.32.46/drivers/staging/octeon/ethernet.c 2011-05-04 17:56:28.000000000 -0400
37408 @@ -294,11 +294,11 @@ static struct net_device_stats *cvm_oct_
37409 * since the RX tasklet also increments it.
37410 */
37411 #ifdef CONFIG_64BIT
37412 - atomic64_add(rx_status.dropped_packets,
37413 - (atomic64_t *)&priv->stats.rx_dropped);
37414 + atomic64_add_unchecked(rx_status.dropped_packets,
37415 + (atomic64_unchecked_t *)&priv->stats.rx_dropped);
37416 #else
37417 - atomic_add(rx_status.dropped_packets,
37418 - (atomic_t *)&priv->stats.rx_dropped);
37419 + atomic_add_unchecked(rx_status.dropped_packets,
37420 + (atomic_unchecked_t *)&priv->stats.rx_dropped);
37421 #endif
37422 }
37423
37424 diff -urNp linux-2.6.32.46/drivers/staging/octeon/ethernet-rx.c linux-2.6.32.46/drivers/staging/octeon/ethernet-rx.c
37425 --- linux-2.6.32.46/drivers/staging/octeon/ethernet-rx.c 2011-03-27 14:31:47.000000000 -0400
37426 +++ linux-2.6.32.46/drivers/staging/octeon/ethernet-rx.c 2011-05-04 17:56:28.000000000 -0400
37427 @@ -406,11 +406,11 @@ void cvm_oct_tasklet_rx(unsigned long un
37428 /* Increment RX stats for virtual ports */
37429 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
37430 #ifdef CONFIG_64BIT
37431 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
37432 - atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
37433 + atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
37434 + atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
37435 #else
37436 - atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
37437 - atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
37438 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
37439 + atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
37440 #endif
37441 }
37442 netif_receive_skb(skb);
37443 @@ -424,9 +424,9 @@ void cvm_oct_tasklet_rx(unsigned long un
37444 dev->name);
37445 */
37446 #ifdef CONFIG_64BIT
37447 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
37448 + atomic64_add_unchecked(1, (atomic64_t *)&priv->stats.rx_dropped);
37449 #else
37450 - atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
37451 + atomic_add_unchecked(1, (atomic_t *)&priv->stats.rx_dropped);
37452 #endif
37453 dev_kfree_skb_irq(skb);
37454 }
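Review bot: The casts in this hunk still name the checked types although the calls were switched to the unchecked helpers: `atomic64_add_unchecked(1, (atomic64_t *)&priv->stats.rx_dropped)` and `atomic_add_unchecked(1, (atomic_t *)&priv->stats.rx_dropped)`. The previous hunk in this file and the one in ethernet.c cast to `atomic64_unchecked_t *` and `atomic_unchecked_t *`. If the unchecked types are distinct structs in some configuration (their definitions are not visible here), these two calls pass an incompatible pointer. The casts should read `(atomic64_unchecked_t *)&priv->stats.rx_dropped` and `(atomic_unchecked_t *)&priv->stats.rx_dropped`. `cvm_oct_tasklet_rx` starts and ends outside the hunk.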
37455 diff -urNp linux-2.6.32.46/drivers/staging/panel/panel.c linux-2.6.32.46/drivers/staging/panel/panel.c
37456 --- linux-2.6.32.46/drivers/staging/panel/panel.c 2011-03-27 14:31:47.000000000 -0400
37457 +++ linux-2.6.32.46/drivers/staging/panel/panel.c 2011-04-17 15:56:46.000000000 -0400
37458 @@ -1305,7 +1305,7 @@ static int lcd_release(struct inode *ino
37459 return 0;
37460 }
37461
37462 -static struct file_operations lcd_fops = {
37463 +static const struct file_operations lcd_fops = {
37464 .write = lcd_write,
37465 .open = lcd_open,
37466 .release = lcd_release,
37467 @@ -1565,7 +1565,7 @@ static int keypad_release(struct inode *
37468 return 0;
37469 }
37470
37471 -static struct file_operations keypad_fops = {
37472 +static const struct file_operations keypad_fops = {
37473 .read = keypad_read, /* read */
37474 .open = keypad_open, /* open */
37475 .release = keypad_release, /* close */
37476 diff -urNp linux-2.6.32.46/drivers/staging/phison/phison.c linux-2.6.32.46/drivers/staging/phison/phison.c
37477 --- linux-2.6.32.46/drivers/staging/phison/phison.c 2011-03-27 14:31:47.000000000 -0400
37478 +++ linux-2.6.32.46/drivers/staging/phison/phison.c 2011-04-17 15:56:46.000000000 -0400
37479 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
37480 ATA_BMDMA_SHT(DRV_NAME),
37481 };
37482
37483 -static struct ata_port_operations phison_ops = {
37484 +static const struct ata_port_operations phison_ops = {
37485 .inherits = &ata_bmdma_port_ops,
37486 .prereset = phison_pre_reset,
37487 };
37488 diff -urNp linux-2.6.32.46/drivers/staging/poch/poch.c linux-2.6.32.46/drivers/staging/poch/poch.c
37489 --- linux-2.6.32.46/drivers/staging/poch/poch.c 2011-03-27 14:31:47.000000000 -0400
37490 +++ linux-2.6.32.46/drivers/staging/poch/poch.c 2011-04-17 15:56:46.000000000 -0400
37491 @@ -1057,7 +1057,7 @@ static int poch_ioctl(struct inode *inod
37492 return 0;
37493 }
37494
37495 -static struct file_operations poch_fops = {
37496 +static const struct file_operations poch_fops = {
37497 .owner = THIS_MODULE,
37498 .open = poch_open,
37499 .release = poch_release,
37500 diff -urNp linux-2.6.32.46/drivers/staging/pohmelfs/inode.c linux-2.6.32.46/drivers/staging/pohmelfs/inode.c
37501 --- linux-2.6.32.46/drivers/staging/pohmelfs/inode.c 2011-03-27 14:31:47.000000000 -0400
37502 +++ linux-2.6.32.46/drivers/staging/pohmelfs/inode.c 2011-05-04 17:56:20.000000000 -0400
37503 @@ -1850,7 +1850,7 @@ static int pohmelfs_fill_super(struct su
37504 mutex_init(&psb->mcache_lock);
37505 psb->mcache_root = RB_ROOT;
37506 psb->mcache_timeout = msecs_to_jiffies(5000);
37507 - atomic_long_set(&psb->mcache_gen, 0);
37508 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
37509
37510 psb->trans_max_pages = 100;
37511
37512 @@ -1865,7 +1865,7 @@ static int pohmelfs_fill_super(struct su
37513 INIT_LIST_HEAD(&psb->crypto_ready_list);
37514 INIT_LIST_HEAD(&psb->crypto_active_list);
37515
37516 - atomic_set(&psb->trans_gen, 1);
37517 + atomic_set_unchecked(&psb->trans_gen, 1);
37518 atomic_long_set(&psb->total_inodes, 0);
37519
37520 mutex_init(&psb->state_lock);
37521 diff -urNp linux-2.6.32.46/drivers/staging/pohmelfs/mcache.c linux-2.6.32.46/drivers/staging/pohmelfs/mcache.c
37522 --- linux-2.6.32.46/drivers/staging/pohmelfs/mcache.c 2011-03-27 14:31:47.000000000 -0400
37523 +++ linux-2.6.32.46/drivers/staging/pohmelfs/mcache.c 2011-04-17 15:56:46.000000000 -0400
37524 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
37525 m->data = data;
37526 m->start = start;
37527 m->size = size;
37528 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
37529 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
37530
37531 mutex_lock(&psb->mcache_lock);
37532 err = pohmelfs_mcache_insert(psb, m);
37533 diff -urNp linux-2.6.32.46/drivers/staging/pohmelfs/netfs.h linux-2.6.32.46/drivers/staging/pohmelfs/netfs.h
37534 --- linux-2.6.32.46/drivers/staging/pohmelfs/netfs.h 2011-03-27 14:31:47.000000000 -0400
37535 +++ linux-2.6.32.46/drivers/staging/pohmelfs/netfs.h 2011-05-04 17:56:20.000000000 -0400
37536 @@ -570,14 +570,14 @@ struct pohmelfs_config;
37537 struct pohmelfs_sb {
37538 struct rb_root mcache_root;
37539 struct mutex mcache_lock;
37540 - atomic_long_t mcache_gen;
37541 + atomic_long_unchecked_t mcache_gen;
37542 unsigned long mcache_timeout;
37543
37544 unsigned int idx;
37545
37546 unsigned int trans_retries;
37547
37548 - atomic_t trans_gen;
37549 + atomic_unchecked_t trans_gen;
37550
37551 unsigned int crypto_attached_size;
37552 unsigned int crypto_align_size;
37553 diff -urNp linux-2.6.32.46/drivers/staging/pohmelfs/trans.c linux-2.6.32.46/drivers/staging/pohmelfs/trans.c
37554 --- linux-2.6.32.46/drivers/staging/pohmelfs/trans.c 2011-03-27 14:31:47.000000000 -0400
37555 +++ linux-2.6.32.46/drivers/staging/pohmelfs/trans.c 2011-05-04 17:56:28.000000000 -0400
37556 @@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
37557 int err;
37558 struct netfs_cmd *cmd = t->iovec.iov_base;
37559
37560 - t->gen = atomic_inc_return(&psb->trans_gen);
37561 + t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
37562
37563 cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
37564 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
37565 diff -urNp linux-2.6.32.46/drivers/staging/sep/sep_driver.c linux-2.6.32.46/drivers/staging/sep/sep_driver.c
37566 --- linux-2.6.32.46/drivers/staging/sep/sep_driver.c 2011-03-27 14:31:47.000000000 -0400
37567 +++ linux-2.6.32.46/drivers/staging/sep/sep_driver.c 2011-04-17 15:56:46.000000000 -0400
37568 @@ -2603,7 +2603,7 @@ static struct pci_driver sep_pci_driver
37569 static dev_t sep_devno;
37570
37571 /* the files operations structure of the driver */
37572 -static struct file_operations sep_file_operations = {
37573 +static const struct file_operations sep_file_operations = {
37574 .owner = THIS_MODULE,
37575 .ioctl = sep_ioctl,
37576 .poll = sep_poll,
37577 diff -urNp linux-2.6.32.46/drivers/staging/usbip/usbip_common.h linux-2.6.32.46/drivers/staging/usbip/usbip_common.h
37578 --- linux-2.6.32.46/drivers/staging/usbip/usbip_common.h 2011-04-17 17:00:52.000000000 -0400
37579 +++ linux-2.6.32.46/drivers/staging/usbip/usbip_common.h 2011-08-23 20:24:26.000000000 -0400
37580 @@ -374,7 +374,7 @@ struct usbip_device {
37581 void (*shutdown)(struct usbip_device *);
37582 void (*reset)(struct usbip_device *);
37583 void (*unusable)(struct usbip_device *);
37584 - } eh_ops;
37585 + } __no_const eh_ops;
37586 };
37587
37588
37589 diff -urNp linux-2.6.32.46/drivers/staging/usbip/vhci.h linux-2.6.32.46/drivers/staging/usbip/vhci.h
37590 --- linux-2.6.32.46/drivers/staging/usbip/vhci.h 2011-03-27 14:31:47.000000000 -0400
37591 +++ linux-2.6.32.46/drivers/staging/usbip/vhci.h 2011-05-04 17:56:28.000000000 -0400
37592 @@ -92,7 +92,7 @@ struct vhci_hcd {
37593 unsigned resuming:1;
37594 unsigned long re_timeout;
37595
37596 - atomic_t seqnum;
37597 + atomic_unchecked_t seqnum;
37598
37599 /*
37600 * NOTE:
37601 diff -urNp linux-2.6.32.46/drivers/staging/usbip/vhci_hcd.c linux-2.6.32.46/drivers/staging/usbip/vhci_hcd.c
37602 --- linux-2.6.32.46/drivers/staging/usbip/vhci_hcd.c 2011-05-10 22:12:01.000000000 -0400
37603 +++ linux-2.6.32.46/drivers/staging/usbip/vhci_hcd.c 2011-05-10 22:12:33.000000000 -0400
37604 @@ -534,7 +534,7 @@ static void vhci_tx_urb(struct urb *urb)
37605 return;
37606 }
37607
37608 - priv->seqnum = atomic_inc_return(&the_controller->seqnum);
37609 + priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
37610 if (priv->seqnum == 0xffff)
37611 usbip_uinfo("seqnum max\n");
37612
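Review bot: Nothing here records why `the_controller->seqnum` is allowed to wrap. Switching to `atomic_inc_return_unchecked()` presumably takes the counter out of the overflow detection applied to ordinary `atomic_t` operations elsewhere in this patch, and the only wrap-related code in view is the informational `seqnum max` message at `0xffff`. A comment above the call, such as `/* protocol sequence number, not a reference count: wrap-around is expected */`, would document that the exemption is deliberate. The same applies to the second hunk, in `vhci_urb_dequeue`. Both functions continue outside their hunks.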
37613 @@ -793,7 +793,7 @@ static int vhci_urb_dequeue(struct usb_h
37614 return -ENOMEM;
37615 }
37616
37617 - unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
37618 + unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
37619 if (unlink->seqnum == 0xffff)
37620 usbip_uinfo("seqnum max\n");
37621
37622 @@ -988,7 +988,7 @@ static int vhci_start(struct usb_hcd *hc
37623 vdev->rhport = rhport;
37624 }
37625
37626 - atomic_set(&vhci->seqnum, 0);
37627 + atomic_set_unchecked(&vhci->seqnum, 0);
37628 spin_lock_init(&vhci->lock);
37629
37630
37631 diff -urNp linux-2.6.32.46/drivers/staging/usbip/vhci_rx.c linux-2.6.32.46/drivers/staging/usbip/vhci_rx.c
37632 --- linux-2.6.32.46/drivers/staging/usbip/vhci_rx.c 2011-04-17 17:00:52.000000000 -0400
37633 +++ linux-2.6.32.46/drivers/staging/usbip/vhci_rx.c 2011-05-04 17:56:28.000000000 -0400
37634 @@ -78,7 +78,7 @@ static void vhci_recv_ret_submit(struct
37635 usbip_uerr("cannot find a urb of seqnum %u\n",
37636 pdu->base.seqnum);
37637 usbip_uinfo("max seqnum %d\n",
37638 - atomic_read(&the_controller->seqnum));
37639 + atomic_read_unchecked(&the_controller->seqnum));
37640 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
37641 return;
37642 }
37643 diff -urNp linux-2.6.32.46/drivers/staging/vme/devices/vme_user.c linux-2.6.32.46/drivers/staging/vme/devices/vme_user.c
37644 --- linux-2.6.32.46/drivers/staging/vme/devices/vme_user.c 2011-03-27 14:31:47.000000000 -0400
37645 +++ linux-2.6.32.46/drivers/staging/vme/devices/vme_user.c 2011-04-17 15:56:46.000000000 -0400
37646 @@ -136,7 +136,7 @@ static int vme_user_ioctl(struct inode *
37647 static int __init vme_user_probe(struct device *, int, int);
37648 static int __exit vme_user_remove(struct device *, int, int);
37649
37650 -static struct file_operations vme_user_fops = {
37651 +static const struct file_operations vme_user_fops = {
37652 .open = vme_user_open,
37653 .release = vme_user_release,
37654 .read = vme_user_read,
37655 diff -urNp linux-2.6.32.46/drivers/staging/wlan-ng/hfa384x_usb.c linux-2.6.32.46/drivers/staging/wlan-ng/hfa384x_usb.c
37656 --- linux-2.6.32.46/drivers/staging/wlan-ng/hfa384x_usb.c 2011-03-27 14:31:47.000000000 -0400
37657 +++ linux-2.6.32.46/drivers/staging/wlan-ng/hfa384x_usb.c 2011-08-23 20:24:26.000000000 -0400
37658 @@ -205,7 +205,7 @@ static void unlocked_usbctlx_complete(hf
37659
37660 struct usbctlx_completor {
37661 int (*complete) (struct usbctlx_completor *);
37662 -};
37663 +} __no_const;
37664 typedef struct usbctlx_completor usbctlx_completor_t;
37665
37666 static int
37667 diff -urNp linux-2.6.32.46/drivers/telephony/ixj.c linux-2.6.32.46/drivers/telephony/ixj.c
37668 --- linux-2.6.32.46/drivers/telephony/ixj.c 2011-03-27 14:31:47.000000000 -0400
37669 +++ linux-2.6.32.46/drivers/telephony/ixj.c 2011-05-16 21:46:57.000000000 -0400
37670 @@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
37671 bool mContinue;
37672 char *pIn, *pOut;
37673
37674 + pax_track_stack();
37675 +
37676 if (!SCI_Prepare(j))
37677 return 0;
37678
37679 diff -urNp linux-2.6.32.46/drivers/uio/uio.c linux-2.6.32.46/drivers/uio/uio.c
37680 --- linux-2.6.32.46/drivers/uio/uio.c 2011-03-27 14:31:47.000000000 -0400
37681 +++ linux-2.6.32.46/drivers/uio/uio.c 2011-05-04 17:56:20.000000000 -0400
37682 @@ -23,6 +23,7 @@
37683 #include <linux/string.h>
37684 #include <linux/kobject.h>
37685 #include <linux/uio_driver.h>
37686 +#include <asm/local.h>
37687
37688 #define UIO_MAX_DEVICES 255
37689
37690 @@ -30,10 +31,10 @@ struct uio_device {
37691 struct module *owner;
37692 struct device *dev;
37693 int minor;
37694 - atomic_t event;
37695 + atomic_unchecked_t event;
37696 struct fasync_struct *async_queue;
37697 wait_queue_head_t wait;
37698 - int vma_count;
37699 + local_t vma_count;
37700 struct uio_info *info;
37701 struct kobject *map_dir;
37702 struct kobject *portio_dir;
37703 @@ -129,7 +130,7 @@ static ssize_t map_type_show(struct kobj
37704 return entry->show(mem, buf);
37705 }
37706
37707 -static struct sysfs_ops map_sysfs_ops = {
37708 +static const struct sysfs_ops map_sysfs_ops = {
37709 .show = map_type_show,
37710 };
37711
37712 @@ -217,7 +218,7 @@ static ssize_t portio_type_show(struct k
37713 return entry->show(port, buf);
37714 }
37715
37716 -static struct sysfs_ops portio_sysfs_ops = {
37717 +static const struct sysfs_ops portio_sysfs_ops = {
37718 .show = portio_type_show,
37719 };
37720
37721 @@ -255,7 +256,7 @@ static ssize_t show_event(struct device
37722 struct uio_device *idev = dev_get_drvdata(dev);
37723 if (idev)
37724 return sprintf(buf, "%u\n",
37725 - (unsigned int)atomic_read(&idev->event));
37726 + (unsigned int)atomic_read_unchecked(&idev->event));
37727 else
37728 return -ENODEV;
37729 }
37730 @@ -424,7 +425,7 @@ void uio_event_notify(struct uio_info *i
37731 {
37732 struct uio_device *idev = info->uio_dev;
37733
37734 - atomic_inc(&idev->event);
37735 + atomic_inc_unchecked(&idev->event);
37736 wake_up_interruptible(&idev->wait);
37737 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
37738 }
37739 @@ -477,7 +478,7 @@ static int uio_open(struct inode *inode,
37740 }
37741
37742 listener->dev = idev;
37743 - listener->event_count = atomic_read(&idev->event);
37744 + listener->event_count = atomic_read_unchecked(&idev->event);
37745 filep->private_data = listener;
37746
37747 if (idev->info->open) {
37748 @@ -528,7 +529,7 @@ static unsigned int uio_poll(struct file
37749 return -EIO;
37750
37751 poll_wait(filep, &idev->wait, wait);
37752 - if (listener->event_count != atomic_read(&idev->event))
37753 + if (listener->event_count != atomic_read_unchecked(&idev->event))
37754 return POLLIN | POLLRDNORM;
37755 return 0;
37756 }
37757 @@ -553,7 +554,7 @@ static ssize_t uio_read(struct file *fil
37758 do {
37759 set_current_state(TASK_INTERRUPTIBLE);
37760
37761 - event_count = atomic_read(&idev->event);
37762 + event_count = atomic_read_unchecked(&idev->event);
37763 if (event_count != listener->event_count) {
37764 if (copy_to_user(buf, &event_count, count))
37765 retval = -EFAULT;
37766 @@ -624,13 +625,13 @@ static int uio_find_mem_index(struct vm_
37767 static void uio_vma_open(struct vm_area_struct *vma)
37768 {
37769 struct uio_device *idev = vma->vm_private_data;
37770 - idev->vma_count++;
37771 + local_inc(&idev->vma_count);
37772 }
37773
37774 static void uio_vma_close(struct vm_area_struct *vma)
37775 {
37776 struct uio_device *idev = vma->vm_private_data;
37777 - idev->vma_count--;
37778 + local_dec(&idev->vma_count);
37779 }
37780
37781 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
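Review bot: `local_inc(&idev->vma_count)` and `local_dec(&idev->vma_count)` are atomic only with respect to the CPU they run on, and `vma_count` is a per-device field rather than a per-CPU one. If `uio_vma_open` and `uio_vma_close` can run on different CPUs for the same `idev` (not determinable from this hunk), the counter can still lose updates as the plain `int` could. If the goal is a counter that is safe across CPUs, the field declared in the `struct uio_device` hunk should be `atomic_t vma_count;`, updated with `atomic_inc(&idev->vma_count);` and `atomic_dec(&idev->vma_count);`. If the goal is only overflow detection on the increment, a comment on the field should say so.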
37782 @@ -840,7 +841,7 @@ int __uio_register_device(struct module
37783 idev->owner = owner;
37784 idev->info = info;
37785 init_waitqueue_head(&idev->wait);
37786 - atomic_set(&idev->event, 0);
37787 + atomic_set_unchecked(&idev->event, 0);
37788
37789 ret = uio_get_minor(idev);
37790 if (ret)
37791 diff -urNp linux-2.6.32.46/drivers/usb/atm/usbatm.c linux-2.6.32.46/drivers/usb/atm/usbatm.c
37792 --- linux-2.6.32.46/drivers/usb/atm/usbatm.c 2011-03-27 14:31:47.000000000 -0400
37793 +++ linux-2.6.32.46/drivers/usb/atm/usbatm.c 2011-04-17 15:56:46.000000000 -0400
37794 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
37795 if (printk_ratelimit())
37796 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
37797 __func__, vpi, vci);
37798 - atomic_inc(&vcc->stats->rx_err);
37799 + atomic_inc_unchecked(&vcc->stats->rx_err);
37800 return;
37801 }
37802
37803 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
37804 if (length > ATM_MAX_AAL5_PDU) {
37805 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
37806 __func__, length, vcc);
37807 - atomic_inc(&vcc->stats->rx_err);
37808 + atomic_inc_unchecked(&vcc->stats->rx_err);
37809 goto out;
37810 }
37811
37812 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
37813 if (sarb->len < pdu_length) {
37814 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
37815 __func__, pdu_length, sarb->len, vcc);
37816 - atomic_inc(&vcc->stats->rx_err);
37817 + atomic_inc_unchecked(&vcc->stats->rx_err);
37818 goto out;
37819 }
37820
37821 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
37822 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
37823 __func__, vcc);
37824 - atomic_inc(&vcc->stats->rx_err);
37825 + atomic_inc_unchecked(&vcc->stats->rx_err);
37826 goto out;
37827 }
37828
37829 @@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
37830 if (printk_ratelimit())
37831 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
37832 __func__, length);
37833 - atomic_inc(&vcc->stats->rx_drop);
37834 + atomic_inc_unchecked(&vcc->stats->rx_drop);
37835 goto out;
37836 }
37837
37838 @@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
37839
37840 vcc->push(vcc, skb);
37841
37842 - atomic_inc(&vcc->stats->rx);
37843 + atomic_inc_unchecked(&vcc->stats->rx);
37844 out:
37845 skb_trim(sarb, 0);
37846 }
37847 @@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
37848 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
37849
37850 usbatm_pop(vcc, skb);
37851 - atomic_inc(&vcc->stats->tx);
37852 + atomic_inc_unchecked(&vcc->stats->tx);
37853
37854 skb = skb_dequeue(&instance->sndqueue);
37855 }
37856 @@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
37857 if (!left--)
37858 return sprintf(page,
37859 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
37860 - atomic_read(&atm_dev->stats.aal5.tx),
37861 - atomic_read(&atm_dev->stats.aal5.tx_err),
37862 - atomic_read(&atm_dev->stats.aal5.rx),
37863 - atomic_read(&atm_dev->stats.aal5.rx_err),
37864 - atomic_read(&atm_dev->stats.aal5.rx_drop));
37865 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
37866 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
37867 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
37868 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
37869 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
37870
37871 if (!left--) {
37872 if (instance->disconnected)
37873 diff -urNp linux-2.6.32.46/drivers/usb/class/cdc-wdm.c linux-2.6.32.46/drivers/usb/class/cdc-wdm.c
37874 --- linux-2.6.32.46/drivers/usb/class/cdc-wdm.c 2011-03-27 14:31:47.000000000 -0400
37875 +++ linux-2.6.32.46/drivers/usb/class/cdc-wdm.c 2011-04-17 15:56:46.000000000 -0400
37876 @@ -314,7 +314,7 @@ static ssize_t wdm_write
37877 if (r < 0)
37878 goto outnp;
37879
37880 - if (!file->f_flags && O_NONBLOCK)
37881 + if (!(file->f_flags & O_NONBLOCK))
37882 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
37883 &desc->flags));
37884 else
37885 diff -urNp linux-2.6.32.46/drivers/usb/core/hcd.c linux-2.6.32.46/drivers/usb/core/hcd.c
37886 --- linux-2.6.32.46/drivers/usb/core/hcd.c 2011-03-27 14:31:47.000000000 -0400
37887 +++ linux-2.6.32.46/drivers/usb/core/hcd.c 2011-04-17 15:56:46.000000000 -0400
37888 @@ -2216,7 +2216,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
37889
37890 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
37891
37892 -struct usb_mon_operations *mon_ops;
37893 +const struct usb_mon_operations *mon_ops;
37894
37895 /*
37896 * The registration is unlocked.
37897 @@ -2226,7 +2226,7 @@ struct usb_mon_operations *mon_ops;
37898 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
37899 */
37900
37901 -int usb_mon_register (struct usb_mon_operations *ops)
37902 +int usb_mon_register (const struct usb_mon_operations *ops)
37903 {
37904
37905 if (mon_ops)
37906 diff -urNp linux-2.6.32.46/drivers/usb/core/hcd.h linux-2.6.32.46/drivers/usb/core/hcd.h
37907 --- linux-2.6.32.46/drivers/usb/core/hcd.h 2011-03-27 14:31:47.000000000 -0400
37908 +++ linux-2.6.32.46/drivers/usb/core/hcd.h 2011-04-17 15:56:46.000000000 -0400
37909 @@ -486,13 +486,13 @@ static inline void usbfs_cleanup(void) {
37910 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
37911
37912 struct usb_mon_operations {
37913 - void (*urb_submit)(struct usb_bus *bus, struct urb *urb);
37914 - void (*urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
37915 - void (*urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
37916 + void (* const urb_submit)(struct usb_bus *bus, struct urb *urb);
37917 + void (* const urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
37918 + void (* const urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
37919 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
37920 };
37921
37922 -extern struct usb_mon_operations *mon_ops;
37923 +extern const struct usb_mon_operations *mon_ops;
37924
37925 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
37926 {
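Review bot: `extern const struct usb_mon_operations *mon_ops;` const-qualifies the table the pointer refers to, not the pointer, which remains a writable global. It presumably has to stay assignable for `usb_mon_register()` and `usb_mon_deregister()`. A comment above the declaration would keep readers from assuming the whole dispatch path is read-only, for example `/* points to a read-only ops table; the pointer itself is set at (de)registration */`. The `(* const ...)` member qualifiers also mean every instance must be fully initialised at its definition. That constraint is worth one line in the struct comment, since it applies to any future user of `struct usb_mon_operations`.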
37927 @@ -514,7 +514,7 @@ static inline void usbmon_urb_complete(s
37928 (*mon_ops->urb_complete)(bus, urb, status);
37929 }
37930
37931 -int usb_mon_register(struct usb_mon_operations *ops);
37932 +int usb_mon_register(const struct usb_mon_operations *ops);
37933 void usb_mon_deregister(void);
37934
37935 #else
37936 diff -urNp linux-2.6.32.46/drivers/usb/core/message.c linux-2.6.32.46/drivers/usb/core/message.c
37937 --- linux-2.6.32.46/drivers/usb/core/message.c 2011-03-27 14:31:47.000000000 -0400
37938 +++ linux-2.6.32.46/drivers/usb/core/message.c 2011-04-17 15:56:46.000000000 -0400
37939 @@ -914,8 +914,8 @@ char *usb_cache_string(struct usb_device
37940 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
37941 if (buf) {
37942 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
37943 - if (len > 0) {
37944 - smallbuf = kmalloc(++len, GFP_NOIO);
37945 + if (len++ > 0) {
37946 + smallbuf = kmalloc(len, GFP_NOIO);
37947 if (!smallbuf)
37948 return buf;
37949 memcpy(smallbuf, buf, len);
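Review bot: The post-increment inside the test, `if (len++ > 0)`, now modifies `len` on the failure path as well and hides the extra byte (presumably for the terminating NUL) in a condition. Moving the side effect out of the `kmalloc()` argument is reasonable, but it reads more clearly as its own statement: keep `if (len > 0) {` and put `len++;` on the line before `smallbuf = kmalloc(len, GFP_NOIO);`. That leaves `len` untouched when `usb_string()` returns an error or zero, in case it is ever used after the block. `usb_cache_string` starts and ends outside the hunk.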
37950 diff -urNp linux-2.6.32.46/drivers/usb/misc/appledisplay.c linux-2.6.32.46/drivers/usb/misc/appledisplay.c
37951 --- linux-2.6.32.46/drivers/usb/misc/appledisplay.c 2011-03-27 14:31:47.000000000 -0400
37952 +++ linux-2.6.32.46/drivers/usb/misc/appledisplay.c 2011-04-17 15:56:46.000000000 -0400
37953 @@ -178,7 +178,7 @@ static int appledisplay_bl_get_brightnes
37954 return pdata->msgdata[1];
37955 }
37956
37957 -static struct backlight_ops appledisplay_bl_data = {
37958 +static const struct backlight_ops appledisplay_bl_data = {
37959 .get_brightness = appledisplay_bl_get_brightness,
37960 .update_status = appledisplay_bl_update_status,
37961 };
37962 diff -urNp linux-2.6.32.46/drivers/usb/mon/mon_main.c linux-2.6.32.46/drivers/usb/mon/mon_main.c
37963 --- linux-2.6.32.46/drivers/usb/mon/mon_main.c 2011-03-27 14:31:47.000000000 -0400
37964 +++ linux-2.6.32.46/drivers/usb/mon/mon_main.c 2011-04-17 15:56:46.000000000 -0400
37965 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
37966 /*
37967 * Ops
37968 */
37969 -static struct usb_mon_operations mon_ops_0 = {
37970 +static const struct usb_mon_operations mon_ops_0 = {
37971 .urb_submit = mon_submit,
37972 .urb_submit_error = mon_submit_error,
37973 .urb_complete = mon_complete,
37974 diff -urNp linux-2.6.32.46/drivers/usb/wusbcore/wa-hc.h linux-2.6.32.46/drivers/usb/wusbcore/wa-hc.h
37975 --- linux-2.6.32.46/drivers/usb/wusbcore/wa-hc.h 2011-03-27 14:31:47.000000000 -0400
37976 +++ linux-2.6.32.46/drivers/usb/wusbcore/wa-hc.h 2011-05-04 17:56:28.000000000 -0400
37977 @@ -192,7 +192,7 @@ struct wahc {
37978 struct list_head xfer_delayed_list;
37979 spinlock_t xfer_list_lock;
37980 struct work_struct xfer_work;
37981 - atomic_t xfer_id_count;
37982 + atomic_unchecked_t xfer_id_count;
37983 };
37984
37985
37986 @@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
37987 INIT_LIST_HEAD(&wa->xfer_delayed_list);
37988 spin_lock_init(&wa->xfer_list_lock);
37989 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
37990 - atomic_set(&wa->xfer_id_count, 1);
37991 + atomic_set_unchecked(&wa->xfer_id_count, 1);
37992 }
37993
37994 /**
37995 diff -urNp linux-2.6.32.46/drivers/usb/wusbcore/wa-xfer.c linux-2.6.32.46/drivers/usb/wusbcore/wa-xfer.c
37996 --- linux-2.6.32.46/drivers/usb/wusbcore/wa-xfer.c 2011-03-27 14:31:47.000000000 -0400
37997 +++ linux-2.6.32.46/drivers/usb/wusbcore/wa-xfer.c 2011-05-04 17:56:28.000000000 -0400
37998 @@ -293,7 +293,7 @@ out:
37999 */
38000 static void wa_xfer_id_init(struct wa_xfer *xfer)
38001 {
38002 - xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
38003 + xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
38004 }
38005
38006 /*
38007 diff -urNp linux-2.6.32.46/drivers/uwb/wlp/messages.c linux-2.6.32.46/drivers/uwb/wlp/messages.c
38008 --- linux-2.6.32.46/drivers/uwb/wlp/messages.c 2011-03-27 14:31:47.000000000 -0400
38009 +++ linux-2.6.32.46/drivers/uwb/wlp/messages.c 2011-04-17 15:56:46.000000000 -0400
38010 @@ -903,7 +903,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
38011 size_t len = skb->len;
38012 size_t used;
38013 ssize_t result;
38014 - struct wlp_nonce enonce, rnonce;
38015 + struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
38016 enum wlp_assc_error assc_err;
38017 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
38018 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
38019 diff -urNp linux-2.6.32.46/drivers/uwb/wlp/sysfs.c linux-2.6.32.46/drivers/uwb/wlp/sysfs.c
38020 --- linux-2.6.32.46/drivers/uwb/wlp/sysfs.c 2011-03-27 14:31:47.000000000 -0400
38021 +++ linux-2.6.32.46/drivers/uwb/wlp/sysfs.c 2011-04-17 15:56:46.000000000 -0400
38022 @@ -615,8 +615,7 @@ ssize_t wlp_wss_attr_store(struct kobjec
38023 return ret;
38024 }
38025
38026 -static
38027 -struct sysfs_ops wss_sysfs_ops = {
38028 +static const struct sysfs_ops wss_sysfs_ops = {
38029 .show = wlp_wss_attr_show,
38030 .store = wlp_wss_attr_store,
38031 };
38032 diff -urNp linux-2.6.32.46/drivers/video/atmel_lcdfb.c linux-2.6.32.46/drivers/video/atmel_lcdfb.c
38033 --- linux-2.6.32.46/drivers/video/atmel_lcdfb.c 2011-03-27 14:31:47.000000000 -0400
38034 +++ linux-2.6.32.46/drivers/video/atmel_lcdfb.c 2011-04-17 15:56:46.000000000 -0400
38035 @@ -110,7 +110,7 @@ static int atmel_bl_get_brightness(struc
38036 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
38037 }
38038
38039 -static struct backlight_ops atmel_lcdc_bl_ops = {
38040 +static const struct backlight_ops atmel_lcdc_bl_ops = {
38041 .update_status = atmel_bl_update_status,
38042 .get_brightness = atmel_bl_get_brightness,
38043 };
38044 diff -urNp linux-2.6.32.46/drivers/video/aty/aty128fb.c linux-2.6.32.46/drivers/video/aty/aty128fb.c
38045 --- linux-2.6.32.46/drivers/video/aty/aty128fb.c 2011-03-27 14:31:47.000000000 -0400
38046 +++ linux-2.6.32.46/drivers/video/aty/aty128fb.c 2011-04-17 15:56:46.000000000 -0400
38047 @@ -1787,7 +1787,7 @@ static int aty128_bl_get_brightness(stru
38048 return bd->props.brightness;
38049 }
38050
38051 -static struct backlight_ops aty128_bl_data = {
38052 +static const struct backlight_ops aty128_bl_data = {
38053 .get_brightness = aty128_bl_get_brightness,
38054 .update_status = aty128_bl_update_status,
38055 };
38056 diff -urNp linux-2.6.32.46/drivers/video/aty/atyfb_base.c linux-2.6.32.46/drivers/video/aty/atyfb_base.c
38057 --- linux-2.6.32.46/drivers/video/aty/atyfb_base.c 2011-03-27 14:31:47.000000000 -0400
38058 +++ linux-2.6.32.46/drivers/video/aty/atyfb_base.c 2011-04-17 15:56:46.000000000 -0400
38059 @@ -2225,7 +2225,7 @@ static int aty_bl_get_brightness(struct
38060 return bd->props.brightness;
38061 }
38062
38063 -static struct backlight_ops aty_bl_data = {
38064 +static const struct backlight_ops aty_bl_data = {
38065 .get_brightness = aty_bl_get_brightness,
38066 .update_status = aty_bl_update_status,
38067 };
38068 diff -urNp linux-2.6.32.46/drivers/video/aty/radeon_backlight.c linux-2.6.32.46/drivers/video/aty/radeon_backlight.c
38069 --- linux-2.6.32.46/drivers/video/aty/radeon_backlight.c 2011-03-27 14:31:47.000000000 -0400
38070 +++ linux-2.6.32.46/drivers/video/aty/radeon_backlight.c 2011-04-17 15:56:46.000000000 -0400
38071 @@ -127,7 +127,7 @@ static int radeon_bl_get_brightness(stru
38072 return bd->props.brightness;
38073 }
38074
38075 -static struct backlight_ops radeon_bl_data = {
38076 +static const struct backlight_ops radeon_bl_data = {
38077 .get_brightness = radeon_bl_get_brightness,
38078 .update_status = radeon_bl_update_status,
38079 };
38080 diff -urNp linux-2.6.32.46/drivers/video/backlight/adp5520_bl.c linux-2.6.32.46/drivers/video/backlight/adp5520_bl.c
38081 --- linux-2.6.32.46/drivers/video/backlight/adp5520_bl.c 2011-03-27 14:31:47.000000000 -0400
38082 +++ linux-2.6.32.46/drivers/video/backlight/adp5520_bl.c 2011-04-17 15:56:46.000000000 -0400
38083 @@ -84,7 +84,7 @@ static int adp5520_bl_get_brightness(str
38084 return error ? data->current_brightness : reg_val;
38085 }
38086
38087 -static struct backlight_ops adp5520_bl_ops = {
38088 +static const struct backlight_ops adp5520_bl_ops = {
38089 .update_status = adp5520_bl_update_status,
38090 .get_brightness = adp5520_bl_get_brightness,
38091 };
38092 diff -urNp linux-2.6.32.46/drivers/video/backlight/adx_bl.c linux-2.6.32.46/drivers/video/backlight/adx_bl.c
38093 --- linux-2.6.32.46/drivers/video/backlight/adx_bl.c 2011-03-27 14:31:47.000000000 -0400
38094 +++ linux-2.6.32.46/drivers/video/backlight/adx_bl.c 2011-04-17 15:56:46.000000000 -0400
38095 @@ -61,7 +61,7 @@ static int adx_backlight_check_fb(struct
38096 return 1;
38097 }
38098
38099 -static struct backlight_ops adx_backlight_ops = {
38100 +static const struct backlight_ops adx_backlight_ops = {
38101 .options = 0,
38102 .update_status = adx_backlight_update_status,
38103 .get_brightness = adx_backlight_get_brightness,
38104 diff -urNp linux-2.6.32.46/drivers/video/backlight/atmel-pwm-bl.c linux-2.6.32.46/drivers/video/backlight/atmel-pwm-bl.c
38105 --- linux-2.6.32.46/drivers/video/backlight/atmel-pwm-bl.c 2011-03-27 14:31:47.000000000 -0400
38106 +++ linux-2.6.32.46/drivers/video/backlight/atmel-pwm-bl.c 2011-04-17 15:56:46.000000000 -0400
38107 @@ -113,7 +113,7 @@ static int atmel_pwm_bl_init_pwm(struct
38108 return pwm_channel_enable(&pwmbl->pwmc);
38109 }
38110
38111 -static struct backlight_ops atmel_pwm_bl_ops = {
38112 +static const struct backlight_ops atmel_pwm_bl_ops = {
38113 .get_brightness = atmel_pwm_bl_get_intensity,
38114 .update_status = atmel_pwm_bl_set_intensity,
38115 };
38116 diff -urNp linux-2.6.32.46/drivers/video/backlight/backlight.c linux-2.6.32.46/drivers/video/backlight/backlight.c
38117 --- linux-2.6.32.46/drivers/video/backlight/backlight.c 2011-03-27 14:31:47.000000000 -0400
38118 +++ linux-2.6.32.46/drivers/video/backlight/backlight.c 2011-04-17 15:56:46.000000000 -0400
38119 @@ -269,7 +269,7 @@ EXPORT_SYMBOL(backlight_force_update);
38120 * ERR_PTR() or a pointer to the newly allocated device.
38121 */
38122 struct backlight_device *backlight_device_register(const char *name,
38123 - struct device *parent, void *devdata, struct backlight_ops *ops)
38124 + struct device *parent, void *devdata, const struct backlight_ops *ops)
38125 {
38126 struct backlight_device *new_bd;
38127 int rc;
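Review bot: The `const struct backlight_ops *ops` parameter of `backlight_device_register` is only sound if the prototype in the header and the field the pointer is stored into are const-qualified too, and neither is visible in this hunk. If the device structure still holds a plain `struct backlight_ops *`, the assignment inside the function drops the qualifier, and the ops tables made const elsewhere in this patch could still be written through that pointer. It is worth confirming that the stored field is declared as `const struct backlight_ops *ops;`. The function body continues outside the hunk.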
38128 diff -urNp linux-2.6.32.46/drivers/video/backlight/corgi_lcd.c linux-2.6.32.46/drivers/video/backlight/corgi_lcd.c
38129 --- linux-2.6.32.46/drivers/video/backlight/corgi_lcd.c 2011-03-27 14:31:47.000000000 -0400
38130 +++ linux-2.6.32.46/drivers/video/backlight/corgi_lcd.c 2011-04-17 15:56:46.000000000 -0400
38131 @@ -451,7 +451,7 @@ void corgi_lcd_limit_intensity(int limit
38132 }
38133 EXPORT_SYMBOL(corgi_lcd_limit_intensity);
38134
38135 -static struct backlight_ops corgi_bl_ops = {
38136 +static const struct backlight_ops corgi_bl_ops = {
38137 .get_brightness = corgi_bl_get_intensity,
38138 .update_status = corgi_bl_update_status,
38139 };
38140 diff -urNp linux-2.6.32.46/drivers/video/backlight/cr_bllcd.c linux-2.6.32.46/drivers/video/backlight/cr_bllcd.c
38141 --- linux-2.6.32.46/drivers/video/backlight/cr_bllcd.c 2011-03-27 14:31:47.000000000 -0400
38142 +++ linux-2.6.32.46/drivers/video/backlight/cr_bllcd.c 2011-04-17 15:56:46.000000000 -0400
38143 @@ -108,7 +108,7 @@ static int cr_backlight_get_intensity(st
38144 return intensity;
38145 }
38146
38147 -static struct backlight_ops cr_backlight_ops = {
38148 +static const struct backlight_ops cr_backlight_ops = {
38149 .get_brightness = cr_backlight_get_intensity,
38150 .update_status = cr_backlight_set_intensity,
38151 };
38152 diff -urNp linux-2.6.32.46/drivers/video/backlight/da903x_bl.c linux-2.6.32.46/drivers/video/backlight/da903x_bl.c
38153 --- linux-2.6.32.46/drivers/video/backlight/da903x_bl.c 2011-03-27 14:31:47.000000000 -0400
38154 +++ linux-2.6.32.46/drivers/video/backlight/da903x_bl.c 2011-04-17 15:56:46.000000000 -0400
38155 @@ -94,7 +94,7 @@ static int da903x_backlight_get_brightne
38156 return data->current_brightness;
38157 }
38158
38159 -static struct backlight_ops da903x_backlight_ops = {
38160 +static const struct backlight_ops da903x_backlight_ops = {
38161 .update_status = da903x_backlight_update_status,
38162 .get_brightness = da903x_backlight_get_brightness,
38163 };
38164 diff -urNp linux-2.6.32.46/drivers/video/backlight/generic_bl.c linux-2.6.32.46/drivers/video/backlight/generic_bl.c
38165 --- linux-2.6.32.46/drivers/video/backlight/generic_bl.c 2011-03-27 14:31:47.000000000 -0400
38166 +++ linux-2.6.32.46/drivers/video/backlight/generic_bl.c 2011-04-17 15:56:46.000000000 -0400
38167 @@ -70,7 +70,7 @@ void corgibl_limit_intensity(int limit)
38168 }
38169 EXPORT_SYMBOL(corgibl_limit_intensity);
38170
38171 -static struct backlight_ops genericbl_ops = {
38172 +static const struct backlight_ops genericbl_ops = {
38173 .options = BL_CORE_SUSPENDRESUME,
38174 .get_brightness = genericbl_get_intensity,
38175 .update_status = genericbl_send_intensity,
38176 diff -urNp linux-2.6.32.46/drivers/video/backlight/hp680_bl.c linux-2.6.32.46/drivers/video/backlight/hp680_bl.c
38177 --- linux-2.6.32.46/drivers/video/backlight/hp680_bl.c 2011-03-27 14:31:47.000000000 -0400
38178 +++ linux-2.6.32.46/drivers/video/backlight/hp680_bl.c 2011-04-17 15:56:46.000000000 -0400
38179 @@ -98,7 +98,7 @@ static int hp680bl_get_intensity(struct
38180 return current_intensity;
38181 }
38182
38183 -static struct backlight_ops hp680bl_ops = {
38184 +static const struct backlight_ops hp680bl_ops = {
38185 .get_brightness = hp680bl_get_intensity,
38186 .update_status = hp680bl_set_intensity,
38187 };
38188 diff -urNp linux-2.6.32.46/drivers/video/backlight/jornada720_bl.c linux-2.6.32.46/drivers/video/backlight/jornada720_bl.c
38189 --- linux-2.6.32.46/drivers/video/backlight/jornada720_bl.c 2011-03-27 14:31:47.000000000 -0400
38190 +++ linux-2.6.32.46/drivers/video/backlight/jornada720_bl.c 2011-04-17 15:56:46.000000000 -0400
38191 @@ -93,7 +93,7 @@ out:
38192 return ret;
38193 }
38194
38195 -static struct backlight_ops jornada_bl_ops = {
38196 +static const struct backlight_ops jornada_bl_ops = {
38197 .get_brightness = jornada_bl_get_brightness,
38198 .update_status = jornada_bl_update_status,
38199 .options = BL_CORE_SUSPENDRESUME,
38200 diff -urNp linux-2.6.32.46/drivers/video/backlight/kb3886_bl.c linux-2.6.32.46/drivers/video/backlight/kb3886_bl.c
38201 --- linux-2.6.32.46/drivers/video/backlight/kb3886_bl.c 2011-03-27 14:31:47.000000000 -0400
38202 +++ linux-2.6.32.46/drivers/video/backlight/kb3886_bl.c 2011-04-17 15:56:46.000000000 -0400
38203 @@ -134,7 +134,7 @@ static int kb3886bl_get_intensity(struct
38204 return kb3886bl_intensity;
38205 }
38206
38207 -static struct backlight_ops kb3886bl_ops = {
38208 +static const struct backlight_ops kb3886bl_ops = {
38209 .get_brightness = kb3886bl_get_intensity,
38210 .update_status = kb3886bl_send_intensity,
38211 };
38212 diff -urNp linux-2.6.32.46/drivers/video/backlight/locomolcd.c linux-2.6.32.46/drivers/video/backlight/locomolcd.c
38213 --- linux-2.6.32.46/drivers/video/backlight/locomolcd.c 2011-03-27 14:31:47.000000000 -0400
38214 +++ linux-2.6.32.46/drivers/video/backlight/locomolcd.c 2011-04-17 15:56:46.000000000 -0400
38215 @@ -141,7 +141,7 @@ static int locomolcd_get_intensity(struc
38216 return current_intensity;
38217 }
38218
38219 -static struct backlight_ops locomobl_data = {
38220 +static const struct backlight_ops locomobl_data = {
38221 .get_brightness = locomolcd_get_intensity,
38222 .update_status = locomolcd_set_intensity,
38223 };
38224 diff -urNp linux-2.6.32.46/drivers/video/backlight/mbp_nvidia_bl.c linux-2.6.32.46/drivers/video/backlight/mbp_nvidia_bl.c
38225 --- linux-2.6.32.46/drivers/video/backlight/mbp_nvidia_bl.c 2011-05-10 22:12:01.000000000 -0400
38226 +++ linux-2.6.32.46/drivers/video/backlight/mbp_nvidia_bl.c 2011-05-10 22:12:33.000000000 -0400
38227 @@ -33,7 +33,7 @@ struct dmi_match_data {
38228 unsigned long iostart;
38229 unsigned long iolen;
38230 /* Backlight operations structure. */
38231 - struct backlight_ops backlight_ops;
38232 + const struct backlight_ops backlight_ops;
38233 };
38234
38235 /* Module parameters. */
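Review bot: Qualifying the `backlight_ops` member inside `struct dmi_match_data` protects only that member, and only to the extent that the enclosing objects end up in read-only storage. A const member also makes the whole struct non-assignable, which may surprise later code. The instances are not visible here; if they are static tables, declaring each one `static const struct dmi_match_data` would cover `iostart` and `iolen` as well and keep the member declaration plain. If the member qualifier stays, a short comment such as `/* const: function-pointer table must not be rewritten at run time */` would record the intent.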
38236 diff -urNp linux-2.6.32.46/drivers/video/backlight/omap1_bl.c linux-2.6.32.46/drivers/video/backlight/omap1_bl.c
38237 --- linux-2.6.32.46/drivers/video/backlight/omap1_bl.c 2011-03-27 14:31:47.000000000 -0400
38238 +++ linux-2.6.32.46/drivers/video/backlight/omap1_bl.c 2011-04-17 15:56:46.000000000 -0400
38239 @@ -125,7 +125,7 @@ static int omapbl_get_intensity(struct b
38240 return bl->current_intensity;
38241 }
38242
38243 -static struct backlight_ops omapbl_ops = {
38244 +static const struct backlight_ops omapbl_ops = {
38245 .get_brightness = omapbl_get_intensity,
38246 .update_status = omapbl_update_status,
38247 };
38248 diff -urNp linux-2.6.32.46/drivers/video/backlight/progear_bl.c linux-2.6.32.46/drivers/video/backlight/progear_bl.c
38249 --- linux-2.6.32.46/drivers/video/backlight/progear_bl.c 2011-03-27 14:31:47.000000000 -0400
38250 +++ linux-2.6.32.46/drivers/video/backlight/progear_bl.c 2011-04-17 15:56:46.000000000 -0400
38251 @@ -54,7 +54,7 @@ static int progearbl_get_intensity(struc
38252 return intensity - HW_LEVEL_MIN;
38253 }
38254
38255 -static struct backlight_ops progearbl_ops = {
38256 +static const struct backlight_ops progearbl_ops = {
38257 .get_brightness = progearbl_get_intensity,
38258 .update_status = progearbl_set_intensity,
38259 };
38260 diff -urNp linux-2.6.32.46/drivers/video/backlight/pwm_bl.c linux-2.6.32.46/drivers/video/backlight/pwm_bl.c
38261 --- linux-2.6.32.46/drivers/video/backlight/pwm_bl.c 2011-03-27 14:31:47.000000000 -0400
38262 +++ linux-2.6.32.46/drivers/video/backlight/pwm_bl.c 2011-04-17 15:56:46.000000000 -0400
38263 @@ -56,7 +56,7 @@ static int pwm_backlight_get_brightness(
38264 return bl->props.brightness;
38265 }
38266
38267 -static struct backlight_ops pwm_backlight_ops = {
38268 +static const struct backlight_ops pwm_backlight_ops = {
38269 .update_status = pwm_backlight_update_status,
38270 .get_brightness = pwm_backlight_get_brightness,
38271 };
38272 diff -urNp linux-2.6.32.46/drivers/video/backlight/tosa_bl.c linux-2.6.32.46/drivers/video/backlight/tosa_bl.c
38273 --- linux-2.6.32.46/drivers/video/backlight/tosa_bl.c 2011-03-27 14:31:47.000000000 -0400
38274 +++ linux-2.6.32.46/drivers/video/backlight/tosa_bl.c 2011-04-17 15:56:46.000000000 -0400
38275 @@ -72,7 +72,7 @@ static int tosa_bl_get_brightness(struct
38276 return props->brightness;
38277 }
38278
38279 -static struct backlight_ops bl_ops = {
38280 +static const struct backlight_ops bl_ops = {
38281 .get_brightness = tosa_bl_get_brightness,
38282 .update_status = tosa_bl_update_status,
38283 };
38284 diff -urNp linux-2.6.32.46/drivers/video/backlight/wm831x_bl.c linux-2.6.32.46/drivers/video/backlight/wm831x_bl.c
38285 --- linux-2.6.32.46/drivers/video/backlight/wm831x_bl.c 2011-03-27 14:31:47.000000000 -0400
38286 +++ linux-2.6.32.46/drivers/video/backlight/wm831x_bl.c 2011-04-17 15:56:46.000000000 -0400
38287 @@ -112,7 +112,7 @@ static int wm831x_backlight_get_brightne
38288 return data->current_brightness;
38289 }
38290
38291 -static struct backlight_ops wm831x_backlight_ops = {
38292 +static const struct backlight_ops wm831x_backlight_ops = {
38293 .options = BL_CORE_SUSPENDRESUME,
38294 .update_status = wm831x_backlight_update_status,
38295 .get_brightness = wm831x_backlight_get_brightness,
38296 diff -urNp linux-2.6.32.46/drivers/video/bf54x-lq043fb.c linux-2.6.32.46/drivers/video/bf54x-lq043fb.c
38297 --- linux-2.6.32.46/drivers/video/bf54x-lq043fb.c 2011-03-27 14:31:47.000000000 -0400
38298 +++ linux-2.6.32.46/drivers/video/bf54x-lq043fb.c 2011-04-17 15:56:46.000000000 -0400
38299 @@ -463,7 +463,7 @@ static int bl_get_brightness(struct back
38300 return 0;
38301 }
38302
38303 -static struct backlight_ops bfin_lq043fb_bl_ops = {
38304 +static const struct backlight_ops bfin_lq043fb_bl_ops = {
38305 .get_brightness = bl_get_brightness,
38306 };
38307
38308 diff -urNp linux-2.6.32.46/drivers/video/bfin-t350mcqb-fb.c linux-2.6.32.46/drivers/video/bfin-t350mcqb-fb.c
38309 --- linux-2.6.32.46/drivers/video/bfin-t350mcqb-fb.c 2011-03-27 14:31:47.000000000 -0400
38310 +++ linux-2.6.32.46/drivers/video/bfin-t350mcqb-fb.c 2011-04-17 15:56:46.000000000 -0400
38311 @@ -381,7 +381,7 @@ static int bl_get_brightness(struct back
38312 return 0;
38313 }
38314
38315 -static struct backlight_ops bfin_lq043fb_bl_ops = {
38316 +static const struct backlight_ops bfin_lq043fb_bl_ops = {
38317 .get_brightness = bl_get_brightness,
38318 };
38319
38320 diff -urNp linux-2.6.32.46/drivers/video/fbcmap.c linux-2.6.32.46/drivers/video/fbcmap.c
38321 --- linux-2.6.32.46/drivers/video/fbcmap.c 2011-03-27 14:31:47.000000000 -0400
38322 +++ linux-2.6.32.46/drivers/video/fbcmap.c 2011-04-17 15:56:46.000000000 -0400
38323 @@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
38324 rc = -ENODEV;
38325 goto out;
38326 }
38327 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
38328 - !info->fbops->fb_setcmap)) {
38329 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
38330 rc = -EINVAL;
38331 goto out1;
38332 }
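Review bot: Once the `cmap->start < 0` test is removed, nothing in this hunk bounds `cmap->start`, which arrives in a caller-supplied `fb_cmap_user`. The removal is harmless only if the field is unsigned, which the dropped test suggests but the hunk does not show. I would record that next to the condition, for example `/* cmap->start is unsigned, so no sign check is needed here */`. Whether the start and length range is validated later cannot be seen, because the body of `fb_set_user_cmap` begins and ends outside the hunk.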
38333 diff -urNp linux-2.6.32.46/drivers/video/fbmem.c linux-2.6.32.46/drivers/video/fbmem.c
38334 --- linux-2.6.32.46/drivers/video/fbmem.c 2011-03-27 14:31:47.000000000 -0400
38335 +++ linux-2.6.32.46/drivers/video/fbmem.c 2011-05-16 21:46:57.000000000 -0400
38336 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
38337 image->dx += image->width + 8;
38338 }
38339 } else if (rotate == FB_ROTATE_UD) {
38340 - for (x = 0; x < num && image->dx >= 0; x++) {
38341 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
38342 info->fbops->fb_imageblit(info, image);
38343 image->dx -= image->width + 8;
38344 }
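Review bot: The `(__s32)image->dx >= 0` loop condition carries no comment explaining the cast, and the same applies to `(__s32)image->dy >= 0` in the FB_ROTATE_CCW hunk that follows. Presumably `dx` and `dy` are unsigned, so the old comparison was always true and the loop now ends only when the subtraction wraps and the value reads as negative. A one-line comment above each loop would make that intent explicit, e.g. `/* dx is unsigned: stop once the subtraction below wraps past zero */`. Note that a start offset above the signed 32-bit maximum would now skip the loop entirely; if that is intended it belongs in the comment too. `fb_do_show_logo` starts and ends outside both hunks.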
38345 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
38346 image->dy += image->height + 8;
38347 }
38348 } else if (rotate == FB_ROTATE_CCW) {
38349 - for (x = 0; x < num && image->dy >= 0; x++) {
38350 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
38351 info->fbops->fb_imageblit(info, image);
38352 image->dy -= image->height + 8;
38353 }
38354 @@ -915,6 +915,8 @@ fb_set_var(struct fb_info *info, struct
38355 int flags = info->flags;
38356 int ret = 0;
38357
38358 + pax_track_stack();
38359 +
38360 if (var->activate & FB_ACTIVATE_INV_MODE) {
38361 struct fb_videomode mode1, mode2;
38362
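Review bot: The added `pax_track_stack();` in `fb_set_var` has no comment saying why this function needs it, and the same bare call is added to `do_fb_ioctl` in the next hunk. It is presumably there because of the large on-stack objects, such as the `struct fb_videomode mode1, mode2` pair visible just below. A short note would help future maintainers keep or drop the call correctly, for example `/* large on-stack structs below: let PaX record the stack depth */`. Both function bodies continue outside their hunks.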
38363 @@ -1040,6 +1042,8 @@ static long do_fb_ioctl(struct fb_info *
38364 void __user *argp = (void __user *)arg;
38365 long ret = 0;
38366
38367 + pax_track_stack();
38368 +
38369 switch (cmd) {
38370 case FBIOGET_VSCREENINFO:
38371 if (!lock_fb_info(info))
38372 @@ -1119,7 +1123,7 @@ static long do_fb_ioctl(struct fb_info *
38373 return -EFAULT;
38374 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
38375 return -EINVAL;
38376 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
38377 + if (con2fb.framebuffer >= FB_MAX)
38378 return -EINVAL;
38379 if (!registered_fb[con2fb.framebuffer])
38380 request_module("fb%d", con2fb.framebuffer);
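Review bot: The `request_module("fb%d", con2fb.framebuffer)` call on the context line still formats the index with `%d`, although dropping the `< 0` test implies the field is unsigned. The remaining `>= FB_MAX` test keeps the value small, so this is a type-consistency point rather than a reachable fault. `request_module("fb%u", con2fb.framebuffer);` would match the type. That upper bound is now the only guard on the `registered_fb[con2fb.framebuffer]` index, so it deserves a comment such as `/* framebuffer is unsigned; the upper bound alone guards the registered_fb[] index */`. `do_fb_ioctl` continues outside the hunk.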
38381 diff -urNp linux-2.6.32.46/drivers/video/i810/i810_accel.c linux-2.6.32.46/drivers/video/i810/i810_accel.c
38382 --- linux-2.6.32.46/drivers/video/i810/i810_accel.c 2011-03-27 14:31:47.000000000 -0400
38383 +++ linux-2.6.32.46/drivers/video/i810/i810_accel.c 2011-04-17 15:56:46.000000000 -0400
38384 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
38385 }
38386 }
38387 printk("ringbuffer lockup!!!\n");
38388 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
38389 i810_report_error(mmio);
38390 par->dev_flags |= LOCKUP;
38391 info->pixmap.scan_align = 1;
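Review bot: The added `printk` has no log level, so the lockup diagnostics are emitted at the default level and cannot be filtered; the existing "ringbuffer lockup!!!" line above it has the same gap. Writing it as `printk(KERN_ERR "head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);` would fix that. The declarations of `head`, `tail` and `space` are outside the hunk, so it should also be confirmed that all four arguments are `unsigned int` to match `%u`. `wait_for_space` starts before the hunk.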
38392 diff -urNp linux-2.6.32.46/drivers/video/logo/logo_linux_clut224.ppm linux-2.6.32.46/drivers/video/logo/logo_linux_clut224.ppm
38393 --- linux-2.6.32.46/drivers/video/logo/logo_linux_clut224.ppm 2011-03-27 14:31:47.000000000 -0400
38394 +++ linux-2.6.32.46/drivers/video/logo/logo_linux_clut224.ppm 2011-08-29 23:49:24.000000000 -0400
38395 @@ -1,1604 +1,1123 @@
38396 P3
38397 -# Standard 224-color Linux logo
38398 80 80
38399 255
38400 - 0 0 0 0 0 0 0 0 0 0 0 0
38401 - 0 0 0 0 0 0 0 0 0 0 0 0
38402 - 0 0 0 0 0 0 0 0 0 0 0 0
38403 - 0 0 0 0 0 0 0 0 0 0 0 0
38404 - 0 0 0 0 0 0 0 0 0 0 0 0
38405 - 0 0 0 0 0 0 0 0 0 0 0 0
38406 - 0 0 0 0 0 0 0 0 0 0 0 0
38407 - 0 0 0 0 0 0 0 0 0 0 0 0
38408 - 0 0 0 0 0 0 0 0 0 0 0 0
38409 - 6 6 6 6 6 6 10 10 10 10 10 10
38410 - 10 10 10 6 6 6 6 6 6 6 6 6
38411 - 0 0 0 0 0 0 0 0 0 0 0 0
38412 - 0 0 0 0 0 0 0 0 0 0 0 0
38413 - 0 0 0 0 0 0 0 0 0 0 0 0
38414 - 0 0 0 0 0 0 0 0 0 0 0 0
38415 - 0 0 0 0 0 0 0 0 0 0 0 0
38416 - 0 0 0 0 0 0 0 0 0 0 0 0
38417 - 0 0 0 0 0 0 0 0 0 0 0 0
38418 - 0 0 0 0 0 0 0 0 0 0 0 0
38419 - 0 0 0 0 0 0 0 0 0 0 0 0
38420 - 0 0 0 0 0 0 0 0 0 0 0 0
38421 - 0 0 0 0 0 0 0 0 0 0 0 0
38422 - 0 0 0 0 0 0 0 0 0 0 0 0
38423 - 0 0 0 0 0 0 0 0 0 0 0 0
38424 - 0 0 0 0 0 0 0 0 0 0 0 0
38425 - 0 0 0 0 0 0 0 0 0 0 0 0
38426 - 0 0 0 0 0 0 0 0 0 0 0 0
38427 - 0 0 0 0 0 0 0 0 0 0 0 0
38428 - 0 0 0 6 6 6 10 10 10 14 14 14
38429 - 22 22 22 26 26 26 30 30 30 34 34 34
38430 - 30 30 30 30 30 30 26 26 26 18 18 18
38431 - 14 14 14 10 10 10 6 6 6 0 0 0
38432 - 0 0 0 0 0 0 0 0 0 0 0 0
38433 - 0 0 0 0 0 0 0 0 0 0 0 0
38434 - 0 0 0 0 0 0 0 0 0 0 0 0
38435 - 0 0 0 0 0 0 0 0 0 0 0 0
38436 - 0 0 0 0 0 0 0 0 0 0 0 0
38437 - 0 0 0 0 0 0 0 0 0 0 0 0
38438 - 0 0 0 0 0 0 0 0 0 0 0 0
38439 - 0 0 0 0 0 0 0 0 0 0 0 0
38440 - 0 0 0 0 0 0 0 0 0 0 0 0
38441 - 0 0 0 0 0 1 0 0 1 0 0 0
38442 - 0 0 0 0 0 0 0 0 0 0 0 0
38443 - 0 0 0 0 0 0 0 0 0 0 0 0
38444 - 0 0 0 0 0 0 0 0 0 0 0 0
38445 - 0 0 0 0 0 0 0 0 0 0 0 0
38446 - 0 0 0 0 0 0 0 0 0 0 0 0
38447 - 0 0 0 0 0 0 0 0 0 0 0 0
38448 - 6 6 6 14 14 14 26 26 26 42 42 42
38449 - 54 54 54 66 66 66 78 78 78 78 78 78
38450 - 78 78 78 74 74 74 66 66 66 54 54 54
38451 - 42 42 42 26 26 26 18 18 18 10 10 10
38452 - 6 6 6 0 0 0 0 0 0 0 0 0
38453 - 0 0 0 0 0 0 0 0 0 0 0 0
38454 - 0 0 0 0 0 0 0 0 0 0 0 0
38455 - 0 0 0 0 0 0 0 0 0 0 0 0
38456 - 0 0 0 0 0 0 0 0 0 0 0 0
38457 - 0 0 0 0 0 0 0 0 0 0 0 0
38458 - 0 0 0 0 0 0 0 0 0 0 0 0
38459 - 0 0 0 0 0 0 0 0 0 0 0 0
38460 - 0 0 0 0 0 0 0 0 0 0 0 0
38461 - 0 0 1 0 0 0 0 0 0 0 0 0
38462 - 0 0 0 0 0 0 0 0 0 0 0 0
38463 - 0 0 0 0 0 0 0 0 0 0 0 0
38464 - 0 0 0 0 0 0 0 0 0 0 0 0
38465 - 0 0 0 0 0 0 0 0 0 0 0 0
38466 - 0 0 0 0 0 0 0 0 0 0 0 0
38467 - 0 0 0 0 0 0 0 0 0 10 10 10
38468 - 22 22 22 42 42 42 66 66 66 86 86 86
38469 - 66 66 66 38 38 38 38 38 38 22 22 22
38470 - 26 26 26 34 34 34 54 54 54 66 66 66
38471 - 86 86 86 70 70 70 46 46 46 26 26 26
38472 - 14 14 14 6 6 6 0 0 0 0 0 0
38473 - 0 0 0 0 0 0 0 0 0 0 0 0
38474 - 0 0 0 0 0 0 0 0 0 0 0 0
38475 - 0 0 0 0 0 0 0 0 0 0 0 0
38476 - 0 0 0 0 0 0 0 0 0 0 0 0
38477 - 0 0 0 0 0 0 0 0 0 0 0 0
38478 - 0 0 0 0 0 0 0 0 0 0 0 0
38479 - 0 0 0 0 0 0 0 0 0 0 0 0
38480 - 0 0 0 0 0 0 0 0 0 0 0 0
38481 - 0 0 1 0 0 1 0 0 1 0 0 0
38482 - 0 0 0 0 0 0 0 0 0 0 0 0
38483 - 0 0 0 0 0 0 0 0 0 0 0 0
38484 - 0 0 0 0 0 0 0 0 0 0 0 0
38485 - 0 0 0 0 0 0 0 0 0 0 0 0
38486 - 0 0 0 0 0 0 0 0 0 0 0 0
38487 - 0 0 0 0 0 0 10 10 10 26 26 26
38488 - 50 50 50 82 82 82 58 58 58 6 6 6
38489 - 2 2 6 2 2 6 2 2 6 2 2 6
38490 - 2 2 6 2 2 6 2 2 6 2 2 6
38491 - 6 6 6 54 54 54 86 86 86 66 66 66
38492 - 38 38 38 18 18 18 6 6 6 0 0 0
38493 - 0 0 0 0 0 0 0 0 0 0 0 0
38494 - 0 0 0 0 0 0 0 0 0 0 0 0
38495 - 0 0 0 0 0 0 0 0 0 0 0 0
38496 - 0 0 0 0 0 0 0 0 0 0 0 0
38497 - 0 0 0 0 0 0 0 0 0 0 0 0
38498 - 0 0 0 0 0 0 0 0 0 0 0 0
38499 - 0 0 0 0 0 0 0 0 0 0 0 0
38500 - 0 0 0 0 0 0 0 0 0 0 0 0
38501 - 0 0 0 0 0 0 0 0 0 0 0 0
38502 - 0 0 0 0 0 0 0 0 0 0 0 0
38503 - 0 0 0 0 0 0 0 0 0 0 0 0
38504 - 0 0 0 0 0 0 0 0 0 0 0 0
38505 - 0 0 0 0 0 0 0 0 0 0 0 0
38506 - 0 0 0 0 0 0 0 0 0 0 0 0
38507 - 0 0 0 6 6 6 22 22 22 50 50 50
38508 - 78 78 78 34 34 34 2 2 6 2 2 6
38509 - 2 2 6 2 2 6 2 2 6 2 2 6
38510 - 2 2 6 2 2 6 2 2 6 2 2 6
38511 - 2 2 6 2 2 6 6 6 6 70 70 70
38512 - 78 78 78 46 46 46 22 22 22 6 6 6
38513 - 0 0 0 0 0 0 0 0 0 0 0 0
38514 - 0 0 0 0 0 0 0 0 0 0 0 0
38515 - 0 0 0 0 0 0 0 0 0 0 0 0
38516 - 0 0 0 0 0 0 0 0 0 0 0 0
38517 - 0 0 0 0 0 0 0 0 0 0 0 0
38518 - 0 0 0 0 0 0 0 0 0 0 0 0
38519 - 0 0 0 0 0 0 0 0 0 0 0 0
38520 - 0 0 0 0 0 0 0 0 0 0 0 0
38521 - 0 0 1 0 0 1 0 0 1 0 0 0
38522 - 0 0 0 0 0 0 0 0 0 0 0 0
38523 - 0 0 0 0 0 0 0 0 0 0 0 0
38524 - 0 0 0 0 0 0 0 0 0 0 0 0
38525 - 0 0 0 0 0 0 0 0 0 0 0 0
38526 - 0 0 0 0 0 0 0 0 0 0 0 0
38527 - 6 6 6 18 18 18 42 42 42 82 82 82
38528 - 26 26 26 2 2 6 2 2 6 2 2 6
38529 - 2 2 6 2 2 6 2 2 6 2 2 6
38530 - 2 2 6 2 2 6 2 2 6 14 14 14
38531 - 46 46 46 34 34 34 6 6 6 2 2 6
38532 - 42 42 42 78 78 78 42 42 42 18 18 18
38533 - 6 6 6 0 0 0 0 0 0 0 0 0
38534 - 0 0 0 0 0 0 0 0 0 0 0 0
38535 - 0 0 0 0 0 0 0 0 0 0 0 0
38536 - 0 0 0 0 0 0 0 0 0 0 0 0
38537 - 0 0 0 0 0 0 0 0 0 0 0 0
38538 - 0 0 0 0 0 0 0 0 0 0 0 0
38539 - 0 0 0 0 0 0 0 0 0 0 0 0
38540 - 0 0 0 0 0 0 0 0 0 0 0 0
38541 - 0 0 1 0 0 0 0 0 1 0 0 0
38542 - 0 0 0 0 0 0 0 0 0 0 0 0
38543 - 0 0 0 0 0 0 0 0 0 0 0 0
38544 - 0 0 0 0 0 0 0 0 0 0 0 0
38545 - 0 0 0 0 0 0 0 0 0 0 0 0
38546 - 0 0 0 0 0 0 0 0 0 0 0 0
38547 - 10 10 10 30 30 30 66 66 66 58 58 58
38548 - 2 2 6 2 2 6 2 2 6 2 2 6
38549 - 2 2 6 2 2 6 2 2 6 2 2 6
38550 - 2 2 6 2 2 6 2 2 6 26 26 26
38551 - 86 86 86 101 101 101 46 46 46 10 10 10
38552 - 2 2 6 58 58 58 70 70 70 34 34 34
38553 - 10 10 10 0 0 0 0 0 0 0 0 0
38554 - 0 0 0 0 0 0 0 0 0 0 0 0
38555 - 0 0 0 0 0 0 0 0 0 0 0 0
38556 - 0 0 0 0 0 0 0 0 0 0 0 0
38557 - 0 0 0 0 0 0 0 0 0 0 0 0
38558 - 0 0 0 0 0 0 0 0 0 0 0 0
38559 - 0 0 0 0 0 0 0 0 0 0 0 0
38560 - 0 0 0 0 0 0 0 0 0 0 0 0
38561 - 0 0 1 0 0 1 0 0 1 0 0 0
38562 - 0 0 0 0 0 0 0 0 0 0 0 0
38563 - 0 0 0 0 0 0 0 0 0 0 0 0
38564 - 0 0 0 0 0 0 0 0 0 0 0 0
38565 - 0 0 0 0 0 0 0 0 0 0 0 0
38566 - 0 0 0 0 0 0 0 0 0 0 0 0
38567 - 14 14 14 42 42 42 86 86 86 10 10 10
38568 - 2 2 6 2 2 6 2 2 6 2 2 6
38569 - 2 2 6 2 2 6 2 2 6 2 2 6
38570 - 2 2 6 2 2 6 2 2 6 30 30 30
38571 - 94 94 94 94 94 94 58 58 58 26 26 26
38572 - 2 2 6 6 6 6 78 78 78 54 54 54
38573 - 22 22 22 6 6 6 0 0 0 0 0 0
38574 - 0 0 0 0 0 0 0 0 0 0 0 0
38575 - 0 0 0 0 0 0 0 0 0 0 0 0
38576 - 0 0 0 0 0 0 0 0 0 0 0 0
38577 - 0 0 0 0 0 0 0 0 0 0 0 0
38578 - 0 0 0 0 0 0 0 0 0 0 0 0
38579 - 0 0 0 0 0 0 0 0 0 0 0 0
38580 - 0 0 0 0 0 0 0 0 0 0 0 0
38581 - 0 0 0 0 0 0 0 0 0 0 0 0
38582 - 0 0 0 0 0 0 0 0 0 0 0 0
38583 - 0 0 0 0 0 0 0 0 0 0 0 0
38584 - 0 0 0 0 0 0 0 0 0 0 0 0
38585 - 0 0 0 0 0 0 0 0 0 0 0 0
38586 - 0 0 0 0 0 0 0 0 0 6 6 6
38587 - 22 22 22 62 62 62 62 62 62 2 2 6
38588 - 2 2 6 2 2 6 2 2 6 2 2 6
38589 - 2 2 6 2 2 6 2 2 6 2 2 6
38590 - 2 2 6 2 2 6 2 2 6 26 26 26
38591 - 54 54 54 38 38 38 18 18 18 10 10 10
38592 - 2 2 6 2 2 6 34 34 34 82 82 82
38593 - 38 38 38 14 14 14 0 0 0 0 0 0
38594 - 0 0 0 0 0 0 0 0 0 0 0 0
38595 - 0 0 0 0 0 0 0 0 0 0 0 0
38596 - 0 0 0 0 0 0 0 0 0 0 0 0
38597 - 0 0 0 0 0 0 0 0 0 0 0 0
38598 - 0 0 0 0 0 0 0 0 0 0 0 0
38599 - 0 0 0 0 0 0 0 0 0 0 0 0
38600 - 0 0 0 0 0 0 0 0 0 0 0 0
38601 - 0 0 0 0 0 1 0 0 1 0 0 0
38602 - 0 0 0 0 0 0 0 0 0 0 0 0
38603 - 0 0 0 0 0 0 0 0 0 0 0 0
38604 - 0 0 0 0 0 0 0 0 0 0 0 0
38605 - 0 0 0 0 0 0 0 0 0 0 0 0
38606 - 0 0 0 0 0 0 0 0 0 6 6 6
38607 - 30 30 30 78 78 78 30 30 30 2 2 6
38608 - 2 2 6 2 2 6 2 2 6 2 2 6
38609 - 2 2 6 2 2 6 2 2 6 2 2 6
38610 - 2 2 6 2 2 6 2 2 6 10 10 10
38611 - 10 10 10 2 2 6 2 2 6 2 2 6
38612 - 2 2 6 2 2 6 2 2 6 78 78 78
38613 - 50 50 50 18 18 18 6 6 6 0 0 0
38614 - 0 0 0 0 0 0 0 0 0 0 0 0
38615 - 0 0 0 0 0 0 0 0 0 0 0 0
38616 - 0 0 0 0 0 0 0 0 0 0 0 0
38617 - 0 0 0 0 0 0 0 0 0 0 0 0
38618 - 0 0 0 0 0 0 0 0 0 0 0 0
38619 - 0 0 0 0 0 0 0 0 0 0 0 0
38620 - 0 0 0 0 0 0 0 0 0 0 0 0
38621 - 0 0 1 0 0 0 0 0 0 0 0 0
38622 - 0 0 0 0 0 0 0 0 0 0 0 0
38623 - 0 0 0 0 0 0 0 0 0 0 0 0
38624 - 0 0 0 0 0 0 0 0 0 0 0 0
38625 - 0 0 0 0 0 0 0 0 0 0 0 0
38626 - 0 0 0 0 0 0 0 0 0 10 10 10
38627 - 38 38 38 86 86 86 14 14 14 2 2 6
38628 - 2 2 6 2 2 6 2 2 6 2 2 6
38629 - 2 2 6 2 2 6 2 2 6 2 2 6
38630 - 2 2 6 2 2 6 2 2 6 2 2 6
38631 - 2 2 6 2 2 6 2 2 6 2 2 6
38632 - 2 2 6 2 2 6 2 2 6 54 54 54
38633 - 66 66 66 26 26 26 6 6 6 0 0 0
38634 - 0 0 0 0 0 0 0 0 0 0 0 0
38635 - 0 0 0 0 0 0 0 0 0 0 0 0
38636 - 0 0 0 0 0 0 0 0 0 0 0 0
38637 - 0 0 0 0 0 0 0 0 0 0 0 0
38638 - 0 0 0 0 0 0 0 0 0 0 0 0
38639 - 0 0 0 0 0 0 0 0 0 0 0 0
38640 - 0 0 0 0 0 0 0 0 0 0 0 0
38641 - 0 0 0 0 0 1 0 0 1 0 0 0
38642 - 0 0 0 0 0 0 0 0 0 0 0 0
38643 - 0 0 0 0 0 0 0 0 0 0 0 0
38644 - 0 0 0 0 0 0 0 0 0 0 0 0
38645 - 0 0 0 0 0 0 0 0 0 0 0 0
38646 - 0 0 0 0 0 0 0 0 0 14 14 14
38647 - 42 42 42 82 82 82 2 2 6 2 2 6
38648 - 2 2 6 6 6 6 10 10 10 2 2 6
38649 - 2 2 6 2 2 6 2 2 6 2 2 6
38650 - 2 2 6 2 2 6 2 2 6 6 6 6
38651 - 14 14 14 10 10 10 2 2 6 2 2 6
38652 - 2 2 6 2 2 6 2 2 6 18 18 18
38653 - 82 82 82 34 34 34 10 10 10 0 0 0
38654 - 0 0 0 0 0 0 0 0 0 0 0 0
38655 - 0 0 0 0 0 0 0 0 0 0 0 0
38656 - 0 0 0 0 0 0 0 0 0 0 0 0
38657 - 0 0 0 0 0 0 0 0 0 0 0 0
38658 - 0 0 0 0 0 0 0 0 0 0 0 0
38659 - 0 0 0 0 0 0 0 0 0 0 0 0
38660 - 0 0 0 0 0 0 0 0 0 0 0 0
38661 - 0 0 1 0 0 0 0 0 0 0 0 0
38662 - 0 0 0 0 0 0 0 0 0 0 0 0
38663 - 0 0 0 0 0 0 0 0 0 0 0 0
38664 - 0 0 0 0 0 0 0 0 0 0 0 0
38665 - 0 0 0 0 0 0 0 0 0 0 0 0
38666 - 0 0 0 0 0 0 0 0 0 14 14 14
38667 - 46 46 46 86 86 86 2 2 6 2 2 6
38668 - 6 6 6 6 6 6 22 22 22 34 34 34
38669 - 6 6 6 2 2 6 2 2 6 2 2 6
38670 - 2 2 6 2 2 6 18 18 18 34 34 34
38671 - 10 10 10 50 50 50 22 22 22 2 2 6
38672 - 2 2 6 2 2 6 2 2 6 10 10 10
38673 - 86 86 86 42 42 42 14 14 14 0 0 0
38674 - 0 0 0 0 0 0 0 0 0 0 0 0
38675 - 0 0 0 0 0 0 0 0 0 0 0 0
38676 - 0 0 0 0 0 0 0 0 0 0 0 0
38677 - 0 0 0 0 0 0 0 0 0 0 0 0
38678 - 0 0 0 0 0 0 0 0 0 0 0 0
38679 - 0 0 0 0 0 0 0 0 0 0 0 0
38680 - 0 0 0 0 0 0 0 0 0 0 0 0
38681 - 0 0 1 0 0 1 0 0 1 0 0 0
38682 - 0 0 0 0 0 0 0 0 0 0 0 0
38683 - 0 0 0 0 0 0 0 0 0 0 0 0
38684 - 0 0 0 0 0 0 0 0 0 0 0 0
38685 - 0 0 0 0 0 0 0 0 0 0 0 0
38686 - 0 0 0 0 0 0 0 0 0 14 14 14
38687 - 46 46 46 86 86 86 2 2 6 2 2 6
38688 - 38 38 38 116 116 116 94 94 94 22 22 22
38689 - 22 22 22 2 2 6 2 2 6 2 2 6
38690 - 14 14 14 86 86 86 138 138 138 162 162 162
38691 -154 154 154 38 38 38 26 26 26 6 6 6
38692 - 2 2 6 2 2 6 2 2 6 2 2 6
38693 - 86 86 86 46 46 46 14 14 14 0 0 0
38694 - 0 0 0 0 0 0 0 0 0 0 0 0
38695 - 0 0 0 0 0 0 0 0 0 0 0 0
38696 - 0 0 0 0 0 0 0 0 0 0 0 0
38697 - 0 0 0 0 0 0 0 0 0 0 0 0
38698 - 0 0 0 0 0 0 0 0 0 0 0 0
38699 - 0 0 0 0 0 0 0 0 0 0 0 0
38700 - 0 0 0 0 0 0 0 0 0 0 0 0
38701 - 0 0 0 0 0 0 0 0 0 0 0 0
38702 - 0 0 0 0 0 0 0 0 0 0 0 0
38703 - 0 0 0 0 0 0 0 0 0 0 0 0
38704 - 0 0 0 0 0 0 0 0 0 0 0 0
38705 - 0 0 0 0 0 0 0 0 0 0 0 0
38706 - 0 0 0 0 0 0 0 0 0 14 14 14
38707 - 46 46 46 86 86 86 2 2 6 14 14 14
38708 -134 134 134 198 198 198 195 195 195 116 116 116
38709 - 10 10 10 2 2 6 2 2 6 6 6 6
38710 -101 98 89 187 187 187 210 210 210 218 218 218
38711 -214 214 214 134 134 134 14 14 14 6 6 6
38712 - 2 2 6 2 2 6 2 2 6 2 2 6
38713 - 86 86 86 50 50 50 18 18 18 6 6 6
38714 - 0 0 0 0 0 0 0 0 0 0 0 0
38715 - 0 0 0 0 0 0 0 0 0 0 0 0
38716 - 0 0 0 0 0 0 0 0 0 0 0 0
38717 - 0 0 0 0 0 0 0 0 0 0 0 0
38718 - 0 0 0 0 0 0 0 0 0 0 0 0
38719 - 0 0 0 0 0 0 0 0 0 0 0 0
38720 - 0 0 0 0 0 0 0 0 1 0 0 0
38721 - 0 0 1 0 0 1 0 0 1 0 0 0
38722 - 0 0 0 0 0 0 0 0 0 0 0 0
38723 - 0 0 0 0 0 0 0 0 0 0 0 0
38724 - 0 0 0 0 0 0 0 0 0 0 0 0
38725 - 0 0 0 0 0 0 0 0 0 0 0 0
38726 - 0 0 0 0 0 0 0 0 0 14 14 14
38727 - 46 46 46 86 86 86 2 2 6 54 54 54
38728 -218 218 218 195 195 195 226 226 226 246 246 246
38729 - 58 58 58 2 2 6 2 2 6 30 30 30
38730 -210 210 210 253 253 253 174 174 174 123 123 123
38731 -221 221 221 234 234 234 74 74 74 2 2 6
38732 - 2 2 6 2 2 6 2 2 6 2 2 6
38733 - 70 70 70 58 58 58 22 22 22 6 6 6
38734 - 0 0 0 0 0 0 0 0 0 0 0 0
38735 - 0 0 0 0 0 0 0 0 0 0 0 0
38736 - 0 0 0 0 0 0 0 0 0 0 0 0
38737 - 0 0 0 0 0 0 0 0 0 0 0 0
38738 - 0 0 0 0 0 0 0 0 0 0 0 0
38739 - 0 0 0 0 0 0 0 0 0 0 0 0
38740 - 0 0 0 0 0 0 0 0 0 0 0 0
38741 - 0 0 0 0 0 0 0 0 0 0 0 0
38742 - 0 0 0 0 0 0 0 0 0 0 0 0
38743 - 0 0 0 0 0 0 0 0 0 0 0 0
38744 - 0 0 0 0 0 0 0 0 0 0 0 0
38745 - 0 0 0 0 0 0 0 0 0 0 0 0
38746 - 0 0 0 0 0 0 0 0 0 14 14 14
38747 - 46 46 46 82 82 82 2 2 6 106 106 106
38748 -170 170 170 26 26 26 86 86 86 226 226 226
38749 -123 123 123 10 10 10 14 14 14 46 46 46
38750 -231 231 231 190 190 190 6 6 6 70 70 70
38751 - 90 90 90 238 238 238 158 158 158 2 2 6
38752 - 2 2 6 2 2 6 2 2 6 2 2 6
38753 - 70 70 70 58 58 58 22 22 22 6 6 6
38754 - 0 0 0 0 0 0 0 0 0 0 0 0
38755 - 0 0 0 0 0 0 0 0 0 0 0 0
38756 - 0 0 0 0 0 0 0 0 0 0 0 0
38757 - 0 0 0 0 0 0 0 0 0 0 0 0
38758 - 0 0 0 0 0 0 0 0 0 0 0 0
38759 - 0 0 0 0 0 0 0 0 0 0 0 0
38760 - 0 0 0 0 0 0 0 0 1 0 0 0
38761 - 0 0 1 0 0 1 0 0 1 0 0 0
38762 - 0 0 0 0 0 0 0 0 0 0 0 0
38763 - 0 0 0 0 0 0 0 0 0 0 0 0
38764 - 0 0 0 0 0 0 0 0 0 0 0 0
38765 - 0 0 0 0 0 0 0 0 0 0 0 0
38766 - 0 0 0 0 0 0 0 0 0 14 14 14
38767 - 42 42 42 86 86 86 6 6 6 116 116 116
38768 -106 106 106 6 6 6 70 70 70 149 149 149
38769 -128 128 128 18 18 18 38 38 38 54 54 54
38770 -221 221 221 106 106 106 2 2 6 14 14 14
38771 - 46 46 46 190 190 190 198 198 198 2 2 6
38772 - 2 2 6 2 2 6 2 2 6 2 2 6
38773 - 74 74 74 62 62 62 22 22 22 6 6 6
38774 - 0 0 0 0 0 0 0 0 0 0 0 0
38775 - 0 0 0 0 0 0 0 0 0 0 0 0
38776 - 0 0 0 0 0 0 0 0 0 0 0 0
38777 - 0 0 0 0 0 0 0 0 0 0 0 0
38778 - 0 0 0 0 0 0 0 0 0 0 0 0
38779 - 0 0 0 0 0 0 0 0 0 0 0 0
38780 - 0 0 0 0 0 0 0 0 1 0 0 0
38781 - 0 0 1 0 0 0 0 0 1 0 0 0
38782 - 0 0 0 0 0 0 0 0 0 0 0 0
38783 - 0 0 0 0 0 0 0 0 0 0 0 0
38784 - 0 0 0 0 0 0 0 0 0 0 0 0
38785 - 0 0 0 0 0 0 0 0 0 0 0 0
38786 - 0 0 0 0 0 0 0 0 0 14 14 14
38787 - 42 42 42 94 94 94 14 14 14 101 101 101
38788 -128 128 128 2 2 6 18 18 18 116 116 116
38789 -118 98 46 121 92 8 121 92 8 98 78 10
38790 -162 162 162 106 106 106 2 2 6 2 2 6
38791 - 2 2 6 195 195 195 195 195 195 6 6 6
38792 - 2 2 6 2 2 6 2 2 6 2 2 6
38793 - 74 74 74 62 62 62 22 22 22 6 6 6
38794 - 0 0 0 0 0 0 0 0 0 0 0 0
38795 - 0 0 0 0 0 0 0 0 0 0 0 0
38796 - 0 0 0 0 0 0 0 0 0 0 0 0
38797 - 0 0 0 0 0 0 0 0 0 0 0 0
38798 - 0 0 0 0 0 0 0 0 0 0 0 0
38799 - 0 0 0 0 0 0 0 0 0 0 0 0
38800 - 0 0 0 0 0 0 0 0 1 0 0 1
38801 - 0 0 1 0 0 0 0 0 1 0 0 0
38802 - 0 0 0 0 0 0 0 0 0 0 0 0
38803 - 0 0 0 0 0 0 0 0 0 0 0 0
38804 - 0 0 0 0 0 0 0 0 0 0 0 0
38805 - 0 0 0 0 0 0 0 0 0 0 0 0
38806 - 0 0 0 0 0 0 0 0 0 10 10 10
38807 - 38 38 38 90 90 90 14 14 14 58 58 58
38808 -210 210 210 26 26 26 54 38 6 154 114 10
38809 -226 170 11 236 186 11 225 175 15 184 144 12
38810 -215 174 15 175 146 61 37 26 9 2 2 6
38811 - 70 70 70 246 246 246 138 138 138 2 2 6
38812 - 2 2 6 2 2 6 2 2 6 2 2 6
38813 - 70 70 70 66 66 66 26 26 26 6 6 6
38814 - 0 0 0 0 0 0 0 0 0 0 0 0
38815 - 0 0 0 0 0 0 0 0 0 0 0 0
38816 - 0 0 0 0 0 0 0 0 0 0 0 0
38817 - 0 0 0 0 0 0 0 0 0 0 0 0
38818 - 0 0 0 0 0 0 0 0 0 0 0 0
38819 - 0 0 0 0 0 0 0 0 0 0 0 0
38820 - 0 0 0 0 0 0 0 0 0 0 0 0
38821 - 0 0 0 0 0 0 0 0 0 0 0 0
38822 - 0 0 0 0 0 0 0 0 0 0 0 0
38823 - 0 0 0 0 0 0 0 0 0 0 0 0
38824 - 0 0 0 0 0 0 0 0 0 0 0 0
38825 - 0 0 0 0 0 0 0 0 0 0 0 0
38826 - 0 0 0 0 0 0 0 0 0 10 10 10
38827 - 38 38 38 86 86 86 14 14 14 10 10 10
38828 -195 195 195 188 164 115 192 133 9 225 175 15
38829 -239 182 13 234 190 10 232 195 16 232 200 30
38830 -245 207 45 241 208 19 232 195 16 184 144 12
38831 -218 194 134 211 206 186 42 42 42 2 2 6
38832 - 2 2 6 2 2 6 2 2 6 2 2 6
38833 - 50 50 50 74 74 74 30 30 30 6 6 6
38834 - 0 0 0 0 0 0 0 0 0 0 0 0
38835 - 0 0 0 0 0 0 0 0 0 0 0 0
38836 - 0 0 0 0 0 0 0 0 0 0 0 0
38837 - 0 0 0 0 0 0 0 0 0 0 0 0
38838 - 0 0 0 0 0 0 0 0 0 0 0 0
38839 - 0 0 0 0 0 0 0 0 0 0 0 0
38840 - 0 0 0 0 0 0 0 0 0 0 0 0
38841 - 0 0 0 0 0 0 0 0 0 0 0 0
38842 - 0 0 0 0 0 0 0 0 0 0 0 0
38843 - 0 0 0 0 0 0 0 0 0 0 0 0
38844 - 0 0 0 0 0 0 0 0 0 0 0 0
38845 - 0 0 0 0 0 0 0 0 0 0 0 0
38846 - 0 0 0 0 0 0 0 0 0 10 10 10
38847 - 34 34 34 86 86 86 14 14 14 2 2 6
38848 -121 87 25 192 133 9 219 162 10 239 182 13
38849 -236 186 11 232 195 16 241 208 19 244 214 54
38850 -246 218 60 246 218 38 246 215 20 241 208 19
38851 -241 208 19 226 184 13 121 87 25 2 2 6
38852 - 2 2 6 2 2 6 2 2 6 2 2 6
38853 - 50 50 50 82 82 82 34 34 34 10 10 10
38854 - 0 0 0 0 0 0 0 0 0 0 0 0
38855 - 0 0 0 0 0 0 0 0 0 0 0 0
38856 - 0 0 0 0 0 0 0 0 0 0 0 0
38857 - 0 0 0 0 0 0 0 0 0 0 0 0
38858 - 0 0 0 0 0 0 0 0 0 0 0 0
38859 - 0 0 0 0 0 0 0 0 0 0 0 0
38860 - 0 0 0 0 0 0 0 0 0 0 0 0
38861 - 0 0 0 0 0 0 0 0 0 0 0 0
38862 - 0 0 0 0 0 0 0 0 0 0 0 0
38863 - 0 0 0 0 0 0 0 0 0 0 0 0
38864 - 0 0 0 0 0 0 0 0 0 0 0 0
38865 - 0 0 0 0 0 0 0 0 0 0 0 0
38866 - 0 0 0 0 0 0 0 0 0 10 10 10
38867 - 34 34 34 82 82 82 30 30 30 61 42 6
38868 -180 123 7 206 145 10 230 174 11 239 182 13
38869 -234 190 10 238 202 15 241 208 19 246 218 74
38870 -246 218 38 246 215 20 246 215 20 246 215 20
38871 -226 184 13 215 174 15 184 144 12 6 6 6
38872 - 2 2 6 2 2 6 2 2 6 2 2 6
38873 - 26 26 26 94 94 94 42 42 42 14 14 14
38874 - 0 0 0 0 0 0 0 0 0 0 0 0
38875 - 0 0 0 0 0 0 0 0 0 0 0 0
38876 - 0 0 0 0 0 0 0 0 0 0 0 0
38877 - 0 0 0 0 0 0 0 0 0 0 0 0
38878 - 0 0 0 0 0 0 0 0 0 0 0 0
38879 - 0 0 0 0 0 0 0 0 0 0 0 0
38880 - 0 0 0 0 0 0 0 0 0 0 0 0
38881 - 0 0 0 0 0 0 0 0 0 0 0 0
38882 - 0 0 0 0 0 0 0 0 0 0 0 0
38883 - 0 0 0 0 0 0 0 0 0 0 0 0
38884 - 0 0 0 0 0 0 0 0 0 0 0 0
38885 - 0 0 0 0 0 0 0 0 0 0 0 0
38886 - 0 0 0 0 0 0 0 0 0 10 10 10
38887 - 30 30 30 78 78 78 50 50 50 104 69 6
38888 -192 133 9 216 158 10 236 178 12 236 186 11
38889 -232 195 16 241 208 19 244 214 54 245 215 43
38890 -246 215 20 246 215 20 241 208 19 198 155 10
38891 -200 144 11 216 158 10 156 118 10 2 2 6
38892 - 2 2 6 2 2 6 2 2 6 2 2 6
38893 - 6 6 6 90 90 90 54 54 54 18 18 18
38894 - 6 6 6 0 0 0 0 0 0 0 0 0
38895 - 0 0 0 0 0 0 0 0 0 0 0 0
38896 - 0 0 0 0 0 0 0 0 0 0 0 0
38897 - 0 0 0 0 0 0 0 0 0 0 0 0
38898 - 0 0 0 0 0 0 0 0 0 0 0 0
38899 - 0 0 0 0 0 0 0 0 0 0 0 0
38900 - 0 0 0 0 0 0 0 0 0 0 0 0
38901 - 0 0 0 0 0 0 0 0 0 0 0 0
38902 - 0 0 0 0 0 0 0 0 0 0 0 0
38903 - 0 0 0 0 0 0 0 0 0 0 0 0
38904 - 0 0 0 0 0 0 0 0 0 0 0 0
38905 - 0 0 0 0 0 0 0 0 0 0 0 0
38906 - 0 0 0 0 0 0 0 0 0 10 10 10
38907 - 30 30 30 78 78 78 46 46 46 22 22 22
38908 -137 92 6 210 162 10 239 182 13 238 190 10
38909 -238 202 15 241 208 19 246 215 20 246 215 20
38910 -241 208 19 203 166 17 185 133 11 210 150 10
38911 -216 158 10 210 150 10 102 78 10 2 2 6
38912 - 6 6 6 54 54 54 14 14 14 2 2 6
38913 - 2 2 6 62 62 62 74 74 74 30 30 30
38914 - 10 10 10 0 0 0 0 0 0 0 0 0
38915 - 0 0 0 0 0 0 0 0 0 0 0 0
38916 - 0 0 0 0 0 0 0 0 0 0 0 0
38917 - 0 0 0 0 0 0 0 0 0 0 0 0
38918 - 0 0 0 0 0 0 0 0 0 0 0 0
38919 - 0 0 0 0 0 0 0 0 0 0 0 0
38920 - 0 0 0 0 0 0 0 0 0 0 0 0
38921 - 0 0 0 0 0 0 0 0 0 0 0 0
38922 - 0 0 0 0 0 0 0 0 0 0 0 0
38923 - 0 0 0 0 0 0 0 0 0 0 0 0
38924 - 0 0 0 0 0 0 0 0 0 0 0 0
38925 - 0 0 0 0 0 0 0 0 0 0 0 0
38926 - 0 0 0 0 0 0 0 0 0 10 10 10
38927 - 34 34 34 78 78 78 50 50 50 6 6 6
38928 - 94 70 30 139 102 15 190 146 13 226 184 13
38929 -232 200 30 232 195 16 215 174 15 190 146 13
38930 -168 122 10 192 133 9 210 150 10 213 154 11
38931 -202 150 34 182 157 106 101 98 89 2 2 6
38932 - 2 2 6 78 78 78 116 116 116 58 58 58
38933 - 2 2 6 22 22 22 90 90 90 46 46 46
38934 - 18 18 18 6 6 6 0 0 0 0 0 0
38935 - 0 0 0 0 0 0 0 0 0 0 0 0
38936 - 0 0 0 0 0 0 0 0 0 0 0 0
38937 - 0 0 0 0 0 0 0 0 0 0 0 0
38938 - 0 0 0 0 0 0 0 0 0 0 0 0
38939 - 0 0 0 0 0 0 0 0 0 0 0 0
38940 - 0 0 0 0 0 0 0 0 0 0 0 0
38941 - 0 0 0 0 0 0 0 0 0 0 0 0
38942 - 0 0 0 0 0 0 0 0 0 0 0 0
38943 - 0 0 0 0 0 0 0 0 0 0 0 0
38944 - 0 0 0 0 0 0 0 0 0 0 0 0
38945 - 0 0 0 0 0 0 0 0 0 0 0 0
38946 - 0 0 0 0 0 0 0 0 0 10 10 10
38947 - 38 38 38 86 86 86 50 50 50 6 6 6
38948 -128 128 128 174 154 114 156 107 11 168 122 10
38949 -198 155 10 184 144 12 197 138 11 200 144 11
38950 -206 145 10 206 145 10 197 138 11 188 164 115
38951 -195 195 195 198 198 198 174 174 174 14 14 14
38952 - 2 2 6 22 22 22 116 116 116 116 116 116
38953 - 22 22 22 2 2 6 74 74 74 70 70 70
38954 - 30 30 30 10 10 10 0 0 0 0 0 0
38955 - 0 0 0 0 0 0 0 0 0 0 0 0
38956 - 0 0 0 0 0 0 0 0 0 0 0 0
38957 - 0 0 0 0 0 0 0 0 0 0 0 0
38958 - 0 0 0 0 0 0 0 0 0 0 0 0
38959 - 0 0 0 0 0 0 0 0 0 0 0 0
38960 - 0 0 0 0 0 0 0 0 0 0 0 0
38961 - 0 0 0 0 0 0 0 0 0 0 0 0
38962 - 0 0 0 0 0 0 0 0 0 0 0 0
38963 - 0 0 0 0 0 0 0 0 0 0 0 0
38964 - 0 0 0 0 0 0 0 0 0 0 0 0
38965 - 0 0 0 0 0 0 0 0 0 0 0 0
38966 - 0 0 0 0 0 0 6 6 6 18 18 18
38967 - 50 50 50 101 101 101 26 26 26 10 10 10
38968 -138 138 138 190 190 190 174 154 114 156 107 11
38969 -197 138 11 200 144 11 197 138 11 192 133 9
38970 -180 123 7 190 142 34 190 178 144 187 187 187
38971 -202 202 202 221 221 221 214 214 214 66 66 66
38972 - 2 2 6 2 2 6 50 50 50 62 62 62
38973 - 6 6 6 2 2 6 10 10 10 90 90 90
38974 - 50 50 50 18 18 18 6 6 6 0 0 0
38975 - 0 0 0 0 0 0 0 0 0 0 0 0
38976 - 0 0 0 0 0 0 0 0 0 0 0 0
38977 - 0 0 0 0 0 0 0 0 0 0 0 0
38978 - 0 0 0 0 0 0 0 0 0 0 0 0
38979 - 0 0 0 0 0 0 0 0 0 0 0 0
38980 - 0 0 0 0 0 0 0 0 0 0 0 0
38981 - 0 0 0 0 0 0 0 0 0 0 0 0
38982 - 0 0 0 0 0 0 0 0 0 0 0 0
38983 - 0 0 0 0 0 0 0 0 0 0 0 0
38984 - 0 0 0 0 0 0 0 0 0 0 0 0
38985 - 0 0 0 0 0 0 0 0 0 0 0 0
38986 - 0 0 0 0 0 0 10 10 10 34 34 34
38987 - 74 74 74 74 74 74 2 2 6 6 6 6
38988 -144 144 144 198 198 198 190 190 190 178 166 146
38989 -154 121 60 156 107 11 156 107 11 168 124 44
38990 -174 154 114 187 187 187 190 190 190 210 210 210
38991 -246 246 246 253 253 253 253 253 253 182 182 182
38992 - 6 6 6 2 2 6 2 2 6 2 2 6
38993 - 2 2 6 2 2 6 2 2 6 62 62 62
38994 - 74 74 74 34 34 34 14 14 14 0 0 0
38995 - 0 0 0 0 0 0 0 0 0 0 0 0
38996 - 0 0 0 0 0 0 0 0 0 0 0 0
38997 - 0 0 0 0 0 0 0 0 0 0 0 0
38998 - 0 0 0 0 0 0 0 0 0 0 0 0
38999 - 0 0 0 0 0 0 0 0 0 0 0 0
39000 - 0 0 0 0 0 0 0 0 0 0 0 0
39001 - 0 0 0 0 0 0 0 0 0 0 0 0
39002 - 0 0 0 0 0 0 0 0 0 0 0 0
39003 - 0 0 0 0 0 0 0 0 0 0 0 0
39004 - 0 0 0 0 0 0 0 0 0 0 0 0
39005 - 0 0 0 0 0 0 0 0 0 0 0 0
39006 - 0 0 0 10 10 10 22 22 22 54 54 54
39007 - 94 94 94 18 18 18 2 2 6 46 46 46
39008 -234 234 234 221 221 221 190 190 190 190 190 190
39009 -190 190 190 187 187 187 187 187 187 190 190 190
39010 -190 190 190 195 195 195 214 214 214 242 242 242
39011 -253 253 253 253 253 253 253 253 253 253 253 253
39012 - 82 82 82 2 2 6 2 2 6 2 2 6
39013 - 2 2 6 2 2 6 2 2 6 14 14 14
39014 - 86 86 86 54 54 54 22 22 22 6 6 6
39015 - 0 0 0 0 0 0 0 0 0 0 0 0
39016 - 0 0 0 0 0 0 0 0 0 0 0 0
39017 - 0 0 0 0 0 0 0 0 0 0 0 0
39018 - 0 0 0 0 0 0 0 0 0 0 0 0
39019 - 0 0 0 0 0 0 0 0 0 0 0 0
39020 - 0 0 0 0 0 0 0 0 0 0 0 0
39021 - 0 0 0 0 0 0 0 0 0 0 0 0
39022 - 0 0 0 0 0 0 0 0 0 0 0 0
39023 - 0 0 0 0 0 0 0 0 0 0 0 0
39024 - 0 0 0 0 0 0 0 0 0 0 0 0
39025 - 0 0 0 0 0 0 0 0 0 0 0 0
39026 - 6 6 6 18 18 18 46 46 46 90 90 90
39027 - 46 46 46 18 18 18 6 6 6 182 182 182
39028 -253 253 253 246 246 246 206 206 206 190 190 190
39029 -190 190 190 190 190 190 190 190 190 190 190 190
39030 -206 206 206 231 231 231 250 250 250 253 253 253
39031 -253 253 253 253 253 253 253 253 253 253 253 253
39032 -202 202 202 14 14 14 2 2 6 2 2 6
39033 - 2 2 6 2 2 6 2 2 6 2 2 6
39034 - 42 42 42 86 86 86 42 42 42 18 18 18
39035 - 6 6 6 0 0 0 0 0 0 0 0 0
39036 - 0 0 0 0 0 0 0 0 0 0 0 0
39037 - 0 0 0 0 0 0 0 0 0 0 0 0
39038 - 0 0 0 0 0 0 0 0 0 0 0 0
39039 - 0 0 0 0 0 0 0 0 0 0 0 0
39040 - 0 0 0 0 0 0 0 0 0 0 0 0
39041 - 0 0 0 0 0 0 0 0 0 0 0 0
39042 - 0 0 0 0 0 0 0 0 0 0 0 0
39043 - 0 0 0 0 0 0 0 0 0 0 0 0
39044 - 0 0 0 0 0 0 0 0 0 0 0 0
39045 - 0 0 0 0 0 0 0 0 0 6 6 6
39046 - 14 14 14 38 38 38 74 74 74 66 66 66
39047 - 2 2 6 6 6 6 90 90 90 250 250 250
39048 -253 253 253 253 253 253 238 238 238 198 198 198
39049 -190 190 190 190 190 190 195 195 195 221 221 221
39050 -246 246 246 253 253 253 253 253 253 253 253 253
39051 -253 253 253 253 253 253 253 253 253 253 253 253
39052 -253 253 253 82 82 82 2 2 6 2 2 6
39053 - 2 2 6 2 2 6 2 2 6 2 2 6
39054 - 2 2 6 78 78 78 70 70 70 34 34 34
39055 - 14 14 14 6 6 6 0 0 0 0 0 0
39056 - 0 0 0 0 0 0 0 0 0 0 0 0
39057 - 0 0 0 0 0 0 0 0 0 0 0 0
39058 - 0 0 0 0 0 0 0 0 0 0 0 0
39059 - 0 0 0 0 0 0 0 0 0 0 0 0
39060 - 0 0 0 0 0 0 0 0 0 0 0 0
39061 - 0 0 0 0 0 0 0 0 0 0 0 0
39062 - 0 0 0 0 0 0 0 0 0 0 0 0
39063 - 0 0 0 0 0 0 0 0 0 0 0 0
39064 - 0 0 0 0 0 0 0 0 0 0 0 0
39065 - 0 0 0 0 0 0 0 0 0 14 14 14
39066 - 34 34 34 66 66 66 78 78 78 6 6 6
39067 - 2 2 6 18 18 18 218 218 218 253 253 253
39068 -253 253 253 253 253 253 253 253 253 246 246 246
39069 -226 226 226 231 231 231 246 246 246 253 253 253
39070 -253 253 253 253 253 253 253 253 253 253 253 253
39071 -253 253 253 253 253 253 253 253 253 253 253 253
39072 -253 253 253 178 178 178 2 2 6 2 2 6
39073 - 2 2 6 2 2 6 2 2 6 2 2 6
39074 - 2 2 6 18 18 18 90 90 90 62 62 62
39075 - 30 30 30 10 10 10 0 0 0 0 0 0
39076 - 0 0 0 0 0 0 0 0 0 0 0 0
39077 - 0 0 0 0 0 0 0 0 0 0 0 0
39078 - 0 0 0 0 0 0 0 0 0 0 0 0
39079 - 0 0 0 0 0 0 0 0 0 0 0 0
39080 - 0 0 0 0 0 0 0 0 0 0 0 0
39081 - 0 0 0 0 0 0 0 0 0 0 0 0
39082 - 0 0 0 0 0 0 0 0 0 0 0 0
39083 - 0 0 0 0 0 0 0 0 0 0 0 0
39084 - 0 0 0 0 0 0 0 0 0 0 0 0
39085 - 0 0 0 0 0 0 10 10 10 26 26 26
39086 - 58 58 58 90 90 90 18 18 18 2 2 6
39087 - 2 2 6 110 110 110 253 253 253 253 253 253
39088 -253 253 253 253 253 253 253 253 253 253 253 253
39089 -250 250 250 253 253 253 253 253 253 253 253 253
39090 -253 253 253 253 253 253 253 253 253 253 253 253
39091 -253 253 253 253 253 253 253 253 253 253 253 253
39092 -253 253 253 231 231 231 18 18 18 2 2 6
39093 - 2 2 6 2 2 6 2 2 6 2 2 6
39094 - 2 2 6 2 2 6 18 18 18 94 94 94
39095 - 54 54 54 26 26 26 10 10 10 0 0 0
39096 - 0 0 0 0 0 0 0 0 0 0 0 0
39097 - 0 0 0 0 0 0 0 0 0 0 0 0
39098 - 0 0 0 0 0 0 0 0 0 0 0 0
39099 - 0 0 0 0 0 0 0 0 0 0 0 0
39100 - 0 0 0 0 0 0 0 0 0 0 0 0
39101 - 0 0 0 0 0 0 0 0 0 0 0 0
39102 - 0 0 0 0 0 0 0 0 0 0 0 0
39103 - 0 0 0 0 0 0 0 0 0 0 0 0
39104 - 0 0 0 0 0 0 0 0 0 0 0 0
39105 - 0 0 0 6 6 6 22 22 22 50 50 50
39106 - 90 90 90 26 26 26 2 2 6 2 2 6
39107 - 14 14 14 195 195 195 250 250 250 253 253 253
39108 -253 253 253 253 253 253 253 253 253 253 253 253
39109 -253 253 253 253 253 253 253 253 253 253 253 253
39110 -253 253 253 253 253 253 253 253 253 253 253 253
39111 -253 253 253 253 253 253 253 253 253 253 253 253
39112 -250 250 250 242 242 242 54 54 54 2 2 6
39113 - 2 2 6 2 2 6 2 2 6 2 2 6
39114 - 2 2 6 2 2 6 2 2 6 38 38 38
39115 - 86 86 86 50 50 50 22 22 22 6 6 6
39116 - 0 0 0 0 0 0 0 0 0 0 0 0
39117 - 0 0 0 0 0 0 0 0 0 0 0 0
39118 - 0 0 0 0 0 0 0 0 0 0 0 0
39119 - 0 0 0 0 0 0 0 0 0 0 0 0
39120 - 0 0 0 0 0 0 0 0 0 0 0 0
39121 - 0 0 0 0 0 0 0 0 0 0 0 0
39122 - 0 0 0 0 0 0 0 0 0 0 0 0
39123 - 0 0 0 0 0 0 0 0 0 0 0 0
39124 - 0 0 0 0 0 0 0 0 0 0 0 0
39125 - 6 6 6 14 14 14 38 38 38 82 82 82
39126 - 34 34 34 2 2 6 2 2 6 2 2 6
39127 - 42 42 42 195 195 195 246 246 246 253 253 253
39128 -253 253 253 253 253 253 253 253 253 250 250 250
39129 -242 242 242 242 242 242 250 250 250 253 253 253
39130 -253 253 253 253 253 253 253 253 253 253 253 253
39131 -253 253 253 250 250 250 246 246 246 238 238 238
39132 -226 226 226 231 231 231 101 101 101 6 6 6
39133 - 2 2 6 2 2 6 2 2 6 2 2 6
39134 - 2 2 6 2 2 6 2 2 6 2 2 6
39135 - 38 38 38 82 82 82 42 42 42 14 14 14
39136 - 6 6 6 0 0 0 0 0 0 0 0 0
39137 - 0 0 0 0 0 0 0 0 0 0 0 0
39138 - 0 0 0 0 0 0 0 0 0 0 0 0
39139 - 0 0 0 0 0 0 0 0 0 0 0 0
39140 - 0 0 0 0 0 0 0 0 0 0 0 0
39141 - 0 0 0 0 0 0 0 0 0 0 0 0
39142 - 0 0 0 0 0 0 0 0 0 0 0 0
39143 - 0 0 0 0 0 0 0 0 0 0 0 0
39144 - 0 0 0 0 0 0 0 0 0 0 0 0
39145 - 10 10 10 26 26 26 62 62 62 66 66 66
39146 - 2 2 6 2 2 6 2 2 6 6 6 6
39147 - 70 70 70 170 170 170 206 206 206 234 234 234
39148 -246 246 246 250 250 250 250 250 250 238 238 238
39149 -226 226 226 231 231 231 238 238 238 250 250 250
39150 -250 250 250 250 250 250 246 246 246 231 231 231
39151 -214 214 214 206 206 206 202 202 202 202 202 202
39152 -198 198 198 202 202 202 182 182 182 18 18 18
39153 - 2 2 6 2 2 6 2 2 6 2 2 6
39154 - 2 2 6 2 2 6 2 2 6 2 2 6
39155 - 2 2 6 62 62 62 66 66 66 30 30 30
39156 - 10 10 10 0 0 0 0 0 0 0 0 0
39157 - 0 0 0 0 0 0 0 0 0 0 0 0
39158 - 0 0 0 0 0 0 0 0 0 0 0 0
39159 - 0 0 0 0 0 0 0 0 0 0 0 0
39160 - 0 0 0 0 0 0 0 0 0 0 0 0
39161 - 0 0 0 0 0 0 0 0 0 0 0 0
39162 - 0 0 0 0 0 0 0 0 0 0 0 0
39163 - 0 0 0 0 0 0 0 0 0 0 0 0
39164 - 0 0 0 0 0 0 0 0 0 0 0 0
39165 - 14 14 14 42 42 42 82 82 82 18 18 18
39166 - 2 2 6 2 2 6 2 2 6 10 10 10
39167 - 94 94 94 182 182 182 218 218 218 242 242 242
39168 -250 250 250 253 253 253 253 253 253 250 250 250
39169 -234 234 234 253 253 253 253 253 253 253 253 253
39170 -253 253 253 253 253 253 253 253 253 246 246 246
39171 -238 238 238 226 226 226 210 210 210 202 202 202
39172 -195 195 195 195 195 195 210 210 210 158 158 158
39173 - 6 6 6 14 14 14 50 50 50 14 14 14
39174 - 2 2 6 2 2 6 2 2 6 2 2 6
39175 - 2 2 6 6 6 6 86 86 86 46 46 46
39176 - 18 18 18 6 6 6 0 0 0 0 0 0
39177 - 0 0 0 0 0 0 0 0 0 0 0 0
39178 - 0 0 0 0 0 0 0 0 0 0 0 0
39179 - 0 0 0 0 0 0 0 0 0 0 0 0
39180 - 0 0 0 0 0 0 0 0 0 0 0 0
39181 - 0 0 0 0 0 0 0 0 0 0 0 0
39182 - 0 0 0 0 0 0 0 0 0 0 0 0
39183 - 0 0 0 0 0 0 0 0 0 0 0 0
39184 - 0 0 0 0 0 0 0 0 0 6 6 6
39185 - 22 22 22 54 54 54 70 70 70 2 2 6
39186 - 2 2 6 10 10 10 2 2 6 22 22 22
39187 -166 166 166 231 231 231 250 250 250 253 253 253
39188 -253 253 253 253 253 253 253 253 253 250 250 250
39189 -242 242 242 253 253 253 253 253 253 253 253 253
39190 -253 253 253 253 253 253 253 253 253 253 253 253
39191 -253 253 253 253 253 253 253 253 253 246 246 246
39192 -231 231 231 206 206 206 198 198 198 226 226 226
39193 - 94 94 94 2 2 6 6 6 6 38 38 38
39194 - 30 30 30 2 2 6 2 2 6 2 2 6
39195 - 2 2 6 2 2 6 62 62 62 66 66 66
39196 - 26 26 26 10 10 10 0 0 0 0 0 0
39197 - 0 0 0 0 0 0 0 0 0 0 0 0
39198 - 0 0 0 0 0 0 0 0 0 0 0 0
39199 - 0 0 0 0 0 0 0 0 0 0 0 0
39200 - 0 0 0 0 0 0 0 0 0 0 0 0
39201 - 0 0 0 0 0 0 0 0 0 0 0 0
39202 - 0 0 0 0 0 0 0 0 0 0 0 0
39203 - 0 0 0 0 0 0 0 0 0 0 0 0
39204 - 0 0 0 0 0 0 0 0 0 10 10 10
39205 - 30 30 30 74 74 74 50 50 50 2 2 6
39206 - 26 26 26 26 26 26 2 2 6 106 106 106
39207 -238 238 238 253 253 253 253 253 253 253 253 253
39208 -253 253 253 253 253 253 253 253 253 253 253 253
39209 -253 253 253 253 253 253 253 253 253 253 253 253
39210 -253 253 253 253 253 253 253 253 253 253 253 253
39211 -253 253 253 253 253 253 253 253 253 253 253 253
39212 -253 253 253 246 246 246 218 218 218 202 202 202
39213 -210 210 210 14 14 14 2 2 6 2 2 6
39214 - 30 30 30 22 22 22 2 2 6 2 2 6
39215 - 2 2 6 2 2 6 18 18 18 86 86 86
39216 - 42 42 42 14 14 14 0 0 0 0 0 0
39217 - 0 0 0 0 0 0 0 0 0 0 0 0
39218 - 0 0 0 0 0 0 0 0 0 0 0 0
39219 - 0 0 0 0 0 0 0 0 0 0 0 0
39220 - 0 0 0 0 0 0 0 0 0 0 0 0
39221 - 0 0 0 0 0 0 0 0 0 0 0 0
39222 - 0 0 0 0 0 0 0 0 0 0 0 0
39223 - 0 0 0 0 0 0 0 0 0 0 0 0
39224 - 0 0 0 0 0 0 0 0 0 14 14 14
39225 - 42 42 42 90 90 90 22 22 22 2 2 6
39226 - 42 42 42 2 2 6 18 18 18 218 218 218
39227 -253 253 253 253 253 253 253 253 253 253 253 253
39228 -253 253 253 253 253 253 253 253 253 253 253 253
39229 -253 253 253 253 253 253 253 253 253 253 253 253
39230 -253 253 253 253 253 253 253 253 253 253 253 253
39231 -253 253 253 253 253 253 253 253 253 253 253 253
39232 -253 253 253 253 253 253 250 250 250 221 221 221
39233 -218 218 218 101 101 101 2 2 6 14 14 14
39234 - 18 18 18 38 38 38 10 10 10 2 2 6
39235 - 2 2 6 2 2 6 2 2 6 78 78 78
39236 - 58 58 58 22 22 22 6 6 6 0 0 0
39237 - 0 0 0 0 0 0 0 0 0 0 0 0
39238 - 0 0 0 0 0 0 0 0 0 0 0 0
39239 - 0 0 0 0 0 0 0 0 0 0 0 0
39240 - 0 0 0 0 0 0 0 0 0 0 0 0
39241 - 0 0 0 0 0 0 0 0 0 0 0 0
39242 - 0 0 0 0 0 0 0 0 0 0 0 0
39243 - 0 0 0 0 0 0 0 0 0 0 0 0
39244 - 0 0 0 0 0 0 6 6 6 18 18 18
39245 - 54 54 54 82 82 82 2 2 6 26 26 26
39246 - 22 22 22 2 2 6 123 123 123 253 253 253
39247 -253 253 253 253 253 253 253 253 253 253 253 253
39248 -253 253 253 253 253 253 253 253 253 253 253 253
39249 -253 253 253 253 253 253 253 253 253 253 253 253
39250 -253 253 253 253 253 253 253 253 253 253 253 253
39251 -253 253 253 253 253 253 253 253 253 253 253 253
39252 -253 253 253 253 253 253 253 253 253 250 250 250
39253 -238 238 238 198 198 198 6 6 6 38 38 38
39254 - 58 58 58 26 26 26 38 38 38 2 2 6
39255 - 2 2 6 2 2 6 2 2 6 46 46 46
39256 - 78 78 78 30 30 30 10 10 10 0 0 0
39257 - 0 0 0 0 0 0 0 0 0 0 0 0
39258 - 0 0 0 0 0 0 0 0 0 0 0 0
39259 - 0 0 0 0 0 0 0 0 0 0 0 0
39260 - 0 0 0 0 0 0 0 0 0 0 0 0
39261 - 0 0 0 0 0 0 0 0 0 0 0 0
39262 - 0 0 0 0 0 0 0 0 0 0 0 0
39263 - 0 0 0 0 0 0 0 0 0 0 0 0
39264 - 0 0 0 0 0 0 10 10 10 30 30 30
39265 - 74 74 74 58 58 58 2 2 6 42 42 42
39266 - 2 2 6 22 22 22 231 231 231 253 253 253
39267 -253 253 253 253 253 253 253 253 253 253 253 253
39268 -253 253 253 253 253 253 253 253 253 250 250 250
39269 -253 253 253 253 253 253 253 253 253 253 253 253
39270 -253 253 253 253 253 253 253 253 253 253 253 253
39271 -253 253 253 253 253 253 253 253 253 253 253 253
39272 -253 253 253 253 253 253 253 253 253 253 253 253
39273 -253 253 253 246 246 246 46 46 46 38 38 38
39274 - 42 42 42 14 14 14 38 38 38 14 14 14
39275 - 2 2 6 2 2 6 2 2 6 6 6 6
39276 - 86 86 86 46 46 46 14 14 14 0 0 0
39277 - 0 0 0 0 0 0 0 0 0 0 0 0
39278 - 0 0 0 0 0 0 0 0 0 0 0 0
39279 - 0 0 0 0 0 0 0 0 0 0 0 0
39280 - 0 0 0 0 0 0 0 0 0 0 0 0
39281 - 0 0 0 0 0 0 0 0 0 0 0 0
39282 - 0 0 0 0 0 0 0 0 0 0 0 0
39283 - 0 0 0 0 0 0 0 0 0 0 0 0
39284 - 0 0 0 6 6 6 14 14 14 42 42 42
39285 - 90 90 90 18 18 18 18 18 18 26 26 26
39286 - 2 2 6 116 116 116 253 253 253 253 253 253
39287 -253 253 253 253 253 253 253 253 253 253 253 253
39288 -253 253 253 253 253 253 250 250 250 238 238 238
39289 -253 253 253 253 253 253 253 253 253 253 253 253
39290 -253 253 253 253 253 253 253 253 253 253 253 253
39291 -253 253 253 253 253 253 253 253 253 253 253 253
39292 -253 253 253 253 253 253 253 253 253 253 253 253
39293 -253 253 253 253 253 253 94 94 94 6 6 6
39294 - 2 2 6 2 2 6 10 10 10 34 34 34
39295 - 2 2 6 2 2 6 2 2 6 2 2 6
39296 - 74 74 74 58 58 58 22 22 22 6 6 6
39297 - 0 0 0 0 0 0 0 0 0 0 0 0
39298 - 0 0 0 0 0 0 0 0 0 0 0 0
39299 - 0 0 0 0 0 0 0 0 0 0 0 0
39300 - 0 0 0 0 0 0 0 0 0 0 0 0
39301 - 0 0 0 0 0 0 0 0 0 0 0 0
39302 - 0 0 0 0 0 0 0 0 0 0 0 0
39303 - 0 0 0 0 0 0 0 0 0 0 0 0
39304 - 0 0 0 10 10 10 26 26 26 66 66 66
39305 - 82 82 82 2 2 6 38 38 38 6 6 6
39306 - 14 14 14 210 210 210 253 253 253 253 253 253
39307 -253 253 253 253 253 253 253 253 253 253 253 253
39308 -253 253 253 253 253 253 246 246 246 242 242 242
39309 -253 253 253 253 253 253 253 253 253 253 253 253
39310 -253 253 253 253 253 253 253 253 253 253 253 253
39311 -253 253 253 253 253 253 253 253 253 253 253 253
39312 -253 253 253 253 253 253 253 253 253 253 253 253
39313 -253 253 253 253 253 253 144 144 144 2 2 6
39314 - 2 2 6 2 2 6 2 2 6 46 46 46
39315 - 2 2 6 2 2 6 2 2 6 2 2 6
39316 - 42 42 42 74 74 74 30 30 30 10 10 10
39317 - 0 0 0 0 0 0 0 0 0 0 0 0
39318 - 0 0 0 0 0 0 0 0 0 0 0 0
39319 - 0 0 0 0 0 0 0 0 0 0 0 0
39320 - 0 0 0 0 0 0 0 0 0 0 0 0
39321 - 0 0 0 0 0 0 0 0 0 0 0 0
39322 - 0 0 0 0 0 0 0 0 0 0 0 0
39323 - 0 0 0 0 0 0 0 0 0 0 0 0
39324 - 6 6 6 14 14 14 42 42 42 90 90 90
39325 - 26 26 26 6 6 6 42 42 42 2 2 6
39326 - 74 74 74 250 250 250 253 253 253 253 253 253
39327 -253 253 253 253 253 253 253 253 253 253 253 253
39328 -253 253 253 253 253 253 242 242 242 242 242 242
39329 -253 253 253 253 253 253 253 253 253 253 253 253
39330 -253 253 253 253 253 253 253 253 253 253 253 253
39331 -253 253 253 253 253 253 253 253 253 253 253 253
39332 -253 253 253 253 253 253 253 253 253 253 253 253
39333 -253 253 253 253 253 253 182 182 182 2 2 6
39334 - 2 2 6 2 2 6 2 2 6 46 46 46
39335 - 2 2 6 2 2 6 2 2 6 2 2 6
39336 - 10 10 10 86 86 86 38 38 38 10 10 10
39337 - 0 0 0 0 0 0 0 0 0 0 0 0
39338 - 0 0 0 0 0 0 0 0 0 0 0 0
39339 - 0 0 0 0 0 0 0 0 0 0 0 0
39340 - 0 0 0 0 0 0 0 0 0 0 0 0
39341 - 0 0 0 0 0 0 0 0 0 0 0 0
39342 - 0 0 0 0 0 0 0 0 0 0 0 0
39343 - 0 0 0 0 0 0 0 0 0 0 0 0
39344 - 10 10 10 26 26 26 66 66 66 82 82 82
39345 - 2 2 6 22 22 22 18 18 18 2 2 6
39346 -149 149 149 253 253 253 253 253 253 253 253 253
39347 -253 253 253 253 253 253 253 253 253 253 253 253
39348 -253 253 253 253 253 253 234 234 234 242 242 242
39349 -253 253 253 253 253 253 253 253 253 253 253 253
39350 -253 253 253 253 253 253 253 253 253 253 253 253
39351 -253 253 253 253 253 253 253 253 253 253 253 253
39352 -253 253 253 253 253 253 253 253 253 253 253 253
39353 -253 253 253 253 253 253 206 206 206 2 2 6
39354 - 2 2 6 2 2 6 2 2 6 38 38 38
39355 - 2 2 6 2 2 6 2 2 6 2 2 6
39356 - 6 6 6 86 86 86 46 46 46 14 14 14
39357 - 0 0 0 0 0 0 0 0 0 0 0 0
39358 - 0 0 0 0 0 0 0 0 0 0 0 0
39359 - 0 0 0 0 0 0 0 0 0 0 0 0
39360 - 0 0 0 0 0 0 0 0 0 0 0 0
39361 - 0 0 0 0 0 0 0 0 0 0 0 0
39362 - 0 0 0 0 0 0 0 0 0 0 0 0
39363 - 0 0 0 0 0 0 0 0 0 6 6 6
39364 - 18 18 18 46 46 46 86 86 86 18 18 18
39365 - 2 2 6 34 34 34 10 10 10 6 6 6
39366 -210 210 210 253 253 253 253 253 253 253 253 253
39367 -253 253 253 253 253 253 253 253 253 253 253 253
39368 -253 253 253 253 253 253 234 234 234 242 242 242
39369 -253 253 253 253 253 253 253 253 253 253 253 253
39370 -253 253 253 253 253 253 253 253 253 253 253 253
39371 -253 253 253 253 253 253 253 253 253 253 253 253
39372 -253 253 253 253 253 253 253 253 253 253 253 253
39373 -253 253 253 253 253 253 221 221 221 6 6 6
39374 - 2 2 6 2 2 6 6 6 6 30 30 30
39375 - 2 2 6 2 2 6 2 2 6 2 2 6
39376 - 2 2 6 82 82 82 54 54 54 18 18 18
39377 - 6 6 6 0 0 0 0 0 0 0 0 0
39378 - 0 0 0 0 0 0 0 0 0 0 0 0
39379 - 0 0 0 0 0 0 0 0 0 0 0 0
39380 - 0 0 0 0 0 0 0 0 0 0 0 0
39381 - 0 0 0 0 0 0 0 0 0 0 0 0
39382 - 0 0 0 0 0 0 0 0 0 0 0 0
39383 - 0 0 0 0 0 0 0 0 0 10 10 10
39384 - 26 26 26 66 66 66 62 62 62 2 2 6
39385 - 2 2 6 38 38 38 10 10 10 26 26 26
39386 -238 238 238 253 253 253 253 253 253 253 253 253
39387 -253 253 253 253 253 253 253 253 253 253 253 253
39388 -253 253 253 253 253 253 231 231 231 238 238 238
39389 -253 253 253 253 253 253 253 253 253 253 253 253
39390 -253 253 253 253 253 253 253 253 253 253 253 253
39391 -253 253 253 253 253 253 253 253 253 253 253 253
39392 -253 253 253 253 253 253 253 253 253 253 253 253
39393 -253 253 253 253 253 253 231 231 231 6 6 6
39394 - 2 2 6 2 2 6 10 10 10 30 30 30
39395 - 2 2 6 2 2 6 2 2 6 2 2 6
39396 - 2 2 6 66 66 66 58 58 58 22 22 22
39397 - 6 6 6 0 0 0 0 0 0 0 0 0
39398 - 0 0 0 0 0 0 0 0 0 0 0 0
39399 - 0 0 0 0 0 0 0 0 0 0 0 0
39400 - 0 0 0 0 0 0 0 0 0 0 0 0
39401 - 0 0 0 0 0 0 0 0 0 0 0 0
39402 - 0 0 0 0 0 0 0 0 0 0 0 0
39403 - 0 0 0 0 0 0 0 0 0 10 10 10
39404 - 38 38 38 78 78 78 6 6 6 2 2 6
39405 - 2 2 6 46 46 46 14 14 14 42 42 42
39406 -246 246 246 253 253 253 253 253 253 253 253 253
39407 -253 253 253 253 253 253 253 253 253 253 253 253
39408 -253 253 253 253 253 253 231 231 231 242 242 242
39409 -253 253 253 253 253 253 253 253 253 253 253 253
39410 -253 253 253 253 253 253 253 253 253 253 253 253
39411 -253 253 253 253 253 253 253 253 253 253 253 253
39412 -253 253 253 253 253 253 253 253 253 253 253 253
39413 -253 253 253 253 253 253 234 234 234 10 10 10
39414 - 2 2 6 2 2 6 22 22 22 14 14 14
39415 - 2 2 6 2 2 6 2 2 6 2 2 6
39416 - 2 2 6 66 66 66 62 62 62 22 22 22
39417 - 6 6 6 0 0 0 0 0 0 0 0 0
39418 - 0 0 0 0 0 0 0 0 0 0 0 0
39419 - 0 0 0 0 0 0 0 0 0 0 0 0
39420 - 0 0 0 0 0 0 0 0 0 0 0 0
39421 - 0 0 0 0 0 0 0 0 0 0 0 0
39422 - 0 0 0 0 0 0 0 0 0 0 0 0
39423 - 0 0 0 0 0 0 6 6 6 18 18 18
39424 - 50 50 50 74 74 74 2 2 6 2 2 6
39425 - 14 14 14 70 70 70 34 34 34 62 62 62
39426 -250 250 250 253 253 253 253 253 253 253 253 253
39427 -253 253 253 253 253 253 253 253 253 253 253 253
39428 -253 253 253 253 253 253 231 231 231 246 246 246
39429 -253 253 253 253 253 253 253 253 253 253 253 253
39430 -253 253 253 253 253 253 253 253 253 253 253 253
39431 -253 253 253 253 253 253 253 253 253 253 253 253
39432 -253 253 253 253 253 253 253 253 253 253 253 253
39433 -253 253 253 253 253 253 234 234 234 14 14 14
39434 - 2 2 6 2 2 6 30 30 30 2 2 6
39435 - 2 2 6 2 2 6 2 2 6 2 2 6
39436 - 2 2 6 66 66 66 62 62 62 22 22 22
39437 - 6 6 6 0 0 0 0 0 0 0 0 0
39438 - 0 0 0 0 0 0 0 0 0 0 0 0
39439 - 0 0 0 0 0 0 0 0 0 0 0 0
39440 - 0 0 0 0 0 0 0 0 0 0 0 0
39441 - 0 0 0 0 0 0 0 0 0 0 0 0
39442 - 0 0 0 0 0 0 0 0 0 0 0 0
39443 - 0 0 0 0 0 0 6 6 6 18 18 18
39444 - 54 54 54 62 62 62 2 2 6 2 2 6
39445 - 2 2 6 30 30 30 46 46 46 70 70 70
39446 -250 250 250 253 253 253 253 253 253 253 253 253
39447 -253 253 253 253 253 253 253 253 253 253 253 253
39448 -253 253 253 253 253 253 231 231 231 246 246 246
39449 -253 253 253 253 253 253 253 253 253 253 253 253
39450 -253 253 253 253 253 253 253 253 253 253 253 253
39451 -253 253 253 253 253 253 253 253 253 253 253 253
39452 -253 253 253 253 253 253 253 253 253 253 253 253
39453 -253 253 253 253 253 253 226 226 226 10 10 10
39454 - 2 2 6 6 6 6 30 30 30 2 2 6
39455 - 2 2 6 2 2 6 2 2 6 2 2 6
39456 - 2 2 6 66 66 66 58 58 58 22 22 22
39457 - 6 6 6 0 0 0 0 0 0 0 0 0
39458 - 0 0 0 0 0 0 0 0 0 0 0 0
39459 - 0 0 0 0 0 0 0 0 0 0 0 0
39460 - 0 0 0 0 0 0 0 0 0 0 0 0
39461 - 0 0 0 0 0 0 0 0 0 0 0 0
39462 - 0 0 0 0 0 0 0 0 0 0 0 0
39463 - 0 0 0 0 0 0 6 6 6 22 22 22
39464 - 58 58 58 62 62 62 2 2 6 2 2 6
39465 - 2 2 6 2 2 6 30 30 30 78 78 78
39466 -250 250 250 253 253 253 253 253 253 253 253 253
39467 -253 253 253 253 253 253 253 253 253 253 253 253
39468 -253 253 253 253 253 253 231 231 231 246 246 246
39469 -253 253 253 253 253 253 253 253 253 253 253 253
39470 -253 253 253 253 253 253 253 253 253 253 253 253
39471 -253 253 253 253 253 253 253 253 253 253 253 253
39472 -253 253 253 253 253 253 253 253 253 253 253 253
39473 -253 253 253 253 253 253 206 206 206 2 2 6
39474 - 22 22 22 34 34 34 18 14 6 22 22 22
39475 - 26 26 26 18 18 18 6 6 6 2 2 6
39476 - 2 2 6 82 82 82 54 54 54 18 18 18
39477 - 6 6 6 0 0 0 0 0 0 0 0 0
39478 - 0 0 0 0 0 0 0 0 0 0 0 0
39479 - 0 0 0 0 0 0 0 0 0 0 0 0
39480 - 0 0 0 0 0 0 0 0 0 0 0 0
39481 - 0 0 0 0 0 0 0 0 0 0 0 0
39482 - 0 0 0 0 0 0 0 0 0 0 0 0
39483 - 0 0 0 0 0 0 6 6 6 26 26 26
39484 - 62 62 62 106 106 106 74 54 14 185 133 11
39485 -210 162 10 121 92 8 6 6 6 62 62 62
39486 -238 238 238 253 253 253 253 253 253 253 253 253
39487 -253 253 253 253 253 253 253 253 253 253 253 253
39488 -253 253 253 253 253 253 231 231 231 246 246 246
39489 -253 253 253 253 253 253 253 253 253 253 253 253
39490 -253 253 253 253 253 253 253 253 253 253 253 253
39491 -253 253 253 253 253 253 253 253 253 253 253 253
39492 -253 253 253 253 253 253 253 253 253 253 253 253
39493 -253 253 253 253 253 253 158 158 158 18 18 18
39494 - 14 14 14 2 2 6 2 2 6 2 2 6
39495 - 6 6 6 18 18 18 66 66 66 38 38 38
39496 - 6 6 6 94 94 94 50 50 50 18 18 18
39497 - 6 6 6 0 0 0 0 0 0 0 0 0
39498 - 0 0 0 0 0 0 0 0 0 0 0 0
39499 - 0 0 0 0 0 0 0 0 0 0 0 0
39500 - 0 0 0 0 0 0 0 0 0 0 0 0
39501 - 0 0 0 0 0 0 0 0 0 0 0 0
39502 - 0 0 0 0 0 0 0 0 0 6 6 6
39503 - 10 10 10 10 10 10 18 18 18 38 38 38
39504 - 78 78 78 142 134 106 216 158 10 242 186 14
39505 -246 190 14 246 190 14 156 118 10 10 10 10
39506 - 90 90 90 238 238 238 253 253 253 253 253 253
39507 -253 253 253 253 253 253 253 253 253 253 253 253
39508 -253 253 253 253 253 253 231 231 231 250 250 250
39509 -253 253 253 253 253 253 253 253 253 253 253 253
39510 -253 253 253 253 253 253 253 253 253 253 253 253
39511 -253 253 253 253 253 253 253 253 253 253 253 253
39512 -253 253 253 253 253 253 253 253 253 246 230 190
39513 -238 204 91 238 204 91 181 142 44 37 26 9
39514 - 2 2 6 2 2 6 2 2 6 2 2 6
39515 - 2 2 6 2 2 6 38 38 38 46 46 46
39516 - 26 26 26 106 106 106 54 54 54 18 18 18
39517 - 6 6 6 0 0 0 0 0 0 0 0 0
39518 - 0 0 0 0 0 0 0 0 0 0 0 0
39519 - 0 0 0 0 0 0 0 0 0 0 0 0
39520 - 0 0 0 0 0 0 0 0 0 0 0 0
39521 - 0 0 0 0 0 0 0 0 0 0 0 0
39522 - 0 0 0 6 6 6 14 14 14 22 22 22
39523 - 30 30 30 38 38 38 50 50 50 70 70 70
39524 -106 106 106 190 142 34 226 170 11 242 186 14
39525 -246 190 14 246 190 14 246 190 14 154 114 10
39526 - 6 6 6 74 74 74 226 226 226 253 253 253
39527 -253 253 253 253 253 253 253 253 253 253 253 253
39528 -253 253 253 253 253 253 231 231 231 250 250 250
39529 -253 253 253 253 253 253 253 253 253 253 253 253
39530 -253 253 253 253 253 253 253 253 253 253 253 253
39531 -253 253 253 253 253 253 253 253 253 253 253 253
39532 -253 253 253 253 253 253 253 253 253 228 184 62
39533 -241 196 14 241 208 19 232 195 16 38 30 10
39534 - 2 2 6 2 2 6 2 2 6 2 2 6
39535 - 2 2 6 6 6 6 30 30 30 26 26 26
39536 -203 166 17 154 142 90 66 66 66 26 26 26
39537 - 6 6 6 0 0 0 0 0 0 0 0 0
39538 - 0 0 0 0 0 0 0 0 0 0 0 0
39539 - 0 0 0 0 0 0 0 0 0 0 0 0
39540 - 0 0 0 0 0 0 0 0 0 0 0 0
39541 - 0 0 0 0 0 0 0 0 0 0 0 0
39542 - 6 6 6 18 18 18 38 38 38 58 58 58
39543 - 78 78 78 86 86 86 101 101 101 123 123 123
39544 -175 146 61 210 150 10 234 174 13 246 186 14
39545 -246 190 14 246 190 14 246 190 14 238 190 10
39546 -102 78 10 2 2 6 46 46 46 198 198 198
39547 -253 253 253 253 253 253 253 253 253 253 253 253
39548 -253 253 253 253 253 253 234 234 234 242 242 242
39549 -253 253 253 253 253 253 253 253 253 253 253 253
39550 -253 253 253 253 253 253 253 253 253 253 253 253
39551 -253 253 253 253 253 253 253 253 253 253 253 253
39552 -253 253 253 253 253 253 253 253 253 224 178 62
39553 -242 186 14 241 196 14 210 166 10 22 18 6
39554 - 2 2 6 2 2 6 2 2 6 2 2 6
39555 - 2 2 6 2 2 6 6 6 6 121 92 8
39556 -238 202 15 232 195 16 82 82 82 34 34 34
39557 - 10 10 10 0 0 0 0 0 0 0 0 0
39558 - 0 0 0 0 0 0 0 0 0 0 0 0
39559 - 0 0 0 0 0 0 0 0 0 0 0 0
39560 - 0 0 0 0 0 0 0 0 0 0 0 0
39561 - 0 0 0 0 0 0 0 0 0 0 0 0
39562 - 14 14 14 38 38 38 70 70 70 154 122 46
39563 -190 142 34 200 144 11 197 138 11 197 138 11
39564 -213 154 11 226 170 11 242 186 14 246 190 14
39565 -246 190 14 246 190 14 246 190 14 246 190 14
39566 -225 175 15 46 32 6 2 2 6 22 22 22
39567 -158 158 158 250 250 250 253 253 253 253 253 253
39568 -253 253 253 253 253 253 253 253 253 253 253 253
39569 -253 253 253 253 253 253 253 253 253 253 253 253
39570 -253 253 253 253 253 253 253 253 253 253 253 253
39571 -253 253 253 253 253 253 253 253 253 253 253 253
39572 -253 253 253 250 250 250 242 242 242 224 178 62
39573 -239 182 13 236 186 11 213 154 11 46 32 6
39574 - 2 2 6 2 2 6 2 2 6 2 2 6
39575 - 2 2 6 2 2 6 61 42 6 225 175 15
39576 -238 190 10 236 186 11 112 100 78 42 42 42
39577 - 14 14 14 0 0 0 0 0 0 0 0 0
39578 - 0 0 0 0 0 0 0 0 0 0 0 0
39579 - 0 0 0 0 0 0 0 0 0 0 0 0
39580 - 0 0 0 0 0 0 0 0 0 0 0 0
39581 - 0 0 0 0 0 0 0 0 0 6 6 6
39582 - 22 22 22 54 54 54 154 122 46 213 154 11
39583 -226 170 11 230 174 11 226 170 11 226 170 11
39584 -236 178 12 242 186 14 246 190 14 246 190 14
39585 -246 190 14 246 190 14 246 190 14 246 190 14
39586 -241 196 14 184 144 12 10 10 10 2 2 6
39587 - 6 6 6 116 116 116 242 242 242 253 253 253
39588 -253 253 253 253 253 253 253 253 253 253 253 253
39589 -253 253 253 253 253 253 253 253 253 253 253 253
39590 -253 253 253 253 253 253 253 253 253 253 253 253
39591 -253 253 253 253 253 253 253 253 253 253 253 253
39592 -253 253 253 231 231 231 198 198 198 214 170 54
39593 -236 178 12 236 178 12 210 150 10 137 92 6
39594 - 18 14 6 2 2 6 2 2 6 2 2 6
39595 - 6 6 6 70 47 6 200 144 11 236 178 12
39596 -239 182 13 239 182 13 124 112 88 58 58 58
39597 - 22 22 22 6 6 6 0 0 0 0 0 0
39598 - 0 0 0 0 0 0 0 0 0 0 0 0
39599 - 0 0 0 0 0 0 0 0 0 0 0 0
39600 - 0 0 0 0 0 0 0 0 0 0 0 0
39601 - 0 0 0 0 0 0 0 0 0 10 10 10
39602 - 30 30 30 70 70 70 180 133 36 226 170 11
39603 -239 182 13 242 186 14 242 186 14 246 186 14
39604 -246 190 14 246 190 14 246 190 14 246 190 14
39605 -246 190 14 246 190 14 246 190 14 246 190 14
39606 -246 190 14 232 195 16 98 70 6 2 2 6
39607 - 2 2 6 2 2 6 66 66 66 221 221 221
39608 -253 253 253 253 253 253 253 253 253 253 253 253
39609 -253 253 253 253 253 253 253 253 253 253 253 253
39610 -253 253 253 253 253 253 253 253 253 253 253 253
39611 -253 253 253 253 253 253 253 253 253 253 253 253
39612 -253 253 253 206 206 206 198 198 198 214 166 58
39613 -230 174 11 230 174 11 216 158 10 192 133 9
39614 -163 110 8 116 81 8 102 78 10 116 81 8
39615 -167 114 7 197 138 11 226 170 11 239 182 13
39616 -242 186 14 242 186 14 162 146 94 78 78 78
39617 - 34 34 34 14 14 14 6 6 6 0 0 0
39618 - 0 0 0 0 0 0 0 0 0 0 0 0
39619 - 0 0 0 0 0 0 0 0 0 0 0 0
39620 - 0 0 0 0 0 0 0 0 0 0 0 0
39621 - 0 0 0 0 0 0 0 0 0 6 6 6
39622 - 30 30 30 78 78 78 190 142 34 226 170 11
39623 -239 182 13 246 190 14 246 190 14 246 190 14
39624 -246 190 14 246 190 14 246 190 14 246 190 14
39625 -246 190 14 246 190 14 246 190 14 246 190 14
39626 -246 190 14 241 196 14 203 166 17 22 18 6
39627 - 2 2 6 2 2 6 2 2 6 38 38 38
39628 -218 218 218 253 253 253 253 253 253 253 253 253
39629 -253 253 253 253 253 253 253 253 253 253 253 253
39630 -253 253 253 253 253 253 253 253 253 253 253 253
39631 -253 253 253 253 253 253 253 253 253 253 253 253
39632 -250 250 250 206 206 206 198 198 198 202 162 69
39633 -226 170 11 236 178 12 224 166 10 210 150 10
39634 -200 144 11 197 138 11 192 133 9 197 138 11
39635 -210 150 10 226 170 11 242 186 14 246 190 14
39636 -246 190 14 246 186 14 225 175 15 124 112 88
39637 - 62 62 62 30 30 30 14 14 14 6 6 6
39638 - 0 0 0 0 0 0 0 0 0 0 0 0
39639 - 0 0 0 0 0 0 0 0 0 0 0 0
39640 - 0 0 0 0 0 0 0 0 0 0 0 0
39641 - 0 0 0 0 0 0 0 0 0 10 10 10
39642 - 30 30 30 78 78 78 174 135 50 224 166 10
39643 -239 182 13 246 190 14 246 190 14 246 190 14
39644 -246 190 14 246 190 14 246 190 14 246 190 14
39645 -246 190 14 246 190 14 246 190 14 246 190 14
39646 -246 190 14 246 190 14 241 196 14 139 102 15
39647 - 2 2 6 2 2 6 2 2 6 2 2 6
39648 - 78 78 78 250 250 250 253 253 253 253 253 253
39649 -253 253 253 253 253 253 253 253 253 253 253 253
39650 -253 253 253 253 253 253 253 253 253 253 253 253
39651 -253 253 253 253 253 253 253 253 253 253 253 253
39652 -250 250 250 214 214 214 198 198 198 190 150 46
39653 -219 162 10 236 178 12 234 174 13 224 166 10
39654 -216 158 10 213 154 11 213 154 11 216 158 10
39655 -226 170 11 239 182 13 246 190 14 246 190 14
39656 -246 190 14 246 190 14 242 186 14 206 162 42
39657 -101 101 101 58 58 58 30 30 30 14 14 14
39658 - 6 6 6 0 0 0 0 0 0 0 0 0
39659 - 0 0 0 0 0 0 0 0 0 0 0 0
39660 - 0 0 0 0 0 0 0 0 0 0 0 0
39661 - 0 0 0 0 0 0 0 0 0 10 10 10
39662 - 30 30 30 74 74 74 174 135 50 216 158 10
39663 -236 178 12 246 190 14 246 190 14 246 190 14
39664 -246 190 14 246 190 14 246 190 14 246 190 14
39665 -246 190 14 246 190 14 246 190 14 246 190 14
39666 -246 190 14 246 190 14 241 196 14 226 184 13
39667 - 61 42 6 2 2 6 2 2 6 2 2 6
39668 - 22 22 22 238 238 238 253 253 253 253 253 253
39669 -253 253 253 253 253 253 253 253 253 253 253 253
39670 -253 253 253 253 253 253 253 253 253 253 253 253
39671 -253 253 253 253 253 253 253 253 253 253 253 253
39672 -253 253 253 226 226 226 187 187 187 180 133 36
39673 -216 158 10 236 178 12 239 182 13 236 178 12
39674 -230 174 11 226 170 11 226 170 11 230 174 11
39675 -236 178 12 242 186 14 246 190 14 246 190 14
39676 -246 190 14 246 190 14 246 186 14 239 182 13
39677 -206 162 42 106 106 106 66 66 66 34 34 34
39678 - 14 14 14 6 6 6 0 0 0 0 0 0
39679 - 0 0 0 0 0 0 0 0 0 0 0 0
39680 - 0 0 0 0 0 0 0 0 0 0 0 0
39681 - 0 0 0 0 0 0 0 0 0 6 6 6
39682 - 26 26 26 70 70 70 163 133 67 213 154 11
39683 -236 178 12 246 190 14 246 190 14 246 190 14
39684 -246 190 14 246 190 14 246 190 14 246 190 14
39685 -246 190 14 246 190 14 246 190 14 246 190 14
39686 -246 190 14 246 190 14 246 190 14 241 196 14
39687 -190 146 13 18 14 6 2 2 6 2 2 6
39688 - 46 46 46 246 246 246 253 253 253 253 253 253
39689 -253 253 253 253 253 253 253 253 253 253 253 253
39690 -253 253 253 253 253 253 253 253 253 253 253 253
39691 -253 253 253 253 253 253 253 253 253 253 253 253
39692 -253 253 253 221 221 221 86 86 86 156 107 11
39693 -216 158 10 236 178 12 242 186 14 246 186 14
39694 -242 186 14 239 182 13 239 182 13 242 186 14
39695 -242 186 14 246 186 14 246 190 14 246 190 14
39696 -246 190 14 246 190 14 246 190 14 246 190 14
39697 -242 186 14 225 175 15 142 122 72 66 66 66
39698 - 30 30 30 10 10 10 0 0 0 0 0 0
39699 - 0 0 0 0 0 0 0 0 0 0 0 0
39700 - 0 0 0 0 0 0 0 0 0 0 0 0
39701 - 0 0 0 0 0 0 0 0 0 6 6 6
39702 - 26 26 26 70 70 70 163 133 67 210 150 10
39703 -236 178 12 246 190 14 246 190 14 246 190 14
39704 -246 190 14 246 190 14 246 190 14 246 190 14
39705 -246 190 14 246 190 14 246 190 14 246 190 14
39706 -246 190 14 246 190 14 246 190 14 246 190 14
39707 -232 195 16 121 92 8 34 34 34 106 106 106
39708 -221 221 221 253 253 253 253 253 253 253 253 253
39709 -253 253 253 253 253 253 253 253 253 253 253 253
39710 -253 253 253 253 253 253 253 253 253 253 253 253
39711 -253 253 253 253 253 253 253 253 253 253 253 253
39712 -242 242 242 82 82 82 18 14 6 163 110 8
39713 -216 158 10 236 178 12 242 186 14 246 190 14
39714 -246 190 14 246 190 14 246 190 14 246 190 14
39715 -246 190 14 246 190 14 246 190 14 246 190 14
39716 -246 190 14 246 190 14 246 190 14 246 190 14
39717 -246 190 14 246 190 14 242 186 14 163 133 67
39718 - 46 46 46 18 18 18 6 6 6 0 0 0
39719 - 0 0 0 0 0 0 0 0 0 0 0 0
39720 - 0 0 0 0 0 0 0 0 0 0 0 0
39721 - 0 0 0 0 0 0 0 0 0 10 10 10
39722 - 30 30 30 78 78 78 163 133 67 210 150 10
39723 -236 178 12 246 186 14 246 190 14 246 190 14
39724 -246 190 14 246 190 14 246 190 14 246 190 14
39725 -246 190 14 246 190 14 246 190 14 246 190 14
39726 -246 190 14 246 190 14 246 190 14 246 190 14
39727 -241 196 14 215 174 15 190 178 144 253 253 253
39728 -253 253 253 253 253 253 253 253 253 253 253 253
39729 -253 253 253 253 253 253 253 253 253 253 253 253
39730 -253 253 253 253 253 253 253 253 253 253 253 253
39731 -253 253 253 253 253 253 253 253 253 218 218 218
39732 - 58 58 58 2 2 6 22 18 6 167 114 7
39733 -216 158 10 236 178 12 246 186 14 246 190 14
39734 -246 190 14 246 190 14 246 190 14 246 190 14
39735 -246 190 14 246 190 14 246 190 14 246 190 14
39736 -246 190 14 246 190 14 246 190 14 246 190 14
39737 -246 190 14 246 186 14 242 186 14 190 150 46
39738 - 54 54 54 22 22 22 6 6 6 0 0 0
39739 - 0 0 0 0 0 0 0 0 0 0 0 0
39740 - 0 0 0 0 0 0 0 0 0 0 0 0
39741 - 0 0 0 0 0 0 0 0 0 14 14 14
39742 - 38 38 38 86 86 86 180 133 36 213 154 11
39743 -236 178 12 246 186 14 246 190 14 246 190 14
39744 -246 190 14 246 190 14 246 190 14 246 190 14
39745 -246 190 14 246 190 14 246 190 14 246 190 14
39746 -246 190 14 246 190 14 246 190 14 246 190 14
39747 -246 190 14 232 195 16 190 146 13 214 214 214
39748 -253 253 253 253 253 253 253 253 253 253 253 253
39749 -253 253 253 253 253 253 253 253 253 253 253 253
39750 -253 253 253 253 253 253 253 253 253 253 253 253
39751 -253 253 253 250 250 250 170 170 170 26 26 26
39752 - 2 2 6 2 2 6 37 26 9 163 110 8
39753 -219 162 10 239 182 13 246 186 14 246 190 14
39754 -246 190 14 246 190 14 246 190 14 246 190 14
39755 -246 190 14 246 190 14 246 190 14 246 190 14
39756 -246 190 14 246 190 14 246 190 14 246 190 14
39757 -246 186 14 236 178 12 224 166 10 142 122 72
39758 - 46 46 46 18 18 18 6 6 6 0 0 0
39759 - 0 0 0 0 0 0 0 0 0 0 0 0
39760 - 0 0 0 0 0 0 0 0 0 0 0 0
39761 - 0 0 0 0 0 0 6 6 6 18 18 18
39762 - 50 50 50 109 106 95 192 133 9 224 166 10
39763 -242 186 14 246 190 14 246 190 14 246 190 14
39764 -246 190 14 246 190 14 246 190 14 246 190 14
39765 -246 190 14 246 190 14 246 190 14 246 190 14
39766 -246 190 14 246 190 14 246 190 14 246 190 14
39767 -242 186 14 226 184 13 210 162 10 142 110 46
39768 -226 226 226 253 253 253 253 253 253 253 253 253
39769 -253 253 253 253 253 253 253 253 253 253 253 253
39770 -253 253 253 253 253 253 253 253 253 253 253 253
39771 -198 198 198 66 66 66 2 2 6 2 2 6
39772 - 2 2 6 2 2 6 50 34 6 156 107 11
39773 -219 162 10 239 182 13 246 186 14 246 190 14
39774 -246 190 14 246 190 14 246 190 14 246 190 14
39775 -246 190 14 246 190 14 246 190 14 246 190 14
39776 -246 190 14 246 190 14 246 190 14 242 186 14
39777 -234 174 13 213 154 11 154 122 46 66 66 66
39778 - 30 30 30 10 10 10 0 0 0 0 0 0
39779 - 0 0 0 0 0 0 0 0 0 0 0 0
39780 - 0 0 0 0 0 0 0 0 0 0 0 0
39781 - 0 0 0 0 0 0 6 6 6 22 22 22
39782 - 58 58 58 154 121 60 206 145 10 234 174 13
39783 -242 186 14 246 186 14 246 190 14 246 190 14
39784 -246 190 14 246 190 14 246 190 14 246 190 14
39785 -246 190 14 246 190 14 246 190 14 246 190 14
39786 -246 190 14 246 190 14 246 190 14 246 190 14
39787 -246 186 14 236 178 12 210 162 10 163 110 8
39788 - 61 42 6 138 138 138 218 218 218 250 250 250
39789 -253 253 253 253 253 253 253 253 253 250 250 250
39790 -242 242 242 210 210 210 144 144 144 66 66 66
39791 - 6 6 6 2 2 6 2 2 6 2 2 6
39792 - 2 2 6 2 2 6 61 42 6 163 110 8
39793 -216 158 10 236 178 12 246 190 14 246 190 14
39794 -246 190 14 246 190 14 246 190 14 246 190 14
39795 -246 190 14 246 190 14 246 190 14 246 190 14
39796 -246 190 14 239 182 13 230 174 11 216 158 10
39797 -190 142 34 124 112 88 70 70 70 38 38 38
39798 - 18 18 18 6 6 6 0 0 0 0 0 0
39799 - 0 0 0 0 0 0 0 0 0 0 0 0
39800 - 0 0 0 0 0 0 0 0 0 0 0 0
39801 - 0 0 0 0 0 0 6 6 6 22 22 22
39802 - 62 62 62 168 124 44 206 145 10 224 166 10
39803 -236 178 12 239 182 13 242 186 14 242 186 14
39804 -246 186 14 246 190 14 246 190 14 246 190 14
39805 -246 190 14 246 190 14 246 190 14 246 190 14
39806 -246 190 14 246 190 14 246 190 14 246 190 14
39807 -246 190 14 236 178 12 216 158 10 175 118 6
39808 - 80 54 7 2 2 6 6 6 6 30 30 30
39809 - 54 54 54 62 62 62 50 50 50 38 38 38
39810 - 14 14 14 2 2 6 2 2 6 2 2 6
39811 - 2 2 6 2 2 6 2 2 6 2 2 6
39812 - 2 2 6 6 6 6 80 54 7 167 114 7
39813 -213 154 11 236 178 12 246 190 14 246 190 14
39814 -246 190 14 246 190 14 246 190 14 246 190 14
39815 -246 190 14 242 186 14 239 182 13 239 182 13
39816 -230 174 11 210 150 10 174 135 50 124 112 88
39817 - 82 82 82 54 54 54 34 34 34 18 18 18
39818 - 6 6 6 0 0 0 0 0 0 0 0 0
39819 - 0 0 0 0 0 0 0 0 0 0 0 0
39820 - 0 0 0 0 0 0 0 0 0 0 0 0
39821 - 0 0 0 0 0 0 6 6 6 18 18 18
39822 - 50 50 50 158 118 36 192 133 9 200 144 11
39823 -216 158 10 219 162 10 224 166 10 226 170 11
39824 -230 174 11 236 178 12 239 182 13 239 182 13
39825 -242 186 14 246 186 14 246 190 14 246 190 14
39826 -246 190 14 246 190 14 246 190 14 246 190 14
39827 -246 186 14 230 174 11 210 150 10 163 110 8
39828 -104 69 6 10 10 10 2 2 6 2 2 6
39829 - 2 2 6 2 2 6 2 2 6 2 2 6
39830 - 2 2 6 2 2 6 2 2 6 2 2 6
39831 - 2 2 6 2 2 6 2 2 6 2 2 6
39832 - 2 2 6 6 6 6 91 60 6 167 114 7
39833 -206 145 10 230 174 11 242 186 14 246 190 14
39834 -246 190 14 246 190 14 246 186 14 242 186 14
39835 -239 182 13 230 174 11 224 166 10 213 154 11
39836 -180 133 36 124 112 88 86 86 86 58 58 58
39837 - 38 38 38 22 22 22 10 10 10 6 6 6
39838 - 0 0 0 0 0 0 0 0 0 0 0 0
39839 - 0 0 0 0 0 0 0 0 0 0 0 0
39840 - 0 0 0 0 0 0 0 0 0 0 0 0
39841 - 0 0 0 0 0 0 0 0 0 14 14 14
39842 - 34 34 34 70 70 70 138 110 50 158 118 36
39843 -167 114 7 180 123 7 192 133 9 197 138 11
39844 -200 144 11 206 145 10 213 154 11 219 162 10
39845 -224 166 10 230 174 11 239 182 13 242 186 14
39846 -246 186 14 246 186 14 246 186 14 246 186 14
39847 -239 182 13 216 158 10 185 133 11 152 99 6
39848 -104 69 6 18 14 6 2 2 6 2 2 6
39849 - 2 2 6 2 2 6 2 2 6 2 2 6
39850 - 2 2 6 2 2 6 2 2 6 2 2 6
39851 - 2 2 6 2 2 6 2 2 6 2 2 6
39852 - 2 2 6 6 6 6 80 54 7 152 99 6
39853 -192 133 9 219 162 10 236 178 12 239 182 13
39854 -246 186 14 242 186 14 239 182 13 236 178 12
39855 -224 166 10 206 145 10 192 133 9 154 121 60
39856 - 94 94 94 62 62 62 42 42 42 22 22 22
39857 - 14 14 14 6 6 6 0 0 0 0 0 0
39858 - 0 0 0 0 0 0 0 0 0 0 0 0
39859 - 0 0 0 0 0 0 0 0 0 0 0 0
39860 - 0 0 0 0 0 0 0 0 0 0 0 0
39861 - 0 0 0 0 0 0 0 0 0 6 6 6
39862 - 18 18 18 34 34 34 58 58 58 78 78 78
39863 -101 98 89 124 112 88 142 110 46 156 107 11
39864 -163 110 8 167 114 7 175 118 6 180 123 7
39865 -185 133 11 197 138 11 210 150 10 219 162 10
39866 -226 170 11 236 178 12 236 178 12 234 174 13
39867 -219 162 10 197 138 11 163 110 8 130 83 6
39868 - 91 60 6 10 10 10 2 2 6 2 2 6
39869 - 18 18 18 38 38 38 38 38 38 38 38 38
39870 - 38 38 38 38 38 38 38 38 38 38 38 38
39871 - 38 38 38 38 38 38 26 26 26 2 2 6
39872 - 2 2 6 6 6 6 70 47 6 137 92 6
39873 -175 118 6 200 144 11 219 162 10 230 174 11
39874 -234 174 13 230 174 11 219 162 10 210 150 10
39875 -192 133 9 163 110 8 124 112 88 82 82 82
39876 - 50 50 50 30 30 30 14 14 14 6 6 6
39877 - 0 0 0 0 0 0 0 0 0 0 0 0
39878 - 0 0 0 0 0 0 0 0 0 0 0 0
39879 - 0 0 0 0 0 0 0 0 0 0 0 0
39880 - 0 0 0 0 0 0 0 0 0 0 0 0
39881 - 0 0 0 0 0 0 0 0 0 0 0 0
39882 - 6 6 6 14 14 14 22 22 22 34 34 34
39883 - 42 42 42 58 58 58 74 74 74 86 86 86
39884 -101 98 89 122 102 70 130 98 46 121 87 25
39885 -137 92 6 152 99 6 163 110 8 180 123 7
39886 -185 133 11 197 138 11 206 145 10 200 144 11
39887 -180 123 7 156 107 11 130 83 6 104 69 6
39888 - 50 34 6 54 54 54 110 110 110 101 98 89
39889 - 86 86 86 82 82 82 78 78 78 78 78 78
39890 - 78 78 78 78 78 78 78 78 78 78 78 78
39891 - 78 78 78 82 82 82 86 86 86 94 94 94
39892 -106 106 106 101 101 101 86 66 34 124 80 6
39893 -156 107 11 180 123 7 192 133 9 200 144 11
39894 -206 145 10 200 144 11 192 133 9 175 118 6
39895 -139 102 15 109 106 95 70 70 70 42 42 42
39896 - 22 22 22 10 10 10 0 0 0 0 0 0
39897 - 0 0 0 0 0 0 0 0 0 0 0 0
39898 - 0 0 0 0 0 0 0 0 0 0 0 0
39899 - 0 0 0 0 0 0 0 0 0 0 0 0
39900 - 0 0 0 0 0 0 0 0 0 0 0 0
39901 - 0 0 0 0 0 0 0 0 0 0 0 0
39902 - 0 0 0 0 0 0 6 6 6 10 10 10
39903 - 14 14 14 22 22 22 30 30 30 38 38 38
39904 - 50 50 50 62 62 62 74 74 74 90 90 90
39905 -101 98 89 112 100 78 121 87 25 124 80 6
39906 -137 92 6 152 99 6 152 99 6 152 99 6
39907 -138 86 6 124 80 6 98 70 6 86 66 30
39908 -101 98 89 82 82 82 58 58 58 46 46 46
39909 - 38 38 38 34 34 34 34 34 34 34 34 34
39910 - 34 34 34 34 34 34 34 34 34 34 34 34
39911 - 34 34 34 34 34 34 38 38 38 42 42 42
39912 - 54 54 54 82 82 82 94 86 76 91 60 6
39913 -134 86 6 156 107 11 167 114 7 175 118 6
39914 -175 118 6 167 114 7 152 99 6 121 87 25
39915 -101 98 89 62 62 62 34 34 34 18 18 18
39916 - 6 6 6 0 0 0 0 0 0 0 0 0
39917 - 0 0 0 0 0 0 0 0 0 0 0 0
39918 - 0 0 0 0 0 0 0 0 0 0 0 0
39919 - 0 0 0 0 0 0 0 0 0 0 0 0
39920 - 0 0 0 0 0 0 0 0 0 0 0 0
39921 - 0 0 0 0 0 0 0 0 0 0 0 0
39922 - 0 0 0 0 0 0 0 0 0 0 0 0
39923 - 0 0 0 6 6 6 6 6 6 10 10 10
39924 - 18 18 18 22 22 22 30 30 30 42 42 42
39925 - 50 50 50 66 66 66 86 86 86 101 98 89
39926 -106 86 58 98 70 6 104 69 6 104 69 6
39927 -104 69 6 91 60 6 82 62 34 90 90 90
39928 - 62 62 62 38 38 38 22 22 22 14 14 14
39929 - 10 10 10 10 10 10 10 10 10 10 10 10
39930 - 10 10 10 10 10 10 6 6 6 10 10 10
39931 - 10 10 10 10 10 10 10 10 10 14 14 14
39932 - 22 22 22 42 42 42 70 70 70 89 81 66
39933 - 80 54 7 104 69 6 124 80 6 137 92 6
39934 -134 86 6 116 81 8 100 82 52 86 86 86
39935 - 58 58 58 30 30 30 14 14 14 6 6 6
39936 - 0 0 0 0 0 0 0 0 0 0 0 0
39937 - 0 0 0 0 0 0 0 0 0 0 0 0
39938 - 0 0 0 0 0 0 0 0 0 0 0 0
39939 - 0 0 0 0 0 0 0 0 0 0 0 0
39940 - 0 0 0 0 0 0 0 0 0 0 0 0
39941 - 0 0 0 0 0 0 0 0 0 0 0 0
39942 - 0 0 0 0 0 0 0 0 0 0 0 0
39943 - 0 0 0 0 0 0 0 0 0 0 0 0
39944 - 0 0 0 6 6 6 10 10 10 14 14 14
39945 - 18 18 18 26 26 26 38 38 38 54 54 54
39946 - 70 70 70 86 86 86 94 86 76 89 81 66
39947 - 89 81 66 86 86 86 74 74 74 50 50 50
39948 - 30 30 30 14 14 14 6 6 6 0 0 0
39949 - 0 0 0 0 0 0 0 0 0 0 0 0
39950 - 0 0 0 0 0 0 0 0 0 0 0 0
39951 - 0 0 0 0 0 0 0 0 0 0 0 0
39952 - 6 6 6 18 18 18 34 34 34 58 58 58
39953 - 82 82 82 89 81 66 89 81 66 89 81 66
39954 - 94 86 66 94 86 76 74 74 74 50 50 50
39955 - 26 26 26 14 14 14 6 6 6 0 0 0
39956 - 0 0 0 0 0 0 0 0 0 0 0 0
39957 - 0 0 0 0 0 0 0 0 0 0 0 0
39958 - 0 0 0 0 0 0 0 0 0 0 0 0
39959 - 0 0 0 0 0 0 0 0 0 0 0 0
39960 - 0 0 0 0 0 0 0 0 0 0 0 0
39961 - 0 0 0 0 0 0 0 0 0 0 0 0
39962 - 0 0 0 0 0 0 0 0 0 0 0 0
39963 - 0 0 0 0 0 0 0 0 0 0 0 0
39964 - 0 0 0 0 0 0 0 0 0 0 0 0
39965 - 6 6 6 6 6 6 14 14 14 18 18 18
39966 - 30 30 30 38 38 38 46 46 46 54 54 54
39967 - 50 50 50 42 42 42 30 30 30 18 18 18
39968 - 10 10 10 0 0 0 0 0 0 0 0 0
39969 - 0 0 0 0 0 0 0 0 0 0 0 0
39970 - 0 0 0 0 0 0 0 0 0 0 0 0
39971 - 0 0 0 0 0 0 0 0 0 0 0 0
39972 - 0 0 0 6 6 6 14 14 14 26 26 26
39973 - 38 38 38 50 50 50 58 58 58 58 58 58
39974 - 54 54 54 42 42 42 30 30 30 18 18 18
39975 - 10 10 10 0 0 0 0 0 0 0 0 0
39976 - 0 0 0 0 0 0 0 0 0 0 0 0
39977 - 0 0 0 0 0 0 0 0 0 0 0 0
39978 - 0 0 0 0 0 0 0 0 0 0 0 0
39979 - 0 0 0 0 0 0 0 0 0 0 0 0
39980 - 0 0 0 0 0 0 0 0 0 0 0 0
39981 - 0 0 0 0 0 0 0 0 0 0 0 0
39982 - 0 0 0 0 0 0 0 0 0 0 0 0
39983 - 0 0 0 0 0 0 0 0 0 0 0 0
39984 - 0 0 0 0 0 0 0 0 0 0 0 0
39985 - 0 0 0 0 0 0 0 0 0 6 6 6
39986 - 6 6 6 10 10 10 14 14 14 18 18 18
39987 - 18 18 18 14 14 14 10 10 10 6 6 6
39988 - 0 0 0 0 0 0 0 0 0 0 0 0
39989 - 0 0 0 0 0 0 0 0 0 0 0 0
39990 - 0 0 0 0 0 0 0 0 0 0 0 0
39991 - 0 0 0 0 0 0 0 0 0 0 0 0
39992 - 0 0 0 0 0 0 0 0 0 6 6 6
39993 - 14 14 14 18 18 18 22 22 22 22 22 22
39994 - 18 18 18 14 14 14 10 10 10 6 6 6
39995 - 0 0 0 0 0 0 0 0 0 0 0 0
39996 - 0 0 0 0 0 0 0 0 0 0 0 0
39997 - 0 0 0 0 0 0 0 0 0 0 0 0
39998 - 0 0 0 0 0 0 0 0 0 0 0 0
39999 - 0 0 0 0 0 0 0 0 0 0 0 0
40000 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40001 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40002 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40003 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40004 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40005 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40006 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40007 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40008 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40009 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40010 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40011 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40012 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40013 +4 4 4 4 4 4
40014 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40015 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40016 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40017 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40018 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40019 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40020 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40021 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40022 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40023 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40024 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40025 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40026 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40027 +4 4 4 4 4 4
40028 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40029 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40030 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40031 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40032 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40033 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40034 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40035 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40036 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40037 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40038 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40039 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40040 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40041 +4 4 4 4 4 4
40042 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40043 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40044 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40045 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40046 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40047 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40048 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40049 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40050 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40051 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40052 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40053 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40054 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40055 +4 4 4 4 4 4
40056 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40057 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40058 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40059 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40060 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40061 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40062 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40063 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40064 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40065 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40066 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40067 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40068 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40069 +4 4 4 4 4 4
40070 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40071 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40072 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40073 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40074 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40075 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40076 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40077 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40078 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40079 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40080 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40081 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40082 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40083 +4 4 4 4 4 4
40084 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40085 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40086 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40087 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40088 +4 4 4 4 4 4 4 4 4 3 3 3 0 0 0 0 0 0
40089 +0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 4 4 4
40090 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40091 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40092 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40093 +4 4 4 4 4 4 4 4 4 4 4 4 1 1 1 0 0 0
40094 +0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
40095 +4 4 4 4 4 4 4 4 4 2 1 0 2 1 0 3 2 2
40096 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40097 +4 4 4 4 4 4
40098 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40099 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40100 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40101 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40102 +4 4 4 4 4 4 2 2 2 0 0 0 3 4 3 26 28 28
40103 +37 38 37 37 38 37 14 17 19 2 2 2 0 0 0 2 2 2
40104 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40105 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40106 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40107 +4 4 4 4 4 4 3 3 3 0 0 0 1 1 1 6 6 6
40108 +2 2 2 0 0 0 3 3 3 4 4 4 4 4 4 4 4 4
40109 +4 4 5 3 3 3 1 0 0 0 0 0 1 0 0 0 0 0
40110 +1 1 1 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40111 +4 4 4 4 4 4
40112 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40113 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40114 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40115 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40116 +2 2 2 0 0 0 0 0 0 14 17 19 60 74 84 137 136 137
40117 +153 152 153 137 136 137 125 124 125 60 73 81 6 6 6 3 1 0
40118 +0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
40119 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40120 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40121 +4 4 4 4 4 4 0 0 0 4 4 4 41 54 63 125 124 125
40122 +60 73 81 6 6 6 4 0 0 3 3 3 4 4 4 4 4 4
40123 +4 4 4 0 0 0 6 9 11 41 54 63 41 65 82 22 30 35
40124 +2 2 2 2 1 0 4 4 4 4 4 4 4 4 4 4 4 4
40125 +4 4 4 4 4 4
40126 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40127 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40128 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40129 +4 4 4 4 4 4 5 5 5 5 5 5 2 2 2 0 0 0
40130 +4 0 0 6 6 6 41 54 63 137 136 137 174 174 174 167 166 167
40131 +165 164 165 165 164 165 163 162 163 163 162 163 125 124 125 41 54 63
40132 +1 1 1 0 0 0 0 0 0 3 3 3 5 5 5 4 4 4
40133 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40134 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
40135 +3 3 3 2 0 0 4 0 0 60 73 81 156 155 156 167 166 167
40136 +163 162 163 85 115 134 5 7 8 0 0 0 4 4 4 5 5 5
40137 +0 0 0 2 5 5 55 98 126 90 154 193 90 154 193 72 125 159
40138 +37 51 59 2 0 0 1 1 1 4 5 5 4 4 4 4 4 4
40139 +4 4 4 4 4 4
40140 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40141 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40142 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40143 +4 4 4 5 5 5 4 4 4 1 1 1 0 0 0 3 3 3
40144 +37 38 37 125 124 125 163 162 163 174 174 174 158 157 158 158 157 158
40145 +156 155 156 156 155 156 158 157 158 165 164 165 174 174 174 166 165 166
40146 +125 124 125 16 19 21 1 0 0 0 0 0 0 0 0 4 4 4
40147 +5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
40148 +4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 1 1 1
40149 +0 0 0 0 0 0 37 38 37 153 152 153 174 174 174 158 157 158
40150 +174 174 174 163 162 163 37 38 37 4 3 3 4 0 0 1 1 1
40151 +0 0 0 22 40 52 101 161 196 101 161 196 90 154 193 101 161 196
40152 +64 123 161 14 17 19 0 0 0 4 4 4 4 4 4 4 4 4
40153 +4 4 4 4 4 4
40154 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40155 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40156 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
40157 +5 5 5 2 2 2 0 0 0 4 0 0 24 26 27 85 115 134
40158 +156 155 156 174 174 174 167 166 167 156 155 156 154 153 154 157 156 157
40159 +156 155 156 156 155 156 155 154 155 153 152 153 158 157 158 167 166 167
40160 +174 174 174 156 155 156 60 74 84 16 19 21 0 0 0 0 0 0
40161 +1 1 1 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
40162 +4 4 4 5 5 5 6 6 6 3 3 3 0 0 0 4 0 0
40163 +13 16 17 60 73 81 137 136 137 165 164 165 156 155 156 153 152 153
40164 +174 174 174 177 184 187 60 73 81 3 1 0 0 0 0 1 1 2
40165 +22 30 35 64 123 161 136 185 209 90 154 193 90 154 193 90 154 193
40166 +90 154 193 21 29 34 0 0 0 3 2 2 4 4 5 4 4 4
40167 +4 4 4 4 4 4
40168 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40169 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40170 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 3 3 3
40171 +0 0 0 0 0 0 10 13 16 60 74 84 157 156 157 174 174 174
40172 +174 174 174 158 157 158 153 152 153 154 153 154 156 155 156 155 154 155
40173 +156 155 156 155 154 155 154 153 154 157 156 157 154 153 154 153 152 153
40174 +163 162 163 174 174 174 177 184 187 137 136 137 60 73 81 13 16 17
40175 +4 0 0 0 0 0 3 3 3 5 5 5 4 4 4 4 4 4
40176 +5 5 5 4 4 4 1 1 1 0 0 0 3 3 3 41 54 63
40177 +131 129 131 174 174 174 174 174 174 174 174 174 167 166 167 174 174 174
40178 +190 197 201 137 136 137 24 26 27 4 0 0 16 21 25 50 82 103
40179 +90 154 193 136 185 209 90 154 193 101 161 196 101 161 196 101 161 196
40180 +31 91 132 3 6 7 0 0 0 4 4 4 4 4 4 4 4 4
40181 +4 4 4 4 4 4
40182 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40183 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40184 +4 4 4 4 4 4 4 4 4 2 2 2 0 0 0 4 0 0
40185 +4 0 0 43 57 68 137 136 137 177 184 187 174 174 174 163 162 163
40186 +155 154 155 155 154 155 156 155 156 155 154 155 158 157 158 165 164 165
40187 +167 166 167 166 165 166 163 162 163 157 156 157 155 154 155 155 154 155
40188 +153 152 153 156 155 156 167 166 167 174 174 174 174 174 174 131 129 131
40189 +41 54 63 5 5 5 0 0 0 0 0 0 3 3 3 4 4 4
40190 +1 1 1 0 0 0 1 0 0 26 28 28 125 124 125 174 174 174
40191 +177 184 187 174 174 174 174 174 174 156 155 156 131 129 131 137 136 137
40192 +125 124 125 24 26 27 4 0 0 41 65 82 90 154 193 136 185 209
40193 +136 185 209 101 161 196 53 118 160 37 112 160 90 154 193 34 86 122
40194 +7 12 15 0 0 0 4 4 4 4 4 4 4 4 4 4 4 4
40195 +4 4 4 4 4 4
40196 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40197 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40198 +4 4 4 3 3 3 0 0 0 0 0 0 5 5 5 37 38 37
40199 +125 124 125 167 166 167 174 174 174 167 166 167 158 157 158 155 154 155
40200 +156 155 156 156 155 156 156 155 156 163 162 163 167 166 167 155 154 155
40201 +137 136 137 153 152 153 156 155 156 165 164 165 163 162 163 156 155 156
40202 +156 155 156 156 155 156 155 154 155 158 157 158 166 165 166 174 174 174
40203 +167 166 167 125 124 125 37 38 37 1 0 0 0 0 0 0 0 0
40204 +0 0 0 24 26 27 60 74 84 158 157 158 174 174 174 174 174 174
40205 +166 165 166 158 157 158 125 124 125 41 54 63 13 16 17 6 6 6
40206 +6 6 6 37 38 37 80 127 157 136 185 209 101 161 196 101 161 196
40207 +90 154 193 28 67 93 6 10 14 13 20 25 13 20 25 6 10 14
40208 +1 1 2 4 3 3 4 4 4 4 4 4 4 4 4 4 4 4
40209 +4 4 4 4 4 4
40210 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40211 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40212 +1 1 1 1 0 0 4 3 3 37 38 37 60 74 84 153 152 153
40213 +167 166 167 167 166 167 158 157 158 154 153 154 155 154 155 156 155 156
40214 +157 156 157 158 157 158 167 166 167 167 166 167 131 129 131 43 57 68
40215 +26 28 28 37 38 37 60 73 81 131 129 131 165 164 165 166 165 166
40216 +158 157 158 155 154 155 156 155 156 156 155 156 156 155 156 158 157 158
40217 +165 164 165 174 174 174 163 162 163 60 74 84 16 19 21 13 16 17
40218 +60 73 81 131 129 131 174 174 174 174 174 174 167 166 167 165 164 165
40219 +137 136 137 60 73 81 24 26 27 4 0 0 4 0 0 16 19 21
40220 +52 104 138 101 161 196 136 185 209 136 185 209 90 154 193 27 99 146
40221 +13 20 25 4 5 7 2 5 5 4 5 7 1 1 2 0 0 0
40222 +4 4 4 4 4 4 3 3 3 2 2 2 2 2 2 4 4 4
40223 +4 4 4 4 4 4
40224 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40225 +4 4 4 4 4 4 4 4 4 4 4 4 3 3 3 0 0 0
40226 +0 0 0 13 16 17 60 73 81 137 136 137 174 174 174 166 165 166
40227 +158 157 158 156 155 156 157 156 157 156 155 156 155 154 155 158 157 158
40228 +167 166 167 174 174 174 153 152 153 60 73 81 16 19 21 4 0 0
40229 +4 0 0 4 0 0 6 6 6 26 28 28 60 74 84 158 157 158
40230 +174 174 174 166 165 166 157 156 157 155 154 155 156 155 156 156 155 156
40231 +155 154 155 158 157 158 167 166 167 167 166 167 131 129 131 125 124 125
40232 +137 136 137 167 166 167 167 166 167 174 174 174 158 157 158 125 124 125
40233 +16 19 21 4 0 0 4 0 0 10 13 16 49 76 92 107 159 188
40234 +136 185 209 136 185 209 90 154 193 26 108 161 22 40 52 6 10 14
40235 +2 3 3 1 1 2 1 1 2 4 4 5 4 4 5 4 4 5
40236 +4 4 5 2 2 1 0 0 0 0 0 0 0 0 0 2 2 2
40237 +4 4 4 4 4 4
40238 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40239 +4 4 4 5 5 5 3 3 3 0 0 0 1 0 0 4 0 0
40240 +37 51 59 131 129 131 167 166 167 167 166 167 163 162 163 157 156 157
40241 +157 156 157 155 154 155 153 152 153 157 156 157 167 166 167 174 174 174
40242 +153 152 153 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
40243 +4 3 3 4 3 3 4 0 0 6 6 6 4 0 0 37 38 37
40244 +125 124 125 174 174 174 174 174 174 165 164 165 156 155 156 154 153 154
40245 +156 155 156 156 155 156 155 154 155 163 162 163 158 157 158 163 162 163
40246 +174 174 174 174 174 174 174 174 174 125 124 125 37 38 37 0 0 0
40247 +4 0 0 6 9 11 41 54 63 90 154 193 136 185 209 146 190 211
40248 +136 185 209 37 112 160 22 40 52 6 10 14 3 6 7 1 1 2
40249 +1 1 2 3 3 3 1 1 2 3 3 3 4 4 4 4 4 4
40250 +2 2 2 2 0 0 16 19 21 37 38 37 24 26 27 0 0 0
40251 +0 0 0 4 4 4
40252 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
40253 +4 4 4 0 0 0 0 0 0 0 0 0 26 28 28 120 125 127
40254 +158 157 158 174 174 174 165 164 165 157 156 157 155 154 155 156 155 156
40255 +153 152 153 153 152 153 167 166 167 174 174 174 174 174 174 125 124 125
40256 +37 38 37 4 0 0 0 0 0 4 0 0 4 3 3 4 4 4
40257 +4 4 4 4 4 4 5 5 5 4 0 0 4 0 0 4 0 0
40258 +4 3 3 43 57 68 137 136 137 174 174 174 174 174 174 165 164 165
40259 +154 153 154 153 152 153 153 152 153 153 152 153 163 162 163 174 174 174
40260 +174 174 174 153 152 153 60 73 81 6 6 6 4 0 0 4 3 3
40261 +32 43 50 80 127 157 136 185 209 146 190 211 146 190 211 90 154 193
40262 +28 67 93 28 67 93 40 71 93 3 6 7 1 1 2 2 5 5
40263 +50 82 103 79 117 143 26 37 45 0 0 0 3 3 3 1 1 1
40264 +0 0 0 41 54 63 137 136 137 174 174 174 153 152 153 60 73 81
40265 +2 0 0 0 0 0
40266 +4 4 4 4 4 4 4 4 4 4 4 4 6 6 6 2 2 2
40267 +0 0 0 2 0 0 24 26 27 60 74 84 153 152 153 174 174 174
40268 +174 174 174 157 156 157 154 153 154 156 155 156 154 153 154 153 152 153
40269 +165 164 165 174 174 174 177 184 187 137 136 137 43 57 68 6 6 6
40270 +4 0 0 2 0 0 3 3 3 5 5 5 5 5 5 4 4 4
40271 +4 4 4 4 4 4 4 4 4 5 5 5 6 6 6 4 3 3
40272 +4 0 0 4 0 0 24 26 27 60 73 81 153 152 153 174 174 174
40273 +174 174 174 158 157 158 158 157 158 174 174 174 174 174 174 158 157 158
40274 +60 74 84 24 26 27 4 0 0 4 0 0 17 23 27 59 113 148
40275 +136 185 209 191 222 234 146 190 211 136 185 209 31 91 132 7 11 13
40276 +22 40 52 101 161 196 90 154 193 6 9 11 3 4 4 43 95 132
40277 +136 185 209 172 205 220 55 98 126 0 0 0 0 0 0 2 0 0
40278 +26 28 28 153 152 153 177 184 187 167 166 167 177 184 187 165 164 165
40279 +37 38 37 0 0 0
40280 +4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
40281 +13 16 17 60 73 81 137 136 137 174 174 174 174 174 174 165 164 165
40282 +153 152 153 153 152 153 155 154 155 154 153 154 158 157 158 174 174 174
40283 +177 184 187 163 162 163 60 73 81 16 19 21 4 0 0 4 0 0
40284 +4 3 3 4 4 4 5 5 5 5 5 5 4 4 4 5 5 5
40285 +5 5 5 5 5 5 5 5 5 4 4 4 4 4 4 5 5 5
40286 +6 6 6 4 0 0 4 0 0 4 0 0 24 26 27 60 74 84
40287 +166 165 166 174 174 174 177 184 187 165 164 165 125 124 125 24 26 27
40288 +4 0 0 4 0 0 5 5 5 50 82 103 136 185 209 172 205 220
40289 +146 190 211 136 185 209 26 108 161 22 40 52 7 12 15 44 81 103
40290 +71 116 144 28 67 93 37 51 59 41 65 82 100 139 164 101 161 196
40291 +90 154 193 90 154 193 28 67 93 0 0 0 0 0 0 26 28 28
40292 +125 124 125 167 166 167 163 162 163 153 152 153 163 162 163 174 174 174
40293 +85 115 134 4 0 0
40294 +4 4 4 5 5 5 4 4 4 1 0 0 4 0 0 34 47 55
40295 +125 124 125 174 174 174 174 174 174 167 166 167 157 156 157 153 152 153
40296 +155 154 155 155 154 155 158 157 158 166 165 166 167 166 167 154 153 154
40297 +125 124 125 26 28 28 4 0 0 4 0 0 4 0 0 5 5 5
40298 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 1 1 1
40299 +0 0 0 0 0 0 1 1 1 4 4 4 4 4 4 4 4 4
40300 +5 5 5 5 5 5 4 3 3 4 0 0 4 0 0 6 6 6
40301 +37 38 37 131 129 131 137 136 137 37 38 37 0 0 0 4 0 0
40302 +4 5 5 43 61 72 90 154 193 172 205 220 146 190 211 136 185 209
40303 +90 154 193 28 67 93 13 20 25 43 61 72 71 116 144 44 81 103
40304 +2 5 5 7 11 13 59 113 148 101 161 196 90 154 193 28 67 93
40305 +13 20 25 6 10 14 0 0 0 13 16 17 60 73 81 137 136 137
40306 +166 165 166 158 157 158 156 155 156 154 153 154 167 166 167 174 174 174
40307 +60 73 81 4 0 0
40308 +4 4 4 4 4 4 0 0 0 3 3 3 60 74 84 174 174 174
40309 +174 174 174 167 166 167 163 162 163 155 154 155 157 156 157 155 154 155
40310 +156 155 156 163 162 163 167 166 167 158 157 158 125 124 125 37 38 37
40311 +4 3 3 4 0 0 4 0 0 6 6 6 6 6 6 5 5 5
40312 +4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 2 3 3
40313 +10 13 16 7 11 13 1 0 0 0 0 0 2 2 1 4 4 4
40314 +4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 4 0 0
40315 +4 0 0 7 11 13 13 16 17 4 0 0 3 3 3 34 47 55
40316 +80 127 157 146 190 211 172 205 220 136 185 209 136 185 209 136 185 209
40317 +28 67 93 22 40 52 55 98 126 55 98 126 21 29 34 7 11 13
40318 +50 82 103 101 161 196 101 161 196 35 83 115 13 20 25 2 2 1
40319 +1 1 2 1 1 2 37 51 59 131 129 131 174 174 174 174 174 174
40320 +167 166 167 163 162 163 163 162 163 167 166 167 174 174 174 125 124 125
40321 +16 19 21 4 0 0
40322 +4 4 4 4 0 0 4 0 0 60 74 84 174 174 174 174 174 174
40323 +158 157 158 155 154 155 155 154 155 156 155 156 155 154 155 158 157 158
40324 +167 166 167 165 164 165 131 129 131 60 73 81 13 16 17 4 0 0
40325 +4 0 0 4 3 3 6 6 6 4 3 3 5 5 5 4 4 4
40326 +4 4 4 3 2 2 0 0 0 0 0 0 7 11 13 45 69 86
40327 +80 127 157 71 116 144 43 61 72 7 11 13 0 0 0 1 1 1
40328 +4 3 3 4 4 4 4 4 4 4 4 4 6 6 6 5 5 5
40329 +3 2 2 4 0 0 1 0 0 21 29 34 59 113 148 136 185 209
40330 +146 190 211 136 185 209 136 185 209 136 185 209 136 185 209 136 185 209
40331 +68 124 159 44 81 103 22 40 52 13 16 17 43 61 72 90 154 193
40332 +136 185 209 59 113 148 21 29 34 3 4 3 1 1 1 0 0 0
40333 +24 26 27 125 124 125 163 162 163 174 174 174 166 165 166 165 164 165
40334 +163 162 163 125 124 125 125 124 125 125 124 125 125 124 125 26 28 28
40335 +4 0 0 4 3 3
40336 +3 3 3 0 0 0 24 26 27 153 152 153 177 184 187 158 157 158
40337 +156 155 156 156 155 156 155 154 155 155 154 155 165 164 165 174 174 174
40338 +155 154 155 60 74 84 26 28 28 4 0 0 4 0 0 3 1 0
40339 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 3 3
40340 +2 0 0 0 0 0 0 0 0 32 43 50 72 125 159 101 161 196
40341 +136 185 209 101 161 196 101 161 196 79 117 143 32 43 50 0 0 0
40342 +0 0 0 2 2 2 4 4 4 4 4 4 3 3 3 1 0 0
40343 +0 0 0 4 5 5 49 76 92 101 161 196 146 190 211 146 190 211
40344 +136 185 209 136 185 209 136 185 209 136 185 209 136 185 209 90 154 193
40345 +28 67 93 13 16 17 37 51 59 80 127 157 136 185 209 90 154 193
40346 +22 40 52 6 9 11 3 4 3 2 2 1 16 19 21 60 73 81
40347 +137 136 137 163 162 163 158 157 158 166 165 166 167 166 167 153 152 153
40348 +60 74 84 37 38 37 6 6 6 13 16 17 4 0 0 1 0 0
40349 +3 2 2 4 4 4
40350 +3 2 2 4 0 0 37 38 37 137 136 137 167 166 167 158 157 158
40351 +157 156 157 154 153 154 157 156 157 167 166 167 174 174 174 125 124 125
40352 +37 38 37 4 0 0 4 0 0 4 0 0 4 3 3 4 4 4
40353 +4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
40354 +0 0 0 16 21 25 55 98 126 90 154 193 136 185 209 101 161 196
40355 +101 161 196 101 161 196 136 185 209 136 185 209 101 161 196 55 98 126
40356 +14 17 19 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
40357 +22 40 52 90 154 193 146 190 211 146 190 211 136 185 209 136 185 209
40358 +136 185 209 136 185 209 136 185 209 101 161 196 35 83 115 7 11 13
40359 +17 23 27 59 113 148 136 185 209 101 161 196 34 86 122 7 12 15
40360 +2 5 5 3 4 3 6 6 6 60 73 81 131 129 131 163 162 163
40361 +166 165 166 174 174 174 174 174 174 163 162 163 125 124 125 41 54 63
40362 +13 16 17 4 0 0 4 0 0 4 0 0 1 0 0 2 2 2
40363 +4 4 4 4 4 4
40364 +1 1 1 2 1 0 43 57 68 137 136 137 153 152 153 153 152 153
40365 +163 162 163 156 155 156 165 164 165 167 166 167 60 74 84 6 6 6
40366 +4 0 0 4 0 0 5 5 5 4 4 4 4 4 4 4 4 4
40367 +4 5 5 6 6 6 4 3 3 0 0 0 0 0 0 11 15 18
40368 +40 71 93 100 139 164 101 161 196 101 161 196 101 161 196 101 161 196
40369 +101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 136 185 209
40370 +101 161 196 45 69 86 6 6 6 0 0 0 17 23 27 55 98 126
40371 +136 185 209 146 190 211 136 185 209 136 185 209 136 185 209 136 185 209
40372 +136 185 209 136 185 209 90 154 193 22 40 52 7 11 13 50 82 103
40373 +136 185 209 136 185 209 53 118 160 22 40 52 7 11 13 2 5 5
40374 +3 4 3 37 38 37 125 124 125 157 156 157 166 165 166 167 166 167
40375 +174 174 174 174 174 174 137 136 137 60 73 81 4 0 0 4 0 0
40376 +4 0 0 4 0 0 5 5 5 3 3 3 3 3 3 4 4 4
40377 +4 4 4 4 4 4
40378 +4 0 0 4 0 0 41 54 63 137 136 137 125 124 125 131 129 131
40379 +155 154 155 167 166 167 174 174 174 60 74 84 6 6 6 4 0 0
40380 +4 3 3 6 6 6 4 4 4 4 4 4 4 4 4 5 5 5
40381 +4 4 4 1 1 1 0 0 0 3 6 7 41 65 82 72 125 159
40382 +101 161 196 101 161 196 101 161 196 90 154 193 90 154 193 101 161 196
40383 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
40384 +136 185 209 136 185 209 80 127 157 55 98 126 101 161 196 146 190 211
40385 +136 185 209 136 185 209 136 185 209 101 161 196 136 185 209 101 161 196
40386 +136 185 209 101 161 196 35 83 115 22 30 35 101 161 196 172 205 220
40387 +90 154 193 28 67 93 7 11 13 2 5 5 3 4 3 13 16 17
40388 +85 115 134 167 166 167 174 174 174 174 174 174 174 174 174 174 174 174
40389 +167 166 167 60 74 84 13 16 17 4 0 0 4 0 0 4 3 3
40390 +6 6 6 5 5 5 4 4 4 5 5 5 4 4 4 5 5 5
40391 +5 5 5 5 5 5
40392 +1 1 1 4 0 0 41 54 63 137 136 137 137 136 137 125 124 125
40393 +131 129 131 167 166 167 157 156 157 37 38 37 6 6 6 4 0 0
40394 +6 6 6 5 5 5 4 4 4 4 4 4 4 5 5 2 2 1
40395 +0 0 0 0 0 0 26 37 45 58 111 146 101 161 196 101 161 196
40396 +101 161 196 90 154 193 90 154 193 90 154 193 101 161 196 101 161 196
40397 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
40398 +101 161 196 136 185 209 136 185 209 136 185 209 146 190 211 136 185 209
40399 +136 185 209 101 161 196 136 185 209 136 185 209 101 161 196 136 185 209
40400 +101 161 196 136 185 209 136 185 209 136 185 209 136 185 209 16 89 141
40401 +7 11 13 2 5 5 2 5 5 13 16 17 60 73 81 154 154 154
40402 +174 174 174 174 174 174 174 174 174 174 174 174 163 162 163 125 124 125
40403 +24 26 27 4 0 0 4 0 0 4 0 0 5 5 5 5 5 5
40404 +4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
40405 +5 5 5 4 4 4
40406 +4 0 0 6 6 6 37 38 37 137 136 137 137 136 137 131 129 131
40407 +131 129 131 153 152 153 131 129 131 26 28 28 4 0 0 4 3 3
40408 +6 6 6 4 4 4 4 4 4 4 4 4 0 0 0 0 0 0
40409 +13 20 25 51 88 114 90 154 193 101 161 196 101 161 196 90 154 193
40410 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
40411 +101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 101 161 196
40412 +101 161 196 136 185 209 101 161 196 136 185 209 136 185 209 101 161 196
40413 +136 185 209 101 161 196 136 185 209 101 161 196 101 161 196 101 161 196
40414 +136 185 209 136 185 209 136 185 209 37 112 160 21 29 34 5 7 8
40415 +2 5 5 13 16 17 43 57 68 131 129 131 174 174 174 174 174 174
40416 +174 174 174 167 166 167 157 156 157 125 124 125 37 38 37 4 0 0
40417 +4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
40418 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40419 +4 4 4 4 4 4
40420 +1 1 1 4 0 0 41 54 63 153 152 153 137 136 137 137 136 137
40421 +137 136 137 153 152 153 125 124 125 24 26 27 4 0 0 3 2 2
40422 +4 4 4 4 4 4 4 3 3 4 0 0 3 6 7 43 61 72
40423 +64 123 161 101 161 196 90 154 193 90 154 193 90 154 193 90 154 193
40424 +90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 90 154 193
40425 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
40426 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
40427 +136 185 209 101 161 196 101 161 196 136 185 209 136 185 209 101 161 196
40428 +101 161 196 90 154 193 28 67 93 13 16 17 7 11 13 3 6 7
40429 +37 51 59 125 124 125 163 162 163 174 174 174 167 166 167 166 165 166
40430 +167 166 167 131 129 131 60 73 81 4 0 0 4 0 0 4 0 0
40431 +3 3 3 5 5 5 6 6 6 4 4 4 4 4 4 4 4 4
40432 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40433 +4 4 4 4 4 4
40434 +4 0 0 4 0 0 41 54 63 137 136 137 153 152 153 137 136 137
40435 +153 152 153 157 156 157 125 124 125 24 26 27 0 0 0 2 2 2
40436 +4 4 4 4 4 4 2 0 0 0 0 0 28 67 93 90 154 193
40437 +90 154 193 90 154 193 90 154 193 90 154 193 64 123 161 90 154 193
40438 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
40439 +90 154 193 101 161 196 101 161 196 101 161 196 90 154 193 136 185 209
40440 +101 161 196 101 161 196 136 185 209 101 161 196 136 185 209 101 161 196
40441 +101 161 196 101 161 196 136 185 209 101 161 196 101 161 196 90 154 193
40442 +35 83 115 13 16 17 3 6 7 2 5 5 13 16 17 60 74 84
40443 +154 154 154 166 165 166 165 164 165 158 157 158 163 162 163 157 156 157
40444 +60 74 84 13 16 17 4 0 0 4 0 0 3 2 2 4 4 4
40445 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40446 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40447 +4 4 4 4 4 4
40448 +1 1 1 4 0 0 41 54 63 157 156 157 155 154 155 137 136 137
40449 +153 152 153 158 157 158 137 136 137 26 28 28 2 0 0 2 2 2
40450 +4 4 4 4 4 4 1 0 0 6 10 14 34 86 122 90 154 193
40451 +64 123 161 90 154 193 64 123 161 90 154 193 90 154 193 90 154 193
40452 +64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
40453 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
40454 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
40455 +136 185 209 101 161 196 136 185 209 90 154 193 26 108 161 22 40 52
40456 +13 16 17 5 7 8 2 5 5 2 5 5 37 38 37 165 164 165
40457 +174 174 174 163 162 163 154 154 154 165 164 165 167 166 167 60 73 81
40458 +6 6 6 4 0 0 4 0 0 4 4 4 4 4 4 4 4 4
40459 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40460 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40461 +4 4 4 4 4 4
40462 +4 0 0 6 6 6 41 54 63 156 155 156 158 157 158 153 152 153
40463 +156 155 156 165 164 165 137 136 137 26 28 28 0 0 0 2 2 2
40464 +4 4 5 4 4 4 2 0 0 7 12 15 31 96 139 64 123 161
40465 +90 154 193 64 123 161 90 154 193 90 154 193 64 123 161 90 154 193
40466 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
40467 +90 154 193 90 154 193 90 154 193 101 161 196 101 161 196 101 161 196
40468 +101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
40469 +101 161 196 136 185 209 26 108 161 22 40 52 7 11 13 5 7 8
40470 +2 5 5 2 5 5 2 5 5 2 2 1 37 38 37 158 157 158
40471 +174 174 174 154 154 154 156 155 156 167 166 167 165 164 165 37 38 37
40472 +4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40473 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40474 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40475 +4 4 4 4 4 4
40476 +3 1 0 4 0 0 60 73 81 157 156 157 163 162 163 153 152 153
40477 +158 157 158 167 166 167 137 136 137 26 28 28 2 0 0 2 2 2
40478 +4 5 5 4 4 4 4 0 0 7 12 15 24 86 132 26 108 161
40479 +37 112 160 64 123 161 90 154 193 64 123 161 90 154 193 90 154 193
40480 +90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
40481 +90 154 193 101 161 196 90 154 193 101 161 196 101 161 196 101 161 196
40482 +101 161 196 101 161 196 101 161 196 136 185 209 101 161 196 136 185 209
40483 +90 154 193 35 83 115 13 16 17 13 16 17 7 11 13 3 6 7
40484 +5 7 8 6 6 6 3 4 3 2 2 1 30 32 34 154 154 154
40485 +167 166 167 154 154 154 154 154 154 174 174 174 165 164 165 37 38 37
40486 +6 6 6 4 0 0 6 6 6 4 4 4 4 4 4 4 4 4
40487 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40488 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40489 +4 4 4 4 4 4
40490 +4 0 0 4 0 0 41 54 63 163 162 163 166 165 166 154 154 154
40491 +163 162 163 174 174 174 137 136 137 26 28 28 0 0 0 2 2 2
40492 +4 5 5 4 4 5 1 1 2 6 10 14 28 67 93 18 97 151
40493 +18 97 151 18 97 151 26 108 161 37 112 160 37 112 160 90 154 193
40494 +64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
40495 +90 154 193 101 161 196 101 161 196 90 154 193 101 161 196 101 161 196
40496 +101 161 196 101 161 196 101 161 196 136 185 209 90 154 193 16 89 141
40497 +13 20 25 7 11 13 5 7 8 5 7 8 2 5 5 4 5 5
40498 +3 4 3 4 5 5 3 4 3 0 0 0 37 38 37 158 157 158
40499 +174 174 174 158 157 158 158 157 158 167 166 167 174 174 174 41 54 63
40500 +4 0 0 3 2 2 5 5 5 4 4 4 4 4 4 4 4 4
40501 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40502 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40503 +4 4 4 4 4 4
40504 +1 1 1 4 0 0 60 73 81 165 164 165 174 174 174 158 157 158
40505 +167 166 167 174 174 174 153 152 153 26 28 28 2 0 0 2 2 2
40506 +4 5 5 4 4 4 4 0 0 7 12 15 10 87 144 10 87 144
40507 +18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
40508 +26 108 161 37 112 160 53 118 160 90 154 193 90 154 193 90 154 193
40509 +90 154 193 90 154 193 101 161 196 101 161 196 101 161 196 101 161 196
40510 +101 161 196 136 185 209 90 154 193 26 108 161 22 40 52 13 16 17
40511 +7 11 13 3 6 7 5 7 8 5 7 8 2 5 5 4 5 5
40512 +4 5 5 6 6 6 3 4 3 0 0 0 30 32 34 158 157 158
40513 +174 174 174 156 155 156 155 154 155 165 164 165 154 153 154 37 38 37
40514 +4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40515 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40516 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40517 +4 4 4 4 4 4
40518 +4 0 0 4 0 0 60 73 81 167 166 167 174 174 174 163 162 163
40519 +174 174 174 174 174 174 153 152 153 26 28 28 0 0 0 3 3 3
40520 +5 5 5 4 4 4 1 1 2 7 12 15 28 67 93 18 97 151
40521 +18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
40522 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
40523 +90 154 193 26 108 161 90 154 193 90 154 193 90 154 193 101 161 196
40524 +101 161 196 26 108 161 22 40 52 13 16 17 7 11 13 2 5 5
40525 +2 5 5 6 6 6 2 5 5 4 5 5 4 5 5 4 5 5
40526 +3 4 3 5 5 5 3 4 3 2 0 0 30 32 34 137 136 137
40527 +153 152 153 137 136 137 131 129 131 137 136 137 131 129 131 37 38 37
40528 +4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40529 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40530 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40531 +4 4 4 4 4 4
40532 +1 1 1 4 0 0 60 73 81 167 166 167 174 174 174 166 165 166
40533 +174 174 174 177 184 187 153 152 153 30 32 34 1 0 0 3 3 3
40534 +5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
40535 +18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
40536 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
40537 +26 108 161 26 108 161 26 108 161 90 154 193 90 154 193 26 108 161
40538 +35 83 115 13 16 17 7 11 13 5 7 8 3 6 7 5 7 8
40539 +2 5 5 6 6 6 4 5 5 4 5 5 3 4 3 4 5 5
40540 +3 4 3 6 6 6 3 4 3 0 0 0 26 28 28 125 124 125
40541 +131 129 131 125 124 125 125 124 125 131 129 131 131 129 131 37 38 37
40542 +4 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40543 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40544 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40545 +4 4 4 4 4 4
40546 +3 1 0 4 0 0 60 73 81 174 174 174 177 184 187 167 166 167
40547 +174 174 174 177 184 187 153 152 153 30 32 34 0 0 0 3 3 3
40548 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
40549 +18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
40550 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
40551 +26 108 161 90 154 193 26 108 161 26 108 161 24 86 132 13 20 25
40552 +7 11 13 13 20 25 22 40 52 5 7 8 3 4 3 3 4 3
40553 +4 5 5 3 4 3 4 5 5 3 4 3 4 5 5 3 4 3
40554 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
40555 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40556 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40557 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40558 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40559 +4 4 4 4 4 4
40560 +1 1 1 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
40561 +174 174 174 190 197 201 157 156 157 30 32 34 1 0 0 3 3 3
40562 +5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
40563 +18 97 151 19 95 150 19 95 150 18 97 151 18 97 151 26 108 161
40564 +18 97 151 26 108 161 26 108 161 26 108 161 26 108 161 90 154 193
40565 +26 108 161 26 108 161 26 108 161 22 40 52 2 5 5 3 4 3
40566 +28 67 93 37 112 160 34 86 122 2 5 5 3 4 3 3 4 3
40567 +3 4 3 3 4 3 3 4 3 2 2 1 3 4 3 4 4 4
40568 +4 5 5 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
40569 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40570 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40571 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40572 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40573 +4 4 4 4 4 4
40574 +4 0 0 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
40575 +174 174 174 190 197 201 158 157 158 30 32 34 0 0 0 2 2 2
40576 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
40577 +10 87 144 19 95 150 19 95 150 18 97 151 18 97 151 18 97 151
40578 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
40579 +18 97 151 22 40 52 2 5 5 2 2 1 22 40 52 26 108 161
40580 +90 154 193 37 112 160 22 40 52 3 4 3 13 20 25 22 30 35
40581 +3 6 7 1 1 1 2 2 2 6 9 11 5 5 5 4 3 3
40582 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
40583 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40584 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40585 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40586 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40587 +4 4 4 4 4 4
40588 +1 1 1 4 0 0 60 73 81 177 184 187 193 200 203 174 174 174
40589 +177 184 187 193 200 203 163 162 163 30 32 34 4 0 0 2 2 2
40590 +5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
40591 +10 87 144 10 87 144 19 95 150 19 95 150 19 95 150 18 97 151
40592 +26 108 161 26 108 161 26 108 161 90 154 193 26 108 161 28 67 93
40593 +6 10 14 2 5 5 13 20 25 24 86 132 37 112 160 90 154 193
40594 +10 87 144 7 12 15 2 5 5 28 67 93 37 112 160 28 67 93
40595 +2 2 1 7 12 15 35 83 115 28 67 93 3 6 7 1 0 0
40596 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
40597 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40598 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40599 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40600 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40601 +4 4 4 4 4 4
40602 +4 0 0 4 0 0 60 73 81 174 174 174 190 197 201 174 174 174
40603 +177 184 187 193 200 203 163 162 163 30 32 34 0 0 0 2 2 2
40604 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
40605 +10 87 144 16 89 141 19 95 150 10 87 144 26 108 161 26 108 161
40606 +26 108 161 26 108 161 26 108 161 28 67 93 6 10 14 1 1 2
40607 +7 12 15 28 67 93 26 108 161 16 89 141 24 86 132 21 29 34
40608 +3 4 3 21 29 34 37 112 160 37 112 160 27 99 146 21 29 34
40609 +21 29 34 26 108 161 90 154 193 35 83 115 1 1 2 2 0 0
40610 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
40611 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40612 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40613 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40614 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40615 +4 4 4 4 4 4
40616 +3 1 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
40617 +190 197 201 193 200 203 165 164 165 37 38 37 4 0 0 2 2 2
40618 +5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
40619 +10 87 144 10 87 144 16 89 141 18 97 151 18 97 151 10 87 144
40620 +24 86 132 24 86 132 13 20 25 4 5 7 4 5 7 22 40 52
40621 +18 97 151 37 112 160 26 108 161 7 12 15 1 1 1 0 0 0
40622 +28 67 93 37 112 160 26 108 161 28 67 93 22 40 52 28 67 93
40623 +26 108 161 90 154 193 26 108 161 10 87 144 0 0 0 2 0 0
40624 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
40625 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40626 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40627 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40628 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40629 +4 4 4 4 4 4
40630 +4 0 0 6 6 6 60 73 81 174 174 174 193 200 203 174 174 174
40631 +190 197 201 193 200 203 165 164 165 30 32 34 0 0 0 2 2 2
40632 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
40633 +10 87 144 10 87 144 10 87 144 18 97 151 28 67 93 6 10 14
40634 +0 0 0 1 1 2 4 5 7 13 20 25 16 89 141 26 108 161
40635 +26 108 161 26 108 161 24 86 132 6 9 11 2 3 3 22 40 52
40636 +37 112 160 16 89 141 22 40 52 28 67 93 26 108 161 26 108 161
40637 +90 154 193 26 108 161 26 108 161 28 67 93 1 1 1 4 0 0
40638 +4 4 4 5 5 5 3 3 3 4 0 0 26 28 28 124 126 130
40639 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40640 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40641 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40642 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40643 +4 4 4 4 4 4
40644 +4 0 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
40645 +193 200 203 193 200 203 167 166 167 37 38 37 4 0 0 2 2 2
40646 +5 5 5 4 4 4 4 0 0 6 10 14 28 67 93 10 87 144
40647 +10 87 144 10 87 144 18 97 151 10 87 144 13 20 25 4 5 7
40648 +1 1 2 1 1 1 22 40 52 26 108 161 26 108 161 26 108 161
40649 +26 108 161 26 108 161 26 108 161 24 86 132 22 40 52 22 40 52
40650 +22 40 52 22 40 52 10 87 144 26 108 161 26 108 161 26 108 161
40651 +26 108 161 26 108 161 90 154 193 10 87 144 0 0 0 4 0 0
40652 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
40653 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40654 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40655 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40656 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40657 +4 4 4 4 4 4
40658 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
40659 +190 197 201 205 212 215 167 166 167 30 32 34 0 0 0 2 2 2
40660 +5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
40661 +10 87 144 10 87 144 10 87 144 10 87 144 22 40 52 1 1 2
40662 +2 0 0 1 1 2 24 86 132 26 108 161 26 108 161 26 108 161
40663 +26 108 161 19 95 150 16 89 141 10 87 144 22 40 52 22 40 52
40664 +10 87 144 26 108 161 37 112 160 26 108 161 26 108 161 26 108 161
40665 +26 108 161 26 108 161 26 108 161 28 67 93 2 0 0 3 1 0
40666 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
40667 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40668 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40669 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40670 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40671 +4 4 4 4 4 4
40672 +4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
40673 +193 200 203 193 200 203 174 174 174 37 38 37 4 0 0 2 2 2
40674 +5 5 5 4 4 4 3 2 2 1 1 2 13 20 25 10 87 144
40675 +10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 13 20 25
40676 +13 20 25 22 40 52 10 87 144 18 97 151 18 97 151 26 108 161
40677 +10 87 144 13 20 25 6 10 14 21 29 34 24 86 132 18 97 151
40678 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
40679 +26 108 161 90 154 193 18 97 151 13 20 25 0 0 0 4 3 3
40680 +4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
40681 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40682 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40683 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40684 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40685 +4 4 4 4 4 4
40686 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
40687 +190 197 201 220 221 221 167 166 167 30 32 34 1 0 0 2 2 2
40688 +5 5 5 4 4 4 4 4 5 2 5 5 4 5 7 13 20 25
40689 +28 67 93 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
40690 +10 87 144 10 87 144 18 97 151 10 87 144 18 97 151 18 97 151
40691 +28 67 93 2 3 3 0 0 0 28 67 93 26 108 161 26 108 161
40692 +26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
40693 +26 108 161 10 87 144 13 20 25 1 1 2 3 2 2 4 4 4
40694 +4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
40695 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40696 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40697 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40698 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40699 +4 4 4 4 4 4
40700 +4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
40701 +193 200 203 193 200 203 174 174 174 26 28 28 4 0 0 4 3 3
40702 +5 5 5 4 4 4 4 4 4 4 4 5 1 1 2 2 5 5
40703 +4 5 7 22 40 52 10 87 144 10 87 144 18 97 151 10 87 144
40704 +10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 18 97 151
40705 +10 87 144 28 67 93 22 40 52 10 87 144 26 108 161 18 97 151
40706 +18 97 151 18 97 151 26 108 161 26 108 161 26 108 161 26 108 161
40707 +22 40 52 1 1 2 0 0 0 2 3 3 4 4 4 4 4 4
40708 +4 4 4 5 5 5 4 4 4 0 0 0 26 28 28 131 129 131
40709 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40710 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40711 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40712 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40713 +4 4 4 4 4 4
40714 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
40715 +190 197 201 220 221 221 190 197 201 41 54 63 4 0 0 2 2 2
40716 +6 6 6 4 4 4 4 4 4 4 4 5 4 4 5 3 3 3
40717 +1 1 2 1 1 2 6 10 14 22 40 52 10 87 144 18 97 151
40718 +18 97 151 10 87 144 10 87 144 10 87 144 18 97 151 10 87 144
40719 +10 87 144 18 97 151 26 108 161 18 97 151 18 97 151 10 87 144
40720 +26 108 161 26 108 161 26 108 161 10 87 144 28 67 93 6 10 14
40721 +1 1 2 1 1 2 4 3 3 4 4 5 4 4 4 4 4 4
40722 +5 5 5 5 5 5 1 1 1 4 0 0 37 51 59 137 136 137
40723 +137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40724 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40725 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40726 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40727 +4 4 4 4 4 4
40728 +4 0 0 4 0 0 60 73 81 220 221 221 193 200 203 174 174 174
40729 +193 200 203 193 200 203 220 221 221 137 136 137 13 16 17 4 0 0
40730 +2 2 2 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5
40731 +4 4 5 4 3 3 1 1 2 4 5 7 13 20 25 28 67 93
40732 +10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
40733 +10 87 144 18 97 151 18 97 151 10 87 144 18 97 151 26 108 161
40734 +26 108 161 18 97 151 28 67 93 6 10 14 0 0 0 0 0 0
40735 +2 3 3 4 5 5 4 4 5 4 4 4 4 4 4 5 5 5
40736 +3 3 3 1 1 1 0 0 0 16 19 21 125 124 125 137 136 137
40737 +131 129 131 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40738 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40739 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40740 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40741 +4 4 4 4 4 4
40742 +4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
40743 +193 200 203 190 197 201 220 221 221 220 221 221 153 152 153 30 32 34
40744 +0 0 0 0 0 0 2 2 2 4 4 4 4 4 4 4 4 4
40745 +4 4 4 4 5 5 4 5 7 1 1 2 1 1 2 4 5 7
40746 +13 20 25 28 67 93 10 87 144 18 97 151 10 87 144 10 87 144
40747 +10 87 144 10 87 144 10 87 144 18 97 151 26 108 161 18 97 151
40748 +28 67 93 7 12 15 0 0 0 0 0 0 2 2 1 4 4 4
40749 +4 5 5 4 5 5 4 4 4 4 4 4 3 3 3 0 0 0
40750 +0 0 0 0 0 0 37 38 37 125 124 125 158 157 158 131 129 131
40751 +125 124 125 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
40752 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40753 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40754 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40755 +4 4 4 4 4 4
40756 +4 3 3 4 0 0 41 54 63 193 200 203 220 221 221 174 174 174
40757 +193 200 203 193 200 203 193 200 203 220 221 221 244 246 246 193 200 203
40758 +120 125 127 5 5 5 1 0 0 0 0 0 1 1 1 4 4 4
40759 +4 4 4 4 4 4 4 5 5 4 5 5 4 4 5 1 1 2
40760 +4 5 7 4 5 7 22 40 52 10 87 144 10 87 144 10 87 144
40761 +10 87 144 10 87 144 18 97 151 10 87 144 10 87 144 13 20 25
40762 +4 5 7 2 3 3 1 1 2 4 4 4 4 5 5 4 4 4
40763 +4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 1 2
40764 +24 26 27 60 74 84 153 152 153 163 162 163 137 136 137 125 124 125
40765 +125 124 125 125 124 125 125 124 125 137 136 137 125 124 125 26 28 28
40766 +0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
40767 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40768 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40769 +4 4 4 4 4 4
40770 +4 0 0 6 6 6 26 28 28 156 155 156 220 221 221 220 221 221
40771 +174 174 174 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
40772 +220 221 221 167 166 167 60 73 81 7 11 13 0 0 0 0 0 0
40773 +3 3 3 4 4 4 4 4 4 4 4 4 4 4 5 4 4 5
40774 +4 4 5 1 1 2 1 1 2 4 5 7 22 40 52 10 87 144
40775 +10 87 144 10 87 144 10 87 144 22 40 52 4 5 7 1 1 2
40776 +1 1 2 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4
40777 +5 5 5 2 2 2 0 0 0 4 0 0 16 19 21 60 73 81
40778 +137 136 137 167 166 167 158 157 158 137 136 137 131 129 131 131 129 131
40779 +125 124 125 125 124 125 131 129 131 155 154 155 60 74 84 5 7 8
40780 +0 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40781 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40782 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40783 +4 4 4 4 4 4
40784 +5 5 5 4 0 0 4 0 0 60 73 81 193 200 203 220 221 221
40785 +193 200 203 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
40786 +220 221 221 220 221 221 220 221 221 137 136 137 43 57 68 6 6 6
40787 +4 0 0 1 1 1 4 4 4 4 4 4 4 4 4 4 4 4
40788 +4 4 5 4 4 5 3 2 2 1 1 2 2 5 5 13 20 25
40789 +22 40 52 22 40 52 13 20 25 2 3 3 1 1 2 3 3 3
40790 +4 5 7 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40791 +1 1 1 0 0 0 2 3 3 41 54 63 131 129 131 166 165 166
40792 +166 165 166 155 154 155 153 152 153 137 136 137 137 136 137 125 124 125
40793 +125 124 125 137 136 137 137 136 137 125 124 125 37 38 37 4 3 3
40794 +4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
40795 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40796 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40797 +4 4 4 4 4 4
40798 +4 3 3 6 6 6 6 6 6 13 16 17 60 73 81 167 166 167
40799 +220 221 221 220 221 221 220 221 221 193 200 203 193 200 203 193 200 203
40800 +205 212 215 220 221 221 220 221 221 244 246 246 205 212 215 125 124 125
40801 +24 26 27 0 0 0 0 0 0 2 2 2 5 5 5 5 5 5
40802 +4 4 4 4 4 4 4 4 4 4 4 5 1 1 2 4 5 7
40803 +4 5 7 4 5 7 1 1 2 3 2 2 4 4 5 4 4 4
40804 +4 4 4 4 4 4 5 5 5 4 4 4 0 0 0 0 0 0
40805 +2 0 0 26 28 28 125 124 125 174 174 174 174 174 174 166 165 166
40806 +156 155 156 153 152 153 137 136 137 137 136 137 131 129 131 137 136 137
40807 +137 136 137 137 136 137 60 74 84 30 32 34 4 0 0 4 0 0
40808 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40809 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40810 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40811 +4 4 4 4 4 4
40812 +5 5 5 6 6 6 4 0 0 4 0 0 6 6 6 26 28 28
40813 +125 124 125 174 174 174 220 221 221 220 221 221 220 221 221 193 200 203
40814 +205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
40815 +193 200 203 60 74 84 13 16 17 4 0 0 0 0 0 3 3 3
40816 +5 5 5 5 5 5 4 4 4 4 4 4 4 4 5 3 3 3
40817 +1 1 2 3 3 3 4 4 5 4 4 5 4 4 4 4 4 4
40818 +5 5 5 5 5 5 2 2 2 0 0 0 0 0 0 13 16 17
40819 +60 74 84 174 174 174 193 200 203 174 174 174 167 166 167 163 162 163
40820 +153 152 153 153 152 153 137 136 137 137 136 137 153 152 153 137 136 137
40821 +125 124 125 41 54 63 24 26 27 4 0 0 4 0 0 5 5 5
40822 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40823 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40824 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40825 +4 4 4 4 4 4
40826 +4 3 3 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
40827 +6 6 6 37 38 37 131 129 131 220 221 221 220 221 221 220 221 221
40828 +193 200 203 193 200 203 220 221 221 205 212 215 220 221 221 244 246 246
40829 +244 246 246 244 246 246 174 174 174 41 54 63 0 0 0 0 0 0
40830 +0 0 0 4 4 4 5 5 5 5 5 5 4 4 4 4 4 5
40831 +4 4 5 4 4 5 4 4 4 4 4 4 6 6 6 6 6 6
40832 +3 3 3 0 0 0 2 0 0 13 16 17 60 73 81 156 155 156
40833 +220 221 221 193 200 203 174 174 174 165 164 165 163 162 163 154 153 154
40834 +153 152 153 153 152 153 158 157 158 163 162 163 137 136 137 60 73 81
40835 +13 16 17 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
40836 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40837 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40838 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40839 +4 4 4 4 4 4
40840 +5 5 5 4 3 3 4 3 3 6 6 6 6 6 6 6 6 6
40841 +6 6 6 6 6 6 6 6 6 37 38 37 167 166 167 244 246 246
40842 +244 246 246 220 221 221 205 212 215 205 212 215 220 221 221 193 200 203
40843 +220 221 221 244 246 246 244 246 246 244 246 246 137 136 137 37 38 37
40844 +3 2 2 0 0 0 1 1 1 5 5 5 5 5 5 4 4 4
40845 +4 4 4 4 4 4 4 4 4 5 5 5 4 4 4 1 1 1
40846 +0 0 0 5 5 5 43 57 68 153 152 153 193 200 203 220 221 221
40847 +177 184 187 174 174 174 167 166 167 166 165 166 158 157 158 157 156 157
40848 +158 157 158 166 165 166 156 155 156 85 115 134 13 16 17 4 0 0
40849 +4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
40850 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40851 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40852 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40853 +4 4 4 4 4 4
40854 +5 5 5 4 3 3 6 6 6 6 6 6 4 0 0 6 6 6
40855 +6 6 6 6 6 6 6 6 6 6 6 6 13 16 17 60 73 81
40856 +177 184 187 220 221 221 220 221 221 220 221 221 205 212 215 220 221 221
40857 +220 221 221 205 212 215 220 221 221 244 246 246 244 246 246 205 212 215
40858 +125 124 125 30 32 34 0 0 0 0 0 0 2 2 2 5 5 5
40859 +4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 0 0
40860 +37 38 37 131 129 131 205 212 215 220 221 221 193 200 203 174 174 174
40861 +174 174 174 174 174 174 167 166 167 165 164 165 166 165 166 167 166 167
40862 +158 157 158 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
40863 +4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
40864 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40865 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40866 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40867 +4 4 4 4 4 4
40868 +4 4 4 5 5 5 4 3 3 4 3 3 6 6 6 6 6 6
40869 +4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
40870 +26 28 28 125 124 125 205 212 215 220 221 221 220 221 221 220 221 221
40871 +205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
40872 +244 246 246 190 197 201 60 74 84 16 19 21 4 0 0 0 0 0
40873 +0 0 0 0 0 0 0 0 0 0 0 0 16 19 21 120 125 127
40874 +177 184 187 220 221 221 205 212 215 177 184 187 174 174 174 177 184 187
40875 +174 174 174 174 174 174 167 166 167 174 174 174 166 165 166 137 136 137
40876 +60 73 81 13 16 17 4 0 0 4 0 0 4 3 3 6 6 6
40877 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40878 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40879 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40880 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40881 +4 4 4 4 4 4
40882 +5 5 5 4 3 3 5 5 5 4 3 3 6 6 6 4 0 0
40883 +6 6 6 6 6 6 4 0 0 6 6 6 4 0 0 6 6 6
40884 +6 6 6 6 6 6 37 38 37 137 136 137 193 200 203 220 221 221
40885 +220 221 221 205 212 215 220 221 221 205 212 215 205 212 215 220 221 221
40886 +220 221 221 220 221 221 244 246 246 166 165 166 43 57 68 2 2 2
40887 +0 0 0 4 0 0 16 19 21 60 73 81 157 156 157 202 210 214
40888 +220 221 221 193 200 203 177 184 187 177 184 187 177 184 187 174 174 174
40889 +174 174 174 174 174 174 174 174 174 157 156 157 60 74 84 24 26 27
40890 +4 0 0 4 0 0 4 0 0 6 6 6 4 4 4 4 4 4
40891 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40892 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40893 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40894 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40895 +4 4 4 4 4 4
40896 +4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
40897 +6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 4 0 0
40898 +4 0 0 4 0 0 6 6 6 24 26 27 60 73 81 167 166 167
40899 +220 221 221 220 221 221 220 221 221 205 212 215 205 212 215 205 212 215
40900 +205 212 215 220 221 221 220 221 221 220 221 221 205 212 215 137 136 137
40901 +60 74 84 125 124 125 137 136 137 190 197 201 220 221 221 193 200 203
40902 +177 184 187 177 184 187 177 184 187 174 174 174 174 174 174 177 184 187
40903 +190 197 201 174 174 174 125 124 125 37 38 37 6 6 6 4 0 0
40904 +4 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40905 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40906 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40907 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40908 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40909 +4 4 4 4 4 4
40910 +4 4 4 4 4 4 5 5 5 5 5 5 4 3 3 6 6 6
40911 +4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 6 6 6
40912 +6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
40913 +125 124 125 193 200 203 244 246 246 220 221 221 205 212 215 205 212 215
40914 +205 212 215 193 200 203 205 212 215 205 212 215 220 221 221 220 221 221
40915 +193 200 203 193 200 203 205 212 215 193 200 203 193 200 203 177 184 187
40916 +190 197 201 190 197 201 174 174 174 190 197 201 193 200 203 190 197 201
40917 +153 152 153 60 73 81 4 0 0 4 0 0 4 0 0 3 2 2
40918 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40919 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40920 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40921 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40922 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40923 +4 4 4 4 4 4
40924 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
40925 +6 6 6 4 3 3 4 3 3 4 3 3 6 6 6 6 6 6
40926 +4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 4 0 0
40927 +4 0 0 26 28 28 131 129 131 220 221 221 244 246 246 220 221 221
40928 +205 212 215 193 200 203 205 212 215 193 200 203 193 200 203 205 212 215
40929 +220 221 221 193 200 203 193 200 203 193 200 203 190 197 201 174 174 174
40930 +174 174 174 190 197 201 193 200 203 193 200 203 167 166 167 125 124 125
40931 +6 6 6 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
40932 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40933 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40934 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40935 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40936 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40937 +4 4 4 4 4 4
40938 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
40939 +5 5 5 4 3 3 5 5 5 6 6 6 4 3 3 5 5 5
40940 +6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
40941 +4 0 0 4 0 0 6 6 6 41 54 63 158 157 158 220 221 221
40942 +220 221 221 220 221 221 193 200 203 193 200 203 193 200 203 190 197 201
40943 +190 197 201 190 197 201 190 197 201 190 197 201 174 174 174 193 200 203
40944 +193 200 203 220 221 221 174 174 174 125 124 125 37 38 37 4 0 0
40945 +4 0 0 4 3 3 6 6 6 4 4 4 4 4 4 4 4 4
40946 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40947 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40948 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40949 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40950 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40951 +4 4 4 4 4 4
40952 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40953 +4 4 4 5 5 5 4 3 3 4 3 3 4 3 3 5 5 5
40954 +4 3 3 6 6 6 5 5 5 4 3 3 6 6 6 6 6 6
40955 +6 6 6 6 6 6 4 0 0 4 0 0 13 16 17 60 73 81
40956 +174 174 174 220 221 221 220 221 221 205 212 215 190 197 201 174 174 174
40957 +193 200 203 174 174 174 190 197 201 174 174 174 193 200 203 220 221 221
40958 +193 200 203 131 129 131 37 38 37 6 6 6 4 0 0 4 0 0
40959 +6 6 6 6 6 6 4 3 3 5 5 5 4 4 4 4 4 4
40960 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40961 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40962 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40963 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40964 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40965 +4 4 4 4 4 4
40966 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40967 +4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
40968 +5 5 5 4 3 3 4 3 3 5 5 5 4 3 3 4 3 3
40969 +5 5 5 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
40970 +6 6 6 125 124 125 174 174 174 220 221 221 220 221 221 193 200 203
40971 +193 200 203 193 200 203 193 200 203 193 200 203 220 221 221 158 157 158
40972 +60 73 81 6 6 6 4 0 0 4 0 0 5 5 5 6 6 6
40973 +5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
40974 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40975 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40976 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40977 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40978 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40979 +4 4 4 4 4 4
40980 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40981 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40982 +4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
40983 +5 5 5 5 5 5 6 6 6 6 6 6 4 0 0 4 0 0
40984 +4 0 0 4 0 0 26 28 28 125 124 125 174 174 174 193 200 203
40985 +193 200 203 174 174 174 193 200 203 167 166 167 125 124 125 6 6 6
40986 +6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 5 5 5
40987 +4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
40988 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40989 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40990 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40991 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40992 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40993 +4 4 4 4 4 4
40994 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40995 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
40996 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
40997 +4 3 3 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
40998 +6 6 6 4 0 0 4 0 0 6 6 6 37 38 37 125 124 125
40999 +153 152 153 131 129 131 125 124 125 37 38 37 6 6 6 6 6 6
41000 +6 6 6 4 0 0 6 6 6 6 6 6 4 3 3 5 5 5
41001 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41002 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41003 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41004 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41005 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41006 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41007 +4 4 4 4 4 4
41008 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41009 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41010 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41011 +4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
41012 +6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
41013 +24 26 27 24 26 27 6 6 6 6 6 6 6 6 6 4 0 0
41014 +6 6 6 6 6 6 4 0 0 6 6 6 5 5 5 4 3 3
41015 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41016 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41017 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41018 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41019 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41020 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41021 +4 4 4 4 4 4
41022 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41023 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41024 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41025 +4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
41026 +4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
41027 +6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
41028 +4 0 0 6 6 6 6 6 6 4 3 3 5 5 5 4 4 4
41029 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41030 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41031 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41032 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41033 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41034 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41035 +4 4 4 4 4 4
41036 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41037 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41038 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41039 +4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 5 5 5
41040 +5 5 5 5 5 5 4 0 0 6 6 6 4 0 0 6 6 6
41041 +6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 4 0 0
41042 +6 6 6 4 3 3 5 5 5 4 3 3 5 5 5 4 4 4
41043 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41044 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41045 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41046 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41047 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41048 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41049 +4 4 4 4 4 4
41050 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41051 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41052 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41053 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
41054 +4 3 3 6 6 6 4 3 3 6 6 6 6 6 6 6 6 6
41055 +4 0 0 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
41056 +6 6 6 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
41057 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41058 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41059 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41060 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41061 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41062 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41063 +4 4 4 4 4 4
41064 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41065 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41066 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41067 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41068 +4 4 4 5 5 5 4 3 3 5 5 5 4 0 0 6 6 6
41069 +6 6 6 4 0 0 6 6 6 6 6 6 4 0 0 6 6 6
41070 +4 3 3 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
41071 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41072 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41073 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41074 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41075 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41076 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41077 +4 4 4 4 4 4
41078 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41079 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41080 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41081 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41082 +4 4 4 5 5 5 4 3 3 5 5 5 6 6 6 4 3 3
41083 +4 3 3 6 6 6 6 6 6 4 3 3 6 6 6 4 3 3
41084 +5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41085 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41086 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41087 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41088 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41089 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41090 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41091 +4 4 4 4 4 4
41092 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41093 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41094 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41095 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41096 +4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 6 6 6
41097 +5 5 5 4 3 3 4 3 3 4 3 3 5 5 5 5 5 5
41098 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41099 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41100 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41101 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41102 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41103 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41104 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41105 +4 4 4 4 4 4
41106 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41107 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41108 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41109 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41110 +4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
41111 +5 5 5 4 3 3 5 5 5 5 5 5 4 4 4 4 4 4
41112 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41113 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41114 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41115 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41116 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41117 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41118 +4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
41119 +4 4 4 4 4 4
41120 diff -urNp linux-2.6.32.46/drivers/video/nvidia/nv_backlight.c linux-2.6.32.46/drivers/video/nvidia/nv_backlight.c
41121 --- linux-2.6.32.46/drivers/video/nvidia/nv_backlight.c 2011-03-27 14:31:47.000000000 -0400
41122 +++ linux-2.6.32.46/drivers/video/nvidia/nv_backlight.c 2011-04-17 15:56:46.000000000 -0400
41123 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
41124 return bd->props.brightness;
41125 }
41126
41127 -static struct backlight_ops nvidia_bl_ops = {
41128 +static const struct backlight_ops nvidia_bl_ops = {
41129 .get_brightness = nvidia_bl_get_brightness,
41130 .update_status = nvidia_bl_update_status,
41131 };
41132 diff -urNp linux-2.6.32.46/drivers/video/riva/fbdev.c linux-2.6.32.46/drivers/video/riva/fbdev.c
41133 --- linux-2.6.32.46/drivers/video/riva/fbdev.c 2011-03-27 14:31:47.000000000 -0400
41134 +++ linux-2.6.32.46/drivers/video/riva/fbdev.c 2011-04-17 15:56:46.000000000 -0400
41135 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
41136 return bd->props.brightness;
41137 }
41138
41139 -static struct backlight_ops riva_bl_ops = {
41140 +static const struct backlight_ops riva_bl_ops = {
41141 .get_brightness = riva_bl_get_brightness,
41142 .update_status = riva_bl_update_status,
41143 };
41144 diff -urNp linux-2.6.32.46/drivers/video/uvesafb.c linux-2.6.32.46/drivers/video/uvesafb.c
41145 --- linux-2.6.32.46/drivers/video/uvesafb.c 2011-03-27 14:31:47.000000000 -0400
41146 +++ linux-2.6.32.46/drivers/video/uvesafb.c 2011-04-17 15:56:46.000000000 -0400
41147 @@ -18,6 +18,7 @@
41148 #include <linux/fb.h>
41149 #include <linux/io.h>
41150 #include <linux/mutex.h>
41151 +#include <linux/moduleloader.h>
41152 #include <video/edid.h>
41153 #include <video/uvesafb.h>
41154 #ifdef CONFIG_X86
41155 @@ -120,7 +121,7 @@ static int uvesafb_helper_start(void)
41156 NULL,
41157 };
41158
41159 - return call_usermodehelper(v86d_path, argv, envp, 1);
41160 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
41161 }
41162
41163 /*
41164 @@ -568,10 +569,32 @@ static int __devinit uvesafb_vbe_getpmi(
41165 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
41166 par->pmi_setpal = par->ypan = 0;
41167 } else {
41168 +
41169 +#ifdef CONFIG_PAX_KERNEXEC
41170 +#ifdef CONFIG_MODULES
41171 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
41172 +#endif
41173 + if (!par->pmi_code) {
41174 + par->pmi_setpal = par->ypan = 0;
41175 + return 0;
41176 + }
41177 +#endif
41178 +
41179 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
41180 + task->t.regs.edi);
41181 +
41182 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
41183 + pax_open_kernel();
41184 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
41185 + pax_close_kernel();
41186 +
41187 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
41188 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
41189 +#else
41190 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
41191 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
41192 +#endif
41193 +
41194 printk(KERN_INFO "uvesafb: protected mode interface info at "
41195 "%04x:%04x\n",
41196 (u16)task->t.regs.es, (u16)task->t.regs.edi);
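Review bot: The table offsets `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without being compared to the `(u16)task->t.regs.ecx` length that was allocated and copied. Under CONFIG_PAX_KERNEXEC, a firmware table with an offset past that length would leave `pmi_start` or `pmi_pal` pointing outside the executable copy. A guard before the two `ktva_ktla()` lines, such as `if (par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx)` taking the existing `par->pmi_setpal = par->ypan = 0;` fallback, would keep both entry points inside the buffer. The vesafb.c hunk at `@@ -325,9 +335,25 @@` has the same pattern, with `pmi_base[1]` and `pmi_base[2]` used against `screen_info.vesapm_size`. uvesafb_vbe_getpmi() starts and ends outside this hunk, so a check elsewhere cannot be ruled out.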
41197 @@ -1799,6 +1822,11 @@ out:
41198 if (par->vbe_modes)
41199 kfree(par->vbe_modes);
41200
41201 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
41202 + if (par->pmi_code)
41203 + module_free_exec(NULL, par->pmi_code);
41204 +#endif
41205 +
41206 framebuffer_release(info);
41207 return err;
41208 }
41209 @@ -1825,6 +1853,12 @@ static int uvesafb_remove(struct platfor
41210 kfree(par->vbe_state_orig);
41211 if (par->vbe_state_saved)
41212 kfree(par->vbe_state_saved);
41213 +
41214 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
41215 + if (par->pmi_code)
41216 + module_free_exec(NULL, par->pmi_code);
41217 +#endif
41218 +
41219 }
41220
41221 framebuffer_release(info);
41222 diff -urNp linux-2.6.32.46/drivers/video/vesafb.c linux-2.6.32.46/drivers/video/vesafb.c
41223 --- linux-2.6.32.46/drivers/video/vesafb.c 2011-03-27 14:31:47.000000000 -0400
41224 +++ linux-2.6.32.46/drivers/video/vesafb.c 2011-08-05 20:33:55.000000000 -0400
41225 @@ -9,6 +9,7 @@
41226 */
41227
41228 #include <linux/module.h>
41229 +#include <linux/moduleloader.h>
41230 #include <linux/kernel.h>
41231 #include <linux/errno.h>
41232 #include <linux/string.h>
41233 @@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
41234 static int vram_total __initdata; /* Set total amount of memory */
41235 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
41236 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
41237 -static void (*pmi_start)(void) __read_mostly;
41238 -static void (*pmi_pal) (void) __read_mostly;
41239 +static void (*pmi_start)(void) __read_only;
41240 +static void (*pmi_pal) (void) __read_only;
41241 static int depth __read_mostly;
41242 static int vga_compat __read_mostly;
41243 /* --------------------------------------------------------------------- */
41244 @@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
41245 unsigned int size_vmode;
41246 unsigned int size_remap;
41247 unsigned int size_total;
41248 + void *pmi_code = NULL;
41249
41250 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
41251 return -ENODEV;
41252 @@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
41253 size_remap = size_total;
41254 vesafb_fix.smem_len = size_remap;
41255
41256 -#ifndef __i386__
41257 - screen_info.vesapm_seg = 0;
41258 -#endif
41259 -
41260 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
41261 printk(KERN_WARNING
41262 "vesafb: cannot reserve video memory at 0x%lx\n",
41263 @@ -315,9 +313,21 @@ static int __init vesafb_probe(struct pl
41264 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
41265 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
41266
41267 +#ifdef __i386__
41268 +
41269 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
41270 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
41271 + if (!pmi_code)
41272 +#elif !defined(CONFIG_PAX_KERNEXEC)
41273 + if (0)
41274 +#endif
41275 +
41276 +#endif
41277 + screen_info.vesapm_seg = 0;
41278 +
41279 if (screen_info.vesapm_seg) {
41280 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
41281 - screen_info.vesapm_seg,screen_info.vesapm_off);
41282 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
41283 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
41284 }
41285
41286 if (screen_info.vesapm_seg < 0xc000)
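Review bot: `module_alloc_exec(screen_info.vesapm_size)` runs before the driver knows whether the protected mode interface will be used. If `screen_info.vesapm_seg < 0xc000` turns PMI off afterwards, the buffer stays allocated and, as far as the visible hunks show, is released only on the `err:` path. Allocating inside the later `if (ypan || pmi_setpal)` branch, or freeing once PMI is disabled, would avoid holding executable memory that nothing calls. The preprocessor-selected `if` in front of `screen_info.vesapm_seg = 0;` is also hard to follow; a comment above `#ifdef __i386__` such as `/* PMI is disabled on non-i386, under KERNEXEC without MODULES, or when the executable copy cannot be allocated */` would spell out the cases. vesafb_probe() extends beyond this hunk.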
41287 @@ -325,9 +335,25 @@ static int __init vesafb_probe(struct pl
41288
41289 if (ypan || pmi_setpal) {
41290 unsigned short *pmi_base;
41291 +
41292 pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
41293 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
41294 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
41295 +
41296 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
41297 + pax_open_kernel();
41298 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
41299 +#else
41300 + pmi_code = pmi_base;
41301 +#endif
41302 +
41303 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
41304 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
41305 +
41306 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
41307 + pmi_start = ktva_ktla(pmi_start);
41308 + pmi_pal = ktva_ktla(pmi_pal);
41309 + pax_close_kernel();
41310 +#endif
41311 +
41312 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
41313 if (pmi_base[3]) {
41314 printk(KERN_INFO "vesafb: pmi: ports = ");
41315 @@ -469,6 +495,11 @@ static int __init vesafb_probe(struct pl
41316 info->node, info->fix.id);
41317 return 0;
41318 err:
41319 +
41320 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
41321 + module_free_exec(NULL, pmi_code);
41322 +#endif
41323 +
41324 if (info->screen_base)
41325 iounmap(info->screen_base);
41326 framebuffer_release(info);
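Review bot: `module_free_exec(NULL, pmi_code)` on the `err:` path lacks the NULL test that both uvesafb.c hunks use (`if (par->pmi_code)`), although `pmi_code` is initialised to NULL and stays NULL when the allocation fails. Whether module_free_exec() tolerates a NULL region is not visible on this page, so matching the other driver is the safer form: `if (pmi_code) module_free_exec(NULL, pmi_code);`. vesafb_probe() begins outside this hunk.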
41327 diff -urNp linux-2.6.32.46/drivers/xen/sys-hypervisor.c linux-2.6.32.46/drivers/xen/sys-hypervisor.c
41328 --- linux-2.6.32.46/drivers/xen/sys-hypervisor.c 2011-03-27 14:31:47.000000000 -0400
41329 +++ linux-2.6.32.46/drivers/xen/sys-hypervisor.c 2011-04-17 15:56:46.000000000 -0400
41330 @@ -425,7 +425,7 @@ static ssize_t hyp_sysfs_store(struct ko
41331 return 0;
41332 }
41333
41334 -static struct sysfs_ops hyp_sysfs_ops = {
41335 +static const struct sysfs_ops hyp_sysfs_ops = {
41336 .show = hyp_sysfs_show,
41337 .store = hyp_sysfs_store,
41338 };
41339 diff -urNp linux-2.6.32.46/fs/9p/vfs_inode.c linux-2.6.32.46/fs/9p/vfs_inode.c
41340 --- linux-2.6.32.46/fs/9p/vfs_inode.c 2011-03-27 14:31:47.000000000 -0400
41341 +++ linux-2.6.32.46/fs/9p/vfs_inode.c 2011-04-17 15:56:46.000000000 -0400
41342 @@ -1079,7 +1079,7 @@ static void *v9fs_vfs_follow_link(struct
41343 static void
41344 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
41345 {
41346 - char *s = nd_get_link(nd);
41347 + const char *s = nd_get_link(nd);
41348
41349 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
41350 IS_ERR(s) ? "<error>" : s);
41351 diff -urNp linux-2.6.32.46/fs/aio.c linux-2.6.32.46/fs/aio.c
41352 --- linux-2.6.32.46/fs/aio.c 2011-03-27 14:31:47.000000000 -0400
41353 +++ linux-2.6.32.46/fs/aio.c 2011-06-04 20:40:21.000000000 -0400
41354 @@ -115,7 +115,7 @@ static int aio_setup_ring(struct kioctx
41355 size += sizeof(struct io_event) * nr_events;
41356 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
41357
41358 - if (nr_pages < 0)
41359 + if (nr_pages <= 0)
41360 return -EINVAL;
41361
41362 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
41363 @@ -1089,6 +1089,8 @@ static int read_events(struct kioctx *ct
41364 struct aio_timeout to;
41365 int retry = 0;
41366
41367 + pax_track_stack();
41368 +
41369 /* needed to zero any padding within an entry (there shouldn't be
41370 * any, but C is fun!
41371 */
41372 @@ -1382,13 +1384,18 @@ static ssize_t aio_fsync(struct kiocb *i
41373 static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb)
41374 {
41375 ssize_t ret;
41376 + struct iovec iovstack;
41377
41378 ret = rw_copy_check_uvector(type, (struct iovec __user *)kiocb->ki_buf,
41379 kiocb->ki_nbytes, 1,
41380 - &kiocb->ki_inline_vec, &kiocb->ki_iovec);
41381 + &iovstack, &kiocb->ki_iovec);
41382 if (ret < 0)
41383 goto out;
41384
41385 + if (kiocb->ki_iovec == &iovstack) {
41386 + kiocb->ki_inline_vec = iovstack;
41387 + kiocb->ki_iovec = &kiocb->ki_inline_vec;
41388 + }
41389 kiocb->ki_nr_segs = kiocb->ki_nbytes;
41390 kiocb->ki_cur_seg = 0;
41391 /* ki_nbytes/left now reflect bytes instead of segs */
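Review bot: The detour through the on-stack `iovstack` has no comment, so a reader of aio_setup_vectored_rw() cannot tell why `&kiocb->ki_inline_vec` is no longer passed to `rw_copy_check_uvector()` directly. A comment at the declaration would record the visible effect, for example `/* validate into a stack iovec; ki_inline_vec is filled only after the check succeeds */`. The fix-up `kiocb->ki_iovec = &kiocb->ki_inline_vec;` is what stops `ki_iovec` from pointing at the stack after return, and a one-line comment there would protect it from being removed as redundant. The function continues past the end of this hunk.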
41392 diff -urNp linux-2.6.32.46/fs/attr.c linux-2.6.32.46/fs/attr.c
41393 --- linux-2.6.32.46/fs/attr.c 2011-03-27 14:31:47.000000000 -0400
41394 +++ linux-2.6.32.46/fs/attr.c 2011-04-17 15:56:46.000000000 -0400
41395 @@ -83,6 +83,7 @@ int inode_newsize_ok(const struct inode
41396 unsigned long limit;
41397
41398 limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
41399 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
41400 if (limit != RLIM_INFINITY && offset > limit)
41401 goto out_sig;
41402 if (offset > inode->i_sb->s_maxbytes)
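Review bot: The `(unsigned long)offset` cast in the added `gr_learn_resource()` call can truncate on 32-bit builds if `offset` is a 64-bit file offset; its declaration is cut off in the hunk header, so this is inferred. The learned RLIMIT_FSIZE value would then be smaller than the one compared with `limit` on the next line. Saturating instead of truncating, e.g. `offset > ULONG_MAX ? ULONG_MAX : (unsigned long)offset`, keeps the recorded value from under-reporting the request. inode_newsize_ok() starts and ends outside this hunk.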
41403 diff -urNp linux-2.6.32.46/fs/autofs/root.c linux-2.6.32.46/fs/autofs/root.c
41404 --- linux-2.6.32.46/fs/autofs/root.c 2011-03-27 14:31:47.000000000 -0400
41405 +++ linux-2.6.32.46/fs/autofs/root.c 2011-04-17 15:56:46.000000000 -0400
41406 @@ -299,7 +299,8 @@ static int autofs_root_symlink(struct in
41407 set_bit(n,sbi->symlink_bitmap);
41408 sl = &sbi->symlink[n];
41409 sl->len = strlen(symname);
41410 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
41411 + slsize = sl->len+1;
41412 + sl->data = kmalloc(slsize, GFP_KERNEL);
41413 if (!sl->data) {
41414 clear_bit(n,sbi->symlink_bitmap);
41415 unlock_kernel();
41416 diff -urNp linux-2.6.32.46/fs/autofs4/symlink.c linux-2.6.32.46/fs/autofs4/symlink.c
41417 --- linux-2.6.32.46/fs/autofs4/symlink.c 2011-03-27 14:31:47.000000000 -0400
41418 +++ linux-2.6.32.46/fs/autofs4/symlink.c 2011-04-17 15:56:46.000000000 -0400
41419 @@ -15,7 +15,7 @@
41420 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
41421 {
41422 struct autofs_info *ino = autofs4_dentry_ino(dentry);
41423 - nd_set_link(nd, (char *)ino->u.symlink);
41424 + nd_set_link(nd, ino->u.symlink);
41425 return NULL;
41426 }
41427
41428 diff -urNp linux-2.6.32.46/fs/befs/linuxvfs.c linux-2.6.32.46/fs/befs/linuxvfs.c
41429 --- linux-2.6.32.46/fs/befs/linuxvfs.c 2011-08-29 22:24:44.000000000 -0400
41430 +++ linux-2.6.32.46/fs/befs/linuxvfs.c 2011-08-29 22:25:07.000000000 -0400
41431 @@ -498,7 +498,7 @@ static void befs_put_link(struct dentry
41432 {
41433 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
41434 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
41435 - char *link = nd_get_link(nd);
41436 + const char *link = nd_get_link(nd);
41437 if (!IS_ERR(link))
41438 kfree(link);
41439 }
41440 diff -urNp linux-2.6.32.46/fs/binfmt_aout.c linux-2.6.32.46/fs/binfmt_aout.c
41441 --- linux-2.6.32.46/fs/binfmt_aout.c 2011-03-27 14:31:47.000000000 -0400
41442 +++ linux-2.6.32.46/fs/binfmt_aout.c 2011-04-17 15:56:46.000000000 -0400
41443 @@ -16,6 +16,7 @@
41444 #include <linux/string.h>
41445 #include <linux/fs.h>
41446 #include <linux/file.h>
41447 +#include <linux/security.h>
41448 #include <linux/stat.h>
41449 #include <linux/fcntl.h>
41450 #include <linux/ptrace.h>
41451 @@ -102,6 +103,8 @@ static int aout_core_dump(long signr, st
41452 #endif
41453 # define START_STACK(u) (u.start_stack)
41454
41455 + memset(&dump, 0, sizeof(dump));
41456 +
41457 fs = get_fs();
41458 set_fs(KERNEL_DS);
41459 has_dumped = 1;
41460 @@ -113,10 +116,12 @@ static int aout_core_dump(long signr, st
41461
41462 /* If the size of the dump file exceeds the rlimit, then see what would happen
41463 if we wrote the stack, but not the data area. */
41464 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
41465 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > limit)
41466 dump.u_dsize = 0;
41467
41468 /* Make sure we have enough room to write the stack and data areas. */
41469 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
41470 if ((dump.u_ssize + 1) * PAGE_SIZE > limit)
41471 dump.u_ssize = 0;
41472
41473 @@ -146,9 +151,7 @@ static int aout_core_dump(long signr, st
41474 dump_size = dump.u_ssize << PAGE_SHIFT;
41475 DUMP_WRITE(dump_start,dump_size);
41476 }
41477 -/* Finally dump the task struct. Not be used by gdb, but could be useful */
41478 - set_fs(KERNEL_DS);
41479 - DUMP_WRITE(current,sizeof(*current));
41480 +/* Finally, let's not dump the task struct. Not be used by gdb, but could be useful to an attacker */
41481 end_coredump:
41482 set_fs(fs);
41483 return has_dumped;
41484 @@ -249,6 +252,8 @@ static int load_aout_binary(struct linux
41485 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
41486 if (rlim >= RLIM_INFINITY)
41487 rlim = ~0;
41488 +
41489 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
41490 if (ex.a_data + ex.a_bss > rlim)
41491 return -ENOMEM;
41492
41493 @@ -277,6 +282,27 @@ static int load_aout_binary(struct linux
41494 install_exec_creds(bprm);
41495 current->flags &= ~PF_FORKNOEXEC;
41496
41497 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
41498 + current->mm->pax_flags = 0UL;
41499 +#endif
41500 +
41501 +#ifdef CONFIG_PAX_PAGEEXEC
41502 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
41503 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
41504 +
41505 +#ifdef CONFIG_PAX_EMUTRAMP
41506 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
41507 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
41508 +#endif
41509 +
41510 +#ifdef CONFIG_PAX_MPROTECT
41511 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
41512 + current->mm->pax_flags |= MF_PAX_MPROTECT;
41513 +#endif
41514 +
41515 + }
41516 +#endif
41517 +
41518 if (N_MAGIC(ex) == OMAGIC) {
41519 unsigned long text_addr, map_size;
41520 loff_t pos;
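Review bot: The new block reads the a.out header flags with mixed polarity and no comment. `F_PAX_PAGEEXEC` and `F_PAX_MPROTECT` are tested with `!`, so those features are on unless the bit is set, while `F_PAX_EMUTRAMP` turns its feature on when the bit is set. A comment above the block, e.g. `/* PAGEEXEC and MPROTECT are opt-out bits, EMUTRAMP is opt-in; the latter two apply only when PAGEEXEC is active */`, would keep a later edit from flipping one of the tests by mistake. load_aout_binary() starts and ends outside this hunk.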
41521 @@ -349,7 +375,7 @@ static int load_aout_binary(struct linux
41522
41523 down_write(&current->mm->mmap_sem);
41524 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
41525 - PROT_READ | PROT_WRITE | PROT_EXEC,
41526 + PROT_READ | PROT_WRITE,
41527 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
41528 fd_offset + ex.a_text);
41529 up_write(&current->mm->mmap_sem);
41530 diff -urNp linux-2.6.32.46/fs/binfmt_elf.c linux-2.6.32.46/fs/binfmt_elf.c
41531 --- linux-2.6.32.46/fs/binfmt_elf.c 2011-03-27 14:31:47.000000000 -0400
41532 +++ linux-2.6.32.46/fs/binfmt_elf.c 2011-05-16 21:46:57.000000000 -0400
41533 @@ -50,6 +50,10 @@ static int elf_core_dump(long signr, str
41534 #define elf_core_dump NULL
41535 #endif
41536
41537 +#ifdef CONFIG_PAX_MPROTECT
41538 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
41539 +#endif
41540 +
41541 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
41542 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
41543 #else
41544 @@ -69,6 +73,11 @@ static struct linux_binfmt elf_format =
41545 .load_binary = load_elf_binary,
41546 .load_shlib = load_elf_library,
41547 .core_dump = elf_core_dump,
41548 +
41549 +#ifdef CONFIG_PAX_MPROTECT
41550 + .handle_mprotect= elf_handle_mprotect,
41551 +#endif
41552 +
41553 .min_coredump = ELF_EXEC_PAGESIZE,
41554 .hasvdso = 1
41555 };
41556 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
41557
41558 static int set_brk(unsigned long start, unsigned long end)
41559 {
41560 + unsigned long e = end;
41561 +
41562 start = ELF_PAGEALIGN(start);
41563 end = ELF_PAGEALIGN(end);
41564 if (end > start) {
41565 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
41566 if (BAD_ADDR(addr))
41567 return addr;
41568 }
41569 - current->mm->start_brk = current->mm->brk = end;
41570 + current->mm->start_brk = current->mm->brk = e;
41571 return 0;
41572 }
41573
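Review bot: `current->mm->start_brk = current->mm->brk = e;` now stores the caller's unaligned `end` rather than the `ELF_PAGEALIGN`ed value, and neither this hunk nor the one at `@@ -77,6 +86,8 @@` that introduces `e` says why. A descriptive name and a comment would document the behaviour change, for example `unsigned long brk_end = end; /* unaligned end, stored in mm->brk below */`. The part of set_brk() between the two hunks is not visible here.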
41574 @@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
41575 elf_addr_t __user *u_rand_bytes;
41576 const char *k_platform = ELF_PLATFORM;
41577 const char *k_base_platform = ELF_BASE_PLATFORM;
41578 - unsigned char k_rand_bytes[16];
41579 + u32 k_rand_bytes[4];
41580 int items;
41581 elf_addr_t *elf_info;
41582 int ei_index = 0;
41583 const struct cred *cred = current_cred();
41584 struct vm_area_struct *vma;
41585 + unsigned long saved_auxv[AT_VECTOR_SIZE];
41586 +
41587 + pax_track_stack();
41588
41589 /*
41590 * In some cases (e.g. Hyper-Threading), we want to avoid L1
41591 @@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
41592 * Generate 16 random bytes for userspace PRNG seeding.
41593 */
41594 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
41595 - u_rand_bytes = (elf_addr_t __user *)
41596 - STACK_ALLOC(p, sizeof(k_rand_bytes));
41597 + srandom32(k_rand_bytes[0] ^ random32());
41598 + srandom32(k_rand_bytes[1] ^ random32());
41599 + srandom32(k_rand_bytes[2] ^ random32());
41600 + srandom32(k_rand_bytes[3] ^ random32());
41601 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
41602 + u_rand_bytes = (elf_addr_t __user *) p;
41603 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
41604 return -EFAULT;
41605
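Review bot: The four `srandom32(k_rand_bytes[i] ^ random32())` calls reseed the kernel's `random32()` generator from the same 16 bytes that `__copy_to_user()` hands to the new process a few lines later, so that process knows one operand of every XOR. Drawing the reseed material separately keeps it out of userspace, e.g. `u32 seed[4]; get_random_bytes(seed, sizeof(seed));` followed by `srandom32(seed[i] ^ random32());`. The retained comment describes the bytes only as userspace PRNG seeding and should mention the reseed as well. create_elf_tables() extends beyond this hunk.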
41606 @@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
41607 return -EFAULT;
41608 current->mm->env_end = p;
41609
41610 + memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
41611 +
41612 /* Put the elf_info on the stack in the right place. */
41613 sp = (elf_addr_t __user *)envp + 1;
41614 - if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
41615 + if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
41616 return -EFAULT;
41617 return 0;
41618 }
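Review bot: The added `memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));` writes a computed length into a stack array with no check that it fits. `saved_auxv` is declared as `unsigned long saved_auxv[AT_VECTOR_SIZE]` in the hunk at `@@ -148,12 +159,15 @@`, while the length is counted in `elf_addr_t` units. Where `elf_info` points and how `ei_index` is bounded are outside the visible lines, so the copy may already be safe. Declaring the buffer as `elf_addr_t saved_auxv[AT_VECTOR_SIZE];` and adding `BUG_ON(ei_index > AT_VECTOR_SIZE);` before the memcpy would make that explicit. A short comment saying why the vector is bounced through the stack before `copy_to_user()` would also help.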
41619 @@ -385,10 +405,10 @@ static unsigned long load_elf_interp(str
41620 {
41621 struct elf_phdr *elf_phdata;
41622 struct elf_phdr *eppnt;
41623 - unsigned long load_addr = 0;
41624 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
41625 int load_addr_set = 0;
41626 unsigned long last_bss = 0, elf_bss = 0;
41627 - unsigned long error = ~0UL;
41628 + unsigned long error = -EINVAL;
41629 unsigned long total_size;
41630 int retval, i, size;
41631
41632 @@ -434,6 +454,11 @@ static unsigned long load_elf_interp(str
41633 goto out_close;
41634 }
41635
41636 +#ifdef CONFIG_PAX_SEGMEXEC
41637 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
41638 + pax_task_size = SEGMEXEC_TASK_SIZE;
41639 +#endif
41640 +
41641 eppnt = elf_phdata;
41642 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
41643 if (eppnt->p_type == PT_LOAD) {
41644 @@ -477,8 +502,8 @@ static unsigned long load_elf_interp(str
41645 k = load_addr + eppnt->p_vaddr;
41646 if (BAD_ADDR(k) ||
41647 eppnt->p_filesz > eppnt->p_memsz ||
41648 - eppnt->p_memsz > TASK_SIZE ||
41649 - TASK_SIZE - eppnt->p_memsz < k) {
41650 + eppnt->p_memsz > pax_task_size ||
41651 + pax_task_size - eppnt->p_memsz < k) {
41652 error = -ENOMEM;
41653 goto out_close;
41654 }
41655 @@ -532,6 +557,194 @@ out:
41656 return error;
41657 }
41658
41659 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
41660 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
41661 +{
41662 + unsigned long pax_flags = 0UL;
41663 +
41664 +#ifdef CONFIG_PAX_PAGEEXEC
41665 + if (elf_phdata->p_flags & PF_PAGEEXEC)
41666 + pax_flags |= MF_PAX_PAGEEXEC;
41667 +#endif
41668 +
41669 +#ifdef CONFIG_PAX_SEGMEXEC
41670 + if (elf_phdata->p_flags & PF_SEGMEXEC)
41671 + pax_flags |= MF_PAX_SEGMEXEC;
41672 +#endif
41673 +
41674 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
41675 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
41676 + if (nx_enabled)
41677 + pax_flags &= ~MF_PAX_SEGMEXEC;
41678 + else
41679 + pax_flags &= ~MF_PAX_PAGEEXEC;
41680 + }
41681 +#endif
41682 +
41683 +#ifdef CONFIG_PAX_EMUTRAMP
41684 + if (elf_phdata->p_flags & PF_EMUTRAMP)
41685 + pax_flags |= MF_PAX_EMUTRAMP;
41686 +#endif
41687 +
41688 +#ifdef CONFIG_PAX_MPROTECT
41689 + if (elf_phdata->p_flags & PF_MPROTECT)
41690 + pax_flags |= MF_PAX_MPROTECT;
41691 +#endif
41692 +
41693 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
41694 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
41695 + pax_flags |= MF_PAX_RANDMMAP;
41696 +#endif
41697 +
41698 + return pax_flags;
41699 +}
41700 +#endif
41701 +
41702 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
41703 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
41704 +{
41705 + unsigned long pax_flags = 0UL;
41706 +
41707 +#ifdef CONFIG_PAX_PAGEEXEC
41708 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
41709 + pax_flags |= MF_PAX_PAGEEXEC;
41710 +#endif
41711 +
41712 +#ifdef CONFIG_PAX_SEGMEXEC
41713 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
41714 + pax_flags |= MF_PAX_SEGMEXEC;
41715 +#endif
41716 +
41717 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
41718 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
41719 + if (nx_enabled)
41720 + pax_flags &= ~MF_PAX_SEGMEXEC;
41721 + else
41722 + pax_flags &= ~MF_PAX_PAGEEXEC;
41723 + }
41724 +#endif
41725 +
41726 +#ifdef CONFIG_PAX_EMUTRAMP
41727 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
41728 + pax_flags |= MF_PAX_EMUTRAMP;
41729 +#endif
41730 +
41731 +#ifdef CONFIG_PAX_MPROTECT
41732 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
41733 + pax_flags |= MF_PAX_MPROTECT;
41734 +#endif
41735 +
41736 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
41737 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
41738 + pax_flags |= MF_PAX_RANDMMAP;
41739 +#endif
41740 +
41741 + return pax_flags;
41742 +}
41743 +#endif
41744 +
41745 +#ifdef CONFIG_PAX_EI_PAX
41746 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
41747 +{
41748 + unsigned long pax_flags = 0UL;
41749 +
41750 +#ifdef CONFIG_PAX_PAGEEXEC
41751 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
41752 + pax_flags |= MF_PAX_PAGEEXEC;
41753 +#endif
41754 +
41755 +#ifdef CONFIG_PAX_SEGMEXEC
41756 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
41757 + pax_flags |= MF_PAX_SEGMEXEC;
41758 +#endif
41759 +
41760 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
41761 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
41762 + if (nx_enabled)
41763 + pax_flags &= ~MF_PAX_SEGMEXEC;
41764 + else
41765 + pax_flags &= ~MF_PAX_PAGEEXEC;
41766 + }
41767 +#endif
41768 +
41769 +#ifdef CONFIG_PAX_EMUTRAMP
41770 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
41771 + pax_flags |= MF_PAX_EMUTRAMP;
41772 +#endif
41773 +
41774 +#ifdef CONFIG_PAX_MPROTECT
41775 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
41776 + pax_flags |= MF_PAX_MPROTECT;
41777 +#endif
41778 +
41779 +#ifdef CONFIG_PAX_ASLR
41780 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
41781 + pax_flags |= MF_PAX_RANDMMAP;
41782 +#endif
41783 +
41784 + return pax_flags;
41785 +}
41786 +#endif
41787 +
41788 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
41789 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
41790 +{
41791 + unsigned long pax_flags = 0UL;
41792 +
41793 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
41794 + unsigned long i;
41795 + int found_flags = 0;
41796 +#endif
41797 +
41798 +#ifdef CONFIG_PAX_EI_PAX
41799 + pax_flags = pax_parse_ei_pax(elf_ex);
41800 +#endif
41801 +
41802 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
41803 + for (i = 0UL; i < elf_ex->e_phnum; i++)
41804 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
41805 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
41806 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
41807 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
41808 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
41809 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
41810 + return -EINVAL;
41811 +
41812 +#ifdef CONFIG_PAX_SOFTMODE
41813 + if (pax_softmode)
41814 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
41815 + else
41816 +#endif
41817 +
41818 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
41819 + found_flags = 1;
41820 + break;
41821 + }
41822 +#endif
41823 +
41824 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
41825 + if (found_flags == 0) {
41826 + struct elf_phdr phdr;
41827 + memset(&phdr, 0, sizeof(phdr));
41828 + phdr.p_flags = PF_NOEMUTRAMP;
41829 +#ifdef CONFIG_PAX_SOFTMODE
41830 + if (pax_softmode)
41831 + pax_flags = pax_parse_softmode(&phdr);
41832 + else
41833 +#endif
41834 + pax_flags = pax_parse_hardmode(&phdr);
41835 + }
41836 +#endif
41837 +
41838 +
41839 + if (0 > pax_check_flags(&pax_flags))
41840 + return -EINVAL;
41841 +
41842 + current->mm->pax_flags = pax_flags;
41843 + return 0;
41844 +}
41845 +#endif
41846 +
41847 /*
41848 * These are the functions used to load ELF style executables and shared
41849 * libraries. There is no binary dependent code anywhere else.
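Review bot: pax_parse_elf_flags has no comment stating how the two marking schemes combine, and the result is hard to read off the `#ifdef` nesting. A PT_PAX_FLAGS header replaces the EI_PAX result outright (`pax_flags` is reassigned, not merged), and only the first such header is read because of the `break`. With EI_PAX compiled out, a binary without the header is parsed from a zeroed phdr carrying only `PF_NOEMUTRAMP`. A block comment above the function saying exactly that, and that contradictory flag pairs return -EINVAL, would help anyone auditing which marking wins. The PAGEEXEC/SEGMEXEC tie-break on `nx_enabled` is also repeated verbatim in all three parsers and could live in one static helper.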
41850 @@ -548,6 +761,11 @@ static unsigned long randomize_stack_top
41851 {
41852 unsigned int random_variable = 0;
41853
41854 +#ifdef CONFIG_PAX_RANDUSTACK
41855 + if (randomize_va_space)
41856 + return stack_top - current->mm->delta_stack;
41857 +#endif
41858 +
41859 if ((current->flags & PF_RANDOMIZE) &&
41860 !(current->personality & ADDR_NO_RANDOMIZE)) {
41861 random_variable = get_random_int() & STACK_RND_MASK;
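Review bot: The early return added to randomize_stack_top is taken whenever `randomize_va_space` is set, so the stock `PF_RANDOMIZE` path below it is never reached on a CONFIG_PAX_RANDUSTACK kernel. The load_elf_binary hunk in this patch zeroes `delta_stack` and fills it only when `MF_PAX_RANDMMAP` is set, so a task with that flag cleared gets `stack_top` back unchanged. If that is the intended opt-out it deserves a comment, for example `/* PaX: delta_stack is 0 unless MF_PAX_RANDMMAP; the stock randomization is deliberately skipped */`. The function body continues outside the hunk.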
41862 @@ -566,7 +784,7 @@ static int load_elf_binary(struct linux_
41863 unsigned long load_addr = 0, load_bias = 0;
41864 int load_addr_set = 0;
41865 char * elf_interpreter = NULL;
41866 - unsigned long error;
41867 + unsigned long error = 0;
41868 struct elf_phdr *elf_ppnt, *elf_phdata;
41869 unsigned long elf_bss, elf_brk;
41870 int retval, i;
41871 @@ -576,11 +794,11 @@ static int load_elf_binary(struct linux_
41872 unsigned long start_code, end_code, start_data, end_data;
41873 unsigned long reloc_func_desc = 0;
41874 int executable_stack = EXSTACK_DEFAULT;
41875 - unsigned long def_flags = 0;
41876 struct {
41877 struct elfhdr elf_ex;
41878 struct elfhdr interp_elf_ex;
41879 } *loc;
41880 + unsigned long pax_task_size = TASK_SIZE;
41881
41882 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
41883 if (!loc) {
41884 @@ -718,11 +936,80 @@ static int load_elf_binary(struct linux_
41885
41886 /* OK, This is the point of no return */
41887 current->flags &= ~PF_FORKNOEXEC;
41888 - current->mm->def_flags = def_flags;
41889 +
41890 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
41891 + current->mm->pax_flags = 0UL;
41892 +#endif
41893 +
41894 +#ifdef CONFIG_PAX_DLRESOLVE
41895 + current->mm->call_dl_resolve = 0UL;
41896 +#endif
41897 +
41898 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
41899 + current->mm->call_syscall = 0UL;
41900 +#endif
41901 +
41902 +#ifdef CONFIG_PAX_ASLR
41903 + current->mm->delta_mmap = 0UL;
41904 + current->mm->delta_stack = 0UL;
41905 +#endif
41906 +
41907 + current->mm->def_flags = 0;
41908 +
41909 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
41910 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
41911 + send_sig(SIGKILL, current, 0);
41912 + goto out_free_dentry;
41913 + }
41914 +#endif
41915 +
41916 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
41917 + pax_set_initial_flags(bprm);
41918 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
41919 + if (pax_set_initial_flags_func)
41920 + (pax_set_initial_flags_func)(bprm);
41921 +#endif
41922 +
41923 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
41924 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
41925 + current->mm->context.user_cs_limit = PAGE_SIZE;
41926 + current->mm->def_flags |= VM_PAGEEXEC;
41927 + }
41928 +#endif
41929 +
41930 +#ifdef CONFIG_PAX_SEGMEXEC
41931 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
41932 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
41933 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
41934 + pax_task_size = SEGMEXEC_TASK_SIZE;
41935 + }
41936 +#endif
41937 +
41938 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
41939 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
41940 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
41941 + put_cpu();
41942 + }
41943 +#endif
41944
41945 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
41946 may depend on the personality. */
41947 SET_PERSONALITY(loc->elf_ex);
41948 +
41949 +#ifdef CONFIG_PAX_ASLR
41950 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
41951 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
41952 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
41953 + }
41954 +#endif
41955 +
41956 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
41957 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
41958 + executable_stack = EXSTACK_DISABLE_X;
41959 + current->personality &= ~READ_IMPLIES_EXEC;
41960 + } else
41961 +#endif
41962 +
41963 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
41964 current->personality |= READ_IMPLIES_EXEC;
41965
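Review bot: The failure branch after `pax_parse_elf_flags` sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`, unlike the later size check in the same function, which sets `retval = -EINVAL` before the same jump. The last assignment to `retval` is outside the hunk, so the function may return a stale value, possibly 0, for a binary whose PaX markings were rejected. Adding `retval = -EINVAL;` before `send_sig(SIGKILL, current, 0);` makes the error path explicit. load_elf_binary starts and ends outside the hunk.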
41966 @@ -804,6 +1091,20 @@ static int load_elf_binary(struct linux_
41967 #else
41968 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
41969 #endif
41970 +
41971 +#ifdef CONFIG_PAX_RANDMMAP
41972 + /* PaX: randomize base address at the default exe base if requested */
41973 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
41974 +#ifdef CONFIG_SPARC64
41975 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
41976 +#else
41977 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
41978 +#endif
41979 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
41980 + elf_flags |= MAP_FIXED;
41981 + }
41982 +#endif
41983 +
41984 }
41985
41986 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
41987 @@ -836,9 +1137,9 @@ static int load_elf_binary(struct linux_
41988 * allowed task size. Note that p_filesz must always be
41989 * <= p_memsz so it is only necessary to check p_memsz.
41990 */
41991 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
41992 - elf_ppnt->p_memsz > TASK_SIZE ||
41993 - TASK_SIZE - elf_ppnt->p_memsz < k) {
41994 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
41995 + elf_ppnt->p_memsz > pax_task_size ||
41996 + pax_task_size - elf_ppnt->p_memsz < k) {
41997 /* set_brk can never work. Avoid overflows. */
41998 send_sig(SIGKILL, current, 0);
41999 retval = -EINVAL;
42000 @@ -866,6 +1167,11 @@ static int load_elf_binary(struct linux_
42001 start_data += load_bias;
42002 end_data += load_bias;
42003
42004 +#ifdef CONFIG_PAX_RANDMMAP
42005 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
42006 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
42007 +#endif
42008 +
42009 /* Calling set_brk effectively mmaps the pages that we need
42010 * for the bss and break sections. We must do this before
42011 * mapping in the interpreter, to make sure it doesn't wind
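Review bot: The brk adjustment `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4)` carries no comment, and the size and granularity of the random gap are not obvious from the expression. As written it adds one page plus a random multiple of 16 bytes that stays below 16 pages. A one-line comment such as `/* PaX: one page plus a random 16-byte-granular offset (< 16 pages) before the heap */` would record that for anyone estimating the entropy.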
42012 @@ -877,9 +1183,11 @@ static int load_elf_binary(struct linux_
42013 goto out_free_dentry;
42014 }
42015 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
42016 - send_sig(SIGSEGV, current, 0);
42017 - retval = -EFAULT; /* Nobody gets to see this, but.. */
42018 - goto out_free_dentry;
42019 + /*
42020 + * This bss-zeroing can fail if the ELF
42021 + * file specifies odd protections. So
42022 + * we don't check the return value
42023 + */
42024 }
42025
42026 if (elf_interpreter) {
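Review bot: After this change the `if` around `padzero(elf_bss)` has a body that is only a comment, so the call survives purely as a side effect of evaluating the condition and the `likely`/`unlikely` hints no longer select anything. Writing it as `if (elf_bss != elf_brk)` followed by `(void)padzero(elf_bss);`, with the comment placed above, states the intent directly. The comment should also say what is given up: a failed padzero presumably leaves the tail of the last data page unzeroed, which the removed SIGSEGV path used to treat as fatal.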
42027 @@ -1112,8 +1420,10 @@ static int dump_seek(struct file *file,
42028 unsigned long n = off;
42029 if (n > PAGE_SIZE)
42030 n = PAGE_SIZE;
42031 - if (!dump_write(file, buf, n))
42032 + if (!dump_write(file, buf, n)) {
42033 + free_page((unsigned long)buf);
42034 return 0;
42035 + }
42036 off -= n;
42037 }
42038 free_page((unsigned long)buf);
42039 @@ -1125,7 +1435,7 @@ static int dump_seek(struct file *file,
42040 * Decide what to dump of a segment, part, all or none.
42041 */
42042 static unsigned long vma_dump_size(struct vm_area_struct *vma,
42043 - unsigned long mm_flags)
42044 + unsigned long mm_flags, long signr)
42045 {
42046 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
42047
42048 @@ -1159,7 +1469,7 @@ static unsigned long vma_dump_size(struc
42049 if (vma->vm_file == NULL)
42050 return 0;
42051
42052 - if (FILTER(MAPPED_PRIVATE))
42053 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
42054 goto whole;
42055
42056 /*
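Review bot: The added `signr == SIGKILL` test sends file-backed VMAs that reach this point to `whole` regardless of the `MAPPED_PRIVATE` bit in `mm_flags`, and nothing in the hunk explains why. Because it widens what lands in a core file beyond the filter the task configured, it needs a comment naming the case it serves. Something like `/* grsec: dump file-backed mappings in full when the task was killed with SIGKILL */` would do, with the wording confirmed by the author. The function body continues outside the hunk.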
42057 @@ -1255,8 +1565,11 @@ static int writenote(struct memelfnote *
42058 #undef DUMP_WRITE
42059
42060 #define DUMP_WRITE(addr, nr) \
42061 + do { \
42062 + gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
42063 if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
42064 - goto end_coredump;
42065 + goto end_coredump; \
42066 + } while (0);
42067
42068 static void fill_elf_header(struct elfhdr *elf, int segs,
42069 u16 machine, u32 flags, u8 osabi)
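Review bot: The new DUMP_WRITE wrapper ends in `} while (0);`, and the trailing semicolon defeats the idiom: `DUMP_WRITE(a, n);` expands to two statements, so the macro cannot be used as the unbraced body of an `if` that has an `else`. The last line should be `} while (0)` with the semicolon left to the caller. The added `gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1)` also evaluates `nr` a third time per use, which matters if a caller ever passes an expression with side effects.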
42070 @@ -1385,9 +1698,9 @@ static void fill_auxv_note(struct memelf
42071 {
42072 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
42073 int i = 0;
42074 - do
42075 + do {
42076 i += 2;
42077 - while (auxv[i - 2] != AT_NULL);
42078 + } while (auxv[i - 2] != AT_NULL);
42079 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
42080 }
42081
42082 @@ -1973,7 +2286,7 @@ static int elf_core_dump(long signr, str
42083 phdr.p_offset = offset;
42084 phdr.p_vaddr = vma->vm_start;
42085 phdr.p_paddr = 0;
42086 - phdr.p_filesz = vma_dump_size(vma, mm_flags);
42087 + phdr.p_filesz = vma_dump_size(vma, mm_flags, signr);
42088 phdr.p_memsz = vma->vm_end - vma->vm_start;
42089 offset += phdr.p_filesz;
42090 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
42091 @@ -2006,7 +2319,7 @@ static int elf_core_dump(long signr, str
42092 unsigned long addr;
42093 unsigned long end;
42094
42095 - end = vma->vm_start + vma_dump_size(vma, mm_flags);
42096 + end = vma->vm_start + vma_dump_size(vma, mm_flags, signr);
42097
42098 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
42099 struct page *page;
42100 @@ -2015,6 +2328,7 @@ static int elf_core_dump(long signr, str
42101 page = get_dump_page(addr);
42102 if (page) {
42103 void *kaddr = kmap(page);
42104 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
42105 stop = ((size += PAGE_SIZE) > limit) ||
42106 !dump_write(file, kaddr, PAGE_SIZE);
42107 kunmap(page);
42108 @@ -2042,6 +2356,97 @@ out:
42109
42110 #endif /* USE_ELF_CORE_DUMP */
42111
42112 +#ifdef CONFIG_PAX_MPROTECT
42113 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
42114 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
42115 + * we'll remove VM_MAYWRITE for good on RELRO segments.
42116 + *
42117 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
42118 + * basis because we want to allow the common case and not the special ones.
42119 + */
42120 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
42121 +{
42122 + struct elfhdr elf_h;
42123 + struct elf_phdr elf_p;
42124 + unsigned long i;
42125 + unsigned long oldflags;
42126 + bool is_textrel_rw, is_textrel_rx, is_relro;
42127 +
42128 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
42129 + return;
42130 +
42131 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
42132 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
42133 +
42134 +#ifdef CONFIG_PAX_ELFRELOCS
42135 + /* possible TEXTREL */
42136 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
42137 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
42138 +#else
42139 + is_textrel_rw = false;
42140 + is_textrel_rx = false;
42141 +#endif
42142 +
42143 + /* possible RELRO */
42144 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
42145 +
42146 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
42147 + return;
42148 +
42149 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
42150 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
42151 +
42152 +#ifdef CONFIG_PAX_ETEXECRELOCS
42153 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
42154 +#else
42155 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
42156 +#endif
42157 +
42158 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
42159 + !elf_check_arch(&elf_h) ||
42160 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
42161 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
42162 + return;
42163 +
42164 + for (i = 0UL; i < elf_h.e_phnum; i++) {
42165 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
42166 + return;
42167 + switch (elf_p.p_type) {
42168 + case PT_DYNAMIC:
42169 + if (!is_textrel_rw && !is_textrel_rx)
42170 + continue;
42171 + i = 0UL;
42172 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
42173 + elf_dyn dyn;
42174 +
42175 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
42176 + return;
42177 + if (dyn.d_tag == DT_NULL)
42178 + return;
42179 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
42180 + gr_log_textrel(vma);
42181 + if (is_textrel_rw)
42182 + vma->vm_flags |= VM_MAYWRITE;
42183 + else
42184 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
42185 + vma->vm_flags &= ~VM_MAYWRITE;
42186 + return;
42187 + }
42188 + i++;
42189 + }
42190 + return;
42191 +
42192 + case PT_GNU_RELRO:
42193 + if (!is_relro)
42194 + continue;
42195 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
42196 + vma->vm_flags &= ~VM_MAYWRITE;
42197 + return;
42198 + }
42199 + }
42200 +}
42201 +#endif
42202 +
42203 static int __init init_elf_binfmt(void)
42204 {
42205 return register_binfmt(&elf_format);
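Review bot: In elf_handle_mprotect the PT_DYNAMIC case resets the outer program-header index with `i = 0UL;` and reuses it to walk the dynamic entries. That works only because every path out of the inner `while` returns; a later edit that lets control fall back into the `for` loop would resume at the wrong header. A separate index (`unsigned long i, j;`, then `j` in the `while` condition, the `kernel_read` offset and the increment) removes that trap. The inner loop is bounded only by `elf_p.p_filesz`, a value read from the file, so an explicit cap like the `e_phnum` limit above it would be worth adding. The `switch (elf_p.p_type)` also has no `default` case.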
42206 diff -urNp linux-2.6.32.46/fs/binfmt_flat.c linux-2.6.32.46/fs/binfmt_flat.c
42207 --- linux-2.6.32.46/fs/binfmt_flat.c 2011-03-27 14:31:47.000000000 -0400
42208 +++ linux-2.6.32.46/fs/binfmt_flat.c 2011-04-17 15:56:46.000000000 -0400
42209 @@ -564,7 +564,9 @@ static int load_flat_file(struct linux_b
42210 realdatastart = (unsigned long) -ENOMEM;
42211 printk("Unable to allocate RAM for process data, errno %d\n",
42212 (int)-realdatastart);
42213 + down_write(&current->mm->mmap_sem);
42214 do_munmap(current->mm, textpos, text_len);
42215 + up_write(&current->mm->mmap_sem);
42216 ret = realdatastart;
42217 goto err;
42218 }
42219 @@ -588,8 +590,10 @@ static int load_flat_file(struct linux_b
42220 }
42221 if (IS_ERR_VALUE(result)) {
42222 printk("Unable to read data+bss, errno %d\n", (int)-result);
42223 + down_write(&current->mm->mmap_sem);
42224 do_munmap(current->mm, textpos, text_len);
42225 do_munmap(current->mm, realdatastart, data_len + extra);
42226 + up_write(&current->mm->mmap_sem);
42227 ret = result;
42228 goto err;
42229 }
42230 @@ -658,8 +662,10 @@ static int load_flat_file(struct linux_b
42231 }
42232 if (IS_ERR_VALUE(result)) {
42233 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
42234 + down_write(&current->mm->mmap_sem);
42235 do_munmap(current->mm, textpos, text_len + data_len + extra +
42236 MAX_SHARED_LIBS * sizeof(unsigned long));
42237 + up_write(&current->mm->mmap_sem);
42238 ret = result;
42239 goto err;
42240 }
42241 diff -urNp linux-2.6.32.46/fs/bio.c linux-2.6.32.46/fs/bio.c
42242 --- linux-2.6.32.46/fs/bio.c 2011-03-27 14:31:47.000000000 -0400
42243 +++ linux-2.6.32.46/fs/bio.c 2011-04-17 15:56:46.000000000 -0400
42244 @@ -78,7 +78,7 @@ static struct kmem_cache *bio_find_or_cr
42245
42246 i = 0;
42247 while (i < bio_slab_nr) {
42248 - struct bio_slab *bslab = &bio_slabs[i];
42249 + bslab = &bio_slabs[i];
42250
42251 if (!bslab->slab && entry == -1)
42252 entry = i;
42253 @@ -1236,7 +1236,7 @@ static void bio_copy_kern_endio(struct b
42254 const int read = bio_data_dir(bio) == READ;
42255 struct bio_map_data *bmd = bio->bi_private;
42256 int i;
42257 - char *p = bmd->sgvecs[0].iov_base;
42258 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
42259
42260 __bio_for_each_segment(bvec, bio, i, 0) {
42261 char *addr = page_address(bvec->bv_page);
42262 diff -urNp linux-2.6.32.46/fs/block_dev.c linux-2.6.32.46/fs/block_dev.c
42263 --- linux-2.6.32.46/fs/block_dev.c 2011-08-09 18:35:29.000000000 -0400
42264 +++ linux-2.6.32.46/fs/block_dev.c 2011-08-09 18:34:00.000000000 -0400
42265 @@ -664,7 +664,7 @@ int bd_claim(struct block_device *bdev,
42266 else if (bdev->bd_contains == bdev)
42267 res = 0; /* is a whole device which isn't held */
42268
42269 - else if (bdev->bd_contains->bd_holder == bd_claim)
42270 + else if (bdev->bd_contains->bd_holder == (void *)bd_claim)
42271 res = 0; /* is a partition of a device that is being partitioned */
42272 else if (bdev->bd_contains->bd_holder != NULL)
42273 res = -EBUSY; /* is a partition of a held device */
42274 diff -urNp linux-2.6.32.46/fs/btrfs/ctree.c linux-2.6.32.46/fs/btrfs/ctree.c
42275 --- linux-2.6.32.46/fs/btrfs/ctree.c 2011-03-27 14:31:47.000000000 -0400
42276 +++ linux-2.6.32.46/fs/btrfs/ctree.c 2011-04-17 15:56:46.000000000 -0400
42277 @@ -461,9 +461,12 @@ static noinline int __btrfs_cow_block(st
42278 free_extent_buffer(buf);
42279 add_root_to_dirty_list(root);
42280 } else {
42281 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
42282 - parent_start = parent->start;
42283 - else
42284 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
42285 + if (parent)
42286 + parent_start = parent->start;
42287 + else
42288 + parent_start = 0;
42289 + } else
42290 parent_start = 0;
42291
42292 WARN_ON(trans->transid != btrfs_header_generation(parent));
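Review bot: The new `if (parent)` guard covers only the `parent->start` read; the `WARN_ON(trans->transid != btrfs_header_generation(parent))` that follows in the same block still passes `parent` unconditionally. If `parent` can be NULL on this path, which the added check implies, that call needs the same guard, e.g. `WARN_ON(parent && trans->transid != btrfs_header_generation(parent));`. btrfs_header_generation is defined outside the hunk, so whether it tolerates NULL cannot be seen here. The nested branch can also be flattened to `if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID && parent)`.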
42293 @@ -3645,7 +3648,6 @@ setup_items_for_insert(struct btrfs_tran
42294
42295 ret = 0;
42296 if (slot == 0) {
42297 - struct btrfs_disk_key disk_key;
42298 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
42299 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
42300 }
42301 diff -urNp linux-2.6.32.46/fs/btrfs/disk-io.c linux-2.6.32.46/fs/btrfs/disk-io.c
42302 --- linux-2.6.32.46/fs/btrfs/disk-io.c 2011-04-17 17:00:52.000000000 -0400
42303 +++ linux-2.6.32.46/fs/btrfs/disk-io.c 2011-04-17 17:03:11.000000000 -0400
42304 @@ -39,7 +39,7 @@
42305 #include "tree-log.h"
42306 #include "free-space-cache.h"
42307
42308 -static struct extent_io_ops btree_extent_io_ops;
42309 +static const struct extent_io_ops btree_extent_io_ops;
42310 static void end_workqueue_fn(struct btrfs_work *work);
42311 static void free_fs_root(struct btrfs_root *root);
42312
42313 @@ -2607,7 +2607,7 @@ out:
42314 return 0;
42315 }
42316
42317 -static struct extent_io_ops btree_extent_io_ops = {
42318 +static const struct extent_io_ops btree_extent_io_ops = {
42319 .write_cache_pages_lock_hook = btree_lock_page_hook,
42320 .readpage_end_io_hook = btree_readpage_end_io_hook,
42321 .submit_bio_hook = btree_submit_bio_hook,
42322 diff -urNp linux-2.6.32.46/fs/btrfs/extent_io.h linux-2.6.32.46/fs/btrfs/extent_io.h
42323 --- linux-2.6.32.46/fs/btrfs/extent_io.h 2011-03-27 14:31:47.000000000 -0400
42324 +++ linux-2.6.32.46/fs/btrfs/extent_io.h 2011-04-17 15:56:46.000000000 -0400
42325 @@ -49,36 +49,36 @@ typedef int (extent_submit_bio_hook_t)(s
42326 struct bio *bio, int mirror_num,
42327 unsigned long bio_flags);
42328 struct extent_io_ops {
42329 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
42330 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
42331 u64 start, u64 end, int *page_started,
42332 unsigned long *nr_written);
42333 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
42334 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
42335 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
42336 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
42337 extent_submit_bio_hook_t *submit_bio_hook;
42338 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
42339 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
42340 size_t size, struct bio *bio,
42341 unsigned long bio_flags);
42342 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
42343 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
42344 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
42345 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
42346 u64 start, u64 end,
42347 struct extent_state *state);
42348 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
42349 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
42350 u64 start, u64 end,
42351 struct extent_state *state);
42352 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
42353 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
42354 struct extent_state *state);
42355 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
42356 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
42357 struct extent_state *state, int uptodate);
42358 - int (*set_bit_hook)(struct inode *inode, u64 start, u64 end,
42359 + int (* const set_bit_hook)(struct inode *inode, u64 start, u64 end,
42360 unsigned long old, unsigned long bits);
42361 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
42362 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
42363 unsigned long bits);
42364 - int (*merge_extent_hook)(struct inode *inode,
42365 + int (* const merge_extent_hook)(struct inode *inode,
42366 struct extent_state *new,
42367 struct extent_state *other);
42368 - int (*split_extent_hook)(struct inode *inode,
42369 + int (* const split_extent_hook)(struct inode *inode,
42370 struct extent_state *orig, u64 split);
42371 - int (*write_cache_pages_lock_hook)(struct page *page);
42372 + int (* const write_cache_pages_lock_hook)(struct page *page);
42373 };
42374
42375 struct extent_io_tree {
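Review bot: Every hook in `struct extent_io_ops` becomes a `* const` member except `submit_bio_hook`, which keeps the plain `extent_submit_bio_hook_t *` declaration. If the aim is to make the whole table immutable at the type level, that member should read `extent_submit_bio_hook_t * const submit_bio_hook;`. If it is left writable on purpose, a comment next to it should say so.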
42376 @@ -88,7 +88,7 @@ struct extent_io_tree {
42377 u64 dirty_bytes;
42378 spinlock_t lock;
42379 spinlock_t buffer_lock;
42380 - struct extent_io_ops *ops;
42381 + const struct extent_io_ops *ops;
42382 };
42383
42384 struct extent_state {
42385 diff -urNp linux-2.6.32.46/fs/btrfs/extent-tree.c linux-2.6.32.46/fs/btrfs/extent-tree.c
42386 --- linux-2.6.32.46/fs/btrfs/extent-tree.c 2011-03-27 14:31:47.000000000 -0400
42387 +++ linux-2.6.32.46/fs/btrfs/extent-tree.c 2011-06-12 06:39:08.000000000 -0400
42388 @@ -7141,6 +7141,10 @@ static noinline int relocate_one_extent(
42389 u64 group_start = group->key.objectid;
42390 new_extents = kmalloc(sizeof(*new_extents),
42391 GFP_NOFS);
42392 + if (!new_extents) {
42393 + ret = -ENOMEM;
42394 + goto out;
42395 + }
42396 nr_extents = 1;
42397 ret = get_new_locations(reloc_inode,
42398 extent_key,
42399 diff -urNp linux-2.6.32.46/fs/btrfs/free-space-cache.c linux-2.6.32.46/fs/btrfs/free-space-cache.c
42400 --- linux-2.6.32.46/fs/btrfs/free-space-cache.c 2011-03-27 14:31:47.000000000 -0400
42401 +++ linux-2.6.32.46/fs/btrfs/free-space-cache.c 2011-04-17 15:56:46.000000000 -0400
42402 @@ -1074,8 +1074,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
42403
42404 while(1) {
42405 if (entry->bytes < bytes || entry->offset < min_start) {
42406 - struct rb_node *node;
42407 -
42408 node = rb_next(&entry->offset_index);
42409 if (!node)
42410 break;
42411 @@ -1226,7 +1224,7 @@ again:
42412 */
42413 while (entry->bitmap || found_bitmap ||
42414 (!entry->bitmap && entry->bytes < min_bytes)) {
42415 - struct rb_node *node = rb_next(&entry->offset_index);
42416 + node = rb_next(&entry->offset_index);
42417
42418 if (entry->bitmap && entry->bytes > bytes + empty_size) {
42419 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
42420 diff -urNp linux-2.6.32.46/fs/btrfs/inode.c linux-2.6.32.46/fs/btrfs/inode.c
42421 --- linux-2.6.32.46/fs/btrfs/inode.c 2011-03-27 14:31:47.000000000 -0400
42422 +++ linux-2.6.32.46/fs/btrfs/inode.c 2011-06-12 06:39:58.000000000 -0400
42423 @@ -63,7 +63,7 @@ static const struct inode_operations btr
42424 static const struct address_space_operations btrfs_aops;
42425 static const struct address_space_operations btrfs_symlink_aops;
42426 static const struct file_operations btrfs_dir_file_operations;
42427 -static struct extent_io_ops btrfs_extent_io_ops;
42428 +static const struct extent_io_ops btrfs_extent_io_ops;
42429
42430 static struct kmem_cache *btrfs_inode_cachep;
42431 struct kmem_cache *btrfs_trans_handle_cachep;
42432 @@ -925,6 +925,7 @@ static int cow_file_range_async(struct i
42433 1, 0, NULL, GFP_NOFS);
42434 while (start < end) {
42435 async_cow = kmalloc(sizeof(*async_cow), GFP_NOFS);
42436 + BUG_ON(!async_cow);
42437 async_cow->inode = inode;
42438 async_cow->root = root;
42439 async_cow->locked_page = locked_page;
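Review bot: `BUG_ON(!async_cow)` turns a failed `kmalloc(..., GFP_NOFS)` into a kernel BUG rather than an error return, so memory pressure on this path still stops the task, only more visibly than the NULL dereference it replaces. The other allocation checks added in this patch (`uncompress_inline`, `relocate_one_extent`) return -ENOMEM, and doing the same here would be consistent. The loop and its cleanup continue outside the hunk, so whether earlier iterations can be unwound is not visible. At minimum a comment should mark the BUG_ON as a stop-gap.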
42440 @@ -4591,6 +4592,8 @@ static noinline int uncompress_inline(st
42441 inline_size = btrfs_file_extent_inline_item_len(leaf,
42442 btrfs_item_nr(leaf, path->slots[0]));
42443 tmp = kmalloc(inline_size, GFP_NOFS);
42444 + if (!tmp)
42445 + return -ENOMEM;
42446 ptr = btrfs_file_extent_inline_start(item);
42447
42448 read_extent_buffer(leaf, tmp, ptr, inline_size);
42449 @@ -5410,7 +5413,7 @@ fail:
42450 return -ENOMEM;
42451 }
42452
42453 -static int btrfs_getattr(struct vfsmount *mnt,
42454 +int btrfs_getattr(struct vfsmount *mnt,
42455 struct dentry *dentry, struct kstat *stat)
42456 {
42457 struct inode *inode = dentry->d_inode;
42458 @@ -5422,6 +5425,14 @@ static int btrfs_getattr(struct vfsmount
42459 return 0;
42460 }
42461
42462 +EXPORT_SYMBOL(btrfs_getattr);
42463 +
42464 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
42465 +{
42466 + return BTRFS_I(inode)->root->anon_super.s_dev;
42467 +}
42468 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
42469 +
42470 static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry,
42471 struct inode *new_dir, struct dentry *new_dentry)
42472 {
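Review bot: `get_btrfs_dev_from_inode` is exported without a kernel-doc comment, and it applies `BTRFS_I(inode)` to whatever inode it is handed. The caller has to guarantee the inode belongs to btrfs, and that precondition should be written down, e.g. `/* caller must pass a btrfs inode; returns root->anon_super.s_dev for that inode's root */`. No header declaration for it or for the now non-static `btrfs_getattr` appears in this file section, so it is worth confirming one is added elsewhere in the patch.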
42473 @@ -5972,7 +5983,7 @@ static const struct file_operations btrf
42474 .fsync = btrfs_sync_file,
42475 };
42476
42477 -static struct extent_io_ops btrfs_extent_io_ops = {
42478 +static const struct extent_io_ops btrfs_extent_io_ops = {
42479 .fill_delalloc = run_delalloc_range,
42480 .submit_bio_hook = btrfs_submit_bio_hook,
42481 .merge_bio_hook = btrfs_merge_bio_hook,
42482 diff -urNp linux-2.6.32.46/fs/btrfs/relocation.c linux-2.6.32.46/fs/btrfs/relocation.c
42483 --- linux-2.6.32.46/fs/btrfs/relocation.c 2011-03-27 14:31:47.000000000 -0400
42484 +++ linux-2.6.32.46/fs/btrfs/relocation.c 2011-04-17 15:56:46.000000000 -0400
42485 @@ -884,7 +884,7 @@ static int __update_reloc_root(struct bt
42486 }
42487 spin_unlock(&rc->reloc_root_tree.lock);
42488
42489 - BUG_ON((struct btrfs_root *)node->data != root);
42490 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
42491
42492 if (!del) {
42493 spin_lock(&rc->reloc_root_tree.lock);
42494 diff -urNp linux-2.6.32.46/fs/btrfs/sysfs.c linux-2.6.32.46/fs/btrfs/sysfs.c
42495 --- linux-2.6.32.46/fs/btrfs/sysfs.c 2011-03-27 14:31:47.000000000 -0400
42496 +++ linux-2.6.32.46/fs/btrfs/sysfs.c 2011-04-17 15:56:46.000000000 -0400
42497 @@ -164,12 +164,12 @@ static void btrfs_root_release(struct ko
42498 complete(&root->kobj_unregister);
42499 }
42500
42501 -static struct sysfs_ops btrfs_super_attr_ops = {
42502 +static const struct sysfs_ops btrfs_super_attr_ops = {
42503 .show = btrfs_super_attr_show,
42504 .store = btrfs_super_attr_store,
42505 };
42506
42507 -static struct sysfs_ops btrfs_root_attr_ops = {
42508 +static const struct sysfs_ops btrfs_root_attr_ops = {
42509 .show = btrfs_root_attr_show,
42510 .store = btrfs_root_attr_store,
42511 };
42512 diff -urNp linux-2.6.32.46/fs/buffer.c linux-2.6.32.46/fs/buffer.c
42513 --- linux-2.6.32.46/fs/buffer.c 2011-03-27 14:31:47.000000000 -0400
42514 +++ linux-2.6.32.46/fs/buffer.c 2011-04-17 15:56:46.000000000 -0400
42515 @@ -25,6 +25,7 @@
42516 #include <linux/percpu.h>
42517 #include <linux/slab.h>
42518 #include <linux/capability.h>
42519 +#include <linux/security.h>
42520 #include <linux/blkdev.h>
42521 #include <linux/file.h>
42522 #include <linux/quotaops.h>
42523 diff -urNp linux-2.6.32.46/fs/cachefiles/bind.c linux-2.6.32.46/fs/cachefiles/bind.c
42524 --- linux-2.6.32.46/fs/cachefiles/bind.c 2011-03-27 14:31:47.000000000 -0400
42525 +++ linux-2.6.32.46/fs/cachefiles/bind.c 2011-04-17 15:56:46.000000000 -0400
42526 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
42527 args);
42528
42529 /* start by checking things over */
42530 - ASSERT(cache->fstop_percent >= 0 &&
42531 - cache->fstop_percent < cache->fcull_percent &&
42532 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
42533 cache->fcull_percent < cache->frun_percent &&
42534 cache->frun_percent < 100);
42535
42536 - ASSERT(cache->bstop_percent >= 0 &&
42537 - cache->bstop_percent < cache->bcull_percent &&
42538 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
42539 cache->bcull_percent < cache->brun_percent &&
42540 cache->brun_percent < 100);
42541
42542 diff -urNp linux-2.6.32.46/fs/cachefiles/daemon.c linux-2.6.32.46/fs/cachefiles/daemon.c
42543 --- linux-2.6.32.46/fs/cachefiles/daemon.c 2011-03-27 14:31:47.000000000 -0400
42544 +++ linux-2.6.32.46/fs/cachefiles/daemon.c 2011-04-17 15:56:46.000000000 -0400
42545 @@ -220,7 +220,7 @@ static ssize_t cachefiles_daemon_write(s
42546 if (test_bit(CACHEFILES_DEAD, &cache->flags))
42547 return -EIO;
42548
42549 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
42550 + if (datalen > PAGE_SIZE - 1)
42551 return -EOPNOTSUPP;
42552
42553 /* drag the command string into the kernel so we can parse it */
42554 @@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
42555 if (args[0] != '%' || args[1] != '\0')
42556 return -EINVAL;
42557
42558 - if (fstop < 0 || fstop >= cache->fcull_percent)
42559 + if (fstop >= cache->fcull_percent)
42560 return cachefiles_daemon_range_error(cache, args);
42561
42562 cache->fstop_percent = fstop;
42563 @@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
42564 if (args[0] != '%' || args[1] != '\0')
42565 return -EINVAL;
42566
42567 - if (bstop < 0 || bstop >= cache->bcull_percent)
42568 + if (bstop >= cache->bcull_percent)
42569 return cachefiles_daemon_range_error(cache, args);
42570
42571 cache->bstop_percent = bstop;
42572 diff -urNp linux-2.6.32.46/fs/cachefiles/internal.h linux-2.6.32.46/fs/cachefiles/internal.h
42573 --- linux-2.6.32.46/fs/cachefiles/internal.h 2011-03-27 14:31:47.000000000 -0400
42574 +++ linux-2.6.32.46/fs/cachefiles/internal.h 2011-05-04 17:56:28.000000000 -0400
42575 @@ -56,7 +56,7 @@ struct cachefiles_cache {
42576 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
42577 struct rb_root active_nodes; /* active nodes (can't be culled) */
42578 rwlock_t active_lock; /* lock for active_nodes */
42579 - atomic_t gravecounter; /* graveyard uniquifier */
42580 + atomic_unchecked_t gravecounter; /* graveyard uniquifier */
42581 unsigned frun_percent; /* when to stop culling (% files) */
42582 unsigned fcull_percent; /* when to start culling (% files) */
42583 unsigned fstop_percent; /* when to stop allocating (% files) */
42584 @@ -168,19 +168,19 @@ extern int cachefiles_check_in_use(struc
42585 * proc.c
42586 */
42587 #ifdef CONFIG_CACHEFILES_HISTOGRAM
42588 -extern atomic_t cachefiles_lookup_histogram[HZ];
42589 -extern atomic_t cachefiles_mkdir_histogram[HZ];
42590 -extern atomic_t cachefiles_create_histogram[HZ];
42591 +extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
42592 +extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
42593 +extern atomic_unchecked_t cachefiles_create_histogram[HZ];
42594
42595 extern int __init cachefiles_proc_init(void);
42596 extern void cachefiles_proc_cleanup(void);
42597 static inline
42598 -void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
42599 +void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
42600 {
42601 unsigned long jif = jiffies - start_jif;
42602 if (jif >= HZ)
42603 jif = HZ - 1;
42604 - atomic_inc(&histogram[jif]);
42605 + atomic_inc_unchecked(&histogram[jif]);
42606 }
42607
42608 #else
42609 diff -urNp linux-2.6.32.46/fs/cachefiles/namei.c linux-2.6.32.46/fs/cachefiles/namei.c
42610 --- linux-2.6.32.46/fs/cachefiles/namei.c 2011-03-27 14:31:47.000000000 -0400
42611 +++ linux-2.6.32.46/fs/cachefiles/namei.c 2011-05-04 17:56:28.000000000 -0400
42612 @@ -250,7 +250,7 @@ try_again:
42613 /* first step is to make up a grave dentry in the graveyard */
42614 sprintf(nbuffer, "%08x%08x",
42615 (uint32_t) get_seconds(),
42616 - (uint32_t) atomic_inc_return(&cache->gravecounter));
42617 + (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
42618
42619 /* do the multiway lock magic */
42620 trap = lock_rename(cache->graveyard, dir);
42621 diff -urNp linux-2.6.32.46/fs/cachefiles/proc.c linux-2.6.32.46/fs/cachefiles/proc.c
42622 --- linux-2.6.32.46/fs/cachefiles/proc.c 2011-03-27 14:31:47.000000000 -0400
42623 +++ linux-2.6.32.46/fs/cachefiles/proc.c 2011-05-04 17:56:28.000000000 -0400
42624 @@ -14,9 +14,9 @@
42625 #include <linux/seq_file.h>
42626 #include "internal.h"
42627
42628 -atomic_t cachefiles_lookup_histogram[HZ];
42629 -atomic_t cachefiles_mkdir_histogram[HZ];
42630 -atomic_t cachefiles_create_histogram[HZ];
42631 +atomic_unchecked_t cachefiles_lookup_histogram[HZ];
42632 +atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
42633 +atomic_unchecked_t cachefiles_create_histogram[HZ];
42634
42635 /*
42636 * display the latency histogram
42637 @@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
42638 return 0;
42639 default:
42640 index = (unsigned long) v - 3;
42641 - x = atomic_read(&cachefiles_lookup_histogram[index]);
42642 - y = atomic_read(&cachefiles_mkdir_histogram[index]);
42643 - z = atomic_read(&cachefiles_create_histogram[index]);
42644 + x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
42645 + y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
42646 + z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
42647 if (x == 0 && y == 0 && z == 0)
42648 return 0;
42649
42650 diff -urNp linux-2.6.32.46/fs/cachefiles/rdwr.c linux-2.6.32.46/fs/cachefiles/rdwr.c
42651 --- linux-2.6.32.46/fs/cachefiles/rdwr.c 2011-03-27 14:31:47.000000000 -0400
42652 +++ linux-2.6.32.46/fs/cachefiles/rdwr.c 2011-04-17 15:56:46.000000000 -0400
42653 @@ -946,7 +946,7 @@ int cachefiles_write_page(struct fscache
42654 old_fs = get_fs();
42655 set_fs(KERNEL_DS);
42656 ret = file->f_op->write(
42657 - file, (const void __user *) data, len, &pos);
42658 + file, (__force const void __user *) data, len, &pos);
42659 set_fs(old_fs);
42660 kunmap(page);
42661 if (ret != len)
42662 diff -urNp linux-2.6.32.46/fs/cifs/cifs_debug.c linux-2.6.32.46/fs/cifs/cifs_debug.c
42663 --- linux-2.6.32.46/fs/cifs/cifs_debug.c 2011-03-27 14:31:47.000000000 -0400
42664 +++ linux-2.6.32.46/fs/cifs/cifs_debug.c 2011-05-04 17:56:28.000000000 -0400
42665 @@ -256,25 +256,25 @@ static ssize_t cifs_stats_proc_write(str
42666 tcon = list_entry(tmp3,
42667 struct cifsTconInfo,
42668 tcon_list);
42669 - atomic_set(&tcon->num_smbs_sent, 0);
42670 - atomic_set(&tcon->num_writes, 0);
42671 - atomic_set(&tcon->num_reads, 0);
42672 - atomic_set(&tcon->num_oplock_brks, 0);
42673 - atomic_set(&tcon->num_opens, 0);
42674 - atomic_set(&tcon->num_posixopens, 0);
42675 - atomic_set(&tcon->num_posixmkdirs, 0);
42676 - atomic_set(&tcon->num_closes, 0);
42677 - atomic_set(&tcon->num_deletes, 0);
42678 - atomic_set(&tcon->num_mkdirs, 0);
42679 - atomic_set(&tcon->num_rmdirs, 0);
42680 - atomic_set(&tcon->num_renames, 0);
42681 - atomic_set(&tcon->num_t2renames, 0);
42682 - atomic_set(&tcon->num_ffirst, 0);
42683 - atomic_set(&tcon->num_fnext, 0);
42684 - atomic_set(&tcon->num_fclose, 0);
42685 - atomic_set(&tcon->num_hardlinks, 0);
42686 - atomic_set(&tcon->num_symlinks, 0);
42687 - atomic_set(&tcon->num_locks, 0);
42688 + atomic_set_unchecked(&tcon->num_smbs_sent, 0);
42689 + atomic_set_unchecked(&tcon->num_writes, 0);
42690 + atomic_set_unchecked(&tcon->num_reads, 0);
42691 + atomic_set_unchecked(&tcon->num_oplock_brks, 0);
42692 + atomic_set_unchecked(&tcon->num_opens, 0);
42693 + atomic_set_unchecked(&tcon->num_posixopens, 0);
42694 + atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
42695 + atomic_set_unchecked(&tcon->num_closes, 0);
42696 + atomic_set_unchecked(&tcon->num_deletes, 0);
42697 + atomic_set_unchecked(&tcon->num_mkdirs, 0);
42698 + atomic_set_unchecked(&tcon->num_rmdirs, 0);
42699 + atomic_set_unchecked(&tcon->num_renames, 0);
42700 + atomic_set_unchecked(&tcon->num_t2renames, 0);
42701 + atomic_set_unchecked(&tcon->num_ffirst, 0);
42702 + atomic_set_unchecked(&tcon->num_fnext, 0);
42703 + atomic_set_unchecked(&tcon->num_fclose, 0);
42704 + atomic_set_unchecked(&tcon->num_hardlinks, 0);
42705 + atomic_set_unchecked(&tcon->num_symlinks, 0);
42706 + atomic_set_unchecked(&tcon->num_locks, 0);
42707 }
42708 }
42709 }
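Review bot: The reset list converted in this hunk never clears `num_flushes`, although cifs_stats_proc_show in the next hunk prints it as "Flushes: %d". Since every line of the list is touched anyway, add `atomic_set_unchecked(&tcon->num_flushes, 0);` next to the other counters. `num_acl_get` and `num_acl_set` from the cifsglob.h hunk are not reset here either; whether anything reports them is not visible. The enclosing function starts outside the hunk, so a reset elsewhere cannot be ruled out.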
42710 @@ -334,41 +334,41 @@ static int cifs_stats_proc_show(struct s
42711 if (tcon->need_reconnect)
42712 seq_puts(m, "\tDISCONNECTED ");
42713 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
42714 - atomic_read(&tcon->num_smbs_sent),
42715 - atomic_read(&tcon->num_oplock_brks));
42716 + atomic_read_unchecked(&tcon->num_smbs_sent),
42717 + atomic_read_unchecked(&tcon->num_oplock_brks));
42718 seq_printf(m, "\nReads: %d Bytes: %lld",
42719 - atomic_read(&tcon->num_reads),
42720 + atomic_read_unchecked(&tcon->num_reads),
42721 (long long)(tcon->bytes_read));
42722 seq_printf(m, "\nWrites: %d Bytes: %lld",
42723 - atomic_read(&tcon->num_writes),
42724 + atomic_read_unchecked(&tcon->num_writes),
42725 (long long)(tcon->bytes_written));
42726 seq_printf(m, "\nFlushes: %d",
42727 - atomic_read(&tcon->num_flushes));
42728 + atomic_read_unchecked(&tcon->num_flushes));
42729 seq_printf(m, "\nLocks: %d HardLinks: %d "
42730 "Symlinks: %d",
42731 - atomic_read(&tcon->num_locks),
42732 - atomic_read(&tcon->num_hardlinks),
42733 - atomic_read(&tcon->num_symlinks));
42734 + atomic_read_unchecked(&tcon->num_locks),
42735 + atomic_read_unchecked(&tcon->num_hardlinks),
42736 + atomic_read_unchecked(&tcon->num_symlinks));
42737 seq_printf(m, "\nOpens: %d Closes: %d "
42738 "Deletes: %d",
42739 - atomic_read(&tcon->num_opens),
42740 - atomic_read(&tcon->num_closes),
42741 - atomic_read(&tcon->num_deletes));
42742 + atomic_read_unchecked(&tcon->num_opens),
42743 + atomic_read_unchecked(&tcon->num_closes),
42744 + atomic_read_unchecked(&tcon->num_deletes));
42745 seq_printf(m, "\nPosix Opens: %d "
42746 "Posix Mkdirs: %d",
42747 - atomic_read(&tcon->num_posixopens),
42748 - atomic_read(&tcon->num_posixmkdirs));
42749 + atomic_read_unchecked(&tcon->num_posixopens),
42750 + atomic_read_unchecked(&tcon->num_posixmkdirs));
42751 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
42752 - atomic_read(&tcon->num_mkdirs),
42753 - atomic_read(&tcon->num_rmdirs));
42754 + atomic_read_unchecked(&tcon->num_mkdirs),
42755 + atomic_read_unchecked(&tcon->num_rmdirs));
42756 seq_printf(m, "\nRenames: %d T2 Renames %d",
42757 - atomic_read(&tcon->num_renames),
42758 - atomic_read(&tcon->num_t2renames));
42759 + atomic_read_unchecked(&tcon->num_renames),
42760 + atomic_read_unchecked(&tcon->num_t2renames));
42761 seq_printf(m, "\nFindFirst: %d FNext %d "
42762 "FClose %d",
42763 - atomic_read(&tcon->num_ffirst),
42764 - atomic_read(&tcon->num_fnext),
42765 - atomic_read(&tcon->num_fclose));
42766 + atomic_read_unchecked(&tcon->num_ffirst),
42767 + atomic_read_unchecked(&tcon->num_fnext),
42768 + atomic_read_unchecked(&tcon->num_fclose));
42769 }
42770 }
42771 }
42772 diff -urNp linux-2.6.32.46/fs/cifs/cifsfs.c linux-2.6.32.46/fs/cifs/cifsfs.c
42773 --- linux-2.6.32.46/fs/cifs/cifsfs.c 2011-03-27 14:31:47.000000000 -0400
42774 +++ linux-2.6.32.46/fs/cifs/cifsfs.c 2011-08-25 17:17:57.000000000 -0400
42775 @@ -869,7 +869,7 @@ cifs_init_request_bufs(void)
42776 cifs_req_cachep = kmem_cache_create("cifs_request",
42777 CIFSMaxBufSize +
42778 MAX_CIFS_HDR_SIZE, 0,
42779 - SLAB_HWCACHE_ALIGN, NULL);
42780 + SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
42781 if (cifs_req_cachep == NULL)
42782 return -ENOMEM;
42783
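Review bot: Adding `SLAB_USERCOPY` to the "cifs_request" cache, and to "cifs_small_rq" in the next hunk, marks every object in these caches as a permitted user-copy source or destination, yet neither call site says why. A one-line comment above each `kmem_cache_create()` naming the path that copies these buffers to or from user space would let a later reader check that the exemption is still needed. Without it the flag is likely to be kept indefinitely, because removing it looks risky.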
42784 @@ -896,7 +896,7 @@ cifs_init_request_bufs(void)
42785 efficient to alloc 1 per page off the slab compared to 17K (5page)
42786 alloc of large cifs buffers even when page debugging is on */
42787 cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
42788 - MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
42789 + MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
42790 NULL);
42791 if (cifs_sm_req_cachep == NULL) {
42792 mempool_destroy(cifs_req_poolp);
42793 @@ -991,8 +991,8 @@ init_cifs(void)
42794 atomic_set(&bufAllocCount, 0);
42795 atomic_set(&smBufAllocCount, 0);
42796 #ifdef CONFIG_CIFS_STATS2
42797 - atomic_set(&totBufAllocCount, 0);
42798 - atomic_set(&totSmBufAllocCount, 0);
42799 + atomic_set_unchecked(&totBufAllocCount, 0);
42800 + atomic_set_unchecked(&totSmBufAllocCount, 0);
42801 #endif /* CONFIG_CIFS_STATS2 */
42802
42803 atomic_set(&midCount, 0);
42804 diff -urNp linux-2.6.32.46/fs/cifs/cifsglob.h linux-2.6.32.46/fs/cifs/cifsglob.h
42805 --- linux-2.6.32.46/fs/cifs/cifsglob.h 2011-08-09 18:35:29.000000000 -0400
42806 +++ linux-2.6.32.46/fs/cifs/cifsglob.h 2011-08-25 17:17:57.000000000 -0400
42807 @@ -252,28 +252,28 @@ struct cifsTconInfo {
42808 __u16 Flags; /* optional support bits */
42809 enum statusEnum tidStatus;
42810 #ifdef CONFIG_CIFS_STATS
42811 - atomic_t num_smbs_sent;
42812 - atomic_t num_writes;
42813 - atomic_t num_reads;
42814 - atomic_t num_flushes;
42815 - atomic_t num_oplock_brks;
42816 - atomic_t num_opens;
42817 - atomic_t num_closes;
42818 - atomic_t num_deletes;
42819 - atomic_t num_mkdirs;
42820 - atomic_t num_posixopens;
42821 - atomic_t num_posixmkdirs;
42822 - atomic_t num_rmdirs;
42823 - atomic_t num_renames;
42824 - atomic_t num_t2renames;
42825 - atomic_t num_ffirst;
42826 - atomic_t num_fnext;
42827 - atomic_t num_fclose;
42828 - atomic_t num_hardlinks;
42829 - atomic_t num_symlinks;
42830 - atomic_t num_locks;
42831 - atomic_t num_acl_get;
42832 - atomic_t num_acl_set;
42833 + atomic_unchecked_t num_smbs_sent;
42834 + atomic_unchecked_t num_writes;
42835 + atomic_unchecked_t num_reads;
42836 + atomic_unchecked_t num_flushes;
42837 + atomic_unchecked_t num_oplock_brks;
42838 + atomic_unchecked_t num_opens;
42839 + atomic_unchecked_t num_closes;
42840 + atomic_unchecked_t num_deletes;
42841 + atomic_unchecked_t num_mkdirs;
42842 + atomic_unchecked_t num_posixopens;
42843 + atomic_unchecked_t num_posixmkdirs;
42844 + atomic_unchecked_t num_rmdirs;
42845 + atomic_unchecked_t num_renames;
42846 + atomic_unchecked_t num_t2renames;
42847 + atomic_unchecked_t num_ffirst;
42848 + atomic_unchecked_t num_fnext;
42849 + atomic_unchecked_t num_fclose;
42850 + atomic_unchecked_t num_hardlinks;
42851 + atomic_unchecked_t num_symlinks;
42852 + atomic_unchecked_t num_locks;
42853 + atomic_unchecked_t num_acl_get;
42854 + atomic_unchecked_t num_acl_set;
42855 #ifdef CONFIG_CIFS_STATS2
42856 unsigned long long time_writes;
42857 unsigned long long time_reads;
42858 @@ -414,7 +414,7 @@ static inline char CIFS_DIR_SEP(const st
42859 }
42860
42861 #ifdef CONFIG_CIFS_STATS
42862 -#define cifs_stats_inc atomic_inc
42863 +#define cifs_stats_inc atomic_inc_unchecked
42864
42865 static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon,
42866 unsigned int bytes)
42867 @@ -701,8 +701,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnect
42868 /* Various Debug counters */
42869 GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
42870 #ifdef CONFIG_CIFS_STATS2
42871 -GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
42872 -GLOBAL_EXTERN atomic_t totSmBufAllocCount;
42873 +GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
42874 +GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
42875 #endif
42876 GLOBAL_EXTERN atomic_t smBufAllocCount;
42877 GLOBAL_EXTERN atomic_t midCount;
42878 diff -urNp linux-2.6.32.46/fs/cifs/link.c linux-2.6.32.46/fs/cifs/link.c
42879 --- linux-2.6.32.46/fs/cifs/link.c 2011-03-27 14:31:47.000000000 -0400
42880 +++ linux-2.6.32.46/fs/cifs/link.c 2011-04-17 15:56:46.000000000 -0400
42881 @@ -215,7 +215,7 @@ cifs_symlink(struct inode *inode, struct
42882
42883 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
42884 {
42885 - char *p = nd_get_link(nd);
42886 + const char *p = nd_get_link(nd);
42887 if (!IS_ERR(p))
42888 kfree(p);
42889 }
42890 diff -urNp linux-2.6.32.46/fs/cifs/misc.c linux-2.6.32.46/fs/cifs/misc.c
42891 --- linux-2.6.32.46/fs/cifs/misc.c 2011-03-27 14:31:47.000000000 -0400
42892 +++ linux-2.6.32.46/fs/cifs/misc.c 2011-08-25 17:17:57.000000000 -0400
42893 @@ -155,7 +155,7 @@ cifs_buf_get(void)
42894 memset(ret_buf, 0, sizeof(struct smb_hdr) + 3);
42895 atomic_inc(&bufAllocCount);
42896 #ifdef CONFIG_CIFS_STATS2
42897 - atomic_inc(&totBufAllocCount);
42898 + atomic_inc_unchecked(&totBufAllocCount);
42899 #endif /* CONFIG_CIFS_STATS2 */
42900 }
42901
42902 @@ -190,7 +190,7 @@ cifs_small_buf_get(void)
42903 /* memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
42904 atomic_inc(&smBufAllocCount);
42905 #ifdef CONFIG_CIFS_STATS2
42906 - atomic_inc(&totSmBufAllocCount);
42907 + atomic_inc_unchecked(&totSmBufAllocCount);
42908 #endif /* CONFIG_CIFS_STATS2 */
42909
42910 }
42911 diff -urNp linux-2.6.32.46/fs/coda/cache.c linux-2.6.32.46/fs/coda/cache.c
42912 --- linux-2.6.32.46/fs/coda/cache.c 2011-03-27 14:31:47.000000000 -0400
42913 +++ linux-2.6.32.46/fs/coda/cache.c 2011-05-04 17:56:28.000000000 -0400
42914 @@ -24,14 +24,14 @@
42915 #include <linux/coda_fs_i.h>
42916 #include <linux/coda_cache.h>
42917
42918 -static atomic_t permission_epoch = ATOMIC_INIT(0);
42919 +static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
42920
42921 /* replace or extend an acl cache hit */
42922 void coda_cache_enter(struct inode *inode, int mask)
42923 {
42924 struct coda_inode_info *cii = ITOC(inode);
42925
42926 - cii->c_cached_epoch = atomic_read(&permission_epoch);
42927 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
42928 if (cii->c_uid != current_fsuid()) {
42929 cii->c_uid = current_fsuid();
42930 cii->c_cached_perm = mask;
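Review bot: The declaration of `permission_epoch` should say why it is exempt from overflow checking. It is compared for equality in coda_cache_check and offset by `- 1` in coda_cache_clear_inode (later hunks), so it behaves as a generation number rather than a reference count. A comment such as `/* generation counter, not a refcount: wraparound is expected */` above the `static atomic_unchecked_t` line would record that. It would also be worth confirming that `ATOMIC_INIT(0)` is the intended initializer for the unchecked type; the hunk keeps it unchanged.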
42931 @@ -43,13 +43,13 @@ void coda_cache_enter(struct inode *inod
42932 void coda_cache_clear_inode(struct inode *inode)
42933 {
42934 struct coda_inode_info *cii = ITOC(inode);
42935 - cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
42936 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
42937 }
42938
42939 /* remove all acl caches */
42940 void coda_cache_clear_all(struct super_block *sb)
42941 {
42942 - atomic_inc(&permission_epoch);
42943 + atomic_inc_unchecked(&permission_epoch);
42944 }
42945
42946
42947 @@ -61,7 +61,7 @@ int coda_cache_check(struct inode *inode
42948
42949 hit = (mask & cii->c_cached_perm) == mask &&
42950 cii->c_uid == current_fsuid() &&
42951 - cii->c_cached_epoch == atomic_read(&permission_epoch);
42952 + cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
42953
42954 return hit;
42955 }
42956 diff -urNp linux-2.6.32.46/fs/compat_binfmt_elf.c linux-2.6.32.46/fs/compat_binfmt_elf.c
42957 --- linux-2.6.32.46/fs/compat_binfmt_elf.c 2011-03-27 14:31:47.000000000 -0400
42958 +++ linux-2.6.32.46/fs/compat_binfmt_elf.c 2011-04-17 15:56:46.000000000 -0400
42959 @@ -29,10 +29,12 @@
42960 #undef elfhdr
42961 #undef elf_phdr
42962 #undef elf_note
42963 +#undef elf_dyn
42964 #undef elf_addr_t
42965 #define elfhdr elf32_hdr
42966 #define elf_phdr elf32_phdr
42967 #define elf_note elf32_note
42968 +#define elf_dyn Elf32_Dyn
42969 #define elf_addr_t Elf32_Addr
42970
42971 /*
42972 diff -urNp linux-2.6.32.46/fs/compat.c linux-2.6.32.46/fs/compat.c
42973 --- linux-2.6.32.46/fs/compat.c 2011-04-17 17:00:52.000000000 -0400
42974 +++ linux-2.6.32.46/fs/compat.c 2011-08-11 19:56:56.000000000 -0400
42975 @@ -830,6 +830,7 @@ struct compat_old_linux_dirent {
42976
42977 struct compat_readdir_callback {
42978 struct compat_old_linux_dirent __user *dirent;
42979 + struct file * file;
42980 int result;
42981 };
42982
42983 @@ -847,6 +848,10 @@ static int compat_fillonedir(void *__buf
42984 buf->result = -EOVERFLOW;
42985 return -EOVERFLOW;
42986 }
42987 +
42988 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
42989 + return 0;
42990 +
42991 buf->result++;
42992 dirent = buf->dirent;
42993 if (!access_ok(VERIFY_WRITE, dirent,
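Review bot: The new gr_acl_handle_filldir() filter sits after the `-EOVERFLOW` return visible at the top of this hunk, so an entry the policy is meant to hide can still end the listing with an error before the filter is consulted. Moving `if (!gr_acl_handle_filldir(buf->file, name, namlen, ino)) return 0;` ahead of that overflow test would keep filtered entries from influencing the result code. The compat_filldir hunk further down has the same ordering. The start of compat_fillonedir is outside the hunk, so the condition guarding the overflow path is inferred.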
42994 @@ -879,6 +884,7 @@ asmlinkage long compat_sys_old_readdir(u
42995
42996 buf.result = 0;
42997 buf.dirent = dirent;
42998 + buf.file = file;
42999
43000 error = vfs_readdir(file, compat_fillonedir, &buf);
43001 if (buf.result)
43002 @@ -899,6 +905,7 @@ struct compat_linux_dirent {
43003 struct compat_getdents_callback {
43004 struct compat_linux_dirent __user *current_dir;
43005 struct compat_linux_dirent __user *previous;
43006 + struct file * file;
43007 int count;
43008 int error;
43009 };
43010 @@ -919,6 +926,10 @@ static int compat_filldir(void *__buf, c
43011 buf->error = -EOVERFLOW;
43012 return -EOVERFLOW;
43013 }
43014 +
43015 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
43016 + return 0;
43017 +
43018 dirent = buf->previous;
43019 if (dirent) {
43020 if (__put_user(offset, &dirent->d_off))
43021 @@ -966,6 +977,7 @@ asmlinkage long compat_sys_getdents(unsi
43022 buf.previous = NULL;
43023 buf.count = count;
43024 buf.error = 0;
43025 + buf.file = file;
43026
43027 error = vfs_readdir(file, compat_filldir, &buf);
43028 if (error >= 0)
43029 @@ -987,6 +999,7 @@ out:
43030 struct compat_getdents_callback64 {
43031 struct linux_dirent64 __user *current_dir;
43032 struct linux_dirent64 __user *previous;
43033 + struct file * file;
43034 int count;
43035 int error;
43036 };
43037 @@ -1003,6 +1016,10 @@ static int compat_filldir64(void * __buf
43038 buf->error = -EINVAL; /* only used if we fail.. */
43039 if (reclen > buf->count)
43040 return -EINVAL;
43041 +
43042 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
43043 + return 0;
43044 +
43045 dirent = buf->previous;
43046
43047 if (dirent) {
43048 @@ -1054,6 +1071,7 @@ asmlinkage long compat_sys_getdents64(un
43049 buf.previous = NULL;
43050 buf.count = count;
43051 buf.error = 0;
43052 + buf.file = file;
43053
43054 error = vfs_readdir(file, compat_filldir64, &buf);
43055 if (error >= 0)
43056 @@ -1098,7 +1116,7 @@ static ssize_t compat_do_readv_writev(in
43057 * verify all the pointers
43058 */
43059 ret = -EINVAL;
43060 - if ((nr_segs > UIO_MAXIOV) || (nr_segs <= 0))
43061 + if (nr_segs > UIO_MAXIOV)
43062 goto out;
43063 if (!file->f_op)
43064 goto out;
43065 @@ -1463,11 +1481,35 @@ int compat_do_execve(char * filename,
43066 compat_uptr_t __user *envp,
43067 struct pt_regs * regs)
43068 {
43069 +#ifdef CONFIG_GRKERNSEC
43070 + struct file *old_exec_file;
43071 + struct acl_subject_label *old_acl;
43072 + struct rlimit old_rlim[RLIM_NLIMITS];
43073 +#endif
43074 struct linux_binprm *bprm;
43075 struct file *file;
43076 struct files_struct *displaced;
43077 bool clear_in_exec;
43078 int retval;
43079 + const struct cred *cred = current_cred();
43080 +
43081 + /*
43082 + * We move the actual failure in case of RLIMIT_NPROC excess from
43083 + * set*uid() to execve() because too many poorly written programs
43084 + * don't check setuid() return code. Here we additionally recheck
43085 + * whether NPROC limit is still exceeded.
43086 + */
43087 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
43088 +
43089 + if ((current->flags & PF_NPROC_EXCEEDED) &&
43090 + atomic_read(&cred->user->processes) > current->signal->rlim[RLIMIT_NPROC].rlim_cur) {
43091 + retval = -EAGAIN;
43092 + goto out_ret;
43093 + }
43094 +
43095 + /* We're below the limit (still or again), so we don't want to make
43096 + * further execve() calls fail. */
43097 + current->flags &= ~PF_NPROC_EXCEEDED;
43098
43099 retval = unshare_files(&displaced);
43100 if (retval)
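Review bot: The added block reads the process count through two different expressions, `current->cred->user->processes` in the gr_learn_resource() call and `cred->user->processes` in the limit test, although `cred` was just initialised from current_cred(). Using `atomic_read(&cred->user->processes)` in both places makes it obvious that the same object is meant. The two comment blocks also use different layouts; the second should open with a bare `/*` line like the first. The `out_ret` label this hunk jumps to lies outside the hunk.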
43101 @@ -1499,6 +1541,15 @@ int compat_do_execve(char * filename,
43102 bprm->filename = filename;
43103 bprm->interp = filename;
43104
43105 + if (gr_process_user_ban()) {
43106 + retval = -EPERM;
43107 + goto out_file;
43108 + }
43109 +
43110 + retval = -EACCES;
43111 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
43112 + goto out_file;
43113 +
43114 retval = bprm_mm_init(bprm);
43115 if (retval)
43116 goto out_file;
43117 @@ -1528,9 +1579,40 @@ int compat_do_execve(char * filename,
43118 if (retval < 0)
43119 goto out;
43120
43121 + if (!gr_tpe_allow(file)) {
43122 + retval = -EACCES;
43123 + goto out;
43124 + }
43125 +
43126 + if (gr_check_crash_exec(file)) {
43127 + retval = -EACCES;
43128 + goto out;
43129 + }
43130 +
43131 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
43132 +
43133 + gr_handle_exec_args_compat(bprm, argv);
43134 +
43135 +#ifdef CONFIG_GRKERNSEC
43136 + old_acl = current->acl;
43137 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
43138 + old_exec_file = current->exec_file;
43139 + get_file(file);
43140 + current->exec_file = file;
43141 +#endif
43142 +
43143 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
43144 + bprm->unsafe & LSM_UNSAFE_SHARE);
43145 + if (retval < 0)
43146 + goto out_fail;
43147 +
43148 retval = search_binary_handler(bprm, regs);
43149 if (retval < 0)
43150 - goto out;
43151 + goto out_fail;
43152 +#ifdef CONFIG_GRKERNSEC
43153 + if (old_exec_file)
43154 + fput(old_exec_file);
43155 +#endif
43156
43157 /* execve succeeded */
43158 current->fs->in_exec = 0;
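Review bot: The snapshot `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));` here and the matching restore under `out_fail` in the next hunk copy the shared rlimit array without any lock. If this tree serialises rlimit writers with `task_lock(current->group_leader)` (not visible here), a sibling thread calling setrlimit during the exec could be overwritten by the restore, or the snapshot could be torn. Under that assumption both copies should be bracketed, e.g. `task_lock(current->group_leader);` before and `task_unlock(current->group_leader);` after each memcpy. compat_do_execve begins and ends outside this hunk.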
43159 @@ -1541,6 +1623,14 @@ int compat_do_execve(char * filename,
43160 put_files_struct(displaced);
43161 return retval;
43162
43163 +out_fail:
43164 +#ifdef CONFIG_GRKERNSEC
43165 + current->acl = old_acl;
43166 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
43167 + fput(current->exec_file);
43168 + current->exec_file = old_exec_file;
43169 +#endif
43170 +
43171 out:
43172 if (bprm->mm) {
43173 acct_arg_size(bprm, 0);
43174 @@ -1711,6 +1801,8 @@ int compat_core_sys_select(int n, compat
43175 struct fdtable *fdt;
43176 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
43177
43178 + pax_track_stack();
43179 +
43180 if (n < 0)
43181 goto out_nofds;
43182
43183 diff -urNp linux-2.6.32.46/fs/compat_ioctl.c linux-2.6.32.46/fs/compat_ioctl.c
43184 --- linux-2.6.32.46/fs/compat_ioctl.c 2011-03-27 14:31:47.000000000 -0400
43185 +++ linux-2.6.32.46/fs/compat_ioctl.c 2011-04-23 12:56:11.000000000 -0400
43186 @@ -234,6 +234,8 @@ static int do_video_set_spu_palette(unsi
43187 up = (struct compat_video_spu_palette __user *) arg;
43188 err = get_user(palp, &up->palette);
43189 err |= get_user(length, &up->length);
43190 + if (err)
43191 + return -EFAULT;
43192
43193 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
43194 err = put_user(compat_ptr(palp), &up_native->palette);
43195 diff -urNp linux-2.6.32.46/fs/configfs/dir.c linux-2.6.32.46/fs/configfs/dir.c
43196 --- linux-2.6.32.46/fs/configfs/dir.c 2011-03-27 14:31:47.000000000 -0400
43197 +++ linux-2.6.32.46/fs/configfs/dir.c 2011-05-11 18:25:15.000000000 -0400
43198 @@ -1572,7 +1572,8 @@ static int configfs_readdir(struct file
43199 }
43200 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
43201 struct configfs_dirent *next;
43202 - const char * name;
43203 + const unsigned char * name;
43204 + char d_name[sizeof(next->s_dentry->d_iname)];
43205 int len;
43206
43207 next = list_entry(p, struct configfs_dirent,
43208 @@ -1581,7 +1582,12 @@ static int configfs_readdir(struct file
43209 continue;
43210
43211 name = configfs_get_name(next);
43212 - len = strlen(name);
43213 + if (next->s_dentry && name == next->s_dentry->d_iname) {
43214 + len = next->s_dentry->d_name.len;
43215 + memcpy(d_name, name, len);
43216 + name = d_name;
43217 + } else
43218 + len = strlen(name);
43219 if (next->s_dentry)
43220 ino = next->s_dentry->d_inode->i_ino;
43221 else
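Review bot: Nothing in this hunk bounds `len` against `sizeof(d_name)` before `memcpy(d_name, name, len)` writes into the on-stack buffer declared in the previous hunk. The copy appears to exist because the inline name can change while readdir runs; if so, `d_name.len` is read at a different moment than the `name == next->s_dentry->d_iname` comparison and may no longer describe an inline name. A guard before the copy, for example `if (len > sizeof(d_name)) len = sizeof(d_name);`, keeps the write inside the buffer whatever the race outcome. The loop body continues outside the hunk.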
43222 diff -urNp linux-2.6.32.46/fs/dcache.c linux-2.6.32.46/fs/dcache.c
43223 --- linux-2.6.32.46/fs/dcache.c 2011-03-27 14:31:47.000000000 -0400
43224 +++ linux-2.6.32.46/fs/dcache.c 2011-04-23 13:32:21.000000000 -0400
43225 @@ -45,8 +45,6 @@ EXPORT_SYMBOL(dcache_lock);
43226
43227 static struct kmem_cache *dentry_cache __read_mostly;
43228
43229 -#define DNAME_INLINE_LEN (sizeof(struct dentry)-offsetof(struct dentry,d_iname))
43230 -
43231 /*
43232 * This is the single most critical data structure when it comes
43233 * to the dcache: the hashtable for lookups. Somebody should try
43234 @@ -2319,7 +2317,7 @@ void __init vfs_caches_init(unsigned lon
43235 mempages -= reserve;
43236
43237 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
43238 - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
43239 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
43240
43241 dcache_init();
43242 inode_init();
43243 diff -urNp linux-2.6.32.46/fs/dlm/lockspace.c linux-2.6.32.46/fs/dlm/lockspace.c
43244 --- linux-2.6.32.46/fs/dlm/lockspace.c 2011-03-27 14:31:47.000000000 -0400
43245 +++ linux-2.6.32.46/fs/dlm/lockspace.c 2011-04-17 15:56:46.000000000 -0400
43246 @@ -148,7 +148,7 @@ static void lockspace_kobj_release(struc
43247 kfree(ls);
43248 }
43249
43250 -static struct sysfs_ops dlm_attr_ops = {
43251 +static const struct sysfs_ops dlm_attr_ops = {
43252 .show = dlm_attr_show,
43253 .store = dlm_attr_store,
43254 };
43255 diff -urNp linux-2.6.32.46/fs/ecryptfs/inode.c linux-2.6.32.46/fs/ecryptfs/inode.c
43256 --- linux-2.6.32.46/fs/ecryptfs/inode.c 2011-03-27 14:31:47.000000000 -0400
43257 +++ linux-2.6.32.46/fs/ecryptfs/inode.c 2011-04-17 15:56:46.000000000 -0400
43258 @@ -660,7 +660,7 @@ static int ecryptfs_readlink_lower(struc
43259 old_fs = get_fs();
43260 set_fs(get_ds());
43261 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
43262 - (char __user *)lower_buf,
43263 + (__force char __user *)lower_buf,
43264 lower_bufsiz);
43265 set_fs(old_fs);
43266 if (rc < 0)
43267 @@ -706,7 +706,7 @@ static void *ecryptfs_follow_link(struct
43268 }
43269 old_fs = get_fs();
43270 set_fs(get_ds());
43271 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
43272 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
43273 set_fs(old_fs);
43274 if (rc < 0)
43275 goto out_free;
43276 diff -urNp linux-2.6.32.46/fs/exec.c linux-2.6.32.46/fs/exec.c
43277 --- linux-2.6.32.46/fs/exec.c 2011-06-25 12:55:34.000000000 -0400
43278 +++ linux-2.6.32.46/fs/exec.c 2011-08-11 19:56:19.000000000 -0400
43279 @@ -56,12 +56,24 @@
43280 #include <linux/fsnotify.h>
43281 #include <linux/fs_struct.h>
43282 #include <linux/pipe_fs_i.h>
43283 +#include <linux/random.h>
43284 +#include <linux/seq_file.h>
43285 +
43286 +#ifdef CONFIG_PAX_REFCOUNT
43287 +#include <linux/kallsyms.h>
43288 +#include <linux/kdebug.h>
43289 +#endif
43290
43291 #include <asm/uaccess.h>
43292 #include <asm/mmu_context.h>
43293 #include <asm/tlb.h>
43294 #include "internal.h"
43295
43296 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
43297 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
43298 +EXPORT_SYMBOL(pax_set_initial_flags_func);
43299 +#endif
43300 +
43301 int core_uses_pid;
43302 char core_pattern[CORENAME_MAX_SIZE] = "core";
43303 unsigned int core_pipe_limit;
43304 @@ -115,7 +127,7 @@ SYSCALL_DEFINE1(uselib, const char __use
43305 goto out;
43306
43307 file = do_filp_open(AT_FDCWD, tmp,
43308 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
43309 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
43310 MAY_READ | MAY_EXEC | MAY_OPEN);
43311 putname(tmp);
43312 error = PTR_ERR(file);
43313 @@ -178,18 +190,10 @@ struct page *get_arg_page(struct linux_b
43314 int write)
43315 {
43316 struct page *page;
43317 - int ret;
43318
43319 -#ifdef CONFIG_STACK_GROWSUP
43320 - if (write) {
43321 - ret = expand_stack_downwards(bprm->vma, pos);
43322 - if (ret < 0)
43323 - return NULL;
43324 - }
43325 -#endif
43326 - ret = get_user_pages(current, bprm->mm, pos,
43327 - 1, write, 1, &page, NULL);
43328 - if (ret <= 0)
43329 + if (0 > expand_stack_downwards(bprm->vma, pos))
43330 + return NULL;
43331 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
43332 return NULL;
43333
43334 if (write) {
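Review bot: The two added conditions in get_arg_page are written constant-first (`0 > expand_stack_downwards(...)`, `0 >= get_user_pages(...)`), which reads against the surrounding style. `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)` say the same thing in the usual order. The new side also drops both the `CONFIG_STACK_GROWSUP` guard and the `if (write)` test, so the expansion call now runs for read lookups too, and nothing records why. A comment such as `/* grow the arg vma before pinning the page, for reads as well as writes */` would help. The function body continues outside the hunk.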
43335 @@ -263,6 +267,11 @@ static int __bprm_mm_init(struct linux_b
43336 vma->vm_end = STACK_TOP_MAX;
43337 vma->vm_start = vma->vm_end - PAGE_SIZE;
43338 vma->vm_flags = VM_STACK_FLAGS;
43339 +
43340 +#ifdef CONFIG_PAX_SEGMEXEC
43341 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
43342 +#endif
43343 +
43344 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
43345
43346 err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
43347 @@ -276,6 +285,12 @@ static int __bprm_mm_init(struct linux_b
43348 mm->stack_vm = mm->total_vm = 1;
43349 up_write(&mm->mmap_sem);
43350 bprm->p = vma->vm_end - sizeof(void *);
43351 +
43352 +#ifdef CONFIG_PAX_RANDUSTACK
43353 + if (randomize_va_space)
43354 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
43355 +#endif
43356 +
43357 return 0;
43358 err:
43359 up_write(&mm->mmap_sem);
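Review bot: The XOR added under `CONFIG_PAX_RANDUSTACK` has no comment, and the two masks in `(pax_get_random_long() & ~15) & ~PAGE_MASK` are easy to misread. As written it flips only bits inside the page offset and leaves the low four bits alone, so `bprm->p` stays inside the single page that the previous hunk's context sets up with `vma->vm_start = vma->vm_end - PAGE_SIZE`. I would add `/* randomise the in-page offset of the initial stack pointer in 16-byte steps; p must stay inside the one-page vma */` above the `if`. The function starts outside the hunk.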
43360 @@ -510,7 +525,7 @@ int copy_strings_kernel(int argc,char **
43361 int r;
43362 mm_segment_t oldfs = get_fs();
43363 set_fs(KERNEL_DS);
43364 - r = copy_strings(argc, (char __user * __user *)argv, bprm);
43365 + r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
43366 set_fs(oldfs);
43367 return r;
43368 }
43369 @@ -540,7 +555,8 @@ static int shift_arg_pages(struct vm_are
43370 unsigned long new_end = old_end - shift;
43371 struct mmu_gather *tlb;
43372
43373 - BUG_ON(new_start > new_end);
43374 + if (new_start >= new_end || new_start < mmap_min_addr)
43375 + return -ENOMEM;
43376
43377 /*
43378 * ensure there are no vmas between where we want to go
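Review bot: The new guard `if (new_start >= new_end || new_start < mmap_min_addr)` becomes the only `mmap_min_addr` check on the argument stack, because a later setup_arg_pages hunk deletes the `stack_top < mmap_min_addr` test and setup_arg_pages calls shift_arg_pages only inside `if (stack_shift)`. When `stack_shift` is zero no lower-bound check runs at all, where the removed one ran unconditionally. That is probably harmless because the vma then stays at its initial address, but the code should say so. I would put `/* refuse a shift that would empty the range or place the stack below mmap_min_addr; replaces the check removed from setup_arg_pages() */` above the guard, which also documents why the former `BUG_ON` is now an `-ENOMEM` return. The declarations of `old_start` and `new_start` are outside the hunk, so whether the subtraction can wrap could not be checked from here.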
43379 @@ -549,6 +565,10 @@ static int shift_arg_pages(struct vm_are
43380 if (vma != find_vma(mm, new_start))
43381 return -EFAULT;
43382
43383 +#ifdef CONFIG_PAX_SEGMEXEC
43384 + BUG_ON(pax_find_mirror_vma(vma));
43385 +#endif
43386 +
43387 /*
43388 * cover the whole range: [new_start, old_end)
43389 */
43390 @@ -630,10 +650,6 @@ int setup_arg_pages(struct linux_binprm
43391 stack_top = arch_align_stack(stack_top);
43392 stack_top = PAGE_ALIGN(stack_top);
43393
43394 - if (unlikely(stack_top < mmap_min_addr) ||
43395 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
43396 - return -ENOMEM;
43397 -
43398 stack_shift = vma->vm_end - stack_top;
43399
43400 bprm->p -= stack_shift;
43401 @@ -645,6 +661,14 @@ int setup_arg_pages(struct linux_binprm
43402 bprm->exec -= stack_shift;
43403
43404 down_write(&mm->mmap_sem);
43405 +
43406 + /* Move stack pages down in memory. */
43407 + if (stack_shift) {
43408 + ret = shift_arg_pages(vma, stack_shift);
43409 + if (ret)
43410 + goto out_unlock;
43411 + }
43412 +
43413 vm_flags = VM_STACK_FLAGS;
43414
43415 /*
43416 @@ -658,19 +682,24 @@ int setup_arg_pages(struct linux_binprm
43417 vm_flags &= ~VM_EXEC;
43418 vm_flags |= mm->def_flags;
43419
43420 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
43421 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
43422 + vm_flags &= ~VM_EXEC;
43423 +
43424 +#ifdef CONFIG_PAX_MPROTECT
43425 + if (mm->pax_flags & MF_PAX_MPROTECT)
43426 + vm_flags &= ~VM_MAYEXEC;
43427 +#endif
43428 +
43429 + }
43430 +#endif
43431 +
43432 ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
43433 vm_flags);
43434 if (ret)
43435 goto out_unlock;
43436 BUG_ON(prev != vma);
43437
43438 - /* Move stack pages down in memory. */
43439 - if (stack_shift) {
43440 - ret = shift_arg_pages(vma, stack_shift);
43441 - if (ret)
43442 - goto out_unlock;
43443 - }
43444 -
43445 stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
43446 stack_size = vma->vm_end - vma->vm_start;
43447 /*
43448 @@ -707,7 +736,7 @@ struct file *open_exec(const char *name)
43449 int err;
43450
43451 file = do_filp_open(AT_FDCWD, name,
43452 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
43453 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
43454 MAY_EXEC | MAY_OPEN);
43455 if (IS_ERR(file))
43456 goto out;
43457 @@ -744,7 +773,7 @@ int kernel_read(struct file *file, loff_
43458 old_fs = get_fs();
43459 set_fs(get_ds());
43460 /* The cast to a user pointer is valid due to the set_fs() */
43461 - result = vfs_read(file, (void __user *)addr, count, &pos);
43462 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
43463 set_fs(old_fs);
43464 return result;
43465 }
43466 @@ -1152,7 +1181,7 @@ int check_unsafe_exec(struct linux_binpr
43467 }
43468 rcu_read_unlock();
43469
43470 - if (p->fs->users > n_fs) {
43471 + if (atomic_read(&p->fs->users) > n_fs) {
43472 bprm->unsafe |= LSM_UNSAFE_SHARE;
43473 } else {
43474 res = -EAGAIN;
43475 @@ -1347,11 +1376,35 @@ int do_execve(char * filename,
43476 char __user *__user *envp,
43477 struct pt_regs * regs)
43478 {
43479 +#ifdef CONFIG_GRKERNSEC
43480 + struct file *old_exec_file;
43481 + struct acl_subject_label *old_acl;
43482 + struct rlimit old_rlim[RLIM_NLIMITS];
43483 +#endif
43484 struct linux_binprm *bprm;
43485 struct file *file;
43486 struct files_struct *displaced;
43487 bool clear_in_exec;
43488 int retval;
43489 + const struct cred *cred = current_cred();
43490 +
43491 + /*
43492 + * We move the actual failure in case of RLIMIT_NPROC excess from
43493 + * set*uid() to execve() because too many poorly written programs
43494 + * don't check setuid() return code. Here we additionally recheck
43495 + * whether NPROC limit is still exceeded.
43496 + */
43497 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
43498 +
43499 + if ((current->flags & PF_NPROC_EXCEEDED) &&
43500 + atomic_read(&cred->user->processes) > current->signal->rlim[RLIMIT_NPROC].rlim_cur) {
43501 + retval = -EAGAIN;
43502 + goto out_ret;
43503 + }
43504 +
43505 + /* We're below the limit (still or again), so we don't want to make
43506 + * further execve() calls fail. */
43507 + current->flags &= ~PF_NPROC_EXCEEDED;
43508
43509 retval = unshare_files(&displaced);
43510 if (retval)
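Review bot: The `RLIMIT_NPROC` recheck reads the process count through two different expressions. `gr_learn_resource(...)` uses `current->cred->user->processes`, while the `if` that follows uses `cred->user->processes` with `cred = current_cred()` declared just above. Both should go through the same pointer so the learned value and the enforced value cannot drift apart in a later edit: `gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&cred->user->processes), 1);`. The `out_ret` label this code jumps to is outside the hunk.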
43511 @@ -1383,6 +1436,16 @@ int do_execve(char * filename,
43512 bprm->filename = filename;
43513 bprm->interp = filename;
43514
43515 + if (gr_process_user_ban()) {
43516 + retval = -EPERM;
43517 + goto out_file;
43518 + }
43519 +
43520 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
43521 + retval = -EACCES;
43522 + goto out_file;
43523 + }
43524 +
43525 retval = bprm_mm_init(bprm);
43526 if (retval)
43527 goto out_file;
43528 @@ -1412,10 +1475,41 @@ int do_execve(char * filename,
43529 if (retval < 0)
43530 goto out;
43531
43532 + if (!gr_tpe_allow(file)) {
43533 + retval = -EACCES;
43534 + goto out;
43535 + }
43536 +
43537 + if (gr_check_crash_exec(file)) {
43538 + retval = -EACCES;
43539 + goto out;
43540 + }
43541 +
43542 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
43543 +
43544 + gr_handle_exec_args(bprm, (const char __user *const __user *)argv);
43545 +
43546 +#ifdef CONFIG_GRKERNSEC
43547 + old_acl = current->acl;
43548 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
43549 + old_exec_file = current->exec_file;
43550 + get_file(file);
43551 + current->exec_file = file;
43552 +#endif
43553 +
43554 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
43555 + bprm->unsafe & LSM_UNSAFE_SHARE);
43556 + if (retval < 0)
43557 + goto out_fail;
43558 +
43559 current->flags &= ~PF_KTHREAD;
43560 retval = search_binary_handler(bprm,regs);
43561 if (retval < 0)
43562 - goto out;
43563 + goto out_fail;
43564 +#ifdef CONFIG_GRKERNSEC
43565 + if (old_exec_file)
43566 + fput(old_exec_file);
43567 +#endif
43568
43569 /* execve succeeded */
43570 current->fs->in_exec = 0;
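Review bot: The snapshot `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));` and the matching restore under `out_fail:` in the next hunk copy the whole rlimit array with no lock held. `signal->rlim` hangs off the shared signal struct, and sibling threads are presumably still running at this point, so a limit changed by one of them before a failed `search_binary_handler()` would be silently rolled back. If rlimit writers elsewhere in this tree serialise on a lock (not visible here), both copies should take it, for example `task_lock(current->group_leader);` before and `task_unlock(current->group_leader);` after each `memcpy`. A short comment at the save site stating what `gr_set_proc_label()` may modify would also make the rollback reviewable, since its body is not part of this hunk.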
43571 @@ -1426,6 +1520,14 @@ int do_execve(char * filename,
43572 put_files_struct(displaced);
43573 return retval;
43574
43575 +out_fail:
43576 +#ifdef CONFIG_GRKERNSEC
43577 + current->acl = old_acl;
43578 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
43579 + fput(current->exec_file);
43580 + current->exec_file = old_exec_file;
43581 +#endif
43582 +
43583 out:
43584 if (bprm->mm) {
43585 acct_arg_size(bprm, 0);
43586 @@ -1591,6 +1693,220 @@ out:
43587 return ispipe;
43588 }
43589
43590 +int pax_check_flags(unsigned long *flags)
43591 +{
43592 + int retval = 0;
43593 +
43594 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
43595 + if (*flags & MF_PAX_SEGMEXEC)
43596 + {
43597 + *flags &= ~MF_PAX_SEGMEXEC;
43598 + retval = -EINVAL;
43599 + }
43600 +#endif
43601 +
43602 + if ((*flags & MF_PAX_PAGEEXEC)
43603 +
43604 +#ifdef CONFIG_PAX_PAGEEXEC
43605 + && (*flags & MF_PAX_SEGMEXEC)
43606 +#endif
43607 +
43608 + )
43609 + {
43610 + *flags &= ~MF_PAX_PAGEEXEC;
43611 + retval = -EINVAL;
43612 + }
43613 +
43614 + if ((*flags & MF_PAX_MPROTECT)
43615 +
43616 +#ifdef CONFIG_PAX_MPROTECT
43617 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
43618 +#endif
43619 +
43620 + )
43621 + {
43622 + *flags &= ~MF_PAX_MPROTECT;
43623 + retval = -EINVAL;
43624 + }
43625 +
43626 + if ((*flags & MF_PAX_EMUTRAMP)
43627 +
43628 +#ifdef CONFIG_PAX_EMUTRAMP
43629 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
43630 +#endif
43631 +
43632 + )
43633 + {
43634 + *flags &= ~MF_PAX_EMUTRAMP;
43635 + retval = -EINVAL;
43636 + }
43637 +
43638 + return retval;
43639 +}
43640 +
43641 +EXPORT_SYMBOL(pax_check_flags);
43642 +
43643 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
43644 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
43645 +{
43646 + struct task_struct *tsk = current;
43647 + struct mm_struct *mm = current->mm;
43648 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
43649 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
43650 + char *path_exec = NULL;
43651 + char *path_fault = NULL;
43652 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
43653 +
43654 + if (buffer_exec && buffer_fault) {
43655 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
43656 +
43657 + down_read(&mm->mmap_sem);
43658 + vma = mm->mmap;
43659 + while (vma && (!vma_exec || !vma_fault)) {
43660 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
43661 + vma_exec = vma;
43662 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
43663 + vma_fault = vma;
43664 + vma = vma->vm_next;
43665 + }
43666 + if (vma_exec) {
43667 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
43668 + if (IS_ERR(path_exec))
43669 + path_exec = "<path too long>";
43670 + else {
43671 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
43672 + if (path_exec) {
43673 + *path_exec = 0;
43674 + path_exec = buffer_exec;
43675 + } else
43676 + path_exec = "<path too long>";
43677 + }
43678 + }
43679 + if (vma_fault) {
43680 + start = vma_fault->vm_start;
43681 + end = vma_fault->vm_end;
43682 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
43683 + if (vma_fault->vm_file) {
43684 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
43685 + if (IS_ERR(path_fault))
43686 + path_fault = "<path too long>";
43687 + else {
43688 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
43689 + if (path_fault) {
43690 + *path_fault = 0;
43691 + path_fault = buffer_fault;
43692 + } else
43693 + path_fault = "<path too long>";
43694 + }
43695 + } else
43696 + path_fault = "<anonymous mapping>";
43697 + }
43698 + up_read(&mm->mmap_sem);
43699 + }
43700 + if (tsk->signal->curr_ip)
43701 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
43702 + else
43703 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
43704 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
43705 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
43706 + task_uid(tsk), task_euid(tsk), pc, sp);
43707 + free_page((unsigned long)buffer_exec);
43708 + free_page((unsigned long)buffer_fault);
43709 + pax_report_insns(pc, sp);
43710 + do_coredump(SIGKILL, SIGKILL, regs);
43711 +}
43712 +#endif
43713 +
43714 +#ifdef CONFIG_PAX_REFCOUNT
43715 +void pax_report_refcount_overflow(struct pt_regs *regs)
43716 +{
43717 + if (current->signal->curr_ip)
43718 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
43719 + &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
43720 + else
43721 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
43722 + current->comm, task_pid_nr(current), current_uid(), current_euid());
43723 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
43724 + show_regs(regs);
43725 + force_sig_specific(SIGKILL, current);
43726 +}
43727 +#endif
43728 +
43729 +#ifdef CONFIG_PAX_USERCOPY
43730 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
43731 +int object_is_on_stack(const void *obj, unsigned long len)
43732 +{
43733 + const void * const stack = task_stack_page(current);
43734 + const void * const stackend = stack + THREAD_SIZE;
43735 +
43736 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
43737 + const void *frame = NULL;
43738 + const void *oldframe;
43739 +#endif
43740 +
43741 + if (obj + len < obj)
43742 + return -1;
43743 +
43744 + if (obj + len <= stack || stackend <= obj)
43745 + return 0;
43746 +
43747 + if (obj < stack || stackend < obj + len)
43748 + return -1;
43749 +
43750 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
43751 + oldframe = __builtin_frame_address(1);
43752 + if (oldframe)
43753 + frame = __builtin_frame_address(2);
43754 + /*
43755 + low ----------------------------------------------> high
43756 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
43757 + ^----------------^
43758 + allow copies only within here
43759 + */
43760 + while (stack <= frame && frame < stackend) {
43761 + /* if obj + len extends past the last frame, this
43762 + check won't pass and the next frame will be 0,
43763 + causing us to bail out and correctly report
43764 + the copy as invalid
43765 + */
43766 + if (obj + len <= frame)
43767 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
43768 + oldframe = frame;
43769 + frame = *(const void * const *)frame;
43770 + }
43771 + return -1;
43772 +#else
43773 + return 1;
43774 +#endif
43775 +}
43776 +
43777 +
43778 +NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
43779 +{
43780 + if (current->signal->curr_ip)
43781 + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
43782 + &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
43783 + else
43784 + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
43785 + to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
43786 +
43787 + dump_stack();
43788 + gr_handle_kernel_exploit();
43789 + do_group_exit(SIGKILL);
43790 +}
43791 +#endif
43792 +
43793 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
43794 +void pax_track_stack(void)
43795 +{
43796 + unsigned long sp = (unsigned long)&sp;
43797 + if (sp < current_thread_info()->lowest_stack &&
43798 + sp > (unsigned long)task_stack_page(current))
43799 + current_thread_info()->lowest_stack = sp;
43800 +}
43801 +EXPORT_SYMBOL(pax_track_stack);
43802 +#endif
43803 +
43804 static int zap_process(struct task_struct *start)
43805 {
43806 struct task_struct *t;
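Review bot: In pax_report_fault and pax_report_refcount_overflow the file paths are escaped with `mangle_path(..., "\t\n\\")`, but `tsk->comm` and `current->comm` are printed with a bare `%s`. The task name is set by the process itself and may contain newlines, so a reader of the kernel log cannot rely on line boundaries in exactly the records meant to report an attack. The name should go through the same escaping as the paths before it reaches `printk`. Separately, when either `__get_free_page(GFP_KERNEL)` fails or no matching vma is found, `path_exec` and `path_fault` stay NULL and are still passed to `%s`; initialising both to a literal such as `"<unknown>"` would keep the record well-formed. object_is_on_stack would also read better with named constants in place of the bare 0/1/2/-1 results, and the message in pax_report_refcount_overflow misspells "occurred".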
43807 @@ -1793,17 +2109,17 @@ static void wait_for_dump_helpers(struct
43808 pipe = file->f_path.dentry->d_inode->i_pipe;
43809
43810 pipe_lock(pipe);
43811 - pipe->readers++;
43812 - pipe->writers--;
43813 + atomic_inc(&pipe->readers);
43814 + atomic_dec(&pipe->writers);
43815
43816 - while ((pipe->readers > 1) && (!signal_pending(current))) {
43817 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
43818 wake_up_interruptible_sync(&pipe->wait);
43819 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
43820 pipe_wait(pipe);
43821 }
43822
43823 - pipe->readers--;
43824 - pipe->writers++;
43825 + atomic_dec(&pipe->readers);
43826 + atomic_inc(&pipe->writers);
43827 pipe_unlock(pipe);
43828
43829 }
43830 @@ -1826,10 +2142,13 @@ void do_coredump(long signr, int exit_co
43831 char **helper_argv = NULL;
43832 int helper_argc = 0;
43833 int dump_count = 0;
43834 - static atomic_t core_dump_count = ATOMIC_INIT(0);
43835 + static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
43836
43837 audit_core_dumps(signr);
43838
43839 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
43840 + gr_handle_brute_attach(current, mm->flags);
43841 +
43842 binfmt = mm->binfmt;
43843 if (!binfmt || !binfmt->core_dump)
43844 goto fail;
43845 @@ -1874,6 +2193,8 @@ void do_coredump(long signr, int exit_co
43846 */
43847 clear_thread_flag(TIF_SIGPENDING);
43848
43849 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
43850 +
43851 /*
43852 * lock_kernel() because format_corename() is controlled by sysctl, which
43853 * uses lock_kernel()
43854 @@ -1908,7 +2229,7 @@ void do_coredump(long signr, int exit_co
43855 goto fail_unlock;
43856 }
43857
43858 - dump_count = atomic_inc_return(&core_dump_count);
43859 + dump_count = atomic_inc_return_unchecked(&core_dump_count);
43860 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
43861 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
43862 task_tgid_vnr(current), current->comm);
43863 @@ -1972,7 +2293,7 @@ close_fail:
43864 filp_close(file, NULL);
43865 fail_dropcount:
43866 if (dump_count)
43867 - atomic_dec(&core_dump_count);
43868 + atomic_dec_unchecked(&core_dump_count);
43869 fail_unlock:
43870 if (helper_argv)
43871 argv_free(helper_argv);
43872 diff -urNp linux-2.6.32.46/fs/ext2/balloc.c linux-2.6.32.46/fs/ext2/balloc.c
43873 --- linux-2.6.32.46/fs/ext2/balloc.c 2011-03-27 14:31:47.000000000 -0400
43874 +++ linux-2.6.32.46/fs/ext2/balloc.c 2011-04-17 15:56:46.000000000 -0400
43875 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
43876
43877 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
43878 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
43879 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
43880 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
43881 sbi->s_resuid != current_fsuid() &&
43882 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
43883 return 0;
43884 diff -urNp linux-2.6.32.46/fs/ext3/balloc.c linux-2.6.32.46/fs/ext3/balloc.c
43885 --- linux-2.6.32.46/fs/ext3/balloc.c 2011-03-27 14:31:47.000000000 -0400
43886 +++ linux-2.6.32.46/fs/ext3/balloc.c 2011-04-17 15:56:46.000000000 -0400
43887 @@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
43888
43889 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
43890 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
43891 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
43892 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
43893 sbi->s_resuid != current_fsuid() &&
43894 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
43895 return 0;
43896 diff -urNp linux-2.6.32.46/fs/ext4/balloc.c linux-2.6.32.46/fs/ext4/balloc.c
43897 --- linux-2.6.32.46/fs/ext4/balloc.c 2011-03-27 14:31:47.000000000 -0400
43898 +++ linux-2.6.32.46/fs/ext4/balloc.c 2011-04-17 15:56:46.000000000 -0400
43899 @@ -570,7 +570,7 @@ int ext4_has_free_blocks(struct ext4_sb_
43900 /* Hm, nope. Are (enough) root reserved blocks available? */
43901 if (sbi->s_resuid == current_fsuid() ||
43902 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
43903 - capable(CAP_SYS_RESOURCE)) {
43904 + capable_nolog(CAP_SYS_RESOURCE)) {
43905 if (free_blocks >= (nblocks + dirty_blocks))
43906 return 1;
43907 }
43908 diff -urNp linux-2.6.32.46/fs/ext4/ext4.h linux-2.6.32.46/fs/ext4/ext4.h
43909 --- linux-2.6.32.46/fs/ext4/ext4.h 2011-03-27 14:31:47.000000000 -0400
43910 +++ linux-2.6.32.46/fs/ext4/ext4.h 2011-04-17 15:56:46.000000000 -0400
43911 @@ -1078,19 +1078,19 @@ struct ext4_sb_info {
43912
43913 /* stats for buddy allocator */
43914 spinlock_t s_mb_pa_lock;
43915 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
43916 - atomic_t s_bal_success; /* we found long enough chunks */
43917 - atomic_t s_bal_allocated; /* in blocks */
43918 - atomic_t s_bal_ex_scanned; /* total extents scanned */
43919 - atomic_t s_bal_goals; /* goal hits */
43920 - atomic_t s_bal_breaks; /* too long searches */
43921 - atomic_t s_bal_2orders; /* 2^order hits */
43922 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
43923 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
43924 + atomic_unchecked_t s_bal_allocated; /* in blocks */
43925 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
43926 + atomic_unchecked_t s_bal_goals; /* goal hits */
43927 + atomic_unchecked_t s_bal_breaks; /* too long searches */
43928 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
43929 spinlock_t s_bal_lock;
43930 unsigned long s_mb_buddies_generated;
43931 unsigned long long s_mb_generation_time;
43932 - atomic_t s_mb_lost_chunks;
43933 - atomic_t s_mb_preallocated;
43934 - atomic_t s_mb_discarded;
43935 + atomic_unchecked_t s_mb_lost_chunks;
43936 + atomic_unchecked_t s_mb_preallocated;
43937 + atomic_unchecked_t s_mb_discarded;
43938 atomic_t s_lock_busy;
43939
43940 /* locality groups */
43941 diff -urNp linux-2.6.32.46/fs/ext4/mballoc.c linux-2.6.32.46/fs/ext4/mballoc.c
43942 --- linux-2.6.32.46/fs/ext4/mballoc.c 2011-06-25 12:55:34.000000000 -0400
43943 +++ linux-2.6.32.46/fs/ext4/mballoc.c 2011-06-25 12:56:37.000000000 -0400
43944 @@ -1755,7 +1755,7 @@ void ext4_mb_simple_scan_group(struct ex
43945 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
43946
43947 if (EXT4_SB(sb)->s_mb_stats)
43948 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
43949 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
43950
43951 break;
43952 }
43953 @@ -2131,7 +2131,7 @@ repeat:
43954 ac->ac_status = AC_STATUS_CONTINUE;
43955 ac->ac_flags |= EXT4_MB_HINT_FIRST;
43956 cr = 3;
43957 - atomic_inc(&sbi->s_mb_lost_chunks);
43958 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
43959 goto repeat;
43960 }
43961 }
43962 @@ -2174,6 +2174,8 @@ static int ext4_mb_seq_groups_show(struc
43963 ext4_grpblk_t counters[16];
43964 } sg;
43965
43966 + pax_track_stack();
43967 +
43968 group--;
43969 if (group == 0)
43970 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
43971 @@ -2534,25 +2536,25 @@ int ext4_mb_release(struct super_block *
43972 if (sbi->s_mb_stats) {
43973 printk(KERN_INFO
43974 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
43975 - atomic_read(&sbi->s_bal_allocated),
43976 - atomic_read(&sbi->s_bal_reqs),
43977 - atomic_read(&sbi->s_bal_success));
43978 + atomic_read_unchecked(&sbi->s_bal_allocated),
43979 + atomic_read_unchecked(&sbi->s_bal_reqs),
43980 + atomic_read_unchecked(&sbi->s_bal_success));
43981 printk(KERN_INFO
43982 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
43983 "%u 2^N hits, %u breaks, %u lost\n",
43984 - atomic_read(&sbi->s_bal_ex_scanned),
43985 - atomic_read(&sbi->s_bal_goals),
43986 - atomic_read(&sbi->s_bal_2orders),
43987 - atomic_read(&sbi->s_bal_breaks),
43988 - atomic_read(&sbi->s_mb_lost_chunks));
43989 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
43990 + atomic_read_unchecked(&sbi->s_bal_goals),
43991 + atomic_read_unchecked(&sbi->s_bal_2orders),
43992 + atomic_read_unchecked(&sbi->s_bal_breaks),
43993 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
43994 printk(KERN_INFO
43995 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
43996 sbi->s_mb_buddies_generated++,
43997 sbi->s_mb_generation_time);
43998 printk(KERN_INFO
43999 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
44000 - atomic_read(&sbi->s_mb_preallocated),
44001 - atomic_read(&sbi->s_mb_discarded));
44002 + atomic_read_unchecked(&sbi->s_mb_preallocated),
44003 + atomic_read_unchecked(&sbi->s_mb_discarded));
44004 }
44005
44006 free_percpu(sbi->s_locality_groups);
44007 @@ -3034,16 +3036,16 @@ static void ext4_mb_collect_stats(struct
44008 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
44009
44010 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
44011 - atomic_inc(&sbi->s_bal_reqs);
44012 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
44013 + atomic_inc_unchecked(&sbi->s_bal_reqs);
44014 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
44015 if (ac->ac_o_ex.fe_len >= ac->ac_g_ex.fe_len)
44016 - atomic_inc(&sbi->s_bal_success);
44017 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
44018 + atomic_inc_unchecked(&sbi->s_bal_success);
44019 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
44020 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
44021 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
44022 - atomic_inc(&sbi->s_bal_goals);
44023 + atomic_inc_unchecked(&sbi->s_bal_goals);
44024 if (ac->ac_found > sbi->s_mb_max_to_scan)
44025 - atomic_inc(&sbi->s_bal_breaks);
44026 + atomic_inc_unchecked(&sbi->s_bal_breaks);
44027 }
44028
44029 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
44030 @@ -3443,7 +3445,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
44031 trace_ext4_mb_new_inode_pa(ac, pa);
44032
44033 ext4_mb_use_inode_pa(ac, pa);
44034 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
44035 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
44036
44037 ei = EXT4_I(ac->ac_inode);
44038 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
44039 @@ -3503,7 +3505,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
44040 trace_ext4_mb_new_group_pa(ac, pa);
44041
44042 ext4_mb_use_group_pa(ac, pa);
44043 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
44044 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
44045
44046 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
44047 lg = ac->ac_lg;
44048 @@ -3607,7 +3609,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
44049 * from the bitmap and continue.
44050 */
44051 }
44052 - atomic_add(free, &sbi->s_mb_discarded);
44053 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
44054
44055 return err;
44056 }
44057 @@ -3626,7 +3628,7 @@ ext4_mb_release_group_pa(struct ext4_bud
44058 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
44059 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
44060 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
44061 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
44062 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
44063
44064 if (ac) {
44065 ac->ac_sb = sb;
44066 diff -urNp linux-2.6.32.46/fs/ext4/super.c linux-2.6.32.46/fs/ext4/super.c
44067 --- linux-2.6.32.46/fs/ext4/super.c 2011-03-27 14:31:47.000000000 -0400
44068 +++ linux-2.6.32.46/fs/ext4/super.c 2011-04-17 15:56:46.000000000 -0400
44069 @@ -2287,7 +2287,7 @@ static void ext4_sb_release(struct kobje
44070 }
44071
44072
44073 -static struct sysfs_ops ext4_attr_ops = {
44074 +static const struct sysfs_ops ext4_attr_ops = {
44075 .show = ext4_attr_show,
44076 .store = ext4_attr_store,
44077 };
44078 diff -urNp linux-2.6.32.46/fs/fcntl.c linux-2.6.32.46/fs/fcntl.c
44079 --- linux-2.6.32.46/fs/fcntl.c 2011-03-27 14:31:47.000000000 -0400
44080 +++ linux-2.6.32.46/fs/fcntl.c 2011-04-17 15:56:46.000000000 -0400
44081 @@ -223,6 +223,11 @@ int __f_setown(struct file *filp, struct
44082 if (err)
44083 return err;
44084
44085 + if (gr_handle_chroot_fowner(pid, type))
44086 + return -ENOENT;
44087 + if (gr_check_protected_task_fowner(pid, type))
44088 + return -EACCES;
44089 +
44090 f_modown(filp, pid, type, force);
44091 return 0;
44092 }
44093 @@ -344,6 +349,7 @@ static long do_fcntl(int fd, unsigned in
44094 switch (cmd) {
44095 case F_DUPFD:
44096 case F_DUPFD_CLOEXEC:
44097 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
44098 if (arg >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
44099 break;
44100 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
44101 diff -urNp linux-2.6.32.46/fs/fifo.c linux-2.6.32.46/fs/fifo.c
44102 --- linux-2.6.32.46/fs/fifo.c 2011-03-27 14:31:47.000000000 -0400
44103 +++ linux-2.6.32.46/fs/fifo.c 2011-04-17 15:56:46.000000000 -0400
44104 @@ -59,10 +59,10 @@ static int fifo_open(struct inode *inode
44105 */
44106 filp->f_op = &read_pipefifo_fops;
44107 pipe->r_counter++;
44108 - if (pipe->readers++ == 0)
44109 + if (atomic_inc_return(&pipe->readers) == 1)
44110 wake_up_partner(inode);
44111
44112 - if (!pipe->writers) {
44113 + if (!atomic_read(&pipe->writers)) {
44114 if ((filp->f_flags & O_NONBLOCK)) {
44115 /* suppress POLLHUP until we have
44116 * seen a writer */
44117 @@ -83,15 +83,15 @@ static int fifo_open(struct inode *inode
44118 * errno=ENXIO when there is no process reading the FIFO.
44119 */
44120 ret = -ENXIO;
44121 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
44122 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
44123 goto err;
44124
44125 filp->f_op = &write_pipefifo_fops;
44126 pipe->w_counter++;
44127 - if (!pipe->writers++)
44128 + if (atomic_inc_return(&pipe->writers) == 1)
44129 wake_up_partner(inode);
44130
44131 - if (!pipe->readers) {
44132 + if (!atomic_read(&pipe->readers)) {
44133 wait_for_partner(inode, &pipe->r_counter);
44134 if (signal_pending(current))
44135 goto err_wr;
44136 @@ -107,11 +107,11 @@ static int fifo_open(struct inode *inode
44137 */
44138 filp->f_op = &rdwr_pipefifo_fops;
44139
44140 - pipe->readers++;
44141 - pipe->writers++;
44142 + atomic_inc(&pipe->readers);
44143 + atomic_inc(&pipe->writers);
44144 pipe->r_counter++;
44145 pipe->w_counter++;
44146 - if (pipe->readers == 1 || pipe->writers == 1)
44147 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
44148 wake_up_partner(inode);
44149 break;
44150
44151 @@ -125,19 +125,19 @@ static int fifo_open(struct inode *inode
44152 return 0;
44153
44154 err_rd:
44155 - if (!--pipe->readers)
44156 + if (atomic_dec_and_test(&pipe->readers))
44157 wake_up_interruptible(&pipe->wait);
44158 ret = -ERESTARTSYS;
44159 goto err;
44160
44161 err_wr:
44162 - if (!--pipe->writers)
44163 + if (atomic_dec_and_test(&pipe->writers))
44164 wake_up_interruptible(&pipe->wait);
44165 ret = -ERESTARTSYS;
44166 goto err;
44167
44168 err:
44169 - if (!pipe->readers && !pipe->writers)
44170 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
44171 free_pipe_info(inode);
44172
44173 err_nocleanup:
44174 diff -urNp linux-2.6.32.46/fs/file.c linux-2.6.32.46/fs/file.c
44175 --- linux-2.6.32.46/fs/file.c 2011-03-27 14:31:47.000000000 -0400
44176 +++ linux-2.6.32.46/fs/file.c 2011-04-17 15:56:46.000000000 -0400
44177 @@ -14,6 +14,7 @@
44178 #include <linux/slab.h>
44179 #include <linux/vmalloc.h>
44180 #include <linux/file.h>
44181 +#include <linux/security.h>
44182 #include <linux/fdtable.h>
44183 #include <linux/bitops.h>
44184 #include <linux/interrupt.h>
44185 @@ -257,6 +258,8 @@ int expand_files(struct files_struct *fi
44186 * N.B. For clone tasks sharing a files structure, this test
44187 * will limit the total number of files that can be opened.
44188 */
44189 +
44190 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
44191 if (nr >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
44192 return -EMFILE;
44193
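Review bot: The `gr_learn_resource(current, RLIMIT_NOFILE, nr, 0)` call is inserted between the existing "N.B." comment and the rlimit test that comment describes, and its trailing `0` is an undocumented literal. Moving the call above the comment block, or giving it its own comment such as `/* report the requested fd count to the learning code; last arg 0 presumably selects the >= comparison used below (confirm) */`, would keep the original comment attached to its check and tell the reader which boundary is reported. The call also runs before the limit is enforced, so it sees requests that are then rejected with -EMFILE; if that is intended, it is worth stating. expand_files' body starts and ends outside the hunk.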
44194 diff -urNp linux-2.6.32.46/fs/filesystems.c linux-2.6.32.46/fs/filesystems.c
44195 --- linux-2.6.32.46/fs/filesystems.c 2011-03-27 14:31:47.000000000 -0400
44196 +++ linux-2.6.32.46/fs/filesystems.c 2011-04-17 15:56:46.000000000 -0400
44197 @@ -272,7 +272,12 @@ struct file_system_type *get_fs_type(con
44198 int len = dot ? dot - name : strlen(name);
44199
44200 fs = __get_fs_type(name, len);
44201 +
44202 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
44203 + if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
44204 +#else
44205 if (!fs && (request_module("%.*s", len, name) == 0))
44206 +#endif
44207 fs = __get_fs_type(name, len);
44208
44209 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
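Review bot: The `#ifdef CONFIG_GRKERNSEC_MODHARDEN` block duplicates the head of the `if` statement in both preprocessor branches and shares a single body line after `#endif`, which is easy to break when either branch is edited later. Keeping one `if (!fs)` and putting only the module-request call under the `#ifdef` avoids that, as sketched below. A short comment on what the `"grsec_modharden_fs"` tag tells the module loader would also help, since its meaning is not visible here. get_fs_type's body starts and ends outside the hunk.
```c
	int ret;	/* result of the module request */

	fs = __get_fs_type(name, len);
	if (!fs) {
#ifdef CONFIG_GRKERNSEC_MODHARDEN
		ret = ___request_module(true, "grsec_modharden_fs", "%.*s", len, name);
#else
		ret = request_module("%.*s", len, name);
#endif
		if (ret == 0)
			fs = __get_fs_type(name, len);
	}
	/* … unchanged: FS_HAS_SUBTYPE check … */
```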
44210 diff -urNp linux-2.6.32.46/fs/fscache/cookie.c linux-2.6.32.46/fs/fscache/cookie.c
44211 --- linux-2.6.32.46/fs/fscache/cookie.c 2011-03-27 14:31:47.000000000 -0400
44212 +++ linux-2.6.32.46/fs/fscache/cookie.c 2011-05-04 17:56:28.000000000 -0400
44213 @@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
44214 parent ? (char *) parent->def->name : "<no-parent>",
44215 def->name, netfs_data);
44216
44217 - fscache_stat(&fscache_n_acquires);
44218 + fscache_stat_unchecked(&fscache_n_acquires);
44219
44220 /* if there's no parent cookie, then we don't create one here either */
44221 if (!parent) {
44222 - fscache_stat(&fscache_n_acquires_null);
44223 + fscache_stat_unchecked(&fscache_n_acquires_null);
44224 _leave(" [no parent]");
44225 return NULL;
44226 }
44227 @@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
44228 /* allocate and initialise a cookie */
44229 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
44230 if (!cookie) {
44231 - fscache_stat(&fscache_n_acquires_oom);
44232 + fscache_stat_unchecked(&fscache_n_acquires_oom);
44233 _leave(" [ENOMEM]");
44234 return NULL;
44235 }
44236 @@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
44237
44238 switch (cookie->def->type) {
44239 case FSCACHE_COOKIE_TYPE_INDEX:
44240 - fscache_stat(&fscache_n_cookie_index);
44241 + fscache_stat_unchecked(&fscache_n_cookie_index);
44242 break;
44243 case FSCACHE_COOKIE_TYPE_DATAFILE:
44244 - fscache_stat(&fscache_n_cookie_data);
44245 + fscache_stat_unchecked(&fscache_n_cookie_data);
44246 break;
44247 default:
44248 - fscache_stat(&fscache_n_cookie_special);
44249 + fscache_stat_unchecked(&fscache_n_cookie_special);
44250 break;
44251 }
44252
44253 @@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
44254 if (fscache_acquire_non_index_cookie(cookie) < 0) {
44255 atomic_dec(&parent->n_children);
44256 __fscache_cookie_put(cookie);
44257 - fscache_stat(&fscache_n_acquires_nobufs);
44258 + fscache_stat_unchecked(&fscache_n_acquires_nobufs);
44259 _leave(" = NULL");
44260 return NULL;
44261 }
44262 }
44263
44264 - fscache_stat(&fscache_n_acquires_ok);
44265 + fscache_stat_unchecked(&fscache_n_acquires_ok);
44266 _leave(" = %p", cookie);
44267 return cookie;
44268 }
44269 @@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
44270 cache = fscache_select_cache_for_object(cookie->parent);
44271 if (!cache) {
44272 up_read(&fscache_addremove_sem);
44273 - fscache_stat(&fscache_n_acquires_no_cache);
44274 + fscache_stat_unchecked(&fscache_n_acquires_no_cache);
44275 _leave(" = -ENOMEDIUM [no cache]");
44276 return -ENOMEDIUM;
44277 }
44278 @@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
44279 object = cache->ops->alloc_object(cache, cookie);
44280 fscache_stat_d(&fscache_n_cop_alloc_object);
44281 if (IS_ERR(object)) {
44282 - fscache_stat(&fscache_n_object_no_alloc);
44283 + fscache_stat_unchecked(&fscache_n_object_no_alloc);
44284 ret = PTR_ERR(object);
44285 goto error;
44286 }
44287
44288 - fscache_stat(&fscache_n_object_alloc);
44289 + fscache_stat_unchecked(&fscache_n_object_alloc);
44290
44291 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
44292
44293 @@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
44294 struct fscache_object *object;
44295 struct hlist_node *_p;
44296
44297 - fscache_stat(&fscache_n_updates);
44298 + fscache_stat_unchecked(&fscache_n_updates);
44299
44300 if (!cookie) {
44301 - fscache_stat(&fscache_n_updates_null);
44302 + fscache_stat_unchecked(&fscache_n_updates_null);
44303 _leave(" [no cookie]");
44304 return;
44305 }
44306 @@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
44307 struct fscache_object *object;
44308 unsigned long event;
44309
44310 - fscache_stat(&fscache_n_relinquishes);
44311 + fscache_stat_unchecked(&fscache_n_relinquishes);
44312 if (retire)
44313 - fscache_stat(&fscache_n_relinquishes_retire);
44314 + fscache_stat_unchecked(&fscache_n_relinquishes_retire);
44315
44316 if (!cookie) {
44317 - fscache_stat(&fscache_n_relinquishes_null);
44318 + fscache_stat_unchecked(&fscache_n_relinquishes_null);
44319 _leave(" [no cookie]");
44320 return;
44321 }
44322 @@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
44323
44324 /* wait for the cookie to finish being instantiated (or to fail) */
44325 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
44326 - fscache_stat(&fscache_n_relinquishes_waitcrt);
44327 + fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
44328 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
44329 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
44330 }
44331 diff -urNp linux-2.6.32.46/fs/fscache/internal.h linux-2.6.32.46/fs/fscache/internal.h
44332 --- linux-2.6.32.46/fs/fscache/internal.h 2011-03-27 14:31:47.000000000 -0400
44333 +++ linux-2.6.32.46/fs/fscache/internal.h 2011-05-04 17:56:28.000000000 -0400
44334 @@ -136,94 +136,94 @@ extern void fscache_proc_cleanup(void);
44335 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
44336 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
44337
44338 -extern atomic_t fscache_n_op_pend;
44339 -extern atomic_t fscache_n_op_run;
44340 -extern atomic_t fscache_n_op_enqueue;
44341 -extern atomic_t fscache_n_op_deferred_release;
44342 -extern atomic_t fscache_n_op_release;
44343 -extern atomic_t fscache_n_op_gc;
44344 -extern atomic_t fscache_n_op_cancelled;
44345 -extern atomic_t fscache_n_op_rejected;
44346 -
44347 -extern atomic_t fscache_n_attr_changed;
44348 -extern atomic_t fscache_n_attr_changed_ok;
44349 -extern atomic_t fscache_n_attr_changed_nobufs;
44350 -extern atomic_t fscache_n_attr_changed_nomem;
44351 -extern atomic_t fscache_n_attr_changed_calls;
44352 -
44353 -extern atomic_t fscache_n_allocs;
44354 -extern atomic_t fscache_n_allocs_ok;
44355 -extern atomic_t fscache_n_allocs_wait;
44356 -extern atomic_t fscache_n_allocs_nobufs;
44357 -extern atomic_t fscache_n_allocs_intr;
44358 -extern atomic_t fscache_n_allocs_object_dead;
44359 -extern atomic_t fscache_n_alloc_ops;
44360 -extern atomic_t fscache_n_alloc_op_waits;
44361 -
44362 -extern atomic_t fscache_n_retrievals;
44363 -extern atomic_t fscache_n_retrievals_ok;
44364 -extern atomic_t fscache_n_retrievals_wait;
44365 -extern atomic_t fscache_n_retrievals_nodata;
44366 -extern atomic_t fscache_n_retrievals_nobufs;
44367 -extern atomic_t fscache_n_retrievals_intr;
44368 -extern atomic_t fscache_n_retrievals_nomem;
44369 -extern atomic_t fscache_n_retrievals_object_dead;
44370 -extern atomic_t fscache_n_retrieval_ops;
44371 -extern atomic_t fscache_n_retrieval_op_waits;
44372 -
44373 -extern atomic_t fscache_n_stores;
44374 -extern atomic_t fscache_n_stores_ok;
44375 -extern atomic_t fscache_n_stores_again;
44376 -extern atomic_t fscache_n_stores_nobufs;
44377 -extern atomic_t fscache_n_stores_oom;
44378 -extern atomic_t fscache_n_store_ops;
44379 -extern atomic_t fscache_n_store_calls;
44380 -extern atomic_t fscache_n_store_pages;
44381 -extern atomic_t fscache_n_store_radix_deletes;
44382 -extern atomic_t fscache_n_store_pages_over_limit;
44383 -
44384 -extern atomic_t fscache_n_store_vmscan_not_storing;
44385 -extern atomic_t fscache_n_store_vmscan_gone;
44386 -extern atomic_t fscache_n_store_vmscan_busy;
44387 -extern atomic_t fscache_n_store_vmscan_cancelled;
44388 -
44389 -extern atomic_t fscache_n_marks;
44390 -extern atomic_t fscache_n_uncaches;
44391 -
44392 -extern atomic_t fscache_n_acquires;
44393 -extern atomic_t fscache_n_acquires_null;
44394 -extern atomic_t fscache_n_acquires_no_cache;
44395 -extern atomic_t fscache_n_acquires_ok;
44396 -extern atomic_t fscache_n_acquires_nobufs;
44397 -extern atomic_t fscache_n_acquires_oom;
44398 -
44399 -extern atomic_t fscache_n_updates;
44400 -extern atomic_t fscache_n_updates_null;
44401 -extern atomic_t fscache_n_updates_run;
44402 -
44403 -extern atomic_t fscache_n_relinquishes;
44404 -extern atomic_t fscache_n_relinquishes_null;
44405 -extern atomic_t fscache_n_relinquishes_waitcrt;
44406 -extern atomic_t fscache_n_relinquishes_retire;
44407 -
44408 -extern atomic_t fscache_n_cookie_index;
44409 -extern atomic_t fscache_n_cookie_data;
44410 -extern atomic_t fscache_n_cookie_special;
44411 -
44412 -extern atomic_t fscache_n_object_alloc;
44413 -extern atomic_t fscache_n_object_no_alloc;
44414 -extern atomic_t fscache_n_object_lookups;
44415 -extern atomic_t fscache_n_object_lookups_negative;
44416 -extern atomic_t fscache_n_object_lookups_positive;
44417 -extern atomic_t fscache_n_object_lookups_timed_out;
44418 -extern atomic_t fscache_n_object_created;
44419 -extern atomic_t fscache_n_object_avail;
44420 -extern atomic_t fscache_n_object_dead;
44421 -
44422 -extern atomic_t fscache_n_checkaux_none;
44423 -extern atomic_t fscache_n_checkaux_okay;
44424 -extern atomic_t fscache_n_checkaux_update;
44425 -extern atomic_t fscache_n_checkaux_obsolete;
44426 +extern atomic_unchecked_t fscache_n_op_pend;
44427 +extern atomic_unchecked_t fscache_n_op_run;
44428 +extern atomic_unchecked_t fscache_n_op_enqueue;
44429 +extern atomic_unchecked_t fscache_n_op_deferred_release;
44430 +extern atomic_unchecked_t fscache_n_op_release;
44431 +extern atomic_unchecked_t fscache_n_op_gc;
44432 +extern atomic_unchecked_t fscache_n_op_cancelled;
44433 +extern atomic_unchecked_t fscache_n_op_rejected;
44434 +
44435 +extern atomic_unchecked_t fscache_n_attr_changed;
44436 +extern atomic_unchecked_t fscache_n_attr_changed_ok;
44437 +extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
44438 +extern atomic_unchecked_t fscache_n_attr_changed_nomem;
44439 +extern atomic_unchecked_t fscache_n_attr_changed_calls;
44440 +
44441 +extern atomic_unchecked_t fscache_n_allocs;
44442 +extern atomic_unchecked_t fscache_n_allocs_ok;
44443 +extern atomic_unchecked_t fscache_n_allocs_wait;
44444 +extern atomic_unchecked_t fscache_n_allocs_nobufs;
44445 +extern atomic_unchecked_t fscache_n_allocs_intr;
44446 +extern atomic_unchecked_t fscache_n_allocs_object_dead;
44447 +extern atomic_unchecked_t fscache_n_alloc_ops;
44448 +extern atomic_unchecked_t fscache_n_alloc_op_waits;
44449 +
44450 +extern atomic_unchecked_t fscache_n_retrievals;
44451 +extern atomic_unchecked_t fscache_n_retrievals_ok;
44452 +extern atomic_unchecked_t fscache_n_retrievals_wait;
44453 +extern atomic_unchecked_t fscache_n_retrievals_nodata;
44454 +extern atomic_unchecked_t fscache_n_retrievals_nobufs;
44455 +extern atomic_unchecked_t fscache_n_retrievals_intr;
44456 +extern atomic_unchecked_t fscache_n_retrievals_nomem;
44457 +extern atomic_unchecked_t fscache_n_retrievals_object_dead;
44458 +extern atomic_unchecked_t fscache_n_retrieval_ops;
44459 +extern atomic_unchecked_t fscache_n_retrieval_op_waits;
44460 +
44461 +extern atomic_unchecked_t fscache_n_stores;
44462 +extern atomic_unchecked_t fscache_n_stores_ok;
44463 +extern atomic_unchecked_t fscache_n_stores_again;
44464 +extern atomic_unchecked_t fscache_n_stores_nobufs;
44465 +extern atomic_unchecked_t fscache_n_stores_oom;
44466 +extern atomic_unchecked_t fscache_n_store_ops;
44467 +extern atomic_unchecked_t fscache_n_store_calls;
44468 +extern atomic_unchecked_t fscache_n_store_pages;
44469 +extern atomic_unchecked_t fscache_n_store_radix_deletes;
44470 +extern atomic_unchecked_t fscache_n_store_pages_over_limit;
44471 +
44472 +extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
44473 +extern atomic_unchecked_t fscache_n_store_vmscan_gone;
44474 +extern atomic_unchecked_t fscache_n_store_vmscan_busy;
44475 +extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
44476 +
44477 +extern atomic_unchecked_t fscache_n_marks;
44478 +extern atomic_unchecked_t fscache_n_uncaches;
44479 +
44480 +extern atomic_unchecked_t fscache_n_acquires;
44481 +extern atomic_unchecked_t fscache_n_acquires_null;
44482 +extern atomic_unchecked_t fscache_n_acquires_no_cache;
44483 +extern atomic_unchecked_t fscache_n_acquires_ok;
44484 +extern atomic_unchecked_t fscache_n_acquires_nobufs;
44485 +extern atomic_unchecked_t fscache_n_acquires_oom;
44486 +
44487 +extern atomic_unchecked_t fscache_n_updates;
44488 +extern atomic_unchecked_t fscache_n_updates_null;
44489 +extern atomic_unchecked_t fscache_n_updates_run;
44490 +
44491 +extern atomic_unchecked_t fscache_n_relinquishes;
44492 +extern atomic_unchecked_t fscache_n_relinquishes_null;
44493 +extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
44494 +extern atomic_unchecked_t fscache_n_relinquishes_retire;
44495 +
44496 +extern atomic_unchecked_t fscache_n_cookie_index;
44497 +extern atomic_unchecked_t fscache_n_cookie_data;
44498 +extern atomic_unchecked_t fscache_n_cookie_special;
44499 +
44500 +extern atomic_unchecked_t fscache_n_object_alloc;
44501 +extern atomic_unchecked_t fscache_n_object_no_alloc;
44502 +extern atomic_unchecked_t fscache_n_object_lookups;
44503 +extern atomic_unchecked_t fscache_n_object_lookups_negative;
44504 +extern atomic_unchecked_t fscache_n_object_lookups_positive;
44505 +extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
44506 +extern atomic_unchecked_t fscache_n_object_created;
44507 +extern atomic_unchecked_t fscache_n_object_avail;
44508 +extern atomic_unchecked_t fscache_n_object_dead;
44509 +
44510 +extern atomic_unchecked_t fscache_n_checkaux_none;
44511 +extern atomic_unchecked_t fscache_n_checkaux_okay;
44512 +extern atomic_unchecked_t fscache_n_checkaux_update;
44513 +extern atomic_unchecked_t fscache_n_checkaux_obsolete;
44514
44515 extern atomic_t fscache_n_cop_alloc_object;
44516 extern atomic_t fscache_n_cop_lookup_object;
44517 @@ -247,6 +247,11 @@ static inline void fscache_stat(atomic_t
44518 atomic_inc(stat);
44519 }
44520
44521 +static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
44522 +{
44523 + atomic_inc_unchecked(stat);
44524 +}
44525 +
44526 static inline void fscache_stat_d(atomic_t *stat)
44527 {
44528 atomic_dec(stat);
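Review bot: `fscache_stat_unchecked()` is added without a comment saying which counters may be passed to it. In this file the event counters move to `atomic_unchecked_t`, while the `fscache_n_cop_*` counters stay `atomic_t` and keep using `fscache_stat()`/`fscache_stat_d()`. A comment above the helper, e.g. `/* statistics that only ever increase: wrap-around is harmless, so these presumably skip overflow detection; never use for reference counts */`, would record that rule for the next person adding a counter. The same applies to every `fscache_stat()` to `fscache_stat_unchecked()` call-site change in cookie.c, object.c, operation.c and page.c.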
44529 @@ -259,6 +264,7 @@ extern const struct file_operations fsca
44530
44531 #define __fscache_stat(stat) (NULL)
44532 #define fscache_stat(stat) do {} while (0)
44533 +#define fscache_stat_unchecked(stat) do {} while (0)
44534 #define fscache_stat_d(stat) do {} while (0)
44535 #endif
44536
44537 diff -urNp linux-2.6.32.46/fs/fscache/object.c linux-2.6.32.46/fs/fscache/object.c
44538 --- linux-2.6.32.46/fs/fscache/object.c 2011-03-27 14:31:47.000000000 -0400
44539 +++ linux-2.6.32.46/fs/fscache/object.c 2011-05-04 17:56:28.000000000 -0400
44540 @@ -144,7 +144,7 @@ static void fscache_object_state_machine
44541 /* update the object metadata on disk */
44542 case FSCACHE_OBJECT_UPDATING:
44543 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
44544 - fscache_stat(&fscache_n_updates_run);
44545 + fscache_stat_unchecked(&fscache_n_updates_run);
44546 fscache_stat(&fscache_n_cop_update_object);
44547 object->cache->ops->update_object(object);
44548 fscache_stat_d(&fscache_n_cop_update_object);
44549 @@ -233,7 +233,7 @@ static void fscache_object_state_machine
44550 spin_lock(&object->lock);
44551 object->state = FSCACHE_OBJECT_DEAD;
44552 spin_unlock(&object->lock);
44553 - fscache_stat(&fscache_n_object_dead);
44554 + fscache_stat_unchecked(&fscache_n_object_dead);
44555 goto terminal_transit;
44556
44557 /* handle the parent cache of this object being withdrawn from
44558 @@ -248,7 +248,7 @@ static void fscache_object_state_machine
44559 spin_lock(&object->lock);
44560 object->state = FSCACHE_OBJECT_DEAD;
44561 spin_unlock(&object->lock);
44562 - fscache_stat(&fscache_n_object_dead);
44563 + fscache_stat_unchecked(&fscache_n_object_dead);
44564 goto terminal_transit;
44565
44566 /* complain about the object being woken up once it is
44567 @@ -492,7 +492,7 @@ static void fscache_lookup_object(struct
44568 parent->cookie->def->name, cookie->def->name,
44569 object->cache->tag->name);
44570
44571 - fscache_stat(&fscache_n_object_lookups);
44572 + fscache_stat_unchecked(&fscache_n_object_lookups);
44573 fscache_stat(&fscache_n_cop_lookup_object);
44574 ret = object->cache->ops->lookup_object(object);
44575 fscache_stat_d(&fscache_n_cop_lookup_object);
44576 @@ -503,7 +503,7 @@ static void fscache_lookup_object(struct
44577 if (ret == -ETIMEDOUT) {
44578 /* probably stuck behind another object, so move this one to
44579 * the back of the queue */
44580 - fscache_stat(&fscache_n_object_lookups_timed_out);
44581 + fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
44582 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
44583 }
44584
44585 @@ -526,7 +526,7 @@ void fscache_object_lookup_negative(stru
44586
44587 spin_lock(&object->lock);
44588 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
44589 - fscache_stat(&fscache_n_object_lookups_negative);
44590 + fscache_stat_unchecked(&fscache_n_object_lookups_negative);
44591
44592 /* transit here to allow write requests to begin stacking up
44593 * and read requests to begin returning ENODATA */
44594 @@ -572,7 +572,7 @@ void fscache_obtained_object(struct fsca
44595 * result, in which case there may be data available */
44596 spin_lock(&object->lock);
44597 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
44598 - fscache_stat(&fscache_n_object_lookups_positive);
44599 + fscache_stat_unchecked(&fscache_n_object_lookups_positive);
44600
44601 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
44602
44603 @@ -586,7 +586,7 @@ void fscache_obtained_object(struct fsca
44604 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
44605 } else {
44606 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
44607 - fscache_stat(&fscache_n_object_created);
44608 + fscache_stat_unchecked(&fscache_n_object_created);
44609
44610 object->state = FSCACHE_OBJECT_AVAILABLE;
44611 spin_unlock(&object->lock);
44612 @@ -633,7 +633,7 @@ static void fscache_object_available(str
44613 fscache_enqueue_dependents(object);
44614
44615 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
44616 - fscache_stat(&fscache_n_object_avail);
44617 + fscache_stat_unchecked(&fscache_n_object_avail);
44618
44619 _leave("");
44620 }
44621 @@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
44622 enum fscache_checkaux result;
44623
44624 if (!object->cookie->def->check_aux) {
44625 - fscache_stat(&fscache_n_checkaux_none);
44626 + fscache_stat_unchecked(&fscache_n_checkaux_none);
44627 return FSCACHE_CHECKAUX_OKAY;
44628 }
44629
44630 @@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
44631 switch (result) {
44632 /* entry okay as is */
44633 case FSCACHE_CHECKAUX_OKAY:
44634 - fscache_stat(&fscache_n_checkaux_okay);
44635 + fscache_stat_unchecked(&fscache_n_checkaux_okay);
44636 break;
44637
44638 /* entry requires update */
44639 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
44640 - fscache_stat(&fscache_n_checkaux_update);
44641 + fscache_stat_unchecked(&fscache_n_checkaux_update);
44642 break;
44643
44644 /* entry requires deletion */
44645 case FSCACHE_CHECKAUX_OBSOLETE:
44646 - fscache_stat(&fscache_n_checkaux_obsolete);
44647 + fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
44648 break;
44649
44650 default:
44651 diff -urNp linux-2.6.32.46/fs/fscache/operation.c linux-2.6.32.46/fs/fscache/operation.c
44652 --- linux-2.6.32.46/fs/fscache/operation.c 2011-03-27 14:31:47.000000000 -0400
44653 +++ linux-2.6.32.46/fs/fscache/operation.c 2011-05-04 17:56:28.000000000 -0400
44654 @@ -16,7 +16,7 @@
44655 #include <linux/seq_file.h>
44656 #include "internal.h"
44657
44658 -atomic_t fscache_op_debug_id;
44659 +atomic_unchecked_t fscache_op_debug_id;
44660 EXPORT_SYMBOL(fscache_op_debug_id);
44661
44662 /**
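Review bot: `fscache_op_debug_id` is exported, so changing its definition to `atomic_unchecked_t` requires its `extern` declaration and every user that increments or reads it to switch to the `_unchecked` accessors in the same patch; neither is visible in this hunk. It is worth confirming that the header declaration matches and build-testing with the overflow-checking option both on and off. A mismatch may only be diagnosed when the two types actually differ, which is an assumption here because the type's definition is outside this view.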
44663 @@ -39,7 +39,7 @@ void fscache_enqueue_operation(struct fs
44664 ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
44665 ASSERTCMP(atomic_read(&op->usage), >, 0);
44666
44667 - fscache_stat(&fscache_n_op_enqueue);
44668 + fscache_stat_unchecked(&fscache_n_op_enqueue);
44669 switch (op->flags & FSCACHE_OP_TYPE) {
44670 case FSCACHE_OP_FAST:
44671 _debug("queue fast");
44672 @@ -76,7 +76,7 @@ static void fscache_run_op(struct fscach
44673 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
44674 if (op->processor)
44675 fscache_enqueue_operation(op);
44676 - fscache_stat(&fscache_n_op_run);
44677 + fscache_stat_unchecked(&fscache_n_op_run);
44678 }
44679
44680 /*
44681 @@ -107,11 +107,11 @@ int fscache_submit_exclusive_op(struct f
44682 if (object->n_ops > 0) {
44683 atomic_inc(&op->usage);
44684 list_add_tail(&op->pend_link, &object->pending_ops);
44685 - fscache_stat(&fscache_n_op_pend);
44686 + fscache_stat_unchecked(&fscache_n_op_pend);
44687 } else if (!list_empty(&object->pending_ops)) {
44688 atomic_inc(&op->usage);
44689 list_add_tail(&op->pend_link, &object->pending_ops);
44690 - fscache_stat(&fscache_n_op_pend);
44691 + fscache_stat_unchecked(&fscache_n_op_pend);
44692 fscache_start_operations(object);
44693 } else {
44694 ASSERTCMP(object->n_in_progress, ==, 0);
44695 @@ -127,7 +127,7 @@ int fscache_submit_exclusive_op(struct f
44696 object->n_exclusive++; /* reads and writes must wait */
44697 atomic_inc(&op->usage);
44698 list_add_tail(&op->pend_link, &object->pending_ops);
44699 - fscache_stat(&fscache_n_op_pend);
44700 + fscache_stat_unchecked(&fscache_n_op_pend);
44701 ret = 0;
44702 } else {
44703 /* not allowed to submit ops in any other state */
44704 @@ -214,11 +214,11 @@ int fscache_submit_op(struct fscache_obj
44705 if (object->n_exclusive > 0) {
44706 atomic_inc(&op->usage);
44707 list_add_tail(&op->pend_link, &object->pending_ops);
44708 - fscache_stat(&fscache_n_op_pend);
44709 + fscache_stat_unchecked(&fscache_n_op_pend);
44710 } else if (!list_empty(&object->pending_ops)) {
44711 atomic_inc(&op->usage);
44712 list_add_tail(&op->pend_link, &object->pending_ops);
44713 - fscache_stat(&fscache_n_op_pend);
44714 + fscache_stat_unchecked(&fscache_n_op_pend);
44715 fscache_start_operations(object);
44716 } else {
44717 ASSERTCMP(object->n_exclusive, ==, 0);
44718 @@ -230,12 +230,12 @@ int fscache_submit_op(struct fscache_obj
44719 object->n_ops++;
44720 atomic_inc(&op->usage);
44721 list_add_tail(&op->pend_link, &object->pending_ops);
44722 - fscache_stat(&fscache_n_op_pend);
44723 + fscache_stat_unchecked(&fscache_n_op_pend);
44724 ret = 0;
44725 } else if (object->state == FSCACHE_OBJECT_DYING ||
44726 object->state == FSCACHE_OBJECT_LC_DYING ||
44727 object->state == FSCACHE_OBJECT_WITHDRAWING) {
44728 - fscache_stat(&fscache_n_op_rejected);
44729 + fscache_stat_unchecked(&fscache_n_op_rejected);
44730 ret = -ENOBUFS;
44731 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
44732 fscache_report_unexpected_submission(object, op, ostate);
44733 @@ -305,7 +305,7 @@ int fscache_cancel_op(struct fscache_ope
44734
44735 ret = -EBUSY;
44736 if (!list_empty(&op->pend_link)) {
44737 - fscache_stat(&fscache_n_op_cancelled);
44738 + fscache_stat_unchecked(&fscache_n_op_cancelled);
44739 list_del_init(&op->pend_link);
44740 object->n_ops--;
44741 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
44742 @@ -344,7 +344,7 @@ void fscache_put_operation(struct fscach
44743 if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
44744 BUG();
44745
44746 - fscache_stat(&fscache_n_op_release);
44747 + fscache_stat_unchecked(&fscache_n_op_release);
44748
44749 if (op->release) {
44750 op->release(op);
44751 @@ -361,7 +361,7 @@ void fscache_put_operation(struct fscach
44752 * lock, and defer it otherwise */
44753 if (!spin_trylock(&object->lock)) {
44754 _debug("defer put");
44755 - fscache_stat(&fscache_n_op_deferred_release);
44756 + fscache_stat_unchecked(&fscache_n_op_deferred_release);
44757
44758 cache = object->cache;
44759 spin_lock(&cache->op_gc_list_lock);
44760 @@ -423,7 +423,7 @@ void fscache_operation_gc(struct work_st
44761
44762 _debug("GC DEFERRED REL OBJ%x OP%x",
44763 object->debug_id, op->debug_id);
44764 - fscache_stat(&fscache_n_op_gc);
44765 + fscache_stat_unchecked(&fscache_n_op_gc);
44766
44767 ASSERTCMP(atomic_read(&op->usage), ==, 0);
44768
44769 diff -urNp linux-2.6.32.46/fs/fscache/page.c linux-2.6.32.46/fs/fscache/page.c
44770 --- linux-2.6.32.46/fs/fscache/page.c 2011-03-27 14:31:47.000000000 -0400
44771 +++ linux-2.6.32.46/fs/fscache/page.c 2011-05-04 17:56:28.000000000 -0400
44772 @@ -59,7 +59,7 @@ bool __fscache_maybe_release_page(struct
44773 val = radix_tree_lookup(&cookie->stores, page->index);
44774 if (!val) {
44775 rcu_read_unlock();
44776 - fscache_stat(&fscache_n_store_vmscan_not_storing);
44777 + fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
44778 __fscache_uncache_page(cookie, page);
44779 return true;
44780 }
44781 @@ -89,11 +89,11 @@ bool __fscache_maybe_release_page(struct
44782 spin_unlock(&cookie->stores_lock);
44783
44784 if (xpage) {
44785 - fscache_stat(&fscache_n_store_vmscan_cancelled);
44786 - fscache_stat(&fscache_n_store_radix_deletes);
44787 + fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
44788 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
44789 ASSERTCMP(xpage, ==, page);
44790 } else {
44791 - fscache_stat(&fscache_n_store_vmscan_gone);
44792 + fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
44793 }
44794
44795 wake_up_bit(&cookie->flags, 0);
44796 @@ -106,7 +106,7 @@ page_busy:
44797 /* we might want to wait here, but that could deadlock the allocator as
44798 * the slow-work threads writing to the cache may all end up sleeping
44799 * on memory allocation */
44800 - fscache_stat(&fscache_n_store_vmscan_busy);
44801 + fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
44802 return false;
44803 }
44804 EXPORT_SYMBOL(__fscache_maybe_release_page);
44805 @@ -130,7 +130,7 @@ static void fscache_end_page_write(struc
44806 FSCACHE_COOKIE_STORING_TAG);
44807 if (!radix_tree_tag_get(&cookie->stores, page->index,
44808 FSCACHE_COOKIE_PENDING_TAG)) {
44809 - fscache_stat(&fscache_n_store_radix_deletes);
44810 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
44811 xpage = radix_tree_delete(&cookie->stores, page->index);
44812 }
44813 spin_unlock(&cookie->stores_lock);
44814 @@ -151,7 +151,7 @@ static void fscache_attr_changed_op(stru
44815
44816 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
44817
44818 - fscache_stat(&fscache_n_attr_changed_calls);
44819 + fscache_stat_unchecked(&fscache_n_attr_changed_calls);
44820
44821 if (fscache_object_is_active(object)) {
44822 fscache_set_op_state(op, "CallFS");
44823 @@ -178,11 +178,11 @@ int __fscache_attr_changed(struct fscach
44824
44825 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
44826
44827 - fscache_stat(&fscache_n_attr_changed);
44828 + fscache_stat_unchecked(&fscache_n_attr_changed);
44829
44830 op = kzalloc(sizeof(*op), GFP_KERNEL);
44831 if (!op) {
44832 - fscache_stat(&fscache_n_attr_changed_nomem);
44833 + fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
44834 _leave(" = -ENOMEM");
44835 return -ENOMEM;
44836 }
44837 @@ -202,7 +202,7 @@ int __fscache_attr_changed(struct fscach
44838 if (fscache_submit_exclusive_op(object, op) < 0)
44839 goto nobufs;
44840 spin_unlock(&cookie->lock);
44841 - fscache_stat(&fscache_n_attr_changed_ok);
44842 + fscache_stat_unchecked(&fscache_n_attr_changed_ok);
44843 fscache_put_operation(op);
44844 _leave(" = 0");
44845 return 0;
44846 @@ -210,7 +210,7 @@ int __fscache_attr_changed(struct fscach
44847 nobufs:
44848 spin_unlock(&cookie->lock);
44849 kfree(op);
44850 - fscache_stat(&fscache_n_attr_changed_nobufs);
44851 + fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
44852 _leave(" = %d", -ENOBUFS);
44853 return -ENOBUFS;
44854 }
44855 @@ -264,7 +264,7 @@ static struct fscache_retrieval *fscache
44856 /* allocate a retrieval operation and attempt to submit it */
44857 op = kzalloc(sizeof(*op), GFP_NOIO);
44858 if (!op) {
44859 - fscache_stat(&fscache_n_retrievals_nomem);
44860 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
44861 return NULL;
44862 }
44863
44864 @@ -294,13 +294,13 @@ static int fscache_wait_for_deferred_loo
44865 return 0;
44866 }
44867
44868 - fscache_stat(&fscache_n_retrievals_wait);
44869 + fscache_stat_unchecked(&fscache_n_retrievals_wait);
44870
44871 jif = jiffies;
44872 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
44873 fscache_wait_bit_interruptible,
44874 TASK_INTERRUPTIBLE) != 0) {
44875 - fscache_stat(&fscache_n_retrievals_intr);
44876 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
44877 _leave(" = -ERESTARTSYS");
44878 return -ERESTARTSYS;
44879 }
44880 @@ -318,8 +318,8 @@ static int fscache_wait_for_deferred_loo
44881 */
44882 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
44883 struct fscache_retrieval *op,
44884 - atomic_t *stat_op_waits,
44885 - atomic_t *stat_object_dead)
44886 + atomic_unchecked_t *stat_op_waits,
44887 + atomic_unchecked_t *stat_object_dead)
44888 {
44889 int ret;
44890
44891 @@ -327,7 +327,7 @@ static int fscache_wait_for_retrieval_ac
44892 goto check_if_dead;
44893
44894 _debug(">>> WT");
44895 - fscache_stat(stat_op_waits);
44896 + fscache_stat_unchecked(stat_op_waits);
44897 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
44898 fscache_wait_bit_interruptible,
44899 TASK_INTERRUPTIBLE) < 0) {
44900 @@ -344,7 +344,7 @@ static int fscache_wait_for_retrieval_ac
44901
44902 check_if_dead:
44903 if (unlikely(fscache_object_is_dead(object))) {
44904 - fscache_stat(stat_object_dead);
44905 + fscache_stat_unchecked(stat_object_dead);
44906 return -ENOBUFS;
44907 }
44908 return 0;
44909 @@ -371,7 +371,7 @@ int __fscache_read_or_alloc_page(struct
44910
44911 _enter("%p,%p,,,", cookie, page);
44912
44913 - fscache_stat(&fscache_n_retrievals);
44914 + fscache_stat_unchecked(&fscache_n_retrievals);
44915
44916 if (hlist_empty(&cookie->backing_objects))
44917 goto nobufs;
44918 @@ -405,7 +405,7 @@ int __fscache_read_or_alloc_page(struct
44919 goto nobufs_unlock;
44920 spin_unlock(&cookie->lock);
44921
44922 - fscache_stat(&fscache_n_retrieval_ops);
44923 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
44924
44925 /* pin the netfs read context in case we need to do the actual netfs
44926 * read because we've encountered a cache read failure */
44927 @@ -435,15 +435,15 @@ int __fscache_read_or_alloc_page(struct
44928
44929 error:
44930 if (ret == -ENOMEM)
44931 - fscache_stat(&fscache_n_retrievals_nomem);
44932 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
44933 else if (ret == -ERESTARTSYS)
44934 - fscache_stat(&fscache_n_retrievals_intr);
44935 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
44936 else if (ret == -ENODATA)
44937 - fscache_stat(&fscache_n_retrievals_nodata);
44938 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
44939 else if (ret < 0)
44940 - fscache_stat(&fscache_n_retrievals_nobufs);
44941 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
44942 else
44943 - fscache_stat(&fscache_n_retrievals_ok);
44944 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
44945
44946 fscache_put_retrieval(op);
44947 _leave(" = %d", ret);
44948 @@ -453,7 +453,7 @@ nobufs_unlock:
44949 spin_unlock(&cookie->lock);
44950 kfree(op);
44951 nobufs:
44952 - fscache_stat(&fscache_n_retrievals_nobufs);
44953 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
44954 _leave(" = -ENOBUFS");
44955 return -ENOBUFS;
44956 }
44957 @@ -491,7 +491,7 @@ int __fscache_read_or_alloc_pages(struct
44958
44959 _enter("%p,,%d,,,", cookie, *nr_pages);
44960
44961 - fscache_stat(&fscache_n_retrievals);
44962 + fscache_stat_unchecked(&fscache_n_retrievals);
44963
44964 if (hlist_empty(&cookie->backing_objects))
44965 goto nobufs;
44966 @@ -522,7 +522,7 @@ int __fscache_read_or_alloc_pages(struct
44967 goto nobufs_unlock;
44968 spin_unlock(&cookie->lock);
44969
44970 - fscache_stat(&fscache_n_retrieval_ops);
44971 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
44972
44973 /* pin the netfs read context in case we need to do the actual netfs
44974 * read because we've encountered a cache read failure */
44975 @@ -552,15 +552,15 @@ int __fscache_read_or_alloc_pages(struct
44976
44977 error:
44978 if (ret == -ENOMEM)
44979 - fscache_stat(&fscache_n_retrievals_nomem);
44980 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
44981 else if (ret == -ERESTARTSYS)
44982 - fscache_stat(&fscache_n_retrievals_intr);
44983 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
44984 else if (ret == -ENODATA)
44985 - fscache_stat(&fscache_n_retrievals_nodata);
44986 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
44987 else if (ret < 0)
44988 - fscache_stat(&fscache_n_retrievals_nobufs);
44989 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
44990 else
44991 - fscache_stat(&fscache_n_retrievals_ok);
44992 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
44993
44994 fscache_put_retrieval(op);
44995 _leave(" = %d", ret);
44996 @@ -570,7 +570,7 @@ nobufs_unlock:
44997 spin_unlock(&cookie->lock);
44998 kfree(op);
44999 nobufs:
45000 - fscache_stat(&fscache_n_retrievals_nobufs);
45001 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
45002 _leave(" = -ENOBUFS");
45003 return -ENOBUFS;
45004 }
45005 @@ -594,7 +594,7 @@ int __fscache_alloc_page(struct fscache_
45006
45007 _enter("%p,%p,,,", cookie, page);
45008
45009 - fscache_stat(&fscache_n_allocs);
45010 + fscache_stat_unchecked(&fscache_n_allocs);
45011
45012 if (hlist_empty(&cookie->backing_objects))
45013 goto nobufs;
45014 @@ -621,7 +621,7 @@ int __fscache_alloc_page(struct fscache_
45015 goto nobufs_unlock;
45016 spin_unlock(&cookie->lock);
45017
45018 - fscache_stat(&fscache_n_alloc_ops);
45019 + fscache_stat_unchecked(&fscache_n_alloc_ops);
45020
45021 ret = fscache_wait_for_retrieval_activation(
45022 object, op,
45023 @@ -637,11 +637,11 @@ int __fscache_alloc_page(struct fscache_
45024
45025 error:
45026 if (ret == -ERESTARTSYS)
45027 - fscache_stat(&fscache_n_allocs_intr);
45028 + fscache_stat_unchecked(&fscache_n_allocs_intr);
45029 else if (ret < 0)
45030 - fscache_stat(&fscache_n_allocs_nobufs);
45031 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
45032 else
45033 - fscache_stat(&fscache_n_allocs_ok);
45034 + fscache_stat_unchecked(&fscache_n_allocs_ok);
45035
45036 fscache_put_retrieval(op);
45037 _leave(" = %d", ret);
45038 @@ -651,7 +651,7 @@ nobufs_unlock:
45039 spin_unlock(&cookie->lock);
45040 kfree(op);
45041 nobufs:
45042 - fscache_stat(&fscache_n_allocs_nobufs);
45043 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
45044 _leave(" = -ENOBUFS");
45045 return -ENOBUFS;
45046 }
45047 @@ -694,7 +694,7 @@ static void fscache_write_op(struct fsca
45048
45049 spin_lock(&cookie->stores_lock);
45050
45051 - fscache_stat(&fscache_n_store_calls);
45052 + fscache_stat_unchecked(&fscache_n_store_calls);
45053
45054 /* find a page to store */
45055 page = NULL;
45056 @@ -705,7 +705,7 @@ static void fscache_write_op(struct fsca
45057 page = results[0];
45058 _debug("gang %d [%lx]", n, page->index);
45059 if (page->index > op->store_limit) {
45060 - fscache_stat(&fscache_n_store_pages_over_limit);
45061 + fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
45062 goto superseded;
45063 }
45064
45065 @@ -721,7 +721,7 @@ static void fscache_write_op(struct fsca
45066
45067 if (page) {
45068 fscache_set_op_state(&op->op, "Store");
45069 - fscache_stat(&fscache_n_store_pages);
45070 + fscache_stat_unchecked(&fscache_n_store_pages);
45071 fscache_stat(&fscache_n_cop_write_page);
45072 ret = object->cache->ops->write_page(op, page);
45073 fscache_stat_d(&fscache_n_cop_write_page);
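Review bot: The two counter updates now sitting next to each other use different helpers, `fscache_stat_unchecked(&fscache_n_store_pages)` and `fscache_stat(&fscache_n_cop_write_page)`, and nothing says the split is deliberate. In the visible lines the second counter is decremented again by `fscache_stat_d()` once `write_page()` returns, so it looks like a balanced in-flight count, while the first only grows. A one-line comment such as `/* n_cop_* are inc/dec pairs and stay overflow-checked; n_store_* are wrap-tolerant statistics */` would stop a later cleanup from "fixing" the apparent inconsistency. The body of fscache_write_op starts and ends outside the hunk.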
45074 @@ -792,7 +792,7 @@ int __fscache_write_page(struct fscache_
45075 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
45076 ASSERT(PageFsCache(page));
45077
45078 - fscache_stat(&fscache_n_stores);
45079 + fscache_stat_unchecked(&fscache_n_stores);
45080
45081 op = kzalloc(sizeof(*op), GFP_NOIO);
45082 if (!op)
45083 @@ -844,7 +844,7 @@ int __fscache_write_page(struct fscache_
45084 spin_unlock(&cookie->stores_lock);
45085 spin_unlock(&object->lock);
45086
45087 - op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
45088 + op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
45089 op->store_limit = object->store_limit;
45090
45091 if (fscache_submit_op(object, &op->op) < 0)
45092 @@ -852,8 +852,8 @@ int __fscache_write_page(struct fscache_
45093
45094 spin_unlock(&cookie->lock);
45095 radix_tree_preload_end();
45096 - fscache_stat(&fscache_n_store_ops);
45097 - fscache_stat(&fscache_n_stores_ok);
45098 + fscache_stat_unchecked(&fscache_n_store_ops);
45099 + fscache_stat_unchecked(&fscache_n_stores_ok);
45100
45101 /* the slow work queue now carries its own ref on the object */
45102 fscache_put_operation(&op->op);
45103 @@ -861,14 +861,14 @@ int __fscache_write_page(struct fscache_
45104 return 0;
45105
45106 already_queued:
45107 - fscache_stat(&fscache_n_stores_again);
45108 + fscache_stat_unchecked(&fscache_n_stores_again);
45109 already_pending:
45110 spin_unlock(&cookie->stores_lock);
45111 spin_unlock(&object->lock);
45112 spin_unlock(&cookie->lock);
45113 radix_tree_preload_end();
45114 kfree(op);
45115 - fscache_stat(&fscache_n_stores_ok);
45116 + fscache_stat_unchecked(&fscache_n_stores_ok);
45117 _leave(" = 0");
45118 return 0;
45119
45120 @@ -886,14 +886,14 @@ nobufs:
45121 spin_unlock(&cookie->lock);
45122 radix_tree_preload_end();
45123 kfree(op);
45124 - fscache_stat(&fscache_n_stores_nobufs);
45125 + fscache_stat_unchecked(&fscache_n_stores_nobufs);
45126 _leave(" = -ENOBUFS");
45127 return -ENOBUFS;
45128
45129 nomem_free:
45130 kfree(op);
45131 nomem:
45132 - fscache_stat(&fscache_n_stores_oom);
45133 + fscache_stat_unchecked(&fscache_n_stores_oom);
45134 _leave(" = -ENOMEM");
45135 return -ENOMEM;
45136 }
45137 @@ -911,7 +911,7 @@ void __fscache_uncache_page(struct fscac
45138 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
45139 ASSERTCMP(page, !=, NULL);
45140
45141 - fscache_stat(&fscache_n_uncaches);
45142 + fscache_stat_unchecked(&fscache_n_uncaches);
45143
45144 /* cache withdrawal may beat us to it */
45145 if (!PageFsCache(page))
45146 @@ -964,7 +964,7 @@ void fscache_mark_pages_cached(struct fs
45147 unsigned long loop;
45148
45149 #ifdef CONFIG_FSCACHE_STATS
45150 - atomic_add(pagevec->nr, &fscache_n_marks);
45151 + atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
45152 #endif
45153
45154 for (loop = 0; loop < pagevec->nr; loop++) {
45155 diff -urNp linux-2.6.32.46/fs/fscache/stats.c linux-2.6.32.46/fs/fscache/stats.c
45156 --- linux-2.6.32.46/fs/fscache/stats.c 2011-03-27 14:31:47.000000000 -0400
45157 +++ linux-2.6.32.46/fs/fscache/stats.c 2011-05-04 17:56:28.000000000 -0400
45158 @@ -18,95 +18,95 @@
45159 /*
45160 * operation counters
45161 */
45162 -atomic_t fscache_n_op_pend;
45163 -atomic_t fscache_n_op_run;
45164 -atomic_t fscache_n_op_enqueue;
45165 -atomic_t fscache_n_op_requeue;
45166 -atomic_t fscache_n_op_deferred_release;
45167 -atomic_t fscache_n_op_release;
45168 -atomic_t fscache_n_op_gc;
45169 -atomic_t fscache_n_op_cancelled;
45170 -atomic_t fscache_n_op_rejected;
45171 -
45172 -atomic_t fscache_n_attr_changed;
45173 -atomic_t fscache_n_attr_changed_ok;
45174 -atomic_t fscache_n_attr_changed_nobufs;
45175 -atomic_t fscache_n_attr_changed_nomem;
45176 -atomic_t fscache_n_attr_changed_calls;
45177 -
45178 -atomic_t fscache_n_allocs;
45179 -atomic_t fscache_n_allocs_ok;
45180 -atomic_t fscache_n_allocs_wait;
45181 -atomic_t fscache_n_allocs_nobufs;
45182 -atomic_t fscache_n_allocs_intr;
45183 -atomic_t fscache_n_allocs_object_dead;
45184 -atomic_t fscache_n_alloc_ops;
45185 -atomic_t fscache_n_alloc_op_waits;
45186 -
45187 -atomic_t fscache_n_retrievals;
45188 -atomic_t fscache_n_retrievals_ok;
45189 -atomic_t fscache_n_retrievals_wait;
45190 -atomic_t fscache_n_retrievals_nodata;
45191 -atomic_t fscache_n_retrievals_nobufs;
45192 -atomic_t fscache_n_retrievals_intr;
45193 -atomic_t fscache_n_retrievals_nomem;
45194 -atomic_t fscache_n_retrievals_object_dead;
45195 -atomic_t fscache_n_retrieval_ops;
45196 -atomic_t fscache_n_retrieval_op_waits;
45197 -
45198 -atomic_t fscache_n_stores;
45199 -atomic_t fscache_n_stores_ok;
45200 -atomic_t fscache_n_stores_again;
45201 -atomic_t fscache_n_stores_nobufs;
45202 -atomic_t fscache_n_stores_oom;
45203 -atomic_t fscache_n_store_ops;
45204 -atomic_t fscache_n_store_calls;
45205 -atomic_t fscache_n_store_pages;
45206 -atomic_t fscache_n_store_radix_deletes;
45207 -atomic_t fscache_n_store_pages_over_limit;
45208 -
45209 -atomic_t fscache_n_store_vmscan_not_storing;
45210 -atomic_t fscache_n_store_vmscan_gone;
45211 -atomic_t fscache_n_store_vmscan_busy;
45212 -atomic_t fscache_n_store_vmscan_cancelled;
45213 -
45214 -atomic_t fscache_n_marks;
45215 -atomic_t fscache_n_uncaches;
45216 -
45217 -atomic_t fscache_n_acquires;
45218 -atomic_t fscache_n_acquires_null;
45219 -atomic_t fscache_n_acquires_no_cache;
45220 -atomic_t fscache_n_acquires_ok;
45221 -atomic_t fscache_n_acquires_nobufs;
45222 -atomic_t fscache_n_acquires_oom;
45223 -
45224 -atomic_t fscache_n_updates;
45225 -atomic_t fscache_n_updates_null;
45226 -atomic_t fscache_n_updates_run;
45227 -
45228 -atomic_t fscache_n_relinquishes;
45229 -atomic_t fscache_n_relinquishes_null;
45230 -atomic_t fscache_n_relinquishes_waitcrt;
45231 -atomic_t fscache_n_relinquishes_retire;
45232 -
45233 -atomic_t fscache_n_cookie_index;
45234 -atomic_t fscache_n_cookie_data;
45235 -atomic_t fscache_n_cookie_special;
45236 -
45237 -atomic_t fscache_n_object_alloc;
45238 -atomic_t fscache_n_object_no_alloc;
45239 -atomic_t fscache_n_object_lookups;
45240 -atomic_t fscache_n_object_lookups_negative;
45241 -atomic_t fscache_n_object_lookups_positive;
45242 -atomic_t fscache_n_object_lookups_timed_out;
45243 -atomic_t fscache_n_object_created;
45244 -atomic_t fscache_n_object_avail;
45245 -atomic_t fscache_n_object_dead;
45246 -
45247 -atomic_t fscache_n_checkaux_none;
45248 -atomic_t fscache_n_checkaux_okay;
45249 -atomic_t fscache_n_checkaux_update;
45250 -atomic_t fscache_n_checkaux_obsolete;
45251 +atomic_unchecked_t fscache_n_op_pend;
45252 +atomic_unchecked_t fscache_n_op_run;
45253 +atomic_unchecked_t fscache_n_op_enqueue;
45254 +atomic_unchecked_t fscache_n_op_requeue;
45255 +atomic_unchecked_t fscache_n_op_deferred_release;
45256 +atomic_unchecked_t fscache_n_op_release;
45257 +atomic_unchecked_t fscache_n_op_gc;
45258 +atomic_unchecked_t fscache_n_op_cancelled;
45259 +atomic_unchecked_t fscache_n_op_rejected;
45260 +
45261 +atomic_unchecked_t fscache_n_attr_changed;
45262 +atomic_unchecked_t fscache_n_attr_changed_ok;
45263 +atomic_unchecked_t fscache_n_attr_changed_nobufs;
45264 +atomic_unchecked_t fscache_n_attr_changed_nomem;
45265 +atomic_unchecked_t fscache_n_attr_changed_calls;
45266 +
45267 +atomic_unchecked_t fscache_n_allocs;
45268 +atomic_unchecked_t fscache_n_allocs_ok;
45269 +atomic_unchecked_t fscache_n_allocs_wait;
45270 +atomic_unchecked_t fscache_n_allocs_nobufs;
45271 +atomic_unchecked_t fscache_n_allocs_intr;
45272 +atomic_unchecked_t fscache_n_allocs_object_dead;
45273 +atomic_unchecked_t fscache_n_alloc_ops;
45274 +atomic_unchecked_t fscache_n_alloc_op_waits;
45275 +
45276 +atomic_unchecked_t fscache_n_retrievals;
45277 +atomic_unchecked_t fscache_n_retrievals_ok;
45278 +atomic_unchecked_t fscache_n_retrievals_wait;
45279 +atomic_unchecked_t fscache_n_retrievals_nodata;
45280 +atomic_unchecked_t fscache_n_retrievals_nobufs;
45281 +atomic_unchecked_t fscache_n_retrievals_intr;
45282 +atomic_unchecked_t fscache_n_retrievals_nomem;
45283 +atomic_unchecked_t fscache_n_retrievals_object_dead;
45284 +atomic_unchecked_t fscache_n_retrieval_ops;
45285 +atomic_unchecked_t fscache_n_retrieval_op_waits;
45286 +
45287 +atomic_unchecked_t fscache_n_stores;
45288 +atomic_unchecked_t fscache_n_stores_ok;
45289 +atomic_unchecked_t fscache_n_stores_again;
45290 +atomic_unchecked_t fscache_n_stores_nobufs;
45291 +atomic_unchecked_t fscache_n_stores_oom;
45292 +atomic_unchecked_t fscache_n_store_ops;
45293 +atomic_unchecked_t fscache_n_store_calls;
45294 +atomic_unchecked_t fscache_n_store_pages;
45295 +atomic_unchecked_t fscache_n_store_radix_deletes;
45296 +atomic_unchecked_t fscache_n_store_pages_over_limit;
45297 +
45298 +atomic_unchecked_t fscache_n_store_vmscan_not_storing;
45299 +atomic_unchecked_t fscache_n_store_vmscan_gone;
45300 +atomic_unchecked_t fscache_n_store_vmscan_busy;
45301 +atomic_unchecked_t fscache_n_store_vmscan_cancelled;
45302 +
45303 +atomic_unchecked_t fscache_n_marks;
45304 +atomic_unchecked_t fscache_n_uncaches;
45305 +
45306 +atomic_unchecked_t fscache_n_acquires;
45307 +atomic_unchecked_t fscache_n_acquires_null;
45308 +atomic_unchecked_t fscache_n_acquires_no_cache;
45309 +atomic_unchecked_t fscache_n_acquires_ok;
45310 +atomic_unchecked_t fscache_n_acquires_nobufs;
45311 +atomic_unchecked_t fscache_n_acquires_oom;
45312 +
45313 +atomic_unchecked_t fscache_n_updates;
45314 +atomic_unchecked_t fscache_n_updates_null;
45315 +atomic_unchecked_t fscache_n_updates_run;
45316 +
45317 +atomic_unchecked_t fscache_n_relinquishes;
45318 +atomic_unchecked_t fscache_n_relinquishes_null;
45319 +atomic_unchecked_t fscache_n_relinquishes_waitcrt;
45320 +atomic_unchecked_t fscache_n_relinquishes_retire;
45321 +
45322 +atomic_unchecked_t fscache_n_cookie_index;
45323 +atomic_unchecked_t fscache_n_cookie_data;
45324 +atomic_unchecked_t fscache_n_cookie_special;
45325 +
45326 +atomic_unchecked_t fscache_n_object_alloc;
45327 +atomic_unchecked_t fscache_n_object_no_alloc;
45328 +atomic_unchecked_t fscache_n_object_lookups;
45329 +atomic_unchecked_t fscache_n_object_lookups_negative;
45330 +atomic_unchecked_t fscache_n_object_lookups_positive;
45331 +atomic_unchecked_t fscache_n_object_lookups_timed_out;
45332 +atomic_unchecked_t fscache_n_object_created;
45333 +atomic_unchecked_t fscache_n_object_avail;
45334 +atomic_unchecked_t fscache_n_object_dead;
45335 +
45336 +atomic_unchecked_t fscache_n_checkaux_none;
45337 +atomic_unchecked_t fscache_n_checkaux_okay;
45338 +atomic_unchecked_t fscache_n_checkaux_update;
45339 +atomic_unchecked_t fscache_n_checkaux_obsolete;
45340
45341 atomic_t fscache_n_cop_alloc_object;
45342 atomic_t fscache_n_cop_lookup_object;
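Review bot: The counters converted to `atomic_unchecked_t` carry no comment saying why they are exempt from overflow checking, while the `fscache_n_cop_*` counters directly below stay `atomic_t`. Presumably the converted ones are pure event statistics that may wrap harmlessly and the unchecked type opts them out of reference-counter overflow detection; that reasoning is not visible here and should be confirmed. Extending the existing header comment, e.g. `/* operation counters: statistics only, wrap-around is harmless, hence atomic_unchecked_t */`, would record the rule. That matters because anyone adding a counter to this list needs to know the unchecked type is wrong for anything used as a reference count.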
45343 @@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
45344 seq_puts(m, "FS-Cache statistics\n");
45345
45346 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
45347 - atomic_read(&fscache_n_cookie_index),
45348 - atomic_read(&fscache_n_cookie_data),
45349 - atomic_read(&fscache_n_cookie_special));
45350 + atomic_read_unchecked(&fscache_n_cookie_index),
45351 + atomic_read_unchecked(&fscache_n_cookie_data),
45352 + atomic_read_unchecked(&fscache_n_cookie_special));
45353
45354 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
45355 - atomic_read(&fscache_n_object_alloc),
45356 - atomic_read(&fscache_n_object_no_alloc),
45357 - atomic_read(&fscache_n_object_avail),
45358 - atomic_read(&fscache_n_object_dead));
45359 + atomic_read_unchecked(&fscache_n_object_alloc),
45360 + atomic_read_unchecked(&fscache_n_object_no_alloc),
45361 + atomic_read_unchecked(&fscache_n_object_avail),
45362 + atomic_read_unchecked(&fscache_n_object_dead));
45363 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
45364 - atomic_read(&fscache_n_checkaux_none),
45365 - atomic_read(&fscache_n_checkaux_okay),
45366 - atomic_read(&fscache_n_checkaux_update),
45367 - atomic_read(&fscache_n_checkaux_obsolete));
45368 + atomic_read_unchecked(&fscache_n_checkaux_none),
45369 + atomic_read_unchecked(&fscache_n_checkaux_okay),
45370 + atomic_read_unchecked(&fscache_n_checkaux_update),
45371 + atomic_read_unchecked(&fscache_n_checkaux_obsolete));
45372
45373 seq_printf(m, "Pages : mrk=%u unc=%u\n",
45374 - atomic_read(&fscache_n_marks),
45375 - atomic_read(&fscache_n_uncaches));
45376 + atomic_read_unchecked(&fscache_n_marks),
45377 + atomic_read_unchecked(&fscache_n_uncaches));
45378
45379 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
45380 " oom=%u\n",
45381 - atomic_read(&fscache_n_acquires),
45382 - atomic_read(&fscache_n_acquires_null),
45383 - atomic_read(&fscache_n_acquires_no_cache),
45384 - atomic_read(&fscache_n_acquires_ok),
45385 - atomic_read(&fscache_n_acquires_nobufs),
45386 - atomic_read(&fscache_n_acquires_oom));
45387 + atomic_read_unchecked(&fscache_n_acquires),
45388 + atomic_read_unchecked(&fscache_n_acquires_null),
45389 + atomic_read_unchecked(&fscache_n_acquires_no_cache),
45390 + atomic_read_unchecked(&fscache_n_acquires_ok),
45391 + atomic_read_unchecked(&fscache_n_acquires_nobufs),
45392 + atomic_read_unchecked(&fscache_n_acquires_oom));
45393
45394 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
45395 - atomic_read(&fscache_n_object_lookups),
45396 - atomic_read(&fscache_n_object_lookups_negative),
45397 - atomic_read(&fscache_n_object_lookups_positive),
45398 - atomic_read(&fscache_n_object_lookups_timed_out),
45399 - atomic_read(&fscache_n_object_created));
45400 + atomic_read_unchecked(&fscache_n_object_lookups),
45401 + atomic_read_unchecked(&fscache_n_object_lookups_negative),
45402 + atomic_read_unchecked(&fscache_n_object_lookups_positive),
45403 + atomic_read_unchecked(&fscache_n_object_lookups_timed_out),
45404 + atomic_read_unchecked(&fscache_n_object_created));
45405
45406 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
45407 - atomic_read(&fscache_n_updates),
45408 - atomic_read(&fscache_n_updates_null),
45409 - atomic_read(&fscache_n_updates_run));
45410 + atomic_read_unchecked(&fscache_n_updates),
45411 + atomic_read_unchecked(&fscache_n_updates_null),
45412 + atomic_read_unchecked(&fscache_n_updates_run));
45413
45414 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
45415 - atomic_read(&fscache_n_relinquishes),
45416 - atomic_read(&fscache_n_relinquishes_null),
45417 - atomic_read(&fscache_n_relinquishes_waitcrt),
45418 - atomic_read(&fscache_n_relinquishes_retire));
45419 + atomic_read_unchecked(&fscache_n_relinquishes),
45420 + atomic_read_unchecked(&fscache_n_relinquishes_null),
45421 + atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
45422 + atomic_read_unchecked(&fscache_n_relinquishes_retire));
45423
45424 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
45425 - atomic_read(&fscache_n_attr_changed),
45426 - atomic_read(&fscache_n_attr_changed_ok),
45427 - atomic_read(&fscache_n_attr_changed_nobufs),
45428 - atomic_read(&fscache_n_attr_changed_nomem),
45429 - atomic_read(&fscache_n_attr_changed_calls));
45430 + atomic_read_unchecked(&fscache_n_attr_changed),
45431 + atomic_read_unchecked(&fscache_n_attr_changed_ok),
45432 + atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
45433 + atomic_read_unchecked(&fscache_n_attr_changed_nomem),
45434 + atomic_read_unchecked(&fscache_n_attr_changed_calls));
45435
45436 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
45437 - atomic_read(&fscache_n_allocs),
45438 - atomic_read(&fscache_n_allocs_ok),
45439 - atomic_read(&fscache_n_allocs_wait),
45440 - atomic_read(&fscache_n_allocs_nobufs),
45441 - atomic_read(&fscache_n_allocs_intr));
45442 + atomic_read_unchecked(&fscache_n_allocs),
45443 + atomic_read_unchecked(&fscache_n_allocs_ok),
45444 + atomic_read_unchecked(&fscache_n_allocs_wait),
45445 + atomic_read_unchecked(&fscache_n_allocs_nobufs),
45446 + atomic_read_unchecked(&fscache_n_allocs_intr));
45447 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
45448 - atomic_read(&fscache_n_alloc_ops),
45449 - atomic_read(&fscache_n_alloc_op_waits),
45450 - atomic_read(&fscache_n_allocs_object_dead));
45451 + atomic_read_unchecked(&fscache_n_alloc_ops),
45452 + atomic_read_unchecked(&fscache_n_alloc_op_waits),
45453 + atomic_read_unchecked(&fscache_n_allocs_object_dead));
45454
45455 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
45456 " int=%u oom=%u\n",
45457 - atomic_read(&fscache_n_retrievals),
45458 - atomic_read(&fscache_n_retrievals_ok),
45459 - atomic_read(&fscache_n_retrievals_wait),
45460 - atomic_read(&fscache_n_retrievals_nodata),
45461 - atomic_read(&fscache_n_retrievals_nobufs),
45462 - atomic_read(&fscache_n_retrievals_intr),
45463 - atomic_read(&fscache_n_retrievals_nomem));
45464 + atomic_read_unchecked(&fscache_n_retrievals),
45465 + atomic_read_unchecked(&fscache_n_retrievals_ok),
45466 + atomic_read_unchecked(&fscache_n_retrievals_wait),
45467 + atomic_read_unchecked(&fscache_n_retrievals_nodata),
45468 + atomic_read_unchecked(&fscache_n_retrievals_nobufs),
45469 + atomic_read_unchecked(&fscache_n_retrievals_intr),
45470 + atomic_read_unchecked(&fscache_n_retrievals_nomem));
45471 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
45472 - atomic_read(&fscache_n_retrieval_ops),
45473 - atomic_read(&fscache_n_retrieval_op_waits),
45474 - atomic_read(&fscache_n_retrievals_object_dead));
45475 + atomic_read_unchecked(&fscache_n_retrieval_ops),
45476 + atomic_read_unchecked(&fscache_n_retrieval_op_waits),
45477 + atomic_read_unchecked(&fscache_n_retrievals_object_dead));
45478
45479 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
45480 - atomic_read(&fscache_n_stores),
45481 - atomic_read(&fscache_n_stores_ok),
45482 - atomic_read(&fscache_n_stores_again),
45483 - atomic_read(&fscache_n_stores_nobufs),
45484 - atomic_read(&fscache_n_stores_oom));
45485 + atomic_read_unchecked(&fscache_n_stores),
45486 + atomic_read_unchecked(&fscache_n_stores_ok),
45487 + atomic_read_unchecked(&fscache_n_stores_again),
45488 + atomic_read_unchecked(&fscache_n_stores_nobufs),
45489 + atomic_read_unchecked(&fscache_n_stores_oom));
45490 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
45491 - atomic_read(&fscache_n_store_ops),
45492 - atomic_read(&fscache_n_store_calls),
45493 - atomic_read(&fscache_n_store_pages),
45494 - atomic_read(&fscache_n_store_radix_deletes),
45495 - atomic_read(&fscache_n_store_pages_over_limit));
45496 + atomic_read_unchecked(&fscache_n_store_ops),
45497 + atomic_read_unchecked(&fscache_n_store_calls),
45498 + atomic_read_unchecked(&fscache_n_store_pages),
45499 + atomic_read_unchecked(&fscache_n_store_radix_deletes),
45500 + atomic_read_unchecked(&fscache_n_store_pages_over_limit));
45501
45502 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
45503 - atomic_read(&fscache_n_store_vmscan_not_storing),
45504 - atomic_read(&fscache_n_store_vmscan_gone),
45505 - atomic_read(&fscache_n_store_vmscan_busy),
45506 - atomic_read(&fscache_n_store_vmscan_cancelled));
45507 + atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
45508 + atomic_read_unchecked(&fscache_n_store_vmscan_gone),
45509 + atomic_read_unchecked(&fscache_n_store_vmscan_busy),
45510 + atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
45511
45512 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
45513 - atomic_read(&fscache_n_op_pend),
45514 - atomic_read(&fscache_n_op_run),
45515 - atomic_read(&fscache_n_op_enqueue),
45516 - atomic_read(&fscache_n_op_cancelled),
45517 - atomic_read(&fscache_n_op_rejected));
45518 + atomic_read_unchecked(&fscache_n_op_pend),
45519 + atomic_read_unchecked(&fscache_n_op_run),
45520 + atomic_read_unchecked(&fscache_n_op_enqueue),
45521 + atomic_read_unchecked(&fscache_n_op_cancelled),
45522 + atomic_read_unchecked(&fscache_n_op_rejected));
45523 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
45524 - atomic_read(&fscache_n_op_deferred_release),
45525 - atomic_read(&fscache_n_op_release),
45526 - atomic_read(&fscache_n_op_gc));
45527 + atomic_read_unchecked(&fscache_n_op_deferred_release),
45528 + atomic_read_unchecked(&fscache_n_op_release),
45529 + atomic_read_unchecked(&fscache_n_op_gc));
45530
45531 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
45532 atomic_read(&fscache_n_cop_alloc_object),
45533 diff -urNp linux-2.6.32.46/fs/fs_struct.c linux-2.6.32.46/fs/fs_struct.c
45534 --- linux-2.6.32.46/fs/fs_struct.c 2011-03-27 14:31:47.000000000 -0400
45535 +++ linux-2.6.32.46/fs/fs_struct.c 2011-04-17 15:56:46.000000000 -0400
45536 @@ -4,6 +4,7 @@
45537 #include <linux/path.h>
45538 #include <linux/slab.h>
45539 #include <linux/fs_struct.h>
45540 +#include <linux/grsecurity.h>
45541
45542 /*
45543 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
45544 @@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
45545 old_root = fs->root;
45546 fs->root = *path;
45547 path_get(path);
45548 + gr_set_chroot_entries(current, path);
45549 write_unlock(&fs->lock);
45550 if (old_root.dentry)
45551 path_put(&old_root);
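Review bot: `gr_set_chroot_entries(current, path)` updates only the calling task, although `set_fs_root()` takes an arbitrary `struct fs_struct *fs` and the visible lines never check that `fs` is `current->fs`. If another task shares this fs_struct (the `users` count handled further down in this file suggests sharing is possible), its chroot bookkeeping would presumably not follow the new root. By contrast, `chroot_fs_refs()` in the next hunk passes the affected task `p`. The call also sits inside the `fs->lock` write section, so the hook must not sleep. A comment such as `/* fs is expected to be current->fs; hook runs under fs->lock and must not sleep */` would make both assumptions explicit; the function body starts outside the hunk.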
45552 @@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
45553 && fs->root.mnt == old_root->mnt) {
45554 path_get(new_root);
45555 fs->root = *new_root;
45556 + gr_set_chroot_entries(p, new_root);
45557 count++;
45558 }
45559 if (fs->pwd.dentry == old_root->dentry
45560 @@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
45561 task_lock(tsk);
45562 write_lock(&fs->lock);
45563 tsk->fs = NULL;
45564 - kill = !--fs->users;
45565 + gr_clear_chroot_entries(tsk);
45566 + kill = !atomic_dec_return(&fs->users);
45567 write_unlock(&fs->lock);
45568 task_unlock(tsk);
45569 if (kill)
45570 @@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
45571 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
45572 /* We don't need to lock fs - think why ;-) */
45573 if (fs) {
45574 - fs->users = 1;
45575 + atomic_set(&fs->users, 1);
45576 fs->in_exec = 0;
45577 rwlock_init(&fs->lock);
45578 fs->umask = old->umask;
45579 @@ -127,8 +131,9 @@ int unshare_fs_struct(void)
45580
45581 task_lock(current);
45582 write_lock(&fs->lock);
45583 - kill = !--fs->users;
45584 + kill = !atomic_dec_return(&fs->users);
45585 current->fs = new_fs;
45586 + gr_set_chroot_entries(current, &new_fs->root);
45587 write_unlock(&fs->lock);
45588 task_unlock(current);
45589
45590 @@ -147,7 +152,7 @@ EXPORT_SYMBOL(current_umask);
45591
45592 /* to be mentioned only in INIT_TASK */
45593 struct fs_struct init_fs = {
45594 - .users = 1,
45595 + .users = ATOMIC_INIT(1),
45596 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
45597 .umask = 0022,
45598 };
45599 @@ -162,12 +167,13 @@ void daemonize_fs_struct(void)
45600 task_lock(current);
45601
45602 write_lock(&init_fs.lock);
45603 - init_fs.users++;
45604 + atomic_inc(&init_fs.users);
45605 write_unlock(&init_fs.lock);
45606
45607 write_lock(&fs->lock);
45608 current->fs = &init_fs;
45609 - kill = !--fs->users;
45610 + gr_set_chroot_entries(current, &current->fs->root);
45611 + kill = !atomic_dec_return(&fs->users);
45612 write_unlock(&fs->lock);
45613
45614 task_unlock(current);
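Review bot: `gr_set_chroot_entries(current, &current->fs->root)` reads `init_fs.root` while holding only the old `fs->lock`, because `init_fs.lock` was released a few lines earlier. Since `current->fs` has just been set to `&init_fs`, writing `gr_set_chroot_entries(current, &init_fs.root);` states the same thing more directly. If the root of `init_fs` can still change at this point, making the call inside the `write_lock(&init_fs.lock)` section above would read it under the lock that protects it. The function body starts and ends outside the hunk.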
45615 diff -urNp linux-2.6.32.46/fs/fuse/cuse.c linux-2.6.32.46/fs/fuse/cuse.c
45616 --- linux-2.6.32.46/fs/fuse/cuse.c 2011-03-27 14:31:47.000000000 -0400
45617 +++ linux-2.6.32.46/fs/fuse/cuse.c 2011-08-05 20:33:55.000000000 -0400
45618 @@ -576,10 +576,12 @@ static int __init cuse_init(void)
45619 INIT_LIST_HEAD(&cuse_conntbl[i]);
45620
45621 /* inherit and extend fuse_dev_operations */
45622 - cuse_channel_fops = fuse_dev_operations;
45623 - cuse_channel_fops.owner = THIS_MODULE;
45624 - cuse_channel_fops.open = cuse_channel_open;
45625 - cuse_channel_fops.release = cuse_channel_release;
45626 + pax_open_kernel();
45627 + memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(fuse_dev_operations));
45628 + *(void **)&cuse_channel_fops.owner = THIS_MODULE;
45629 + *(void **)&cuse_channel_fops.open = cuse_channel_open;
45630 + *(void **)&cuse_channel_fops.release = cuse_channel_release;
45631 + pax_close_kernel();
45632
45633 cuse_class = class_create(THIS_MODULE, "cuse");
45634 if (IS_ERR(cuse_class))
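Review bot: The casts in the added lines (`(void *)&cuse_channel_fops`, `*(void **)&cuse_channel_fops.open = ...`) discard the qualifier and the member types with no comment explaining why. The copy length is also taken from the source, `sizeof(fuse_dev_operations)`, rather than from the destination. Presumably `cuse_channel_fops` is made const elsewhere in this patch and the `pax_open_kernel()`/`pax_close_kernel()` pair opens a write window for otherwise read-only kernel data; a comment like `/* cuse_channel_fops is read-only at runtime; patched once at init inside the open/close window */` would record that. Using `sizeof(cuse_channel_fops)` for the length ties the write to the object being written. No statement between the open and close calls returns early in the lines shown, and that property should be kept if this block is ever extended.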
45635 diff -urNp linux-2.6.32.46/fs/fuse/dev.c linux-2.6.32.46/fs/fuse/dev.c
45636 --- linux-2.6.32.46/fs/fuse/dev.c 2011-08-29 22:24:44.000000000 -0400
45637 +++ linux-2.6.32.46/fs/fuse/dev.c 2011-08-29 22:25:07.000000000 -0400
45638 @@ -885,7 +885,7 @@ static int fuse_notify_inval_entry(struc
45639 {
45640 struct fuse_notify_inval_entry_out outarg;
45641 int err = -EINVAL;
45642 - char buf[FUSE_NAME_MAX+1];
45643 + char *buf = NULL;
45644 struct qstr name;
45645
45646 if (size < sizeof(outarg))
45647 @@ -899,6 +899,11 @@ static int fuse_notify_inval_entry(struc
45648 if (outarg.namelen > FUSE_NAME_MAX)
45649 goto err;
45650
45651 + err = -ENOMEM;
45652 + buf = kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL);
45653 + if (!buf)
45654 + goto err;
45655 +
45656 err = -EINVAL;
45657 if (size != sizeof(outarg) + outarg.namelen + 1)
45658 goto err;
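Review bot: The added `kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL)` runs before the `size != sizeof(outarg) + outarg.namelen + 1` check just below it, so a notification with an inconsistent length is rejected only after an allocation and a free. Moving the three added lines below that check lets malformed messages fail without touching the allocator, and also removes the need to reset `err = -EINVAL` afterwards. If the copy that follows (outside the hunk) reads `outarg.namelen + 1` bytes, the buffer could be sized as `buf = kmalloc(outarg.namelen + 1, GFP_KERNEL);`, since `namelen` is already bounded by `FUSE_NAME_MAX` above. The next hunk frees `buf` on both exits, which is correct here because `buf` starts as NULL; the function body starts and ends outside this hunk.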
45659 @@ -914,17 +919,15 @@ static int fuse_notify_inval_entry(struc
45660
45661 down_read(&fc->killsb);
45662 err = -ENOENT;
45663 - if (!fc->sb)
45664 - goto err_unlock;
45665 -
45666 - err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
45667 -
45668 -err_unlock:
45669 + if (fc->sb)
45670 + err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
45671 up_read(&fc->killsb);
45672 + kfree(buf);
45673 return err;
45674
45675 err:
45676 fuse_copy_finish(cs);
45677 + kfree(buf);
45678 return err;
45679 }
45680
45681 diff -urNp linux-2.6.32.46/fs/fuse/dir.c linux-2.6.32.46/fs/fuse/dir.c
45682 --- linux-2.6.32.46/fs/fuse/dir.c 2011-03-27 14:31:47.000000000 -0400
45683 +++ linux-2.6.32.46/fs/fuse/dir.c 2011-04-17 15:56:46.000000000 -0400
45684 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
45685 return link;
45686 }
45687
45688 -static void free_link(char *link)
45689 +static void free_link(const char *link)
45690 {
45691 if (!IS_ERR(link))
45692 free_page((unsigned long) link);
45693 diff -urNp linux-2.6.32.46/fs/gfs2/ops_inode.c linux-2.6.32.46/fs/gfs2/ops_inode.c
45694 --- linux-2.6.32.46/fs/gfs2/ops_inode.c 2011-03-27 14:31:47.000000000 -0400
45695 +++ linux-2.6.32.46/fs/gfs2/ops_inode.c 2011-05-16 21:46:57.000000000 -0400
45696 @@ -752,6 +752,8 @@ static int gfs2_rename(struct inode *odi
45697 unsigned int x;
45698 int error;
45699
45700 + pax_track_stack();
45701 +
45702 if (ndentry->d_inode) {
45703 nip = GFS2_I(ndentry->d_inode);
45704 if (ip == nip)
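Review bot: `pax_track_stack()` is added at the top of `gfs2_rename()` with no comment on why this function needs it. The same bare call is added to `hfsplus_find_cat()`, `hfsplus_create_cat()`, `hfsplus_rename_cat()` and `hfsplus_readdir()` further down. Presumably these functions have large on-stack locals (the hfsplus catalog code appears to pass an on-stack `hfsplus_cat_entry` as `&tmp`) and the call records stack depth for a stack-sanitizing feature; the helper's definition is not visible here. A short comment such as `/* large stack frame: record depth for stack sanitizing */` next to each call would tell a maintainer when it can be dropped, for instance if the locals move to the heap. The function bodies start and end outside the hunks.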
45705 diff -urNp linux-2.6.32.46/fs/gfs2/sys.c linux-2.6.32.46/fs/gfs2/sys.c
45706 --- linux-2.6.32.46/fs/gfs2/sys.c 2011-03-27 14:31:47.000000000 -0400
45707 +++ linux-2.6.32.46/fs/gfs2/sys.c 2011-04-17 15:56:46.000000000 -0400
45708 @@ -49,7 +49,7 @@ static ssize_t gfs2_attr_store(struct ko
45709 return a->store ? a->store(sdp, buf, len) : len;
45710 }
45711
45712 -static struct sysfs_ops gfs2_attr_ops = {
45713 +static const struct sysfs_ops gfs2_attr_ops = {
45714 .show = gfs2_attr_show,
45715 .store = gfs2_attr_store,
45716 };
45717 @@ -584,7 +584,7 @@ static int gfs2_uevent(struct kset *kset
45718 return 0;
45719 }
45720
45721 -static struct kset_uevent_ops gfs2_uevent_ops = {
45722 +static const struct kset_uevent_ops gfs2_uevent_ops = {
45723 .uevent = gfs2_uevent,
45724 };
45725
45726 diff -urNp linux-2.6.32.46/fs/hfsplus/catalog.c linux-2.6.32.46/fs/hfsplus/catalog.c
45727 --- linux-2.6.32.46/fs/hfsplus/catalog.c 2011-03-27 14:31:47.000000000 -0400
45728 +++ linux-2.6.32.46/fs/hfsplus/catalog.c 2011-05-16 21:46:57.000000000 -0400
45729 @@ -157,6 +157,8 @@ int hfsplus_find_cat(struct super_block
45730 int err;
45731 u16 type;
45732
45733 + pax_track_stack();
45734 +
45735 hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
45736 err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
45737 if (err)
45738 @@ -186,6 +188,8 @@ int hfsplus_create_cat(u32 cnid, struct
45739 int entry_size;
45740 int err;
45741
45742 + pax_track_stack();
45743 +
45744 dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n", str->name, cnid, inode->i_nlink);
45745 sb = dir->i_sb;
45746 hfs_find_init(HFSPLUS_SB(sb).cat_tree, &fd);
45747 @@ -318,6 +322,8 @@ int hfsplus_rename_cat(u32 cnid,
45748 int entry_size, type;
45749 int err = 0;
45750
45751 + pax_track_stack();
45752 +
45753 dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n", cnid, src_dir->i_ino, src_name->name,
45754 dst_dir->i_ino, dst_name->name);
45755 sb = src_dir->i_sb;
45756 diff -urNp linux-2.6.32.46/fs/hfsplus/dir.c linux-2.6.32.46/fs/hfsplus/dir.c
45757 --- linux-2.6.32.46/fs/hfsplus/dir.c 2011-03-27 14:31:47.000000000 -0400
45758 +++ linux-2.6.32.46/fs/hfsplus/dir.c 2011-05-16 21:46:57.000000000 -0400
45759 @@ -121,6 +121,8 @@ static int hfsplus_readdir(struct file *
45760 struct hfsplus_readdir_data *rd;
45761 u16 type;
45762
45763 + pax_track_stack();
45764 +
45765 if (filp->f_pos >= inode->i_size)
45766 return 0;
45767
45768 diff -urNp linux-2.6.32.46/fs/hfsplus/inode.c linux-2.6.32.46/fs/hfsplus/inode.c
45769 --- linux-2.6.32.46/fs/hfsplus/inode.c 2011-03-27 14:31:47.000000000 -0400
45770 +++ linux-2.6.32.46/fs/hfsplus/inode.c 2011-05-16 21:46:57.000000000 -0400
45771 @@ -399,6 +399,8 @@ int hfsplus_cat_read_inode(struct inode
45772 int res = 0;
45773 u16 type;
45774
45775 + pax_track_stack();
45776 +
45777 type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
45778
45779 HFSPLUS_I(inode).dev = 0;
45780 @@ -461,6 +463,8 @@ int hfsplus_cat_write_inode(struct inode
45781 struct hfs_find_data fd;
45782 hfsplus_cat_entry entry;
45783
45784 + pax_track_stack();
45785 +
45786 if (HFSPLUS_IS_RSRC(inode))
45787 main_inode = HFSPLUS_I(inode).rsrc_inode;
45788
45789 diff -urNp linux-2.6.32.46/fs/hfsplus/ioctl.c linux-2.6.32.46/fs/hfsplus/ioctl.c
45790 --- linux-2.6.32.46/fs/hfsplus/ioctl.c 2011-03-27 14:31:47.000000000 -0400
45791 +++ linux-2.6.32.46/fs/hfsplus/ioctl.c 2011-05-16 21:46:57.000000000 -0400
45792 @@ -101,6 +101,8 @@ int hfsplus_setxattr(struct dentry *dent
45793 struct hfsplus_cat_file *file;
45794 int res;
45795
45796 + pax_track_stack();
45797 +
45798 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
45799 return -EOPNOTSUPP;
45800
45801 @@ -143,6 +145,8 @@ ssize_t hfsplus_getxattr(struct dentry *
45802 struct hfsplus_cat_file *file;
45803 ssize_t res = 0;
45804
45805 + pax_track_stack();
45806 +
45807 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
45808 return -EOPNOTSUPP;
45809
45810 diff -urNp linux-2.6.32.46/fs/hfsplus/super.c linux-2.6.32.46/fs/hfsplus/super.c
45811 --- linux-2.6.32.46/fs/hfsplus/super.c 2011-03-27 14:31:47.000000000 -0400
45812 +++ linux-2.6.32.46/fs/hfsplus/super.c 2011-05-16 21:46:57.000000000 -0400
45813 @@ -312,6 +312,8 @@ static int hfsplus_fill_super(struct sup
45814 struct nls_table *nls = NULL;
45815 int err = -EINVAL;
45816
45817 + pax_track_stack();
45818 +
45819 sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
45820 if (!sbi)
45821 return -ENOMEM;
45822 diff -urNp linux-2.6.32.46/fs/hugetlbfs/inode.c linux-2.6.32.46/fs/hugetlbfs/inode.c
45823 --- linux-2.6.32.46/fs/hugetlbfs/inode.c 2011-03-27 14:31:47.000000000 -0400
45824 +++ linux-2.6.32.46/fs/hugetlbfs/inode.c 2011-04-17 15:56:46.000000000 -0400
45825 @@ -909,7 +909,7 @@ static struct file_system_type hugetlbfs
45826 .kill_sb = kill_litter_super,
45827 };
45828
45829 -static struct vfsmount *hugetlbfs_vfsmount;
45830 +struct vfsmount *hugetlbfs_vfsmount;
45831
45832 static int can_do_hugetlb_shm(void)
45833 {
45834 diff -urNp linux-2.6.32.46/fs/ioctl.c linux-2.6.32.46/fs/ioctl.c
45835 --- linux-2.6.32.46/fs/ioctl.c 2011-03-27 14:31:47.000000000 -0400
45836 +++ linux-2.6.32.46/fs/ioctl.c 2011-04-17 15:56:46.000000000 -0400
45837 @@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
45838 u64 phys, u64 len, u32 flags)
45839 {
45840 struct fiemap_extent extent;
45841 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
45842 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
45843
45844 /* only count the extents */
45845 if (fieinfo->fi_extents_max == 0) {
45846 @@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
45847
45848 fieinfo.fi_flags = fiemap.fm_flags;
45849 fieinfo.fi_extents_max = fiemap.fm_extent_count;
45850 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
45851 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
45852
45853 if (fiemap.fm_extent_count != 0 &&
45854 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
45855 @@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
45856 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
45857 fiemap.fm_flags = fieinfo.fi_flags;
45858 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
45859 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
45860 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
45861 error = -EFAULT;
45862
45863 return error;
45864 diff -urNp linux-2.6.32.46/fs/jbd/checkpoint.c linux-2.6.32.46/fs/jbd/checkpoint.c
45865 --- linux-2.6.32.46/fs/jbd/checkpoint.c 2011-03-27 14:31:47.000000000 -0400
45866 +++ linux-2.6.32.46/fs/jbd/checkpoint.c 2011-05-16 21:46:57.000000000 -0400
45867 @@ -348,6 +348,8 @@ int log_do_checkpoint(journal_t *journal
45868 tid_t this_tid;
45869 int result;
45870
45871 + pax_track_stack();
45872 +
45873 jbd_debug(1, "Start checkpoint\n");
45874
45875 /*
45876 diff -urNp linux-2.6.32.46/fs/jffs2/compr_rtime.c linux-2.6.32.46/fs/jffs2/compr_rtime.c
45877 --- linux-2.6.32.46/fs/jffs2/compr_rtime.c 2011-03-27 14:31:47.000000000 -0400
45878 +++ linux-2.6.32.46/fs/jffs2/compr_rtime.c 2011-05-16 21:46:57.000000000 -0400
45879 @@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
45880 int outpos = 0;
45881 int pos=0;
45882
45883 + pax_track_stack();
45884 +
45885 memset(positions,0,sizeof(positions));
45886
45887 while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
45888 @@ -79,6 +81,8 @@ static int jffs2_rtime_decompress(unsign
45889 int outpos = 0;
45890 int pos=0;
45891
45892 + pax_track_stack();
45893 +
45894 memset(positions,0,sizeof(positions));
45895
45896 while (outpos<destlen) {
45897 diff -urNp linux-2.6.32.46/fs/jffs2/compr_rubin.c linux-2.6.32.46/fs/jffs2/compr_rubin.c
45898 --- linux-2.6.32.46/fs/jffs2/compr_rubin.c 2011-03-27 14:31:47.000000000 -0400
45899 +++ linux-2.6.32.46/fs/jffs2/compr_rubin.c 2011-05-16 21:46:57.000000000 -0400
45900 @@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
45901 int ret;
45902 uint32_t mysrclen, mydstlen;
45903
45904 + pax_track_stack();
45905 +
45906 mysrclen = *sourcelen;
45907 mydstlen = *dstlen - 8;
45908
45909 diff -urNp linux-2.6.32.46/fs/jffs2/erase.c linux-2.6.32.46/fs/jffs2/erase.c
45910 --- linux-2.6.32.46/fs/jffs2/erase.c 2011-03-27 14:31:47.000000000 -0400
45911 +++ linux-2.6.32.46/fs/jffs2/erase.c 2011-04-17 15:56:46.000000000 -0400
45912 @@ -434,7 +434,8 @@ static void jffs2_mark_erased_block(stru
45913 struct jffs2_unknown_node marker = {
45914 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
45915 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
45916 - .totlen = cpu_to_je32(c->cleanmarker_size)
45917 + .totlen = cpu_to_je32(c->cleanmarker_size),
45918 + .hdr_crc = cpu_to_je32(0)
45919 };
45920
45921 jffs2_prealloc_raw_node_refs(c, jeb, 1);
45922 diff -urNp linux-2.6.32.46/fs/jffs2/wbuf.c linux-2.6.32.46/fs/jffs2/wbuf.c
45923 --- linux-2.6.32.46/fs/jffs2/wbuf.c 2011-03-27 14:31:47.000000000 -0400
45924 +++ linux-2.6.32.46/fs/jffs2/wbuf.c 2011-04-17 15:56:46.000000000 -0400
45925 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
45926 {
45927 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
45928 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
45929 - .totlen = constant_cpu_to_je32(8)
45930 + .totlen = constant_cpu_to_je32(8),
45931 + .hdr_crc = constant_cpu_to_je32(0)
45932 };
45933
45934 /*
45935 diff -urNp linux-2.6.32.46/fs/jffs2/xattr.c linux-2.6.32.46/fs/jffs2/xattr.c
45936 --- linux-2.6.32.46/fs/jffs2/xattr.c 2011-03-27 14:31:47.000000000 -0400
45937 +++ linux-2.6.32.46/fs/jffs2/xattr.c 2011-05-16 21:46:57.000000000 -0400
45938 @@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
45939
45940 BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
45941
45942 + pax_track_stack();
45943 +
45944 /* Phase.1 : Merge same xref */
45945 for (i=0; i < XREF_TMPHASH_SIZE; i++)
45946 xref_tmphash[i] = NULL;
45947 diff -urNp linux-2.6.32.46/fs/jfs/super.c linux-2.6.32.46/fs/jfs/super.c
45948 --- linux-2.6.32.46/fs/jfs/super.c 2011-03-27 14:31:47.000000000 -0400
45949 +++ linux-2.6.32.46/fs/jfs/super.c 2011-06-07 18:06:04.000000000 -0400
45950 @@ -793,7 +793,7 @@ static int __init init_jfs_fs(void)
45951
45952 jfs_inode_cachep =
45953 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
45954 - SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
45955 + SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
45956 init_once);
45957 if (jfs_inode_cachep == NULL)
45958 return -ENOMEM;
45959 diff -urNp linux-2.6.32.46/fs/Kconfig.binfmt linux-2.6.32.46/fs/Kconfig.binfmt
45960 --- linux-2.6.32.46/fs/Kconfig.binfmt 2011-03-27 14:31:47.000000000 -0400
45961 +++ linux-2.6.32.46/fs/Kconfig.binfmt 2011-04-17 15:56:46.000000000 -0400
45962 @@ -86,7 +86,7 @@ config HAVE_AOUT
45963
45964 config BINFMT_AOUT
45965 tristate "Kernel support for a.out and ECOFF binaries"
45966 - depends on HAVE_AOUT
45967 + depends on HAVE_AOUT && BROKEN
45968 ---help---
45969 A.out (Assembler.OUTput) is a set of formats for libraries and
45970 executables used in the earliest versions of UNIX. Linux used
45971 diff -urNp linux-2.6.32.46/fs/libfs.c linux-2.6.32.46/fs/libfs.c
45972 --- linux-2.6.32.46/fs/libfs.c 2011-03-27 14:31:47.000000000 -0400
45973 +++ linux-2.6.32.46/fs/libfs.c 2011-05-11 18:25:15.000000000 -0400
45974 @@ -157,12 +157,20 @@ int dcache_readdir(struct file * filp, v
45975
45976 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
45977 struct dentry *next;
45978 + char d_name[sizeof(next->d_iname)];
45979 + const unsigned char *name;
45980 +
45981 next = list_entry(p, struct dentry, d_u.d_child);
45982 if (d_unhashed(next) || !next->d_inode)
45983 continue;
45984
45985 spin_unlock(&dcache_lock);
45986 - if (filldir(dirent, next->d_name.name,
45987 + name = next->d_name.name;
45988 + if (name == next->d_iname) {
45989 + memcpy(d_name, name, next->d_name.len);
45990 + name = d_name;
45991 + }
45992 + if (filldir(dirent, name,
45993 next->d_name.len, filp->f_pos,
45994 next->d_inode->i_ino,
45995 dt_type(next->d_inode)) < 0)
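Review bot: The stack copy of an inline name, added just before the `filldir()` call, has no comment, and the hunk does not show why it is needed. If the intent is that the copy to userspace should not read from inside the dentry object, a line such as `/* inline name: pass filldir a stack copy rather than a pointer into the dentry */` above the `if (name == next->d_iname)` test would record it. The `memcpy()` length is `next->d_name.len`, which is not compared with `sizeof(d_name)`. The code relies on the invariant that an inline name always fits in `d_iname`, and that is worth stating in the same comment. dcache_readdir's body starts and ends outside the hunk.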
45996 diff -urNp linux-2.6.32.46/fs/lockd/clntproc.c linux-2.6.32.46/fs/lockd/clntproc.c
45997 --- linux-2.6.32.46/fs/lockd/clntproc.c 2011-03-27 14:31:47.000000000 -0400
45998 +++ linux-2.6.32.46/fs/lockd/clntproc.c 2011-05-16 21:46:57.000000000 -0400
45999 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
46000 /*
46001 * Cookie counter for NLM requests
46002 */
46003 -static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
46004 +static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
46005
46006 void nlmclnt_next_cookie(struct nlm_cookie *c)
46007 {
46008 - u32 cookie = atomic_inc_return(&nlm_cookie);
46009 + u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
46010
46011 memcpy(c->data, &cookie, 4);
46012 c->len=4;
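Review bot: The switch of `nlm_cookie` to `atomic_unchecked_t` and `atomic_inc_return_unchecked()` is not explained, and the existing comment still only says "Cookie counter for NLM requests". The unchecked type is defined elsewhere in the patch, so its meaning is inferred here. If it exempts the counter from overflow detection because wrap-around is harmless for a request cookie, the comment should say so, e.g. `* Wrap-around is expected and harmless, hence the unchecked atomic.`. Without that, a later reader cannot tell a deliberate exemption from an oversight.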
46013 @@ -621,6 +621,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
46014 struct nlm_rqst reqst, *req;
46015 int status;
46016
46017 + pax_track_stack();
46018 +
46019 req = &reqst;
46020 memset(req, 0, sizeof(*req));
46021 locks_init_lock(&req->a_args.lock.fl);
46022 diff -urNp linux-2.6.32.46/fs/lockd/svc.c linux-2.6.32.46/fs/lockd/svc.c
46023 --- linux-2.6.32.46/fs/lockd/svc.c 2011-03-27 14:31:47.000000000 -0400
46024 +++ linux-2.6.32.46/fs/lockd/svc.c 2011-04-17 15:56:46.000000000 -0400
46025 @@ -43,7 +43,7 @@
46026
46027 static struct svc_program nlmsvc_program;
46028
46029 -struct nlmsvc_binding * nlmsvc_ops;
46030 +const struct nlmsvc_binding * nlmsvc_ops;
46031 EXPORT_SYMBOL_GPL(nlmsvc_ops);
46032
46033 static DEFINE_MUTEX(nlmsvc_mutex);
46034 diff -urNp linux-2.6.32.46/fs/locks.c linux-2.6.32.46/fs/locks.c
46035 --- linux-2.6.32.46/fs/locks.c 2011-03-27 14:31:47.000000000 -0400
46036 +++ linux-2.6.32.46/fs/locks.c 2011-07-06 19:47:11.000000000 -0400
46037 @@ -145,10 +145,28 @@ static LIST_HEAD(blocked_list);
46038
46039 static struct kmem_cache *filelock_cache __read_mostly;
46040
46041 +static void locks_init_lock_always(struct file_lock *fl)
46042 +{
46043 + fl->fl_next = NULL;
46044 + fl->fl_fasync = NULL;
46045 + fl->fl_owner = NULL;
46046 + fl->fl_pid = 0;
46047 + fl->fl_nspid = NULL;
46048 + fl->fl_file = NULL;
46049 + fl->fl_flags = 0;
46050 + fl->fl_type = 0;
46051 + fl->fl_start = fl->fl_end = 0;
46052 +}
46053 +
46054 /* Allocate an empty lock structure. */
46055 static struct file_lock *locks_alloc_lock(void)
46056 {
46057 - return kmem_cache_alloc(filelock_cache, GFP_KERNEL);
46058 + struct file_lock *fl = kmem_cache_alloc(filelock_cache, GFP_KERNEL);
46059 +
46060 + if (fl)
46061 + locks_init_lock_always(fl);
46062 +
46063 + return fl;
46064 }
46065
46066 void locks_release_private(struct file_lock *fl)
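Review bot: `locks_init_lock_always()` resets only part of `struct file_lock`, and nothing at its definition says which part or why. The later hunk in this file shows `locks_init_lock()` still setting the list heads, the wait queue, `fl_ops` and `fl_lmops` itself. A lock returned by `locks_alloc_lock()` therefore has those fields initialised only if the cache constructor does it, which is not visible here. A comment above the helper would make the split explicit, e.g. `/* Fields reset on every allocation; list heads, fl_wait, fl_ops and fl_lmops are set by locks_init_lock(). */`.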
46067 @@ -183,17 +201,9 @@ void locks_init_lock(struct file_lock *f
46068 INIT_LIST_HEAD(&fl->fl_link);
46069 INIT_LIST_HEAD(&fl->fl_block);
46070 init_waitqueue_head(&fl->fl_wait);
46071 - fl->fl_next = NULL;
46072 - fl->fl_fasync = NULL;
46073 - fl->fl_owner = NULL;
46074 - fl->fl_pid = 0;
46075 - fl->fl_nspid = NULL;
46076 - fl->fl_file = NULL;
46077 - fl->fl_flags = 0;
46078 - fl->fl_type = 0;
46079 - fl->fl_start = fl->fl_end = 0;
46080 fl->fl_ops = NULL;
46081 fl->fl_lmops = NULL;
46082 + locks_init_lock_always(fl);
46083 }
46084
46085 EXPORT_SYMBOL(locks_init_lock);
46086 @@ -2007,16 +2017,16 @@ void locks_remove_flock(struct file *fil
46087 return;
46088
46089 if (filp->f_op && filp->f_op->flock) {
46090 - struct file_lock fl = {
46091 + struct file_lock flock = {
46092 .fl_pid = current->tgid,
46093 .fl_file = filp,
46094 .fl_flags = FL_FLOCK,
46095 .fl_type = F_UNLCK,
46096 .fl_end = OFFSET_MAX,
46097 };
46098 - filp->f_op->flock(filp, F_SETLKW, &fl);
46099 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
46100 - fl.fl_ops->fl_release_private(&fl);
46101 + filp->f_op->flock(filp, F_SETLKW, &flock);
46102 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
46103 + flock.fl_ops->fl_release_private(&flock);
46104 }
46105
46106 lock_kernel();
46107 diff -urNp linux-2.6.32.46/fs/mbcache.c linux-2.6.32.46/fs/mbcache.c
46108 --- linux-2.6.32.46/fs/mbcache.c 2011-03-27 14:31:47.000000000 -0400
46109 +++ linux-2.6.32.46/fs/mbcache.c 2011-08-05 20:33:55.000000000 -0400
46110 @@ -266,9 +266,9 @@ mb_cache_create(const char *name, struct
46111 if (!cache)
46112 goto fail;
46113 cache->c_name = name;
46114 - cache->c_op.free = NULL;
46115 + *(void **)&cache->c_op.free = NULL;
46116 if (cache_op)
46117 - cache->c_op.free = cache_op->free;
46118 + *(void **)&cache->c_op.free = cache_op->free;
46119 atomic_set(&cache->c_entry_count, 0);
46120 cache->c_bucket_bits = bucket_bits;
46121 #ifdef MB_CACHE_INDEXES_COUNT
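Review bot: Both stores to `cache->c_op.free` now go through `*(void **)&...`, which discards the member's declared type. The compiler no longer checks that `cache_op->free` has the expected signature, and the cast silently removes whatever qualifier made the plain assignment fail (presumably a `const` added elsewhere in the patch). A comment should say that this is the single, deliberate write at creation time, e.g. `/* c_op is read-only after creation; this is the only place it is written */`. mb_cache_create's body starts and ends outside the hunk.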
46122 diff -urNp linux-2.6.32.46/fs/namei.c linux-2.6.32.46/fs/namei.c
46123 --- linux-2.6.32.46/fs/namei.c 2011-03-27 14:31:47.000000000 -0400
46124 +++ linux-2.6.32.46/fs/namei.c 2011-05-16 21:46:57.000000000 -0400
46125 @@ -224,14 +224,6 @@ int generic_permission(struct inode *ino
46126 return ret;
46127
46128 /*
46129 - * Read/write DACs are always overridable.
46130 - * Executable DACs are overridable if at least one exec bit is set.
46131 - */
46132 - if (!(mask & MAY_EXEC) || execute_ok(inode))
46133 - if (capable(CAP_DAC_OVERRIDE))
46134 - return 0;
46135 -
46136 - /*
46137 * Searching includes executable on directories, else just read.
46138 */
46139 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
46140 @@ -239,6 +231,14 @@ int generic_permission(struct inode *ino
46141 if (capable(CAP_DAC_READ_SEARCH))
46142 return 0;
46143
46144 + /*
46145 + * Read/write DACs are always overridable.
46146 + * Executable DACs are overridable if at least one exec bit is set.
46147 + */
46148 + if (!(mask & MAY_EXEC) || execute_ok(inode))
46149 + if (capable(CAP_DAC_OVERRIDE))
46150 + return 0;
46151 +
46152 return -EACCES;
46153 }
46154
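Review bot: The CAP_DAC_OVERRIDE block is re-added after the CAP_DAC_READ_SEARCH test with its old comment unchanged, so the reason for the new order is not recorded. If the aim is to use the narrower capability whenever it suffices, add a line to the comment, e.g. `* Checked after CAP_DAC_READ_SEARCH so the narrower capability is used when it is enough.`. The `mask & MAY_EXEC` test now runs after `mask &= MAY_READ | MAY_WRITE | MAY_EXEC`. That does not change its result, because MAY_EXEC is kept by the masking. generic_permission's body starts outside the hunk.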
46155 @@ -458,7 +458,8 @@ static int exec_permission_lite(struct i
46156 if (!ret)
46157 goto ok;
46158
46159 - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
46160 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
46161 + capable(CAP_DAC_OVERRIDE))
46162 goto ok;
46163
46164 return ret;
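Review bot: The new condition tests CAP_DAC_OVERRIDE twice, first with `capable_nolog()` and last with `capable()`, which reads as a redundant term that a later cleanup would remove. `capable_nolog()` is defined elsewhere, so the intent is inferred: try the capability silently, then fall back to the logging variants so a denial is still recorded. If that is right, a comment above the `if` should say so, e.g. `/* silent CAP_DAC_OVERRIDE check first; the final capable() repeats it so a denial is logged */`. exec_permission_lite's body starts outside the hunk.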
46165 @@ -638,7 +639,7 @@ static __always_inline int __do_follow_l
46166 cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
46167 error = PTR_ERR(cookie);
46168 if (!IS_ERR(cookie)) {
46169 - char *s = nd_get_link(nd);
46170 + const char *s = nd_get_link(nd);
46171 error = 0;
46172 if (s)
46173 error = __vfs_follow_link(nd, s);
46174 @@ -669,6 +670,13 @@ static inline int do_follow_link(struct
46175 err = security_inode_follow_link(path->dentry, nd);
46176 if (err)
46177 goto loop;
46178 +
46179 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
46180 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
46181 + err = -EACCES;
46182 + goto loop;
46183 + }
46184 +
46185 current->link_count++;
46186 current->total_link_count++;
46187 nd->depth++;
46188 @@ -1016,11 +1024,18 @@ return_reval:
46189 break;
46190 }
46191 return_base:
46192 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
46193 + path_put(&nd->path);
46194 + return -ENOENT;
46195 + }
46196 return 0;
46197 out_dput:
46198 path_put_conditional(&next, nd);
46199 break;
46200 }
46201 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
46202 + err = -ENOENT;
46203 +
46204 path_put(&nd->path);
46205 return_err:
46206 return err;
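Review bot: The second added check, placed after the loop and before `path_put(&nd->path)`, replaces whatever error the walk produced with `-ENOENT`, and no comment says that this is intended. If the purpose is that a hidden object yields the same error as a missing one regardless of where the walk failed, state it, e.g. `/* hidden objects always report -ENOENT, whatever the walk returned */`. The first check at `return_base` releases `nd->path` before returning, which matches the error-path convention visible in this hunk. The enclosing function starts outside the hunk.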
46207 @@ -1091,13 +1106,20 @@ static int do_path_lookup(int dfd, const
46208 int retval = path_init(dfd, name, flags, nd);
46209 if (!retval)
46210 retval = path_walk(name, nd);
46211 - if (unlikely(!retval && !audit_dummy_context() && nd->path.dentry &&
46212 - nd->path.dentry->d_inode))
46213 - audit_inode(name, nd->path.dentry);
46214 +
46215 + if (likely(!retval)) {
46216 + if (nd->path.dentry && nd->path.dentry->d_inode) {
46217 + if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
46218 + retval = -ENOENT;
46219 + if (!audit_dummy_context())
46220 + audit_inode(name, nd->path.dentry);
46221 + }
46222 + }
46223 if (nd->root.mnt) {
46224 path_put(&nd->root);
46225 nd->root.mnt = NULL;
46226 }
46227 +
46228 return retval;
46229 }
46230
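Review bot: When `gr_chroot_fchdir()` denies the lookup, `retval` becomes `-ENOENT` but `nd->path` is not released, so the function returns an error while still holding the reference. The path_walk hunk above shows the convention: error returns call `path_put(&nd->path)`, and only success leaves it held. Unless callers release it on failure, this path leaks a dentry and mount reference. Move the `audit_inode()` call ahead of the check, then add `path_put(&nd->path);` before `retval = -ENOENT;` inside a braced branch. do_path_lookup's signature is only in the hunk header.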
46231 @@ -1576,6 +1598,20 @@ int may_open(struct path *path, int acc_
46232 if (error)
46233 goto err_out;
46234
46235 +
46236 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
46237 + error = -EPERM;
46238 + goto err_out;
46239 + }
46240 + if (gr_handle_rawio(inode)) {
46241 + error = -EPERM;
46242 + goto err_out;
46243 + }
46244 + if (!gr_acl_handle_open(dentry, path->mnt, flag)) {
46245 + error = -EACCES;
46246 + goto err_out;
46247 + }
46248 +
46249 if (flag & O_TRUNC) {
46250 error = get_write_access(inode);
46251 if (error)
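Review bot: The three added checks sit side by side with opposite return conventions: `gr_handle_rofs_blockwrite()` and `gr_handle_rawio()` deny on a non-zero result, while `gr_acl_handle_open()` denies on zero. The same mix recurs in the do_filp_open, mknodat and linkat hunks, and the renameat hunk uses a third form in which `gr_acl_handle_rename()` returns the error code itself. A short comment at the call sites, e.g. `/* gr_acl_handle_*() returns 0 when access is denied */`, would make an inverted test easier to catch in review. may_open's body starts and ends outside the hunk.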
46252 @@ -1621,12 +1657,19 @@ static int __open_namei_create(struct na
46253 int error;
46254 struct dentry *dir = nd->path.dentry;
46255
46256 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
46257 + error = -EACCES;
46258 + goto out_unlock;
46259 + }
46260 +
46261 if (!IS_POSIXACL(dir->d_inode))
46262 mode &= ~current_umask();
46263 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
46264 if (error)
46265 goto out_unlock;
46266 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
46267 + if (!error)
46268 + gr_handle_create(path->dentry, nd->path.mnt);
46269 out_unlock:
46270 mutex_unlock(&dir->d_inode->i_mutex);
46271 dput(nd->path.dentry);
46272 @@ -1709,6 +1752,22 @@ struct file *do_filp_open(int dfd, const
46273 &nd, flag);
46274 if (error)
46275 return ERR_PTR(error);
46276 +
46277 + if (gr_handle_rofs_blockwrite(nd.path.dentry, nd.path.mnt, acc_mode)) {
46278 + error = -EPERM;
46279 + goto exit;
46280 + }
46281 +
46282 + if (gr_handle_rawio(nd.path.dentry->d_inode)) {
46283 + error = -EPERM;
46284 + goto exit;
46285 + }
46286 +
46287 + if (!gr_acl_handle_open(nd.path.dentry, nd.path.mnt, flag)) {
46288 + error = -EACCES;
46289 + goto exit;
46290 + }
46291 +
46292 goto ok;
46293 }
46294
46295 @@ -1795,6 +1854,14 @@ do_last:
46296 /*
46297 * It already exists.
46298 */
46299 +
46300 + /* only check if O_CREAT is specified, all other checks need
46301 + to go into may_open */
46302 + if (gr_handle_fifo(path.dentry, path.mnt, dir, flag, acc_mode)) {
46303 + error = -EACCES;
46304 + goto exit_mutex_unlock;
46305 + }
46306 +
46307 mutex_unlock(&dir->d_inode->i_mutex);
46308 audit_inode(pathname, path.dentry);
46309
46310 @@ -1887,6 +1954,13 @@ do_link:
46311 error = security_inode_follow_link(path.dentry, &nd);
46312 if (error)
46313 goto exit_dput;
46314 +
46315 + if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
46316 + path.dentry, nd.path.mnt)) {
46317 + error = -EACCES;
46318 + goto exit_dput;
46319 + }
46320 +
46321 error = __do_follow_link(&path, &nd);
46322 if (error) {
46323 /* Does someone understand code flow here? Or it is only
46324 @@ -2061,6 +2135,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
46325 error = may_mknod(mode);
46326 if (error)
46327 goto out_dput;
46328 +
46329 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
46330 + error = -EPERM;
46331 + goto out_dput;
46332 + }
46333 +
46334 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
46335 + error = -EACCES;
46336 + goto out_dput;
46337 + }
46338 +
46339 error = mnt_want_write(nd.path.mnt);
46340 if (error)
46341 goto out_dput;
46342 @@ -2081,6 +2166,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
46343 }
46344 out_drop_write:
46345 mnt_drop_write(nd.path.mnt);
46346 +
46347 + if (!error)
46348 + gr_handle_create(dentry, nd.path.mnt);
46349 out_dput:
46350 dput(dentry);
46351 out_unlock:
46352 @@ -2134,6 +2222,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
46353 if (IS_ERR(dentry))
46354 goto out_unlock;
46355
46356 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
46357 + error = -EACCES;
46358 + goto out_dput;
46359 + }
46360 +
46361 if (!IS_POSIXACL(nd.path.dentry->d_inode))
46362 mode &= ~current_umask();
46363 error = mnt_want_write(nd.path.mnt);
46364 @@ -2145,6 +2238,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
46365 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
46366 out_drop_write:
46367 mnt_drop_write(nd.path.mnt);
46368 +
46369 + if (!error)
46370 + gr_handle_create(dentry, nd.path.mnt);
46371 +
46372 out_dput:
46373 dput(dentry);
46374 out_unlock:
46375 @@ -2226,6 +2323,8 @@ static long do_rmdir(int dfd, const char
46376 char * name;
46377 struct dentry *dentry;
46378 struct nameidata nd;
46379 + ino_t saved_ino = 0;
46380 + dev_t saved_dev = 0;
46381
46382 error = user_path_parent(dfd, pathname, &nd, &name);
46383 if (error)
46384 @@ -2250,6 +2349,19 @@ static long do_rmdir(int dfd, const char
46385 error = PTR_ERR(dentry);
46386 if (IS_ERR(dentry))
46387 goto exit2;
46388 +
46389 + if (dentry->d_inode != NULL) {
46390 + if (dentry->d_inode->i_nlink <= 1) {
46391 + saved_ino = dentry->d_inode->i_ino;
46392 + saved_dev = gr_get_dev_from_dentry(dentry);
46393 + }
46394 +
46395 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
46396 + error = -EACCES;
46397 + goto exit3;
46398 + }
46399 + }
46400 +
46401 error = mnt_want_write(nd.path.mnt);
46402 if (error)
46403 goto exit3;
46404 @@ -2257,6 +2369,8 @@ static long do_rmdir(int dfd, const char
46405 if (error)
46406 goto exit4;
46407 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
46408 + if (!error && (saved_dev || saved_ino))
46409 + gr_handle_delete(saved_ino, saved_dev);
46410 exit4:
46411 mnt_drop_write(nd.path.mnt);
46412 exit3:
46413 @@ -2318,6 +2432,8 @@ static long do_unlinkat(int dfd, const c
46414 struct dentry *dentry;
46415 struct nameidata nd;
46416 struct inode *inode = NULL;
46417 + ino_t saved_ino = 0;
46418 + dev_t saved_dev = 0;
46419
46420 error = user_path_parent(dfd, pathname, &nd, &name);
46421 if (error)
46422 @@ -2337,8 +2453,19 @@ static long do_unlinkat(int dfd, const c
46423 if (nd.last.name[nd.last.len])
46424 goto slashes;
46425 inode = dentry->d_inode;
46426 - if (inode)
46427 + if (inode) {
46428 + if (inode->i_nlink <= 1) {
46429 + saved_ino = inode->i_ino;
46430 + saved_dev = gr_get_dev_from_dentry(dentry);
46431 + }
46432 +
46433 atomic_inc(&inode->i_count);
46434 +
46435 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
46436 + error = -EACCES;
46437 + goto exit2;
46438 + }
46439 + }
46440 error = mnt_want_write(nd.path.mnt);
46441 if (error)
46442 goto exit2;
46443 @@ -2346,6 +2473,8 @@ static long do_unlinkat(int dfd, const c
46444 if (error)
46445 goto exit3;
46446 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
46447 + if (!error && (saved_ino || saved_dev))
46448 + gr_handle_delete(saved_ino, saved_dev);
46449 exit3:
46450 mnt_drop_write(nd.path.mnt);
46451 exit2:
46452 @@ -2424,6 +2553,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
46453 if (IS_ERR(dentry))
46454 goto out_unlock;
46455
46456 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
46457 + error = -EACCES;
46458 + goto out_dput;
46459 + }
46460 +
46461 error = mnt_want_write(nd.path.mnt);
46462 if (error)
46463 goto out_dput;
46464 @@ -2431,6 +2565,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
46465 if (error)
46466 goto out_drop_write;
46467 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
46468 + if (!error)
46469 + gr_handle_create(dentry, nd.path.mnt);
46470 out_drop_write:
46471 mnt_drop_write(nd.path.mnt);
46472 out_dput:
46473 @@ -2524,6 +2660,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
46474 error = PTR_ERR(new_dentry);
46475 if (IS_ERR(new_dentry))
46476 goto out_unlock;
46477 +
46478 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
46479 + old_path.dentry->d_inode,
46480 + old_path.dentry->d_inode->i_mode, to)) {
46481 + error = -EACCES;
46482 + goto out_dput;
46483 + }
46484 +
46485 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
46486 + old_path.dentry, old_path.mnt, to)) {
46487 + error = -EACCES;
46488 + goto out_dput;
46489 + }
46490 +
46491 error = mnt_want_write(nd.path.mnt);
46492 if (error)
46493 goto out_dput;
46494 @@ -2531,6 +2681,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
46495 if (error)
46496 goto out_drop_write;
46497 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
46498 + if (!error)
46499 + gr_handle_create(new_dentry, nd.path.mnt);
46500 out_drop_write:
46501 mnt_drop_write(nd.path.mnt);
46502 out_dput:
46503 @@ -2708,6 +2860,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
46504 char *to;
46505 int error;
46506
46507 + pax_track_stack();
46508 +
46509 error = user_path_parent(olddfd, oldname, &oldnd, &from);
46510 if (error)
46511 goto exit;
46512 @@ -2764,6 +2918,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
46513 if (new_dentry == trap)
46514 goto exit5;
46515
46516 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
46517 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
46518 + to);
46519 + if (error)
46520 + goto exit5;
46521 +
46522 error = mnt_want_write(oldnd.path.mnt);
46523 if (error)
46524 goto exit5;
46525 @@ -2773,6 +2933,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
46526 goto exit6;
46527 error = vfs_rename(old_dir->d_inode, old_dentry,
46528 new_dir->d_inode, new_dentry);
46529 + if (!error)
46530 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
46531 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
46532 exit6:
46533 mnt_drop_write(oldnd.path.mnt);
46534 exit5:
46535 @@ -2798,6 +2961,8 @@ SYSCALL_DEFINE2(rename, const char __use
46536
46537 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
46538 {
46539 + char tmpbuf[64];
46540 + const char *newlink;
46541 int len;
46542
46543 len = PTR_ERR(link);
46544 @@ -2807,7 +2972,14 @@ int vfs_readlink(struct dentry *dentry,
46545 len = strlen(link);
46546 if (len > (unsigned) buflen)
46547 len = buflen;
46548 - if (copy_to_user(buffer, link, len))
46549 +
46550 + if (len < sizeof(tmpbuf)) {
46551 + memcpy(tmpbuf, link, len);
46552 + newlink = tmpbuf;
46553 + } else
46554 + newlink = link;
46555 +
46556 + if (copy_to_user(buffer, newlink, len))
46557 len = -EFAULT;
46558 out:
46559 return len;
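Review bot: Short link targets are now copied into `tmpbuf` before `copy_to_user()`, but nothing explains why, or why the threshold is the size of a 64-byte buffer. If the reason is that short targets may live inside another object and the user copy should not read from it, add a comment, e.g. `/* short links may be stored inline; copy them out from the stack instead */`. The test `len < sizeof(tmpbuf)` compares an `int` with a `size_t`. It is safe only because `len` comes from `strlen()` and is non-negative here, which the comment could also note. vfs_readlink's body is split across this hunk and the previous one.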
46560 diff -urNp linux-2.6.32.46/fs/namespace.c linux-2.6.32.46/fs/namespace.c
46561 --- linux-2.6.32.46/fs/namespace.c 2011-03-27 14:31:47.000000000 -0400
46562 +++ linux-2.6.32.46/fs/namespace.c 2011-04-17 15:56:46.000000000 -0400
46563 @@ -1083,6 +1083,9 @@ static int do_umount(struct vfsmount *mn
46564 if (!(sb->s_flags & MS_RDONLY))
46565 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
46566 up_write(&sb->s_umount);
46567 +
46568 + gr_log_remount(mnt->mnt_devname, retval);
46569 +
46570 return retval;
46571 }
46572
46573 @@ -1104,6 +1107,9 @@ static int do_umount(struct vfsmount *mn
46574 security_sb_umount_busy(mnt);
46575 up_write(&namespace_sem);
46576 release_mounts(&umount_list);
46577 +
46578 + gr_log_unmount(mnt->mnt_devname, retval);
46579 +
46580 return retval;
46581 }
46582
46583 @@ -1962,6 +1968,16 @@ long do_mount(char *dev_name, char *dir_
46584 if (retval)
46585 goto dput_out;
46586
46587 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
46588 + retval = -EPERM;
46589 + goto dput_out;
46590 + }
46591 +
46592 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
46593 + retval = -EPERM;
46594 + goto dput_out;
46595 + }
46596 +
46597 if (flags & MS_REMOUNT)
46598 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
46599 data_page);
46600 @@ -1976,6 +1992,9 @@ long do_mount(char *dev_name, char *dir_
46601 dev_name, data_page);
46602 dput_out:
46603 path_put(&path);
46604 +
46605 + gr_log_mount(dev_name, dir_name, retval);
46606 +
46607 return retval;
46608 }
46609
46610 @@ -2182,6 +2201,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
46611 goto out1;
46612 }
46613
46614 + if (gr_handle_chroot_pivot()) {
46615 + error = -EPERM;
46616 + path_put(&old);
46617 + goto out1;
46618 + }
46619 +
46620 read_lock(&current->fs->lock);
46621 root = current->fs->root;
46622 path_get(&current->fs->root);
46623 diff -urNp linux-2.6.32.46/fs/ncpfs/dir.c linux-2.6.32.46/fs/ncpfs/dir.c
46624 --- linux-2.6.32.46/fs/ncpfs/dir.c 2011-03-27 14:31:47.000000000 -0400
46625 +++ linux-2.6.32.46/fs/ncpfs/dir.c 2011-05-16 21:46:57.000000000 -0400
46626 @@ -275,6 +275,8 @@ __ncp_lookup_validate(struct dentry *den
46627 int res, val = 0, len;
46628 __u8 __name[NCP_MAXPATHLEN + 1];
46629
46630 + pax_track_stack();
46631 +
46632 parent = dget_parent(dentry);
46633 dir = parent->d_inode;
46634
46635 @@ -799,6 +801,8 @@ static struct dentry *ncp_lookup(struct
46636 int error, res, len;
46637 __u8 __name[NCP_MAXPATHLEN + 1];
46638
46639 + pax_track_stack();
46640 +
46641 lock_kernel();
46642 error = -EIO;
46643 if (!ncp_conn_valid(server))
46644 @@ -883,10 +887,12 @@ int ncp_create_new(struct inode *dir, st
46645 int error, result, len;
46646 int opmode;
46647 __u8 __name[NCP_MAXPATHLEN + 1];
46648 -
46649 +
46650 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
46651 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
46652
46653 + pax_track_stack();
46654 +
46655 error = -EIO;
46656 lock_kernel();
46657 if (!ncp_conn_valid(server))
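Review bot: In ncp_create_new the `pax_track_stack();` call sits after the PPRINTK trace, whereas the other hunks in this file (for example ncp_lookup and ncp_rename) place it directly after the local declarations. Moving it up to follow `__u8 __name[NCP_MAXPATHLEN + 1];` would keep the placement uniform. The `-`/`+` pair on the blank line above PPRINTK looks like a whitespace-only change and could be dropped from the patch.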
46658 @@ -952,6 +958,8 @@ static int ncp_mkdir(struct inode *dir,
46659 int error, len;
46660 __u8 __name[NCP_MAXPATHLEN + 1];
46661
46662 + pax_track_stack();
46663 +
46664 DPRINTK("ncp_mkdir: making %s/%s\n",
46665 dentry->d_parent->d_name.name, dentry->d_name.name);
46666
46667 @@ -960,6 +968,8 @@ static int ncp_mkdir(struct inode *dir,
46668 if (!ncp_conn_valid(server))
46669 goto out;
46670
46671 + pax_track_stack();
46672 +
46673 ncp_age_dentry(server, dentry);
46674 len = sizeof(__name);
46675 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
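Review bot: ncp_mkdir now calls `pax_track_stack();` twice, once after the declarations (previous hunk) and again here after the `ncp_conn_valid()` check. Both hunk headers name ncp_mkdir and the visible lines declare no further large local between the two calls, so the second call looks redundant. Dropping the two added lines in this hunk would leave one call per function, as in the rest of the file. The function body continues outside both hunks.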
46676 @@ -1114,6 +1124,8 @@ static int ncp_rename(struct inode *old_
46677 int old_len, new_len;
46678 __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
46679
46680 + pax_track_stack();
46681 +
46682 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
46683 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
46684 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
46685 diff -urNp linux-2.6.32.46/fs/ncpfs/inode.c linux-2.6.32.46/fs/ncpfs/inode.c
46686 --- linux-2.6.32.46/fs/ncpfs/inode.c 2011-03-27 14:31:47.000000000 -0400
46687 +++ linux-2.6.32.46/fs/ncpfs/inode.c 2011-05-16 21:46:57.000000000 -0400
46688 @@ -445,6 +445,8 @@ static int ncp_fill_super(struct super_b
46689 #endif
46690 struct ncp_entry_info finfo;
46691
46692 + pax_track_stack();
46693 +
46694 data.wdog_pid = NULL;
46695 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
46696 if (!server)
46697 diff -urNp linux-2.6.32.46/fs/nfs/inode.c linux-2.6.32.46/fs/nfs/inode.c
46698 --- linux-2.6.32.46/fs/nfs/inode.c 2011-05-10 22:12:01.000000000 -0400
46699 +++ linux-2.6.32.46/fs/nfs/inode.c 2011-07-06 19:53:33.000000000 -0400
46700 @@ -156,7 +156,7 @@ static void nfs_zap_caches_locked(struct
46701 nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
46702 nfsi->attrtimeo_timestamp = jiffies;
46703
46704 - memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_COOKIEVERF(inode)));
46705 + memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_I(inode)->cookieverf));
46706 if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
46707 nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
46708 else
46709 @@ -973,16 +973,16 @@ static int nfs_size_need_update(const st
46710 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
46711 }
46712
46713 -static atomic_long_t nfs_attr_generation_counter;
46714 +static atomic_long_unchecked_t nfs_attr_generation_counter;
46715
46716 static unsigned long nfs_read_attr_generation_counter(void)
46717 {
46718 - return atomic_long_read(&nfs_attr_generation_counter);
46719 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
46720 }
46721
46722 unsigned long nfs_inc_attr_generation_counter(void)
46723 {
46724 - return atomic_long_inc_return(&nfs_attr_generation_counter);
46725 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
46726 }
46727
46728 void nfs_fattr_init(struct nfs_fattr *fattr)
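Review bot: The switch of `nfs_attr_generation_counter` to `atomic_long_unchecked_t` carries no comment saying why this counter is exempt from overflow checking. As I read the PaX convention, the `_unchecked` types opt out of the overflow detection applied to plain `atomic_t`/`atomic_long_t`, so each use is a small security decision worth recording, e.g. `/* generation number, not a refcount: wrap-around is harmless */` above the declaration. The same applies to `fsnotify_sync_cookie` in fs/notify/notification.c and to the `ocfs2_alloc_stats` fields in fs/ocfs2/ocfs2.h further down.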
46729 diff -urNp linux-2.6.32.46/fs/nfsd/lockd.c linux-2.6.32.46/fs/nfsd/lockd.c
46730 --- linux-2.6.32.46/fs/nfsd/lockd.c 2011-04-17 17:00:52.000000000 -0400
46731 +++ linux-2.6.32.46/fs/nfsd/lockd.c 2011-04-17 17:03:15.000000000 -0400
46732 @@ -66,7 +66,7 @@ nlm_fclose(struct file *filp)
46733 fput(filp);
46734 }
46735
46736 -static struct nlmsvc_binding nfsd_nlm_ops = {
46737 +static const struct nlmsvc_binding nfsd_nlm_ops = {
46738 .fopen = nlm_fopen, /* open file for locking */
46739 .fclose = nlm_fclose, /* close file */
46740 };
46741 diff -urNp linux-2.6.32.46/fs/nfsd/nfs4state.c linux-2.6.32.46/fs/nfsd/nfs4state.c
46742 --- linux-2.6.32.46/fs/nfsd/nfs4state.c 2011-03-27 14:31:47.000000000 -0400
46743 +++ linux-2.6.32.46/fs/nfsd/nfs4state.c 2011-05-16 21:46:57.000000000 -0400
46744 @@ -3457,6 +3457,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
46745 unsigned int cmd;
46746 int err;
46747
46748 + pax_track_stack();
46749 +
46750 dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
46751 (long long) lock->lk_offset,
46752 (long long) lock->lk_length);
46753 diff -urNp linux-2.6.32.46/fs/nfsd/nfs4xdr.c linux-2.6.32.46/fs/nfsd/nfs4xdr.c
46754 --- linux-2.6.32.46/fs/nfsd/nfs4xdr.c 2011-03-27 14:31:47.000000000 -0400
46755 +++ linux-2.6.32.46/fs/nfsd/nfs4xdr.c 2011-05-16 21:46:57.000000000 -0400
46756 @@ -1751,6 +1751,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
46757 struct nfsd4_compoundres *resp = rqstp->rq_resp;
46758 u32 minorversion = resp->cstate.minorversion;
46759
46760 + pax_track_stack();
46761 +
46762 BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
46763 BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
46764 BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
46765 diff -urNp linux-2.6.32.46/fs/nfsd/vfs.c linux-2.6.32.46/fs/nfsd/vfs.c
46766 --- linux-2.6.32.46/fs/nfsd/vfs.c 2011-05-10 22:12:01.000000000 -0400
46767 +++ linux-2.6.32.46/fs/nfsd/vfs.c 2011-05-10 22:12:33.000000000 -0400
46768 @@ -937,7 +937,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
46769 } else {
46770 oldfs = get_fs();
46771 set_fs(KERNEL_DS);
46772 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
46773 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
46774 set_fs(oldfs);
46775 }
46776
46777 @@ -1060,7 +1060,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
46778
46779 /* Write the data. */
46780 oldfs = get_fs(); set_fs(KERNEL_DS);
46781 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
46782 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
46783 set_fs(oldfs);
46784 if (host_err < 0)
46785 goto out_nfserr;
46786 @@ -1542,7 +1542,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
46787 */
46788
46789 oldfs = get_fs(); set_fs(KERNEL_DS);
46790 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
46791 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
46792 set_fs(oldfs);
46793
46794 if (host_err < 0)
46795 diff -urNp linux-2.6.32.46/fs/nilfs2/ioctl.c linux-2.6.32.46/fs/nilfs2/ioctl.c
46796 --- linux-2.6.32.46/fs/nilfs2/ioctl.c 2011-03-27 14:31:47.000000000 -0400
46797 +++ linux-2.6.32.46/fs/nilfs2/ioctl.c 2011-05-04 17:56:28.000000000 -0400
46798 @@ -480,7 +480,7 @@ static int nilfs_ioctl_clean_segments(st
46799 unsigned int cmd, void __user *argp)
46800 {
46801 struct nilfs_argv argv[5];
46802 - const static size_t argsz[5] = {
46803 + static const size_t argsz[5] = {
46804 sizeof(struct nilfs_vdesc),
46805 sizeof(struct nilfs_period),
46806 sizeof(__u64),
46807 diff -urNp linux-2.6.32.46/fs/notify/dnotify/dnotify.c linux-2.6.32.46/fs/notify/dnotify/dnotify.c
46808 --- linux-2.6.32.46/fs/notify/dnotify/dnotify.c 2011-03-27 14:31:47.000000000 -0400
46809 +++ linux-2.6.32.46/fs/notify/dnotify/dnotify.c 2011-04-17 15:56:46.000000000 -0400
46810 @@ -173,7 +173,7 @@ static void dnotify_free_mark(struct fsn
46811 kmem_cache_free(dnotify_mark_entry_cache, dnentry);
46812 }
46813
46814 -static struct fsnotify_ops dnotify_fsnotify_ops = {
46815 +static const struct fsnotify_ops dnotify_fsnotify_ops = {
46816 .handle_event = dnotify_handle_event,
46817 .should_send_event = dnotify_should_send_event,
46818 .free_group_priv = NULL,
46819 diff -urNp linux-2.6.32.46/fs/notify/notification.c linux-2.6.32.46/fs/notify/notification.c
46820 --- linux-2.6.32.46/fs/notify/notification.c 2011-03-27 14:31:47.000000000 -0400
46821 +++ linux-2.6.32.46/fs/notify/notification.c 2011-05-04 17:56:28.000000000 -0400
46822 @@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
46823 * get set to 0 so it will never get 'freed'
46824 */
46825 static struct fsnotify_event q_overflow_event;
46826 -static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
46827 +static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
46828
46829 /**
46830 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
46831 @@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
46832 */
46833 u32 fsnotify_get_cookie(void)
46834 {
46835 - return atomic_inc_return(&fsnotify_sync_cookie);
46836 + return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
46837 }
46838 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
46839
46840 diff -urNp linux-2.6.32.46/fs/ntfs/dir.c linux-2.6.32.46/fs/ntfs/dir.c
46841 --- linux-2.6.32.46/fs/ntfs/dir.c 2011-03-27 14:31:47.000000000 -0400
46842 +++ linux-2.6.32.46/fs/ntfs/dir.c 2011-04-17 15:56:46.000000000 -0400
46843 @@ -1328,7 +1328,7 @@ find_next_index_buffer:
46844 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
46845 ~(s64)(ndir->itype.index.block_size - 1)));
46846 /* Bounds checks. */
46847 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
46848 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
46849 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
46850 "inode 0x%lx or driver bug.", vdir->i_ino);
46851 goto err_out;
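Review bot: The added `!kaddr` test runs only after `ia` has already been computed from `kaddr` two lines above. A NULL mapping is then reported as "Out of bounds check failed. Corrupt directory ...", which points the reader at the on-disk data rather than at the mapping. Testing the pointer where it is assigned (outside this hunk), with its own `ntfs_error()` text, would keep the two failure causes apart and avoid the arithmetic on a NULL base.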
46852 diff -urNp linux-2.6.32.46/fs/ntfs/file.c linux-2.6.32.46/fs/ntfs/file.c
46853 --- linux-2.6.32.46/fs/ntfs/file.c 2011-03-27 14:31:47.000000000 -0400
46854 +++ linux-2.6.32.46/fs/ntfs/file.c 2011-04-17 15:56:46.000000000 -0400
46855 @@ -2243,6 +2243,6 @@ const struct inode_operations ntfs_file_
46856 #endif /* NTFS_RW */
46857 };
46858
46859 -const struct file_operations ntfs_empty_file_ops = {};
46860 +const struct file_operations ntfs_empty_file_ops __read_only;
46861
46862 -const struct inode_operations ntfs_empty_inode_ops = {};
46863 +const struct inode_operations ntfs_empty_inode_ops __read_only;
46864 diff -urNp linux-2.6.32.46/fs/ocfs2/cluster/masklog.c linux-2.6.32.46/fs/ocfs2/cluster/masklog.c
46865 --- linux-2.6.32.46/fs/ocfs2/cluster/masklog.c 2011-03-27 14:31:47.000000000 -0400
46866 +++ linux-2.6.32.46/fs/ocfs2/cluster/masklog.c 2011-04-17 15:56:46.000000000 -0400
46867 @@ -135,7 +135,7 @@ static ssize_t mlog_store(struct kobject
46868 return mlog_mask_store(mlog_attr->mask, buf, count);
46869 }
46870
46871 -static struct sysfs_ops mlog_attr_ops = {
46872 +static const struct sysfs_ops mlog_attr_ops = {
46873 .show = mlog_show,
46874 .store = mlog_store,
46875 };
46876 diff -urNp linux-2.6.32.46/fs/ocfs2/localalloc.c linux-2.6.32.46/fs/ocfs2/localalloc.c
46877 --- linux-2.6.32.46/fs/ocfs2/localalloc.c 2011-03-27 14:31:47.000000000 -0400
46878 +++ linux-2.6.32.46/fs/ocfs2/localalloc.c 2011-04-17 15:56:46.000000000 -0400
46879 @@ -1188,7 +1188,7 @@ static int ocfs2_local_alloc_slide_windo
46880 goto bail;
46881 }
46882
46883 - atomic_inc(&osb->alloc_stats.moves);
46884 + atomic_inc_unchecked(&osb->alloc_stats.moves);
46885
46886 status = 0;
46887 bail:
46888 diff -urNp linux-2.6.32.46/fs/ocfs2/namei.c linux-2.6.32.46/fs/ocfs2/namei.c
46889 --- linux-2.6.32.46/fs/ocfs2/namei.c 2011-03-27 14:31:47.000000000 -0400
46890 +++ linux-2.6.32.46/fs/ocfs2/namei.c 2011-05-16 21:46:57.000000000 -0400
46891 @@ -1043,6 +1043,8 @@ static int ocfs2_rename(struct inode *ol
46892 struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
46893 struct ocfs2_dir_lookup_result target_insert = { NULL, };
46894
46895 + pax_track_stack();
46896 +
46897 /* At some point it might be nice to break this function up a
46898 * bit. */
46899
46900 diff -urNp linux-2.6.32.46/fs/ocfs2/ocfs2.h linux-2.6.32.46/fs/ocfs2/ocfs2.h
46901 --- linux-2.6.32.46/fs/ocfs2/ocfs2.h 2011-03-27 14:31:47.000000000 -0400
46902 +++ linux-2.6.32.46/fs/ocfs2/ocfs2.h 2011-04-17 15:56:46.000000000 -0400
46903 @@ -217,11 +217,11 @@ enum ocfs2_vol_state
46904
46905 struct ocfs2_alloc_stats
46906 {
46907 - atomic_t moves;
46908 - atomic_t local_data;
46909 - atomic_t bitmap_data;
46910 - atomic_t bg_allocs;
46911 - atomic_t bg_extends;
46912 + atomic_unchecked_t moves;
46913 + atomic_unchecked_t local_data;
46914 + atomic_unchecked_t bitmap_data;
46915 + atomic_unchecked_t bg_allocs;
46916 + atomic_unchecked_t bg_extends;
46917 };
46918
46919 enum ocfs2_local_alloc_state
46920 diff -urNp linux-2.6.32.46/fs/ocfs2/suballoc.c linux-2.6.32.46/fs/ocfs2/suballoc.c
46921 --- linux-2.6.32.46/fs/ocfs2/suballoc.c 2011-03-27 14:31:47.000000000 -0400
46922 +++ linux-2.6.32.46/fs/ocfs2/suballoc.c 2011-04-17 15:56:46.000000000 -0400
46923 @@ -623,7 +623,7 @@ static int ocfs2_reserve_suballoc_bits(s
46924 mlog_errno(status);
46925 goto bail;
46926 }
46927 - atomic_inc(&osb->alloc_stats.bg_extends);
46928 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
46929
46930 /* You should never ask for this much metadata */
46931 BUG_ON(bits_wanted >
46932 @@ -1654,7 +1654,7 @@ int ocfs2_claim_metadata(struct ocfs2_su
46933 mlog_errno(status);
46934 goto bail;
46935 }
46936 - atomic_inc(&osb->alloc_stats.bg_allocs);
46937 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
46938
46939 *blkno_start = bg_blkno + (u64) *suballoc_bit_start;
46940 ac->ac_bits_given += (*num_bits);
46941 @@ -1728,7 +1728,7 @@ int ocfs2_claim_new_inode(struct ocfs2_s
46942 mlog_errno(status);
46943 goto bail;
46944 }
46945 - atomic_inc(&osb->alloc_stats.bg_allocs);
46946 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
46947
46948 BUG_ON(num_bits != 1);
46949
46950 @@ -1830,7 +1830,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
46951 cluster_start,
46952 num_clusters);
46953 if (!status)
46954 - atomic_inc(&osb->alloc_stats.local_data);
46955 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
46956 } else {
46957 if (min_clusters > (osb->bitmap_cpg - 1)) {
46958 /* The only paths asking for contiguousness
46959 @@ -1858,7 +1858,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
46960 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
46961 bg_blkno,
46962 bg_bit_off);
46963 - atomic_inc(&osb->alloc_stats.bitmap_data);
46964 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
46965 }
46966 }
46967 if (status < 0) {
46968 diff -urNp linux-2.6.32.46/fs/ocfs2/super.c linux-2.6.32.46/fs/ocfs2/super.c
46969 --- linux-2.6.32.46/fs/ocfs2/super.c 2011-03-27 14:31:47.000000000 -0400
46970 +++ linux-2.6.32.46/fs/ocfs2/super.c 2011-04-17 15:56:46.000000000 -0400
46971 @@ -284,11 +284,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
46972 "%10s => GlobalAllocs: %d LocalAllocs: %d "
46973 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
46974 "Stats",
46975 - atomic_read(&osb->alloc_stats.bitmap_data),
46976 - atomic_read(&osb->alloc_stats.local_data),
46977 - atomic_read(&osb->alloc_stats.bg_allocs),
46978 - atomic_read(&osb->alloc_stats.moves),
46979 - atomic_read(&osb->alloc_stats.bg_extends));
46980 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
46981 + atomic_read_unchecked(&osb->alloc_stats.local_data),
46982 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
46983 + atomic_read_unchecked(&osb->alloc_stats.moves),
46984 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
46985
46986 out += snprintf(buf + out, len - out,
46987 "%10s => State: %u Descriptor: %llu Size: %u bits "
46988 @@ -2002,11 +2002,11 @@ static int ocfs2_initialize_super(struct
46989 spin_lock_init(&osb->osb_xattr_lock);
46990 ocfs2_init_inode_steal_slot(osb);
46991
46992 - atomic_set(&osb->alloc_stats.moves, 0);
46993 - atomic_set(&osb->alloc_stats.local_data, 0);
46994 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
46995 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
46996 - atomic_set(&osb->alloc_stats.bg_extends, 0);
46997 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
46998 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
46999 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
47000 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
47001 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
47002
47003 /* Copy the blockcheck stats from the superblock probe */
47004 osb->osb_ecc_stats = *stats;
47005 diff -urNp linux-2.6.32.46/fs/open.c linux-2.6.32.46/fs/open.c
47006 --- linux-2.6.32.46/fs/open.c 2011-03-27 14:31:47.000000000 -0400
47007 +++ linux-2.6.32.46/fs/open.c 2011-04-17 15:56:46.000000000 -0400
47008 @@ -275,6 +275,10 @@ static long do_sys_truncate(const char _
47009 error = locks_verify_truncate(inode, NULL, length);
47010 if (!error)
47011 error = security_path_truncate(&path, length, 0);
47012 +
47013 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
47014 + error = -EACCES;
47015 +
47016 if (!error) {
47017 vfs_dq_init(inode);
47018 error = do_truncate(path.dentry, length, 0, NULL);
47019 @@ -511,6 +515,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
47020 if (__mnt_is_readonly(path.mnt))
47021 res = -EROFS;
47022
47023 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
47024 + res = -EACCES;
47025 +
47026 out_path_release:
47027 path_put(&path);
47028 out:
47029 @@ -537,6 +544,8 @@ SYSCALL_DEFINE1(chdir, const char __user
47030 if (error)
47031 goto dput_and_out;
47032
47033 + gr_log_chdir(path.dentry, path.mnt);
47034 +
47035 set_fs_pwd(current->fs, &path);
47036
47037 dput_and_out:
47038 @@ -563,6 +572,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
47039 goto out_putf;
47040
47041 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
47042 +
47043 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
47044 + error = -EPERM;
47045 +
47046 + if (!error)
47047 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
47048 +
47049 if (!error)
47050 set_fs_pwd(current->fs, &file->f_path);
47051 out_putf:
47052 @@ -588,7 +604,18 @@ SYSCALL_DEFINE1(chroot, const char __use
47053 if (!capable(CAP_SYS_CHROOT))
47054 goto dput_and_out;
47055
47056 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
47057 + goto dput_and_out;
47058 +
47059 + if (gr_handle_chroot_caps(&path)) {
47060 + error = -ENOMEM;
47061 + goto dput_and_out;
47062 + }
47063 +
47064 set_fs_root(current->fs, &path);
47065 +
47066 + gr_handle_chroot_chdir(&path);
47067 +
47068 error = 0;
47069 dput_and_out:
47070 path_put(&path);
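Review bot: The `gr_handle_chroot_chroot()` failure path jumps to `dput_and_out` without assigning `error`, so the value returned depends on an assignment made before this hunk (not visible here). The `gr_handle_chroot_caps()` path right below sets `-ENOMEM` explicitly. Assuming `-EPERM` is the intended result, setting it at the branch with `error = -EPERM;` inside a braced body before the `goto` would make the denial errno independent of the surrounding code. The return value of `gr_handle_chroot_chdir(&path)`, if it has one, is also ignored after `set_fs_root()`; a comment saying that this step cannot fail or is best-effort would help.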
47071 @@ -616,12 +643,27 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
47072 err = mnt_want_write_file(file);
47073 if (err)
47074 goto out_putf;
47075 +
47076 mutex_lock(&inode->i_mutex);
47077 +
47078 + if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
47079 + err = -EACCES;
47080 + goto out_unlock;
47081 + }
47082 +
47083 if (mode == (mode_t) -1)
47084 mode = inode->i_mode;
47085 +
47086 + if (gr_handle_chroot_chmod(dentry, file->f_path.mnt, mode)) {
47087 + err = -EPERM;
47088 + goto out_unlock;
47089 + }
47090 +
47091 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
47092 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
47093 err = notify_change(dentry, &newattrs);
47094 +
47095 +out_unlock:
47096 mutex_unlock(&inode->i_mutex);
47097 mnt_drop_write(file->f_path.mnt);
47098 out_putf:
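Review bot: A `gr_handle_chroot_chmod()` denial returns `-EPERM` here in fchmod but `-EACCES` in the fchmodat hunk that follows, so the same policy decision surfaces as two different errnos depending on which syscall was used. The other chroot checks on this page (fchdir in this file, pivot_root and do_mount in the preceding section) use `-EPERM`, so using `error = -EPERM;` in fchmodat as well would be consistent. Also, `gr_acl_handle_fchmod()` is given `mode` before the `(mode_t) -1` substitution while `gr_handle_chroot_chmod()` sees it afterwards; a one-line comment stating that this ordering is intended would help.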
47099 @@ -645,12 +687,27 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
47100 error = mnt_want_write(path.mnt);
47101 if (error)
47102 goto dput_and_out;
47103 +
47104 mutex_lock(&inode->i_mutex);
47105 +
47106 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
47107 + error = -EACCES;
47108 + goto out_unlock;
47109 + }
47110 +
47111 if (mode == (mode_t) -1)
47112 mode = inode->i_mode;
47113 +
47114 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
47115 + error = -EACCES;
47116 + goto out_unlock;
47117 + }
47118 +
47119 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
47120 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
47121 error = notify_change(path.dentry, &newattrs);
47122 +
47123 +out_unlock:
47124 mutex_unlock(&inode->i_mutex);
47125 mnt_drop_write(path.mnt);
47126 dput_and_out:
47127 @@ -664,12 +721,15 @@ SYSCALL_DEFINE2(chmod, const char __user
47128 return sys_fchmodat(AT_FDCWD, filename, mode);
47129 }
47130
47131 -static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
47132 +static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
47133 {
47134 struct inode *inode = dentry->d_inode;
47135 int error;
47136 struct iattr newattrs;
47137
47138 + if (!gr_acl_handle_chown(dentry, mnt))
47139 + return -EACCES;
47140 +
47141 newattrs.ia_valid = ATTR_CTIME;
47142 if (user != (uid_t) -1) {
47143 newattrs.ia_valid |= ATTR_UID;
47144 @@ -700,7 +760,7 @@ SYSCALL_DEFINE3(chown, const char __user
47145 error = mnt_want_write(path.mnt);
47146 if (error)
47147 goto out_release;
47148 - error = chown_common(path.dentry, user, group);
47149 + error = chown_common(path.dentry, user, group, path.mnt);
47150 mnt_drop_write(path.mnt);
47151 out_release:
47152 path_put(&path);
47153 @@ -725,7 +785,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons
47154 error = mnt_want_write(path.mnt);
47155 if (error)
47156 goto out_release;
47157 - error = chown_common(path.dentry, user, group);
47158 + error = chown_common(path.dentry, user, group, path.mnt);
47159 mnt_drop_write(path.mnt);
47160 out_release:
47161 path_put(&path);
47162 @@ -744,7 +804,7 @@ SYSCALL_DEFINE3(lchown, const char __use
47163 error = mnt_want_write(path.mnt);
47164 if (error)
47165 goto out_release;
47166 - error = chown_common(path.dentry, user, group);
47167 + error = chown_common(path.dentry, user, group, path.mnt);
47168 mnt_drop_write(path.mnt);
47169 out_release:
47170 path_put(&path);
47171 @@ -767,7 +827,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd
47172 goto out_fput;
47173 dentry = file->f_path.dentry;
47174 audit_inode(NULL, dentry);
47175 - error = chown_common(dentry, user, group);
47176 + error = chown_common(dentry, user, group, file->f_path.mnt);
47177 mnt_drop_write(file->f_path.mnt);
47178 out_fput:
47179 fput(file);
47180 @@ -1036,7 +1096,10 @@ long do_sys_open(int dfd, const char __u
47181 if (!IS_ERR(tmp)) {
47182 fd = get_unused_fd_flags(flags);
47183 if (fd >= 0) {
47184 - struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
47185 + struct file *f;
47186 + /* don't allow to be set by userland */
47187 + flags &= ~FMODE_GREXEC;
47188 + f = do_filp_open(dfd, tmp, flags, mode, 0);
47189 if (IS_ERR(f)) {
47190 put_unused_fd(fd);
47191 fd = PTR_ERR(f);
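Review bot: `flags &= ~FMODE_GREXEC;` is applied only inside the `fd >= 0` branch, after `get_unused_fd_flags(flags)` has already been called with the caller-supplied value. Clearing the bit once at the top of do_sys_open (its start is outside this hunk) would guarantee that no consumer in the function sees a user-set internal flag. It would also avoid splitting the declaration of `f` from its initialiser. The comment could be more explicit, e.g. `/* FMODE_GREXEC is set by the kernel only; strip it from userland-supplied flags */`.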
47192 diff -urNp linux-2.6.32.46/fs/partitions/ldm.c linux-2.6.32.46/fs/partitions/ldm.c
47193 --- linux-2.6.32.46/fs/partitions/ldm.c 2011-06-25 12:55:34.000000000 -0400
47194 +++ linux-2.6.32.46/fs/partitions/ldm.c 2011-06-25 12:56:37.000000000 -0400
47195 @@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
47196 ldm_error ("A VBLK claims to have %d parts.", num);
47197 return false;
47198 }
47199 +
47200 if (rec >= num) {
47201 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
47202 return false;
47203 @@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
47204 goto found;
47205 }
47206
47207 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
47208 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
47209 if (!f) {
47210 ldm_crit ("Out of memory.");
47211 return false;
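Review bot: Swapping the operands to `size*num + sizeof (*f)` does not change the value passed to kmalloc(), so if the intent is to guard the allocation size, the multiplication still needs an explicit bound. `num` appears to be range-checked earlier in ldm_frag_add (the "claims to have %d parts" branch in the previous hunk), but no limit on `size` is visible here. A check before the allocation, something like `if (size < 0 || size > (INT_MAX - (int)sizeof(*f)) / num) return false;`, or a comment stating where `size` is bounded, would make that explicit.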
47212 diff -urNp linux-2.6.32.46/fs/partitions/mac.c linux-2.6.32.46/fs/partitions/mac.c
47213 --- linux-2.6.32.46/fs/partitions/mac.c 2011-03-27 14:31:47.000000000 -0400
47214 +++ linux-2.6.32.46/fs/partitions/mac.c 2011-04-17 15:56:46.000000000 -0400
47215 @@ -59,11 +59,11 @@ int mac_partition(struct parsed_partitio
47216 return 0; /* not a MacOS disk */
47217 }
47218 blocks_in_map = be32_to_cpu(part->map_count);
47219 + printk(" [mac]");
47220 if (blocks_in_map < 0 || blocks_in_map >= DISK_MAX_PARTS) {
47221 put_dev_sector(sect);
47222 return 0;
47223 }
47224 - printk(" [mac]");
47225 for (slot = 1; slot <= blocks_in_map; ++slot) {
47226 int pos = slot * secsize;
47227 put_dev_sector(sect);
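Review bot: With `printk(" [mac]");` moved above the `map_count` range check, a table that is then rejected (`return 0`) still leaves " [mac]" in the kernel log. That reads as if the disk had been accepted as a Mac partition map. If the aim is to record that the Mac signature was seen even when the map is refused, a comment saying so, or a distinct message on the rejection branch, would avoid that ambiguity for anyone reading boot logs.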
47228 diff -urNp linux-2.6.32.46/fs/pipe.c linux-2.6.32.46/fs/pipe.c
47229 --- linux-2.6.32.46/fs/pipe.c 2011-03-27 14:31:47.000000000 -0400
47230 +++ linux-2.6.32.46/fs/pipe.c 2011-04-23 13:37:17.000000000 -0400
47231 @@ -401,9 +401,9 @@ redo:
47232 }
47233 if (bufs) /* More to do? */
47234 continue;
47235 - if (!pipe->writers)
47236 + if (!atomic_read(&pipe->writers))
47237 break;
47238 - if (!pipe->waiting_writers) {
47239 + if (!atomic_read(&pipe->waiting_writers)) {
47240 /* syscall merging: Usually we must not sleep
47241 * if O_NONBLOCK is set, or if we got some data.
47242 * But if a writer sleeps in kernel space, then
47243 @@ -462,7 +462,7 @@ pipe_write(struct kiocb *iocb, const str
47244 mutex_lock(&inode->i_mutex);
47245 pipe = inode->i_pipe;
47246
47247 - if (!pipe->readers) {
47248 + if (!atomic_read(&pipe->readers)) {
47249 send_sig(SIGPIPE, current, 0);
47250 ret = -EPIPE;
47251 goto out;
47252 @@ -511,7 +511,7 @@ redo1:
47253 for (;;) {
47254 int bufs;
47255
47256 - if (!pipe->readers) {
47257 + if (!atomic_read(&pipe->readers)) {
47258 send_sig(SIGPIPE, current, 0);
47259 if (!ret)
47260 ret = -EPIPE;
47261 @@ -597,9 +597,9 @@ redo2:
47262 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
47263 do_wakeup = 0;
47264 }
47265 - pipe->waiting_writers++;
47266 + atomic_inc(&pipe->waiting_writers);
47267 pipe_wait(pipe);
47268 - pipe->waiting_writers--;
47269 + atomic_dec(&pipe->waiting_writers);
47270 }
47271 out:
47272 mutex_unlock(&inode->i_mutex);
47273 @@ -666,7 +666,7 @@ pipe_poll(struct file *filp, poll_table
47274 mask = 0;
47275 if (filp->f_mode & FMODE_READ) {
47276 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
47277 - if (!pipe->writers && filp->f_version != pipe->w_counter)
47278 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
47279 mask |= POLLHUP;
47280 }
47281
47282 @@ -676,7 +676,7 @@ pipe_poll(struct file *filp, poll_table
47283 * Most Unices do not set POLLERR for FIFOs but on Linux they
47284 * behave exactly like pipes for poll().
47285 */
47286 - if (!pipe->readers)
47287 + if (!atomic_read(&pipe->readers))
47288 mask |= POLLERR;
47289 }
47290
47291 @@ -690,10 +690,10 @@ pipe_release(struct inode *inode, int de
47292
47293 mutex_lock(&inode->i_mutex);
47294 pipe = inode->i_pipe;
47295 - pipe->readers -= decr;
47296 - pipe->writers -= decw;
47297 + atomic_sub(decr, &pipe->readers);
47298 + atomic_sub(decw, &pipe->writers);
47299
47300 - if (!pipe->readers && !pipe->writers) {
47301 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
47302 free_pipe_info(inode);
47303 } else {
47304 wake_up_interruptible_sync(&pipe->wait);
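Review bot: `atomic_sub()` followed by a separate `atomic_read()` is not one atomic step, so the decision to call free_pipe_info() still depends on `inode->i_mutex`, taken at the top of this hunk. A short comment such as `/* counters are atomic_t, but i_mutex still serialises the update and the free decision */` would stop a later reader from treating the counters as lock-free. The same holds for the `atomic_inc()` calls in the pipe_read_open, pipe_write_open and pipe_rdwr_open hunks below, which also run under `i_mutex`.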
47305 @@ -783,7 +783,7 @@ pipe_read_open(struct inode *inode, stru
47306
47307 if (inode->i_pipe) {
47308 ret = 0;
47309 - inode->i_pipe->readers++;
47310 + atomic_inc(&inode->i_pipe->readers);
47311 }
47312
47313 mutex_unlock(&inode->i_mutex);
47314 @@ -800,7 +800,7 @@ pipe_write_open(struct inode *inode, str
47315
47316 if (inode->i_pipe) {
47317 ret = 0;
47318 - inode->i_pipe->writers++;
47319 + atomic_inc(&inode->i_pipe->writers);
47320 }
47321
47322 mutex_unlock(&inode->i_mutex);
47323 @@ -818,9 +818,9 @@ pipe_rdwr_open(struct inode *inode, stru
47324 if (inode->i_pipe) {
47325 ret = 0;
47326 if (filp->f_mode & FMODE_READ)
47327 - inode->i_pipe->readers++;
47328 + atomic_inc(&inode->i_pipe->readers);
47329 if (filp->f_mode & FMODE_WRITE)
47330 - inode->i_pipe->writers++;
47331 + atomic_inc(&inode->i_pipe->writers);
47332 }
47333
47334 mutex_unlock(&inode->i_mutex);
47335 @@ -905,7 +905,7 @@ void free_pipe_info(struct inode *inode)
47336 inode->i_pipe = NULL;
47337 }
47338
47339 -static struct vfsmount *pipe_mnt __read_mostly;
47340 +struct vfsmount *pipe_mnt __read_mostly;
47341 static int pipefs_delete_dentry(struct dentry *dentry)
47342 {
47343 /*
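Review bot: Dropping `static` from `pipe_mnt` gives the variable external linkage, but neither a declaration in a header nor a user outside fs/pipe.c is visible in this section. A comment at the definition naming the consumer would document the wider exposure. An `extern struct vfsmount *pipe_mnt;` in a shared header, rather than ad-hoc declarations at the use sites, would keep it type-checked.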
47344 @@ -945,7 +945,8 @@ static struct inode * get_pipe_inode(voi
47345 goto fail_iput;
47346 inode->i_pipe = pipe;
47347
47348 - pipe->readers = pipe->writers = 1;
47349 + atomic_set(&pipe->readers, 1);
47350 + atomic_set(&pipe->writers, 1);
47351 inode->i_fop = &rdwr_pipefifo_fops;
47352
47353 /*
47354 diff -urNp linux-2.6.32.46/fs/proc/array.c linux-2.6.32.46/fs/proc/array.c
47355 --- linux-2.6.32.46/fs/proc/array.c 2011-03-27 14:31:47.000000000 -0400
47356 +++ linux-2.6.32.46/fs/proc/array.c 2011-05-16 21:46:57.000000000 -0400
47357 @@ -60,6 +60,7 @@
47358 #include <linux/tty.h>
47359 #include <linux/string.h>
47360 #include <linux/mman.h>
47361 +#include <linux/grsecurity.h>
47362 #include <linux/proc_fs.h>
47363 #include <linux/ioport.h>
47364 #include <linux/uaccess.h>
47365 @@ -321,6 +322,21 @@ static inline void task_context_switch_c
47366 p->nivcsw);
47367 }
47368
47369 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
47370 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
47371 +{
47372 + if (p->mm)
47373 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
47374 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
47375 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
47376 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
47377 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
47378 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
47379 + else
47380 + seq_printf(m, "PaX:\t-----\n");
47381 +}
47382 +#endif
47383 +
47384 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
47385 struct pid *pid, struct task_struct *task)
47386 {
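Review bot: task_pax() tests `p->mm` and then dereferences it five more times without taking a reference or `task_lock()`. If the task exits while its status file is being read, the pointer can be cleared or the mm released between the test and the reads. Taking the mm once with `get_task_mm()` and releasing it with `mmput()` closes that window. No locking by the caller is visible in this section, so this is worth confirming against proc_pid_status before merging.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	/* Pin the mm so it cannot go away while the flags are printed. */
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}

	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	mmput(mm);
}
```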
47387 @@ -337,9 +353,24 @@ int proc_pid_status(struct seq_file *m,
47388 task_cap(m, task);
47389 cpuset_task_status_allowed(m, task);
47390 task_context_switch_counts(m, task);
47391 +
47392 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
47393 + task_pax(m, task);
47394 +#endif
47395 +
47396 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
47397 + task_grsec_rbac(m, task);
47398 +#endif
47399 +
47400 return 0;
47401 }
47402
47403 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
47404 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
47405 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
47406 + _mm->pax_flags & MF_PAX_SEGMEXEC))
47407 +#endif
47408 +
47409 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
47410 struct pid *pid, struct task_struct *task, int whole)
47411 {
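Review bot: `PAX_RAND_FLAGS` expands its argument four times without parentheses and is defined a second time, identically, in the fs/proc/base.c section further down. A single `static inline` helper in a shared header would remove the duplicate and the macro-argument hazards. If it stays a macro, write `(_mm)` at each use and fold the two flag tests into `(_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)`.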
47412 @@ -358,9 +389,11 @@ static int do_task_stat(struct seq_file
47413 cputime_t cutime, cstime, utime, stime;
47414 cputime_t cgtime, gtime;
47415 unsigned long rsslim = 0;
47416 - char tcomm[sizeof(task->comm)];
47417 + char tcomm[sizeof(task->comm)] = { 0 };
47418 unsigned long flags;
47419
47420 + pax_track_stack();
47421 +
47422 state = *get_task_state(task);
47423 vsize = eip = esp = 0;
47424 permitted = ptrace_may_access(task, PTRACE_MODE_READ);
47425 @@ -433,6 +466,19 @@ static int do_task_stat(struct seq_file
47426 gtime = task_gtime(task);
47427 }
47428
47429 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
47430 + if (PAX_RAND_FLAGS(mm)) {
47431 + eip = 0;
47432 + esp = 0;
47433 + wchan = 0;
47434 + }
47435 +#endif
47436 +#ifdef CONFIG_GRKERNSEC_HIDESYM
47437 + wchan = 0;
47438 + eip =0;
47439 + esp =0;
47440 +#endif
47441 +
47442 /* scale priority and nice values from timeslices to -20..20 */
47443 /* to make it look like a "normal" Unix priority/nice value */
47444 priority = task_prio(task);
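Review bot: The `CONFIG_GRKERNSEC_HIDESYM` block zeroes `wchan`, `eip` and `esp` unconditionally, which makes the `PAX_RAND_FLAGS(mm)` block right above it redundant whenever both options are enabled. An `#if`/`#elif` pair, or a comment stating that the overlap is intended, would make the relationship clear. `eip =0;` and `esp =0;` also lack the space before `0` used in the preceding block.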
47445 @@ -473,9 +519,15 @@ static int do_task_stat(struct seq_file
47446 vsize,
47447 mm ? get_mm_rss(mm) : 0,
47448 rsslim,
47449 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
47450 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
47451 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
47452 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
47453 +#else
47454 mm ? (permitted ? mm->start_code : 1) : 0,
47455 mm ? (permitted ? mm->end_code : 1) : 0,
47456 (permitted && mm) ? mm->start_stack : 0,
47457 +#endif
47458 esp,
47459 eip,
47460 /* The signal information here is obsolete.
47461 @@ -528,3 +580,18 @@ int proc_pid_statm(struct seq_file *m, s
47462
47463 return 0;
47464 }
47465 +
47466 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
47467 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
47468 +{
47469 + u32 curr_ip = 0;
47470 + unsigned long flags;
47471 +
47472 + if (lock_task_sighand(task, &flags)) {
47473 + curr_ip = task->signal->curr_ip;
47474 + unlock_task_sighand(task, &flags);
47475 + }
47476 +
47477 + return sprintf(buffer, "%pI4\n", &curr_ip);
47478 +}
47479 +#endif
47480 diff -urNp linux-2.6.32.46/fs/proc/base.c linux-2.6.32.46/fs/proc/base.c
47481 --- linux-2.6.32.46/fs/proc/base.c 2011-08-09 18:35:30.000000000 -0400
47482 +++ linux-2.6.32.46/fs/proc/base.c 2011-08-09 18:34:33.000000000 -0400
47483 @@ -102,6 +102,22 @@ struct pid_entry {
47484 union proc_op op;
47485 };
47486
47487 +struct getdents_callback {
47488 + struct linux_dirent __user * current_dir;
47489 + struct linux_dirent __user * previous;
47490 + struct file * file;
47491 + int count;
47492 + int error;
47493 +};
47494 +
47495 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
47496 + loff_t offset, u64 ino, unsigned int d_type)
47497 +{
47498 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
47499 + buf->error = -EINVAL;
47500 + return 0;
47501 +}
47502 +
47503 #define NOD(NAME, MODE, IOP, FOP, OP) { \
47504 .name = (NAME), \
47505 .len = sizeof(NAME) - 1, \
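Review bot: `gr_fake_filldir` casts the opaque `__buf` to a private copy of `struct getdents_callback` and stores to `buf->error`, but the buffer belongs to whichever caller started the readdir, not to this file. The fs/readdir.c section of this patch shows other buffer types, including `struct readdir_callback` (three members, no `error`) and `struct getdents_callback64`. On the old_readdir path the store would therefore presumably land outside the caller's struct. Since the callback only has to skip the entry, a body of just `return 0;` that leaves `__buf` untouched avoids any dependence on the layout. If the error store is really wanted, this duplicated struct also has to follow every layout change in fs/readdir.c by hand, and a comment should say so.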
47506 @@ -213,6 +229,9 @@ static int check_mem_permission(struct t
47507 if (task == current)
47508 return 0;
47509
47510 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
47511 + return -EPERM;
47512 +
47513 /*
47514 * If current is actively ptrace'ing, and would also be
47515 * permitted to freshly attach with ptrace now, permit it.
47516 @@ -260,6 +279,9 @@ static int proc_pid_cmdline(struct task_
47517 if (!mm->arg_end)
47518 goto out_mm; /* Shh! No looking before we're done */
47519
47520 + if (gr_acl_handle_procpidmem(task))
47521 + goto out_mm;
47522 +
47523 len = mm->arg_end - mm->arg_start;
47524
47525 if (len > PAGE_SIZE)
47526 @@ -287,12 +309,28 @@ out:
47527 return res;
47528 }
47529
47530 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
47531 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
47532 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
47533 + _mm->pax_flags & MF_PAX_SEGMEXEC))
47534 +#endif
47535 +
47536 static int proc_pid_auxv(struct task_struct *task, char *buffer)
47537 {
47538 int res = 0;
47539 struct mm_struct *mm = get_task_mm(task);
47540 if (mm) {
47541 unsigned int nwords = 0;
47542 +
47543 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
47544 + /* allow if we're currently ptracing this task */
47545 + if (PAX_RAND_FLAGS(mm) &&
47546 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
47547 + mmput(mm);
47548 + return res;
47549 + }
47550 +#endif
47551 +
47552 do {
47553 nwords += 2;
47554 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
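Review bot: The `PAX_RAND_FLAGS` macro added at the top of this hunk uses `_mm` unparenthesised and expands it up to four times, so an argument with side effects or a lower-precedence operator would misbehave. The identical definition is repeated in the fs/proc/task_mmu.c section of this patch, and the fs/proc/array.c hunks use the macro too (its definition there is not visible here). One definition in a shared header would keep the copies from drifting, written as `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. proc_pid_auxv continues outside the hunk.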
47555 @@ -306,7 +344,7 @@ static int proc_pid_auxv(struct task_str
47556 }
47557
47558
47559 -#ifdef CONFIG_KALLSYMS
47560 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
47561 /*
47562 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
47563 * Returns the resolved symbol. If that fails, simply return the address.
47564 @@ -328,7 +366,7 @@ static int proc_pid_wchan(struct task_st
47565 }
47566 #endif /* CONFIG_KALLSYMS */
47567
47568 -#ifdef CONFIG_STACKTRACE
47569 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
47570
47571 #define MAX_STACK_TRACE_DEPTH 64
47572
47573 @@ -522,7 +560,7 @@ static int proc_pid_limits(struct task_s
47574 return count;
47575 }
47576
47577 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
47578 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
47579 static int proc_pid_syscall(struct task_struct *task, char *buffer)
47580 {
47581 long nr;
47582 @@ -547,7 +585,7 @@ static int proc_pid_syscall(struct task_
47583 /************************************************************************/
47584
47585 /* permission checks */
47586 -static int proc_fd_access_allowed(struct inode *inode)
47587 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
47588 {
47589 struct task_struct *task;
47590 int allowed = 0;
47591 @@ -557,7 +595,10 @@ static int proc_fd_access_allowed(struct
47592 */
47593 task = get_proc_task(inode);
47594 if (task) {
47595 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
47596 + if (log)
47597 + allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
47598 + else
47599 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
47600 put_task_struct(task);
47601 }
47602 return allowed;
47603 @@ -936,6 +977,9 @@ static ssize_t environ_read(struct file
47604 if (!task)
47605 goto out_no_task;
47606
47607 + if (gr_acl_handle_procpidmem(task))
47608 + goto out;
47609 +
47610 if (!ptrace_may_access(task, PTRACE_MODE_READ))
47611 goto out;
47612
47613 @@ -1350,7 +1394,7 @@ static void *proc_pid_follow_link(struct
47614 path_put(&nd->path);
47615
47616 /* Are we allowed to snoop on the tasks file descriptors? */
47617 - if (!proc_fd_access_allowed(inode))
47618 + if (!proc_fd_access_allowed(inode,0))
47619 goto out;
47620
47621 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
47622 @@ -1390,8 +1434,18 @@ static int proc_pid_readlink(struct dent
47623 struct path path;
47624
47625 /* Are we allowed to snoop on the tasks file descriptors? */
47626 - if (!proc_fd_access_allowed(inode))
47627 - goto out;
47628 + /* logging this is needed for learning on chromium to work properly,
47629 + but we don't want to flood the logs from 'ps' which does a readlink
47630 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
47631 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
47632 + */
47633 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
47634 + if (!proc_fd_access_allowed(inode,0))
47635 + goto out;
47636 + } else {
47637 + if (!proc_fd_access_allowed(inode,1))
47638 + goto out;
47639 + }
47640
47641 error = PROC_I(inode)->op.proc_get_link(inode, &path);
47642 if (error)
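Review bot: The two branches of the new `if`/`else` differ only in the `log` argument, so the access check is now written twice and a later change to one copy can miss the other. Computing the flag first keeps a single check: `unsigned int log = !(dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0');` followed by `if (!proc_fd_access_allowed(inode, log)) goto out;`. The comment says "/proc/fd/2", which presumably means `/proc/<pid>/fd/2`. It should also state that denied reads of a link named "2" are deliberately left out of the log, since anyone reading the audit trail needs to know about that gap. proc_pid_readlink starts and ends outside the hunk.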
47643 @@ -1456,7 +1510,11 @@ static struct inode *proc_pid_make_inode
47644 rcu_read_lock();
47645 cred = __task_cred(task);
47646 inode->i_uid = cred->euid;
47647 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
47648 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
47649 +#else
47650 inode->i_gid = cred->egid;
47651 +#endif
47652 rcu_read_unlock();
47653 }
47654 security_task_to_inode(task, inode);
47655 @@ -1474,6 +1532,9 @@ static int pid_getattr(struct vfsmount *
47656 struct inode *inode = dentry->d_inode;
47657 struct task_struct *task;
47658 const struct cred *cred;
47659 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47660 + const struct cred *tmpcred = current_cred();
47661 +#endif
47662
47663 generic_fillattr(inode, stat);
47664
47665 @@ -1481,13 +1542,41 @@ static int pid_getattr(struct vfsmount *
47666 stat->uid = 0;
47667 stat->gid = 0;
47668 task = pid_task(proc_pid(inode), PIDTYPE_PID);
47669 +
47670 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
47671 + rcu_read_unlock();
47672 + return -ENOENT;
47673 + }
47674 +
47675 if (task) {
47676 + cred = __task_cred(task);
47677 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47678 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
47679 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
47680 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
47681 +#endif
47682 + ) {
47683 +#endif
47684 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
47685 +#ifdef CONFIG_GRKERNSEC_PROC_USER
47686 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
47687 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47688 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
47689 +#endif
47690 task_dumpable(task)) {
47691 - cred = __task_cred(task);
47692 stat->uid = cred->euid;
47693 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
47694 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
47695 +#else
47696 stat->gid = cred->egid;
47697 +#endif
47698 }
47699 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47700 + } else {
47701 + rcu_read_unlock();
47702 + return -ENOENT;
47703 + }
47704 +#endif
47705 }
47706 rcu_read_unlock();
47707 return 0;
47708 @@ -1518,11 +1607,20 @@ static int pid_revalidate(struct dentry
47709
47710 if (task) {
47711 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
47712 +#ifdef CONFIG_GRKERNSEC_PROC_USER
47713 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
47714 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47715 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
47716 +#endif
47717 task_dumpable(task)) {
47718 rcu_read_lock();
47719 cred = __task_cred(task);
47720 inode->i_uid = cred->euid;
47721 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
47722 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
47723 +#else
47724 inode->i_gid = cred->egid;
47725 +#endif
47726 rcu_read_unlock();
47727 } else {
47728 inode->i_uid = 0;
47729 @@ -1643,7 +1741,8 @@ static int proc_fd_info(struct inode *in
47730 int fd = proc_fd(inode);
47731
47732 if (task) {
47733 - files = get_files_struct(task);
47734 + if (!gr_acl_handle_procpidmem(task))
47735 + files = get_files_struct(task);
47736 put_task_struct(task);
47737 }
47738 if (files) {
47739 @@ -1895,12 +1994,22 @@ static const struct file_operations proc
47740 static int proc_fd_permission(struct inode *inode, int mask)
47741 {
47742 int rv;
47743 + struct task_struct *task;
47744
47745 rv = generic_permission(inode, mask, NULL);
47746 - if (rv == 0)
47747 - return 0;
47748 +
47749 if (task_pid(current) == proc_pid(inode))
47750 rv = 0;
47751 +
47752 + task = get_proc_task(inode);
47753 + if (task == NULL)
47754 + return rv;
47755 +
47756 + if (gr_acl_handle_procpidmem(task))
47757 + rv = -EACCES;
47758 +
47759 + put_task_struct(task);
47760 +
47761 return rv;
47762 }
47763
47764 @@ -2009,6 +2118,9 @@ static struct dentry *proc_pident_lookup
47765 if (!task)
47766 goto out_no_task;
47767
47768 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
47769 + goto out;
47770 +
47771 /*
47772 * Yes, it does not scale. And it should not. Don't add
47773 * new entries into /proc/<tgid>/ without very good reasons.
47774 @@ -2053,6 +2165,9 @@ static int proc_pident_readdir(struct fi
47775 if (!task)
47776 goto out_no_task;
47777
47778 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
47779 + goto out;
47780 +
47781 ret = 0;
47782 i = filp->f_pos;
47783 switch (i) {
47784 @@ -2320,7 +2435,7 @@ static void *proc_self_follow_link(struc
47785 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
47786 void *cookie)
47787 {
47788 - char *s = nd_get_link(nd);
47789 + const char *s = nd_get_link(nd);
47790 if (!IS_ERR(s))
47791 __putname(s);
47792 }
47793 @@ -2522,7 +2637,7 @@ static const struct pid_entry tgid_base_
47794 #ifdef CONFIG_SCHED_DEBUG
47795 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
47796 #endif
47797 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
47798 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
47799 INF("syscall", S_IRUSR, proc_pid_syscall),
47800 #endif
47801 INF("cmdline", S_IRUGO, proc_pid_cmdline),
47802 @@ -2547,10 +2662,10 @@ static const struct pid_entry tgid_base_
47803 #ifdef CONFIG_SECURITY
47804 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
47805 #endif
47806 -#ifdef CONFIG_KALLSYMS
47807 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
47808 INF("wchan", S_IRUGO, proc_pid_wchan),
47809 #endif
47810 -#ifdef CONFIG_STACKTRACE
47811 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
47812 ONE("stack", S_IRUSR, proc_pid_stack),
47813 #endif
47814 #ifdef CONFIG_SCHEDSTATS
47815 @@ -2580,6 +2695,9 @@ static const struct pid_entry tgid_base_
47816 #ifdef CONFIG_TASK_IO_ACCOUNTING
47817 INF("io", S_IRUSR, proc_tgid_io_accounting),
47818 #endif
47819 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
47820 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
47821 +#endif
47822 };
47823
47824 static int proc_tgid_base_readdir(struct file * filp,
47825 @@ -2704,7 +2822,14 @@ static struct dentry *proc_pid_instantia
47826 if (!inode)
47827 goto out;
47828
47829 +#ifdef CONFIG_GRKERNSEC_PROC_USER
47830 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
47831 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47832 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
47833 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
47834 +#else
47835 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
47836 +#endif
47837 inode->i_op = &proc_tgid_base_inode_operations;
47838 inode->i_fop = &proc_tgid_base_operations;
47839 inode->i_flags|=S_IMMUTABLE;
47840 @@ -2746,7 +2871,11 @@ struct dentry *proc_pid_lookup(struct in
47841 if (!task)
47842 goto out;
47843
47844 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
47845 + goto out_put_task;
47846 +
47847 result = proc_pid_instantiate(dir, dentry, task, NULL);
47848 +out_put_task:
47849 put_task_struct(task);
47850 out:
47851 return result;
47852 @@ -2811,6 +2940,11 @@ int proc_pid_readdir(struct file * filp,
47853 {
47854 unsigned int nr;
47855 struct task_struct *reaper;
47856 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47857 + const struct cred *tmpcred = current_cred();
47858 + const struct cred *itercred;
47859 +#endif
47860 + filldir_t __filldir = filldir;
47861 struct tgid_iter iter;
47862 struct pid_namespace *ns;
47863
47864 @@ -2834,8 +2968,27 @@ int proc_pid_readdir(struct file * filp,
47865 for (iter = next_tgid(ns, iter);
47866 iter.task;
47867 iter.tgid += 1, iter = next_tgid(ns, iter)) {
47868 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47869 + rcu_read_lock();
47870 + itercred = __task_cred(iter.task);
47871 +#endif
47872 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
47873 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47874 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
47875 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
47876 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
47877 +#endif
47878 + )
47879 +#endif
47880 + )
47881 + __filldir = &gr_fake_filldir;
47882 + else
47883 + __filldir = filldir;
47884 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47885 + rcu_read_unlock();
47886 +#endif
47887 filp->f_pos = iter.tgid + TGID_OFFSET;
47888 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
47889 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
47890 put_task_struct(iter.task);
47891 goto out;
47892 }
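Review bot: The hide/show decision in the loop is an `if` condition assembled from three nested `#if` blocks with the closing parentheses on lines of their own, which makes the grouping of `||` and `&&` hard to verify by eye. Moving it into a small helper that returns whether the entry is hidden keeps the preprocessor out of the expression and makes the `tmpcred`/`itercred` locals added in the previous hunk unnecessary. pid_getattr earlier in this file applies the negation of the same uid/gid test, so the helper could probably serve both places. The helper name below is only a proposal; proc_pid_readdir starts and ends outside the hunk.

```c
/* Nonzero when @task's /proc/<pid> entry must not be shown to the caller. */
static int proc_pid_hidden_from_current(struct task_struct *task)
{
#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	const struct cred *tmpcred = current_cred();
	int other_uid;
#endif

	if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
		return 1;

#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	if (!tmpcred->uid)
		return 0;	/* uid 0 sees every entry */
	rcu_read_lock();
	other_uid = __task_cred(task)->uid != tmpcred->uid;
	rcu_read_unlock();
#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
	if (in_group_p(CONFIG_GRKERNSEC_PROC_GID))
		return 0;
#endif
	return other_uid;
#else
	return 0;
#endif
}

/* ... unchanged: next_tgid() loop header ... */
		__filldir = proc_pid_hidden_from_current(iter.task) ? &gr_fake_filldir : filldir;
/* ... unchanged: f_pos update and proc_pid_fill_cache() call ... */
```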
47893 @@ -2861,7 +3014,7 @@ static const struct pid_entry tid_base_s
47894 #ifdef CONFIG_SCHED_DEBUG
47895 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
47896 #endif
47897 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
47898 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
47899 INF("syscall", S_IRUSR, proc_pid_syscall),
47900 #endif
47901 INF("cmdline", S_IRUGO, proc_pid_cmdline),
47902 @@ -2885,10 +3038,10 @@ static const struct pid_entry tid_base_s
47903 #ifdef CONFIG_SECURITY
47904 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
47905 #endif
47906 -#ifdef CONFIG_KALLSYMS
47907 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
47908 INF("wchan", S_IRUGO, proc_pid_wchan),
47909 #endif
47910 -#ifdef CONFIG_STACKTRACE
47911 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
47912 ONE("stack", S_IRUSR, proc_pid_stack),
47913 #endif
47914 #ifdef CONFIG_SCHEDSTATS
47915 diff -urNp linux-2.6.32.46/fs/proc/cmdline.c linux-2.6.32.46/fs/proc/cmdline.c
47916 --- linux-2.6.32.46/fs/proc/cmdline.c 2011-03-27 14:31:47.000000000 -0400
47917 +++ linux-2.6.32.46/fs/proc/cmdline.c 2011-04-17 15:56:46.000000000 -0400
47918 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
47919
47920 static int __init proc_cmdline_init(void)
47921 {
47922 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
47923 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
47924 +#else
47925 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
47926 +#endif
47927 return 0;
47928 }
47929 module_init(proc_cmdline_init);
47930 diff -urNp linux-2.6.32.46/fs/proc/devices.c linux-2.6.32.46/fs/proc/devices.c
47931 --- linux-2.6.32.46/fs/proc/devices.c 2011-03-27 14:31:47.000000000 -0400
47932 +++ linux-2.6.32.46/fs/proc/devices.c 2011-04-17 15:56:46.000000000 -0400
47933 @@ -64,7 +64,11 @@ static const struct file_operations proc
47934
47935 static int __init proc_devices_init(void)
47936 {
47937 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
47938 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
47939 +#else
47940 proc_create("devices", 0, NULL, &proc_devinfo_operations);
47941 +#endif
47942 return 0;
47943 }
47944 module_init(proc_devices_init);
47945 diff -urNp linux-2.6.32.46/fs/proc/inode.c linux-2.6.32.46/fs/proc/inode.c
47946 --- linux-2.6.32.46/fs/proc/inode.c 2011-03-27 14:31:47.000000000 -0400
47947 +++ linux-2.6.32.46/fs/proc/inode.c 2011-04-17 15:56:46.000000000 -0400
47948 @@ -457,7 +457,11 @@ struct inode *proc_get_inode(struct supe
47949 if (de->mode) {
47950 inode->i_mode = de->mode;
47951 inode->i_uid = de->uid;
47952 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
47953 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
47954 +#else
47955 inode->i_gid = de->gid;
47956 +#endif
47957 }
47958 if (de->size)
47959 inode->i_size = de->size;
47960 diff -urNp linux-2.6.32.46/fs/proc/internal.h linux-2.6.32.46/fs/proc/internal.h
47961 --- linux-2.6.32.46/fs/proc/internal.h 2011-03-27 14:31:47.000000000 -0400
47962 +++ linux-2.6.32.46/fs/proc/internal.h 2011-04-17 15:56:46.000000000 -0400
47963 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
47964 struct pid *pid, struct task_struct *task);
47965 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
47966 struct pid *pid, struct task_struct *task);
47967 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
47968 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
47969 +#endif
47970 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
47971
47972 extern const struct file_operations proc_maps_operations;
47973 diff -urNp linux-2.6.32.46/fs/proc/Kconfig linux-2.6.32.46/fs/proc/Kconfig
47974 --- linux-2.6.32.46/fs/proc/Kconfig 2011-03-27 14:31:47.000000000 -0400
47975 +++ linux-2.6.32.46/fs/proc/Kconfig 2011-04-17 15:56:46.000000000 -0400
47976 @@ -30,12 +30,12 @@ config PROC_FS
47977
47978 config PROC_KCORE
47979 bool "/proc/kcore support" if !ARM
47980 - depends on PROC_FS && MMU
47981 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
47982
47983 config PROC_VMCORE
47984 bool "/proc/vmcore support (EXPERIMENTAL)"
47985 - depends on PROC_FS && CRASH_DUMP
47986 - default y
47987 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
47988 + default n
47989 help
47990 Exports the dump image of crashed kernel in ELF format.
47991
47992 @@ -59,8 +59,8 @@ config PROC_SYSCTL
47993 limited in memory.
47994
47995 config PROC_PAGE_MONITOR
47996 - default y
47997 - depends on PROC_FS && MMU
47998 + default n
47999 + depends on PROC_FS && MMU && !GRKERNSEC
48000 bool "Enable /proc page monitoring" if EMBEDDED
48001 help
48002 Various /proc files exist to monitor process memory utilization:
48003 diff -urNp linux-2.6.32.46/fs/proc/kcore.c linux-2.6.32.46/fs/proc/kcore.c
48004 --- linux-2.6.32.46/fs/proc/kcore.c 2011-03-27 14:31:47.000000000 -0400
48005 +++ linux-2.6.32.46/fs/proc/kcore.c 2011-05-16 21:46:57.000000000 -0400
48006 @@ -320,6 +320,8 @@ static void elf_kcore_store_hdr(char *bu
48007 off_t offset = 0;
48008 struct kcore_list *m;
48009
48010 + pax_track_stack();
48011 +
48012 /* setup ELF header */
48013 elf = (struct elfhdr *) bufp;
48014 bufp += sizeof(struct elfhdr);
48015 @@ -477,9 +479,10 @@ read_kcore(struct file *file, char __use
48016 * the addresses in the elf_phdr on our list.
48017 */
48018 start = kc_offset_to_vaddr(*fpos - elf_buflen);
48019 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
48020 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
48021 + if (tsz > buflen)
48022 tsz = buflen;
48023 -
48024 +
48025 while (buflen) {
48026 struct kcore_list *m;
48027
48028 @@ -508,20 +511,23 @@ read_kcore(struct file *file, char __use
48029 kfree(elf_buf);
48030 } else {
48031 if (kern_addr_valid(start)) {
48032 - unsigned long n;
48033 + char *elf_buf;
48034 + mm_segment_t oldfs;
48035
48036 - n = copy_to_user(buffer, (char *)start, tsz);
48037 - /*
48038 - * We cannot distingush between fault on source
48039 - * and fault on destination. When this happens
48040 - * we clear too and hope it will trigger the
48041 - * EFAULT again.
48042 - */
48043 - if (n) {
48044 - if (clear_user(buffer + tsz - n,
48045 - n))
48046 + elf_buf = kmalloc(tsz, GFP_KERNEL);
48047 + if (!elf_buf)
48048 + return -ENOMEM;
48049 + oldfs = get_fs();
48050 + set_fs(KERNEL_DS);
48051 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
48052 + set_fs(oldfs);
48053 + if (copy_to_user(buffer, elf_buf, tsz)) {
48054 + kfree(elf_buf);
48055 return -EFAULT;
48056 + }
48057 }
48058 + set_fs(oldfs);
48059 + kfree(elf_buf);
48060 } else {
48061 if (clear_user(buffer, tsz))
48062 return -EFAULT;
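Review bot: When `__copy_from_user` reports a fault on the kernel source address, the new branch writes nothing to `buffer`, whereas the removed code cleared the uncopied tail with `clear_user`. The loop tail is outside the hunk, but presumably the read still advances by `tsz`, so the caller would get stale bytes of its own buffer counted as data. Zero-filling the bounce buffer on a source fault keeps the output defined and matches the `clear_user` in the `!kern_addr_valid` branch. Restoring `oldfs` right after the kernel-side copy also removes the doubled `set_fs(oldfs)`, and the bounce buffer would read better under a name other than `elf_buf`, which the header branch just above already uses. read_kcore starts and ends outside the hunk.

```c
			if (kern_addr_valid(start)) {
				char *bounce;
				mm_segment_t oldfs;
				unsigned long left;

				bounce = kmalloc(tsz, GFP_KERNEL);
				if (!bounce)
					return -ENOMEM;
				oldfs = get_fs();
				set_fs(KERNEL_DS);
				left = __copy_from_user(bounce, (const void __user *)start, tsz);
				set_fs(oldfs);	/* caller's limit back before touching user memory */
				if (left)
					memset(bounce, 0, tsz);	/* unreadable source: report zeros */
				left = copy_to_user(buffer, bounce, tsz);
				kfree(bounce);
				if (left)
					return -EFAULT;
			/* ... unchanged: else branch with clear_user() ... */
```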
48063 @@ -541,6 +547,9 @@ read_kcore(struct file *file, char __use
48064
48065 static int open_kcore(struct inode *inode, struct file *filp)
48066 {
48067 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
48068 + return -EPERM;
48069 +#endif
48070 if (!capable(CAP_SYS_RAWIO))
48071 return -EPERM;
48072 if (kcore_need_update)
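Review bot: With either option set, the added `return -EPERM;` turns the capability check and everything after it into dead code behind an `#if`, which some compilers warn about and which is easy to misread as still being enforced. Closing the block with `#else` before `if (!capable(CAP_SYS_RAWIO))` and putting the matching `#endif` at the end of the body would make the two configurations explicit. A one-line comment such as `/* kcore is never readable in these configurations */` would record the intent. The Kconfig hunk in this patch already excludes PROC_KCORE under GRKERNSEC_PROC_ADD, so only the HIDESYM case appears to reach this code. open_kcore continues outside the hunk.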
48073 diff -urNp linux-2.6.32.46/fs/proc/meminfo.c linux-2.6.32.46/fs/proc/meminfo.c
48074 --- linux-2.6.32.46/fs/proc/meminfo.c 2011-03-27 14:31:47.000000000 -0400
48075 +++ linux-2.6.32.46/fs/proc/meminfo.c 2011-05-16 21:46:57.000000000 -0400
48076 @@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
48077 unsigned long pages[NR_LRU_LISTS];
48078 int lru;
48079
48080 + pax_track_stack();
48081 +
48082 /*
48083 * display in kilobytes.
48084 */
48085 @@ -149,7 +151,7 @@ static int meminfo_proc_show(struct seq_
48086 vmi.used >> 10,
48087 vmi.largest_chunk >> 10
48088 #ifdef CONFIG_MEMORY_FAILURE
48089 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
48090 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
48091 #endif
48092 );
48093
48094 diff -urNp linux-2.6.32.46/fs/proc/nommu.c linux-2.6.32.46/fs/proc/nommu.c
48095 --- linux-2.6.32.46/fs/proc/nommu.c 2011-03-27 14:31:47.000000000 -0400
48096 +++ linux-2.6.32.46/fs/proc/nommu.c 2011-04-17 15:56:46.000000000 -0400
48097 @@ -67,7 +67,7 @@ static int nommu_region_show(struct seq_
48098 if (len < 1)
48099 len = 1;
48100 seq_printf(m, "%*c", len, ' ');
48101 - seq_path(m, &file->f_path, "");
48102 + seq_path(m, &file->f_path, "\n\\");
48103 }
48104
48105 seq_putc(m, '\n');
48106 diff -urNp linux-2.6.32.46/fs/proc/proc_net.c linux-2.6.32.46/fs/proc/proc_net.c
48107 --- linux-2.6.32.46/fs/proc/proc_net.c 2011-03-27 14:31:47.000000000 -0400
48108 +++ linux-2.6.32.46/fs/proc/proc_net.c 2011-04-17 15:56:46.000000000 -0400
48109 @@ -104,6 +104,17 @@ static struct net *get_proc_task_net(str
48110 struct task_struct *task;
48111 struct nsproxy *ns;
48112 struct net *net = NULL;
48113 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48114 + const struct cred *cred = current_cred();
48115 +#endif
48116 +
48117 +#ifdef CONFIG_GRKERNSEC_PROC_USER
48118 + if (cred->fsuid)
48119 + return net;
48120 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48121 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
48122 + return net;
48123 +#endif
48124
48125 rcu_read_lock();
48126 task = pid_task(proc_pid(dir), PIDTYPE_PID);
48127 diff -urNp linux-2.6.32.46/fs/proc/proc_sysctl.c linux-2.6.32.46/fs/proc/proc_sysctl.c
48128 --- linux-2.6.32.46/fs/proc/proc_sysctl.c 2011-03-27 14:31:47.000000000 -0400
48129 +++ linux-2.6.32.46/fs/proc/proc_sysctl.c 2011-04-17 15:56:46.000000000 -0400
48130 @@ -7,6 +7,8 @@
48131 #include <linux/security.h>
48132 #include "internal.h"
48133
48134 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
48135 +
48136 static const struct dentry_operations proc_sys_dentry_operations;
48137 static const struct file_operations proc_sys_file_operations;
48138 static const struct inode_operations proc_sys_inode_operations;
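Review bot: The `extern __u32 gr_handle_sysctl(...)` prototype is declared inside this .c file, so the compiler cannot check it against the definition and a later signature change would go unnoticed here. Declaring it in a header that both the definition and this file include would fix that. The call sites added further down also pass different `op` values (`MAY_EXEC` in proc_sys_lookup and proc_sys_getattr, `0` in scan). A short comment at the prototype saying what `op` means and what a nonzero return signifies would make those calls reviewable.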
48139 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
48140 if (!p)
48141 goto out;
48142
48143 + if (gr_handle_sysctl(p, MAY_EXEC))
48144 + goto out;
48145 +
48146 err = ERR_PTR(-ENOMEM);
48147 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
48148 if (h)
48149 @@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
48150 if (*pos < file->f_pos)
48151 continue;
48152
48153 + if (gr_handle_sysctl(table, 0))
48154 + continue;
48155 +
48156 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
48157 if (res)
48158 return res;
48159 @@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
48160 if (IS_ERR(head))
48161 return PTR_ERR(head);
48162
48163 + if (table && gr_handle_sysctl(table, MAY_EXEC))
48164 + return -ENOENT;
48165 +
48166 generic_fillattr(inode, stat);
48167 if (table)
48168 stat->mode = (stat->mode & S_IFMT) | table->mode;
48169 diff -urNp linux-2.6.32.46/fs/proc/root.c linux-2.6.32.46/fs/proc/root.c
48170 --- linux-2.6.32.46/fs/proc/root.c 2011-03-27 14:31:47.000000000 -0400
48171 +++ linux-2.6.32.46/fs/proc/root.c 2011-04-17 15:56:46.000000000 -0400
48172 @@ -134,7 +134,15 @@ void __init proc_root_init(void)
48173 #ifdef CONFIG_PROC_DEVICETREE
48174 proc_device_tree_init();
48175 #endif
48176 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
48177 +#ifdef CONFIG_GRKERNSEC_PROC_USER
48178 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
48179 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48180 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
48181 +#endif
48182 +#else
48183 proc_mkdir("bus", NULL);
48184 +#endif
48185 proc_sys_init();
48186 }
48187
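Review bot: If CONFIG_GRKERNSEC_PROC_ADD is set while neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, the inner `#ifdef`/`#elif` has no `#else`, so no `bus` directory is created at all. Kconfig may forbid that combination, but nothing in this hunk shows it. An inner `#else` containing `proc_mkdir("bus", NULL);`, or an `#error` naming the unsupported combination, would make the assumption explicit.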
48188 diff -urNp linux-2.6.32.46/fs/proc/task_mmu.c linux-2.6.32.46/fs/proc/task_mmu.c
48189 --- linux-2.6.32.46/fs/proc/task_mmu.c 2011-03-27 14:31:47.000000000 -0400
48190 +++ linux-2.6.32.46/fs/proc/task_mmu.c 2011-04-23 13:38:09.000000000 -0400
48191 @@ -46,15 +46,26 @@ void task_mem(struct seq_file *m, struct
48192 "VmStk:\t%8lu kB\n"
48193 "VmExe:\t%8lu kB\n"
48194 "VmLib:\t%8lu kB\n"
48195 - "VmPTE:\t%8lu kB\n",
48196 - hiwater_vm << (PAGE_SHIFT-10),
48197 + "VmPTE:\t%8lu kB\n"
48198 +
48199 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
48200 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
48201 +#endif
48202 +
48203 + ,hiwater_vm << (PAGE_SHIFT-10),
48204 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
48205 mm->locked_vm << (PAGE_SHIFT-10),
48206 hiwater_rss << (PAGE_SHIFT-10),
48207 total_rss << (PAGE_SHIFT-10),
48208 data << (PAGE_SHIFT-10),
48209 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
48210 - (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
48211 + (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
48212 +
48213 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
48214 + , mm->context.user_cs_base, mm->context.user_cs_limit
48215 +#endif
48216 +
48217 + );
48218 }
48219
48220 unsigned long task_vsize(struct mm_struct *mm)
48221 @@ -175,7 +186,8 @@ static void m_stop(struct seq_file *m, v
48222 struct proc_maps_private *priv = m->private;
48223 struct vm_area_struct *vma = v;
48224
48225 - vma_stop(priv, vma);
48226 + if (!IS_ERR(vma))
48227 + vma_stop(priv, vma);
48228 if (priv->task)
48229 put_task_struct(priv->task);
48230 }
48231 @@ -199,6 +211,12 @@ static int do_maps_open(struct inode *in
48232 return ret;
48233 }
48234
48235 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48236 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
48237 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
48238 + _mm->pax_flags & MF_PAX_SEGMEXEC))
48239 +#endif
48240 +
48241 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
48242 {
48243 struct mm_struct *mm = vma->vm_mm;
48244 @@ -206,7 +224,6 @@ static void show_map_vma(struct seq_file
48245 int flags = vma->vm_flags;
48246 unsigned long ino = 0;
48247 unsigned long long pgoff = 0;
48248 - unsigned long start;
48249 dev_t dev = 0;
48250 int len;
48251
48252 @@ -217,20 +234,23 @@ static void show_map_vma(struct seq_file
48253 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
48254 }
48255
48256 - /* We don't show the stack guard page in /proc/maps */
48257 - start = vma->vm_start;
48258 - if (vma->vm_flags & VM_GROWSDOWN)
48259 - if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
48260 - start += PAGE_SIZE;
48261 -
48262 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
48263 - start,
48264 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48265 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
48266 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
48267 +#else
48268 + vma->vm_start,
48269 vma->vm_end,
48270 +#endif
48271 flags & VM_READ ? 'r' : '-',
48272 flags & VM_WRITE ? 'w' : '-',
48273 flags & VM_EXEC ? 'x' : '-',
48274 flags & VM_MAYSHARE ? 's' : 'p',
48275 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48276 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
48277 +#else
48278 pgoff,
48279 +#endif
48280 MAJOR(dev), MINOR(dev), ino, &len);
48281
48282 /*
48283 @@ -239,7 +259,7 @@ static void show_map_vma(struct seq_file
48284 */
48285 if (file) {
48286 pad_len_spaces(m, len);
48287 - seq_path(m, &file->f_path, "\n");
48288 + seq_path(m, &file->f_path, "\n\\");
48289 } else {
48290 const char *name = arch_vma_name(vma);
48291 if (!name) {
48292 @@ -247,8 +267,9 @@ static void show_map_vma(struct seq_file
48293 if (vma->vm_start <= mm->brk &&
48294 vma->vm_end >= mm->start_brk) {
48295 name = "[heap]";
48296 - } else if (vma->vm_start <= mm->start_stack &&
48297 - vma->vm_end >= mm->start_stack) {
48298 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
48299 + (vma->vm_start <= mm->start_stack &&
48300 + vma->vm_end >= mm->start_stack)) {
48301 name = "[stack]";
48302 }
48303 } else {
48304 @@ -391,9 +412,16 @@ static int show_smap(struct seq_file *m,
48305 };
48306
48307 memset(&mss, 0, sizeof mss);
48308 - mss.vma = vma;
48309 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
48310 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
48311 +
48312 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48313 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
48314 +#endif
48315 + mss.vma = vma;
48316 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
48317 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
48318 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48319 + }
48320 +#endif
48321
48322 show_map_vma(m, vma);
48323
48324 @@ -409,7 +437,11 @@ static int show_smap(struct seq_file *m,
48325 "Swap: %8lu kB\n"
48326 "KernelPageSize: %8lu kB\n"
48327 "MMUPageSize: %8lu kB\n",
48328 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48329 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
48330 +#else
48331 (vma->vm_end - vma->vm_start) >> 10,
48332 +#endif
48333 mss.resident >> 10,
48334 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
48335 mss.shared_clean >> 10,
48336 diff -urNp linux-2.6.32.46/fs/proc/task_nommu.c linux-2.6.32.46/fs/proc/task_nommu.c
48337 --- linux-2.6.32.46/fs/proc/task_nommu.c 2011-03-27 14:31:47.000000000 -0400
48338 +++ linux-2.6.32.46/fs/proc/task_nommu.c 2011-04-17 15:56:46.000000000 -0400
48339 @@ -50,7 +50,7 @@ void task_mem(struct seq_file *m, struct
48340 else
48341 bytes += kobjsize(mm);
48342
48343 - if (current->fs && current->fs->users > 1)
48344 + if (current->fs && atomic_read(&current->fs->users) > 1)
48345 sbytes += kobjsize(current->fs);
48346 else
48347 bytes += kobjsize(current->fs);
48348 @@ -154,7 +154,7 @@ static int nommu_vma_show(struct seq_fil
48349 if (len < 1)
48350 len = 1;
48351 seq_printf(m, "%*c", len, ' ');
48352 - seq_path(m, &file->f_path, "");
48353 + seq_path(m, &file->f_path, "\n\\");
48354 }
48355
48356 seq_putc(m, '\n');
48357 diff -urNp linux-2.6.32.46/fs/readdir.c linux-2.6.32.46/fs/readdir.c
48358 --- linux-2.6.32.46/fs/readdir.c 2011-03-27 14:31:47.000000000 -0400
48359 +++ linux-2.6.32.46/fs/readdir.c 2011-04-17 15:56:46.000000000 -0400
48360 @@ -16,6 +16,7 @@
48361 #include <linux/security.h>
48362 #include <linux/syscalls.h>
48363 #include <linux/unistd.h>
48364 +#include <linux/namei.h>
48365
48366 #include <asm/uaccess.h>
48367
48368 @@ -67,6 +68,7 @@ struct old_linux_dirent {
48369
48370 struct readdir_callback {
48371 struct old_linux_dirent __user * dirent;
48372 + struct file * file;
48373 int result;
48374 };
48375
48376 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
48377 buf->result = -EOVERFLOW;
48378 return -EOVERFLOW;
48379 }
48380 +
48381 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
48382 + return 0;
48383 +
48384 buf->result++;
48385 dirent = buf->dirent;
48386 if (!access_ok(VERIFY_WRITE, dirent,
48387 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
48388
48389 buf.result = 0;
48390 buf.dirent = dirent;
48391 + buf.file = file;
48392
48393 error = vfs_readdir(file, fillonedir, &buf);
48394 if (buf.result)
48395 @@ -142,6 +149,7 @@ struct linux_dirent {
48396 struct getdents_callback {
48397 struct linux_dirent __user * current_dir;
48398 struct linux_dirent __user * previous;
48399 + struct file * file;
48400 int count;
48401 int error;
48402 };
48403 @@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
48404 buf->error = -EOVERFLOW;
48405 return -EOVERFLOW;
48406 }
48407 +
48408 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
48409 + return 0;
48410 +
48411 dirent = buf->previous;
48412 if (dirent) {
48413 if (__put_user(offset, &dirent->d_off))
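Review bot: The hidden-entry path `return 0;` added in filldir, and again in the filldir64 hunk below, runs after the callback has already written to `buf->error`; the filldir64 hunk shows `buf->error = -EINVAL; /* only used if we fail.. */` just above the new check. If the syscall takes `buf.error` as its result when no entry was copied out (the code after `vfs_readdir()` is only partly visible), a call in which every remaining entry is filtered could return -EINVAL instead of 0. Moving the check ahead of that assignment, or using `if (!gr_acl_handle_filldir(buf->file, name, namlen, ino)) { buf->error = 0; return 0; }`, would avoid this. Both functions start outside their hunks, so this needs checking against the full bodies.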
48414 @@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
48415 buf.previous = NULL;
48416 buf.count = count;
48417 buf.error = 0;
48418 + buf.file = file;
48419
48420 error = vfs_readdir(file, filldir, &buf);
48421 if (error >= 0)
48422 @@ -228,6 +241,7 @@ out:
48423 struct getdents_callback64 {
48424 struct linux_dirent64 __user * current_dir;
48425 struct linux_dirent64 __user * previous;
48426 + struct file *file;
48427 int count;
48428 int error;
48429 };
48430 @@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
48431 buf->error = -EINVAL; /* only used if we fail.. */
48432 if (reclen > buf->count)
48433 return -EINVAL;
48434 +
48435 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
48436 + return 0;
48437 +
48438 dirent = buf->previous;
48439 if (dirent) {
48440 if (__put_user(offset, &dirent->d_off))
48441 @@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
48442
48443 buf.current_dir = dirent;
48444 buf.previous = NULL;
48445 + buf.file = file;
48446 buf.count = count;
48447 buf.error = 0;
48448
48449 diff -urNp linux-2.6.32.46/fs/reiserfs/dir.c linux-2.6.32.46/fs/reiserfs/dir.c
48450 --- linux-2.6.32.46/fs/reiserfs/dir.c 2011-03-27 14:31:47.000000000 -0400
48451 +++ linux-2.6.32.46/fs/reiserfs/dir.c 2011-05-16 21:46:57.000000000 -0400
48452 @@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
48453 struct reiserfs_dir_entry de;
48454 int ret = 0;
48455
48456 + pax_track_stack();
48457 +
48458 reiserfs_write_lock(inode->i_sb);
48459
48460 reiserfs_check_lock_depth(inode->i_sb, "readdir");
48461 diff -urNp linux-2.6.32.46/fs/reiserfs/do_balan.c linux-2.6.32.46/fs/reiserfs/do_balan.c
48462 --- linux-2.6.32.46/fs/reiserfs/do_balan.c 2011-03-27 14:31:47.000000000 -0400
48463 +++ linux-2.6.32.46/fs/reiserfs/do_balan.c 2011-04-17 15:56:46.000000000 -0400
48464 @@ -2058,7 +2058,7 @@ void do_balance(struct tree_balance *tb,
48465 return;
48466 }
48467
48468 - atomic_inc(&(fs_generation(tb->tb_sb)));
48469 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
48470 do_balance_starts(tb);
48471
48472 /* balance leaf returns 0 except if combining L R and S into
48473 diff -urNp linux-2.6.32.46/fs/reiserfs/item_ops.c linux-2.6.32.46/fs/reiserfs/item_ops.c
48474 --- linux-2.6.32.46/fs/reiserfs/item_ops.c 2011-03-27 14:31:47.000000000 -0400
48475 +++ linux-2.6.32.46/fs/reiserfs/item_ops.c 2011-04-17 15:56:46.000000000 -0400
48476 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
48477 vi->vi_index, vi->vi_type, vi->vi_ih);
48478 }
48479
48480 -static struct item_operations stat_data_ops = {
48481 +static const struct item_operations stat_data_ops = {
48482 .bytes_number = sd_bytes_number,
48483 .decrement_key = sd_decrement_key,
48484 .is_left_mergeable = sd_is_left_mergeable,
48485 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
48486 vi->vi_index, vi->vi_type, vi->vi_ih);
48487 }
48488
48489 -static struct item_operations direct_ops = {
48490 +static const struct item_operations direct_ops = {
48491 .bytes_number = direct_bytes_number,
48492 .decrement_key = direct_decrement_key,
48493 .is_left_mergeable = direct_is_left_mergeable,
48494 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
48495 vi->vi_index, vi->vi_type, vi->vi_ih);
48496 }
48497
48498 -static struct item_operations indirect_ops = {
48499 +static const struct item_operations indirect_ops = {
48500 .bytes_number = indirect_bytes_number,
48501 .decrement_key = indirect_decrement_key,
48502 .is_left_mergeable = indirect_is_left_mergeable,
48503 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
48504 printk("\n");
48505 }
48506
48507 -static struct item_operations direntry_ops = {
48508 +static const struct item_operations direntry_ops = {
48509 .bytes_number = direntry_bytes_number,
48510 .decrement_key = direntry_decrement_key,
48511 .is_left_mergeable = direntry_is_left_mergeable,
48512 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
48513 "Invalid item type observed, run fsck ASAP");
48514 }
48515
48516 -static struct item_operations errcatch_ops = {
48517 +static const struct item_operations errcatch_ops = {
48518 errcatch_bytes_number,
48519 errcatch_decrement_key,
48520 errcatch_is_left_mergeable,
48521 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
48522 #error Item types must use disk-format assigned values.
48523 #endif
48524
48525 -struct item_operations *item_ops[TYPE_ANY + 1] = {
48526 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
48527 &stat_data_ops,
48528 &indirect_ops,
48529 &direct_ops,
48530 diff -urNp linux-2.6.32.46/fs/reiserfs/journal.c linux-2.6.32.46/fs/reiserfs/journal.c
48531 --- linux-2.6.32.46/fs/reiserfs/journal.c 2011-03-27 14:31:47.000000000 -0400
48532 +++ linux-2.6.32.46/fs/reiserfs/journal.c 2011-05-16 21:46:57.000000000 -0400
48533 @@ -2329,6 +2329,8 @@ static struct buffer_head *reiserfs_brea
48534 struct buffer_head *bh;
48535 int i, j;
48536
48537 + pax_track_stack();
48538 +
48539 bh = __getblk(dev, block, bufsize);
48540 if (buffer_uptodate(bh))
48541 return (bh);
48542 diff -urNp linux-2.6.32.46/fs/reiserfs/namei.c linux-2.6.32.46/fs/reiserfs/namei.c
48543 --- linux-2.6.32.46/fs/reiserfs/namei.c 2011-03-27 14:31:47.000000000 -0400
48544 +++ linux-2.6.32.46/fs/reiserfs/namei.c 2011-05-16 21:46:57.000000000 -0400
48545 @@ -1214,6 +1214,8 @@ static int reiserfs_rename(struct inode
48546 unsigned long savelink = 1;
48547 struct timespec ctime;
48548
48549 + pax_track_stack();
48550 +
48551 /* three balancings: (1) old name removal, (2) new name insertion
48552 and (3) maybe "save" link insertion
48553 stat data updates: (1) old directory,
48554 diff -urNp linux-2.6.32.46/fs/reiserfs/procfs.c linux-2.6.32.46/fs/reiserfs/procfs.c
48555 --- linux-2.6.32.46/fs/reiserfs/procfs.c 2011-03-27 14:31:47.000000000 -0400
48556 +++ linux-2.6.32.46/fs/reiserfs/procfs.c 2011-05-16 21:46:57.000000000 -0400
48557 @@ -123,7 +123,7 @@ static int show_super(struct seq_file *m
48558 "SMALL_TAILS " : "NO_TAILS ",
48559 replay_only(sb) ? "REPLAY_ONLY " : "",
48560 convert_reiserfs(sb) ? "CONV " : "",
48561 - atomic_read(&r->s_generation_counter),
48562 + atomic_read_unchecked(&r->s_generation_counter),
48563 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
48564 SF(s_do_balance), SF(s_unneeded_left_neighbor),
48565 SF(s_good_search_by_key_reada), SF(s_bmaps),
48566 @@ -309,6 +309,8 @@ static int show_journal(struct seq_file
48567 struct journal_params *jp = &rs->s_v1.s_journal;
48568 char b[BDEVNAME_SIZE];
48569
48570 + pax_track_stack();
48571 +
48572 seq_printf(m, /* on-disk fields */
48573 "jp_journal_1st_block: \t%i\n"
48574 "jp_journal_dev: \t%s[%x]\n"
48575 diff -urNp linux-2.6.32.46/fs/reiserfs/stree.c linux-2.6.32.46/fs/reiserfs/stree.c
48576 --- linux-2.6.32.46/fs/reiserfs/stree.c 2011-03-27 14:31:47.000000000 -0400
48577 +++ linux-2.6.32.46/fs/reiserfs/stree.c 2011-05-16 21:46:57.000000000 -0400
48578 @@ -1159,6 +1159,8 @@ int reiserfs_delete_item(struct reiserfs
48579 int iter = 0;
48580 #endif
48581
48582 + pax_track_stack();
48583 +
48584 BUG_ON(!th->t_trans_id);
48585
48586 init_tb_struct(th, &s_del_balance, sb, path,
48587 @@ -1296,6 +1298,8 @@ void reiserfs_delete_solid_item(struct r
48588 int retval;
48589 int quota_cut_bytes = 0;
48590
48591 + pax_track_stack();
48592 +
48593 BUG_ON(!th->t_trans_id);
48594
48595 le_key2cpu_key(&cpu_key, key);
48596 @@ -1525,6 +1529,8 @@ int reiserfs_cut_from_item(struct reiser
48597 int quota_cut_bytes;
48598 loff_t tail_pos = 0;
48599
48600 + pax_track_stack();
48601 +
48602 BUG_ON(!th->t_trans_id);
48603
48604 init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
48605 @@ -1920,6 +1926,8 @@ int reiserfs_paste_into_item(struct reis
48606 int retval;
48607 int fs_gen;
48608
48609 + pax_track_stack();
48610 +
48611 BUG_ON(!th->t_trans_id);
48612
48613 fs_gen = get_generation(inode->i_sb);
48614 @@ -2007,6 +2015,8 @@ int reiserfs_insert_item(struct reiserfs
48615 int fs_gen = 0;
48616 int quota_bytes = 0;
48617
48618 + pax_track_stack();
48619 +
48620 BUG_ON(!th->t_trans_id);
48621
48622 if (inode) { /* Do we count quotas for item? */
48623 diff -urNp linux-2.6.32.46/fs/reiserfs/super.c linux-2.6.32.46/fs/reiserfs/super.c
48624 --- linux-2.6.32.46/fs/reiserfs/super.c 2011-03-27 14:31:47.000000000 -0400
48625 +++ linux-2.6.32.46/fs/reiserfs/super.c 2011-05-16 21:46:57.000000000 -0400
48626 @@ -912,6 +912,8 @@ static int reiserfs_parse_options(struct
48627 {.option_name = NULL}
48628 };
48629
48630 + pax_track_stack();
48631 +
48632 *blocks = 0;
48633 if (!options || !*options)
48634 /* use default configuration: create tails, journaling on, no
48635 diff -urNp linux-2.6.32.46/fs/select.c linux-2.6.32.46/fs/select.c
48636 --- linux-2.6.32.46/fs/select.c 2011-03-27 14:31:47.000000000 -0400
48637 +++ linux-2.6.32.46/fs/select.c 2011-05-16 21:46:57.000000000 -0400
48638 @@ -20,6 +20,7 @@
48639 #include <linux/module.h>
48640 #include <linux/slab.h>
48641 #include <linux/poll.h>
48642 +#include <linux/security.h>
48643 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
48644 #include <linux/file.h>
48645 #include <linux/fdtable.h>
48646 @@ -401,6 +402,8 @@ int do_select(int n, fd_set_bits *fds, s
48647 int retval, i, timed_out = 0;
48648 unsigned long slack = 0;
48649
48650 + pax_track_stack();
48651 +
48652 rcu_read_lock();
48653 retval = max_select_fd(n, fds);
48654 rcu_read_unlock();
48655 @@ -529,6 +532,8 @@ int core_sys_select(int n, fd_set __user
48656 /* Allocate small arguments on the stack to save memory and be faster */
48657 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
48658
48659 + pax_track_stack();
48660 +
48661 ret = -EINVAL;
48662 if (n < 0)
48663 goto out_nofds;
48664 @@ -821,6 +826,9 @@ int do_sys_poll(struct pollfd __user *uf
48665 struct poll_list *walk = head;
48666 unsigned long todo = nfds;
48667
48668 + pax_track_stack();
48669 +
48670 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
48671 if (nfds > current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
48672 return -EINVAL;
48673
48674 diff -urNp linux-2.6.32.46/fs/seq_file.c linux-2.6.32.46/fs/seq_file.c
48675 --- linux-2.6.32.46/fs/seq_file.c 2011-03-27 14:31:47.000000000 -0400
48676 +++ linux-2.6.32.46/fs/seq_file.c 2011-08-23 21:22:32.000000000 -0400
48677 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
48678 return 0;
48679 }
48680 if (!m->buf) {
48681 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
48682 + m->size = PAGE_SIZE;
48683 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
48684 if (!m->buf)
48685 return -ENOMEM;
48686 }
48687 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
48688 Eoverflow:
48689 m->op->stop(m, p);
48690 kfree(m->buf);
48691 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
48692 + m->size <<= 1;
48693 + m->buf = kmalloc(m->size, GFP_KERNEL);
48694 return !m->buf ? -ENOMEM : -EAGAIN;
48695 }
48696
48697 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
48698 m->version = file->f_version;
48699 /* grab buffer if we didn't have one */
48700 if (!m->buf) {
48701 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
48702 + m->size = PAGE_SIZE;
48703 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
48704 if (!m->buf)
48705 goto Enomem;
48706 }
48707 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
48708 goto Fill;
48709 m->op->stop(m, p);
48710 kfree(m->buf);
48711 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
48712 + m->size <<= 1;
48713 + m->buf = kmalloc(m->size, GFP_KERNEL);
48714 if (!m->buf)
48715 goto Enomem;
48716 m->count = 0;
48717 @@ -551,7 +555,7 @@ static void single_stop(struct seq_file
48718 int single_open(struct file *file, int (*show)(struct seq_file *, void *),
48719 void *data)
48720 {
48721 - struct seq_operations *op = kmalloc(sizeof(*op), GFP_KERNEL);
48722 + seq_operations_no_const *op = kmalloc(sizeof(*op), GFP_KERNEL);
48723 int res = -ENOMEM;
48724
48725 if (op) {
48726 diff -urNp linux-2.6.32.46/fs/smbfs/proc.c linux-2.6.32.46/fs/smbfs/proc.c
48727 --- linux-2.6.32.46/fs/smbfs/proc.c 2011-03-27 14:31:47.000000000 -0400
48728 +++ linux-2.6.32.46/fs/smbfs/proc.c 2011-08-05 20:33:55.000000000 -0400
48729 @@ -266,9 +266,9 @@ int smb_setcodepage(struct smb_sb_info *
48730
48731 out:
48732 if (server->local_nls != NULL && server->remote_nls != NULL)
48733 - server->ops->convert = convert_cp;
48734 + *(void **)&server->ops->convert = convert_cp;
48735 else
48736 - server->ops->convert = convert_memcpy;
48737 + *(void **)&server->ops->convert = convert_memcpy;
48738
48739 smb_unlock_server(server);
48740 return n;
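Review bot: The stores `*(void **)&server->ops->convert = convert_cp;` in smb_setcodepage bypass the function-pointer type check as well as the qualifier, so a handler with the wrong signature would now compile without a diagnostic. The same pattern appears in the smb_newconn hunk (`getattr`) and in `install_ops()` (`memcpy((void *)dst, ...)`). Each site should state why the write is safe, for example `/* server->ops is a writable per-server copy; the cast only removes the const on struct smb_ops members */`, after confirming that against the structure definition, which is not visible here. Casting to the member's own function-pointer type rather than `void **` would keep the signature check.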
48741 @@ -933,9 +933,9 @@ smb_newconn(struct smb_sb_info *server,
48742
48743 /* FIXME: the win9x code wants to modify these ... (seek/trunc bug) */
48744 if (server->mnt->flags & SMB_MOUNT_OLDATTR) {
48745 - server->ops->getattr = smb_proc_getattr_core;
48746 + *(void **)&server->ops->getattr = smb_proc_getattr_core;
48747 } else if (server->mnt->flags & SMB_MOUNT_DIRATTR) {
48748 - server->ops->getattr = smb_proc_getattr_ff;
48749 + *(void **)&server->ops->getattr = smb_proc_getattr_ff;
48750 }
48751
48752 /* Decode server capabilities */
48753 @@ -3439,7 +3439,7 @@ out:
48754 static void
48755 install_ops(struct smb_ops *dst, struct smb_ops *src)
48756 {
48757 - memcpy(dst, src, sizeof(void *) * SMB_OPS_NUM_STATIC);
48758 + memcpy((void *)dst, src, sizeof(void *) * SMB_OPS_NUM_STATIC);
48759 }
48760
48761 /* < LANMAN2 */
48762 diff -urNp linux-2.6.32.46/fs/smbfs/symlink.c linux-2.6.32.46/fs/smbfs/symlink.c
48763 --- linux-2.6.32.46/fs/smbfs/symlink.c 2011-03-27 14:31:47.000000000 -0400
48764 +++ linux-2.6.32.46/fs/smbfs/symlink.c 2011-04-17 15:56:46.000000000 -0400
48765 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
48766
48767 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
48768 {
48769 - char *s = nd_get_link(nd);
48770 + const char *s = nd_get_link(nd);
48771 if (!IS_ERR(s))
48772 __putname(s);
48773 }
48774 diff -urNp linux-2.6.32.46/fs/splice.c linux-2.6.32.46/fs/splice.c
48775 --- linux-2.6.32.46/fs/splice.c 2011-03-27 14:31:47.000000000 -0400
48776 +++ linux-2.6.32.46/fs/splice.c 2011-05-16 21:46:57.000000000 -0400
48777 @@ -185,7 +185,7 @@ ssize_t splice_to_pipe(struct pipe_inode
48778 pipe_lock(pipe);
48779
48780 for (;;) {
48781 - if (!pipe->readers) {
48782 + if (!atomic_read(&pipe->readers)) {
48783 send_sig(SIGPIPE, current, 0);
48784 if (!ret)
48785 ret = -EPIPE;
48786 @@ -239,9 +239,9 @@ ssize_t splice_to_pipe(struct pipe_inode
48787 do_wakeup = 0;
48788 }
48789
48790 - pipe->waiting_writers++;
48791 + atomic_inc(&pipe->waiting_writers);
48792 pipe_wait(pipe);
48793 - pipe->waiting_writers--;
48794 + atomic_dec(&pipe->waiting_writers);
48795 }
48796
48797 pipe_unlock(pipe);
48798 @@ -285,6 +285,8 @@ __generic_file_splice_read(struct file *
48799 .spd_release = spd_release_page,
48800 };
48801
48802 + pax_track_stack();
48803 +
48804 index = *ppos >> PAGE_CACHE_SHIFT;
48805 loff = *ppos & ~PAGE_CACHE_MASK;
48806 req_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
48807 @@ -521,7 +523,7 @@ static ssize_t kernel_readv(struct file
48808 old_fs = get_fs();
48809 set_fs(get_ds());
48810 /* The cast to a user pointer is valid due to the set_fs() */
48811 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
48812 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
48813 set_fs(old_fs);
48814
48815 return res;
48816 @@ -536,7 +538,7 @@ static ssize_t kernel_write(struct file
48817 old_fs = get_fs();
48818 set_fs(get_ds());
48819 /* The cast to a user pointer is valid due to the set_fs() */
48820 - res = vfs_write(file, (const char __user *)buf, count, &pos);
48821 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
48822 set_fs(old_fs);
48823
48824 return res;
48825 @@ -565,6 +567,8 @@ ssize_t default_file_splice_read(struct
48826 .spd_release = spd_release_page,
48827 };
48828
48829 + pax_track_stack();
48830 +
48831 index = *ppos >> PAGE_CACHE_SHIFT;
48832 offset = *ppos & ~PAGE_CACHE_MASK;
48833 nr_pages = (len + offset + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
48834 @@ -578,7 +582,7 @@ ssize_t default_file_splice_read(struct
48835 goto err;
48836
48837 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
48838 - vec[i].iov_base = (void __user *) page_address(page);
48839 + vec[i].iov_base = (__force void __user *) page_address(page);
48840 vec[i].iov_len = this_len;
48841 pages[i] = page;
48842 spd.nr_pages++;
48843 @@ -800,10 +804,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
48844 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
48845 {
48846 while (!pipe->nrbufs) {
48847 - if (!pipe->writers)
48848 + if (!atomic_read(&pipe->writers))
48849 return 0;
48850
48851 - if (!pipe->waiting_writers && sd->num_spliced)
48852 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
48853 return 0;
48854
48855 if (sd->flags & SPLICE_F_NONBLOCK)
48856 @@ -1140,7 +1144,7 @@ ssize_t splice_direct_to_actor(struct fi
48857 * out of the pipe right after the splice_to_pipe(). So set
48858 * PIPE_READERS appropriately.
48859 */
48860 - pipe->readers = 1;
48861 + atomic_set(&pipe->readers, 1);
48862
48863 current->splice_pipe = pipe;
48864 }
48865 @@ -1592,6 +1596,8 @@ static long vmsplice_to_pipe(struct file
48866 .spd_release = spd_release_page,
48867 };
48868
48869 + pax_track_stack();
48870 +
48871 pipe = pipe_info(file->f_path.dentry->d_inode);
48872 if (!pipe)
48873 return -EBADF;
48874 @@ -1700,9 +1706,9 @@ static int ipipe_prep(struct pipe_inode_
48875 ret = -ERESTARTSYS;
48876 break;
48877 }
48878 - if (!pipe->writers)
48879 + if (!atomic_read(&pipe->writers))
48880 break;
48881 - if (!pipe->waiting_writers) {
48882 + if (!atomic_read(&pipe->waiting_writers)) {
48883 if (flags & SPLICE_F_NONBLOCK) {
48884 ret = -EAGAIN;
48885 break;
48886 @@ -1734,7 +1740,7 @@ static int opipe_prep(struct pipe_inode_
48887 pipe_lock(pipe);
48888
48889 while (pipe->nrbufs >= PIPE_BUFFERS) {
48890 - if (!pipe->readers) {
48891 + if (!atomic_read(&pipe->readers)) {
48892 send_sig(SIGPIPE, current, 0);
48893 ret = -EPIPE;
48894 break;
48895 @@ -1747,9 +1753,9 @@ static int opipe_prep(struct pipe_inode_
48896 ret = -ERESTARTSYS;
48897 break;
48898 }
48899 - pipe->waiting_writers++;
48900 + atomic_inc(&pipe->waiting_writers);
48901 pipe_wait(pipe);
48902 - pipe->waiting_writers--;
48903 + atomic_dec(&pipe->waiting_writers);
48904 }
48905
48906 pipe_unlock(pipe);
48907 @@ -1785,14 +1791,14 @@ retry:
48908 pipe_double_lock(ipipe, opipe);
48909
48910 do {
48911 - if (!opipe->readers) {
48912 + if (!atomic_read(&opipe->readers)) {
48913 send_sig(SIGPIPE, current, 0);
48914 if (!ret)
48915 ret = -EPIPE;
48916 break;
48917 }
48918
48919 - if (!ipipe->nrbufs && !ipipe->writers)
48920 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
48921 break;
48922
48923 /*
48924 @@ -1892,7 +1898,7 @@ static int link_pipe(struct pipe_inode_i
48925 pipe_double_lock(ipipe, opipe);
48926
48927 do {
48928 - if (!opipe->readers) {
48929 + if (!atomic_read(&opipe->readers)) {
48930 send_sig(SIGPIPE, current, 0);
48931 if (!ret)
48932 ret = -EPIPE;
48933 @@ -1937,7 +1943,7 @@ static int link_pipe(struct pipe_inode_i
48934 * return EAGAIN if we have the potential of some data in the
48935 * future, otherwise just return 0
48936 */
48937 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
48938 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
48939 ret = -EAGAIN;
48940
48941 pipe_unlock(ipipe);
48942 diff -urNp linux-2.6.32.46/fs/sysfs/file.c linux-2.6.32.46/fs/sysfs/file.c
48943 --- linux-2.6.32.46/fs/sysfs/file.c 2011-03-27 14:31:47.000000000 -0400
48944 +++ linux-2.6.32.46/fs/sysfs/file.c 2011-05-04 17:56:20.000000000 -0400
48945 @@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
48946
48947 struct sysfs_open_dirent {
48948 atomic_t refcnt;
48949 - atomic_t event;
48950 + atomic_unchecked_t event;
48951 wait_queue_head_t poll;
48952 struct list_head buffers; /* goes through sysfs_buffer.list */
48953 };
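Review bot: `event` becomes `atomic_unchecked_t` in struct sysfs_open_dirent while `refcnt` beside it stays `atomic_t`, and nothing in the struct says why the two differ. The later hunks only copy the value and compare it for inequality (`buffer->event != atomic_read_unchecked(&od->event)`), so it appears to be a change counter whose wraparound is harmless rather than a reference count. A field comment such as `/* change counter, compared for inequality only; may wrap */` would record that and make it less likely that `refcnt` is later converted by analogy.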
48954 @@ -53,7 +53,7 @@ struct sysfs_buffer {
48955 size_t count;
48956 loff_t pos;
48957 char * page;
48958 - struct sysfs_ops * ops;
48959 + const struct sysfs_ops * ops;
48960 struct mutex mutex;
48961 int needs_read_fill;
48962 int event;
48963 @@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
48964 {
48965 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
48966 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
48967 - struct sysfs_ops * ops = buffer->ops;
48968 + const struct sysfs_ops * ops = buffer->ops;
48969 int ret = 0;
48970 ssize_t count;
48971
48972 @@ -88,7 +88,7 @@ static int fill_read_buffer(struct dentr
48973 if (!sysfs_get_active_two(attr_sd))
48974 return -ENODEV;
48975
48976 - buffer->event = atomic_read(&attr_sd->s_attr.open->event);
48977 + buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
48978 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
48979
48980 sysfs_put_active_two(attr_sd);
48981 @@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
48982 {
48983 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
48984 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
48985 - struct sysfs_ops * ops = buffer->ops;
48986 + const struct sysfs_ops * ops = buffer->ops;
48987 int rc;
48988
48989 /* need attr_sd for attr and ops, its parent for kobj */
48990 @@ -294,7 +294,7 @@ static int sysfs_get_open_dirent(struct
48991 return -ENOMEM;
48992
48993 atomic_set(&new_od->refcnt, 0);
48994 - atomic_set(&new_od->event, 1);
48995 + atomic_set_unchecked(&new_od->event, 1);
48996 init_waitqueue_head(&new_od->poll);
48997 INIT_LIST_HEAD(&new_od->buffers);
48998 goto retry;
48999 @@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
49000 struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
49001 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
49002 struct sysfs_buffer *buffer;
49003 - struct sysfs_ops *ops;
49004 + const struct sysfs_ops *ops;
49005 int error = -EACCES;
49006 char *p;
49007
49008 @@ -444,7 +444,7 @@ static unsigned int sysfs_poll(struct fi
49009
49010 sysfs_put_active_two(attr_sd);
49011
49012 - if (buffer->event != atomic_read(&od->event))
49013 + if (buffer->event != atomic_read_unchecked(&od->event))
49014 goto trigger;
49015
49016 return DEFAULT_POLLMASK;
49017 @@ -463,7 +463,7 @@ void sysfs_notify_dirent(struct sysfs_di
49018
49019 od = sd->s_attr.open;
49020 if (od) {
49021 - atomic_inc(&od->event);
49022 + atomic_inc_unchecked(&od->event);
49023 wake_up_interruptible(&od->poll);
49024 }
49025
49026 diff -urNp linux-2.6.32.46/fs/sysfs/mount.c linux-2.6.32.46/fs/sysfs/mount.c
49027 --- linux-2.6.32.46/fs/sysfs/mount.c 2011-03-27 14:31:47.000000000 -0400
49028 +++ linux-2.6.32.46/fs/sysfs/mount.c 2011-04-17 15:56:46.000000000 -0400
49029 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
49030 .s_name = "",
49031 .s_count = ATOMIC_INIT(1),
49032 .s_flags = SYSFS_DIR,
49033 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
49034 + .s_mode = S_IFDIR | S_IRWXU,
49035 +#else
49036 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
49037 +#endif
49038 .s_ino = 1,
49039 };
49040
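Review bot: The `CONFIG_GRKERNSEC_SYSFS_RESTRICT` branch of `sysfs_root` sets `.s_mode = S_IFDIR | S_IRWXU` with no comment on what the restriction covers. Only the mount root's mode changes in this hunk; the modes of the entries below it are untouched, so the protection rests on denying traversal at the root. Suggested comment: `/* owner-only traversal of the sysfs root; entry modes below are unchanged */`. The option's help text, if it is elsewhere in the patch, should also mention that unprivileged tools reading sysfs will fail with this set.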
49041 diff -urNp linux-2.6.32.46/fs/sysfs/symlink.c linux-2.6.32.46/fs/sysfs/symlink.c
49042 --- linux-2.6.32.46/fs/sysfs/symlink.c 2011-03-27 14:31:47.000000000 -0400
49043 +++ linux-2.6.32.46/fs/sysfs/symlink.c 2011-04-17 15:56:46.000000000 -0400
49044 @@ -204,7 +204,7 @@ static void *sysfs_follow_link(struct de
49045
49046 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
49047 {
49048 - char *page = nd_get_link(nd);
49049 + const char *page = nd_get_link(nd);
49050 if (!IS_ERR(page))
49051 free_page((unsigned long)page);
49052 }
49053 diff -urNp linux-2.6.32.46/fs/udf/balloc.c linux-2.6.32.46/fs/udf/balloc.c
49054 --- linux-2.6.32.46/fs/udf/balloc.c 2011-03-27 14:31:47.000000000 -0400
49055 +++ linux-2.6.32.46/fs/udf/balloc.c 2011-04-17 15:56:46.000000000 -0400
49056 @@ -172,9 +172,7 @@ static void udf_bitmap_free_blocks(struc
49057
49058 mutex_lock(&sbi->s_alloc_mutex);
49059 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
49060 - if (bloc->logicalBlockNum < 0 ||
49061 - (bloc->logicalBlockNum + count) >
49062 - partmap->s_partition_len) {
49063 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
49064 udf_debug("%d < %d || %d + %d > %d\n",
49065 bloc->logicalBlockNum, 0, bloc->logicalBlockNum,
49066 count, partmap->s_partition_len);
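Review bot: With the `logicalBlockNum < 0` test removed, `(bloc->logicalBlockNum + count) > partmap->s_partition_len` is the only range check left in udf_bitmap_free_blocks, and the sum can wrap if both operands are unsigned 32-bit values (the dropped test suggests `logicalBlockNum` is unsigned; the declarations are outside the hunk). A wrapped sum would pass the check with an out-of-range block number taken from on-disk data. Adding a wrap test closes that: `if (bloc->logicalBlockNum + count < count || (bloc->logicalBlockNum + count) > partmap->s_partition_len) {`. The same applies to the udf_table_free_blocks hunk below. In both, the `udf_debug` format still prints the removed `%d < %d` comparison, and the second call uses `bloc.logicalBlockNum` on what the check above dereferences as a pointer.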
49067 @@ -436,9 +434,7 @@ static void udf_table_free_blocks(struct
49068
49069 mutex_lock(&sbi->s_alloc_mutex);
49070 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
49071 - if (bloc->logicalBlockNum < 0 ||
49072 - (bloc->logicalBlockNum + count) >
49073 - partmap->s_partition_len) {
49074 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
49075 udf_debug("%d < %d || %d + %d > %d\n",
49076 bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
49077 partmap->s_partition_len);
49078 diff -urNp linux-2.6.32.46/fs/udf/inode.c linux-2.6.32.46/fs/udf/inode.c
49079 --- linux-2.6.32.46/fs/udf/inode.c 2011-03-27 14:31:47.000000000 -0400
49080 +++ linux-2.6.32.46/fs/udf/inode.c 2011-05-16 21:46:57.000000000 -0400
49081 @@ -484,6 +484,8 @@ static struct buffer_head *inode_getblk(
49082 int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
49083 int lastblock = 0;
49084
49085 + pax_track_stack();
49086 +
49087 prev_epos.offset = udf_file_entry_alloc_offset(inode);
49088 prev_epos.block = iinfo->i_location;
49089 prev_epos.bh = NULL;
49090 diff -urNp linux-2.6.32.46/fs/udf/misc.c linux-2.6.32.46/fs/udf/misc.c
49091 --- linux-2.6.32.46/fs/udf/misc.c 2011-03-27 14:31:47.000000000 -0400
49092 +++ linux-2.6.32.46/fs/udf/misc.c 2011-04-23 12:56:11.000000000 -0400
49093 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
49094
49095 u8 udf_tag_checksum(const struct tag *t)
49096 {
49097 - u8 *data = (u8 *)t;
49098 + const u8 *data = (const u8 *)t;
49099 u8 checksum = 0;
49100 int i;
49101 for (i = 0; i < sizeof(struct tag); ++i)
49102 diff -urNp linux-2.6.32.46/fs/utimes.c linux-2.6.32.46/fs/utimes.c
49103 --- linux-2.6.32.46/fs/utimes.c 2011-03-27 14:31:47.000000000 -0400
49104 +++ linux-2.6.32.46/fs/utimes.c 2011-04-17 15:56:46.000000000 -0400
49105 @@ -1,6 +1,7 @@
49106 #include <linux/compiler.h>
49107 #include <linux/file.h>
49108 #include <linux/fs.h>
49109 +#include <linux/security.h>
49110 #include <linux/linkage.h>
49111 #include <linux/mount.h>
49112 #include <linux/namei.h>
49113 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
49114 goto mnt_drop_write_and_out;
49115 }
49116 }
49117 +
49118 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
49119 + error = -EACCES;
49120 + goto mnt_drop_write_and_out;
49121 + }
49122 +
49123 mutex_lock(&inode->i_mutex);
49124 error = notify_change(path->dentry, &newattrs);
49125 mutex_unlock(&inode->i_mutex);
49126 diff -urNp linux-2.6.32.46/fs/xattr_acl.c linux-2.6.32.46/fs/xattr_acl.c
49127 --- linux-2.6.32.46/fs/xattr_acl.c 2011-03-27 14:31:47.000000000 -0400
49128 +++ linux-2.6.32.46/fs/xattr_acl.c 2011-04-17 15:56:46.000000000 -0400
49129 @@ -17,8 +17,8 @@
49130 struct posix_acl *
49131 posix_acl_from_xattr(const void *value, size_t size)
49132 {
49133 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
49134 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
49135 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
49136 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
49137 int count;
49138 struct posix_acl *acl;
49139 struct posix_acl_entry *acl_e;
49140 diff -urNp linux-2.6.32.46/fs/xattr.c linux-2.6.32.46/fs/xattr.c
49141 --- linux-2.6.32.46/fs/xattr.c 2011-03-27 14:31:47.000000000 -0400
49142 +++ linux-2.6.32.46/fs/xattr.c 2011-04-17 15:56:46.000000000 -0400
49143 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
49144 * Extended attribute SET operations
49145 */
49146 static long
49147 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
49148 +setxattr(struct path *path, const char __user *name, const void __user *value,
49149 size_t size, int flags)
49150 {
49151 int error;
49152 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
49153 return PTR_ERR(kvalue);
49154 }
49155
49156 - error = vfs_setxattr(d, kname, kvalue, size, flags);
49157 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
49158 + error = -EACCES;
49159 + goto out;
49160 + }
49161 +
49162 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
49163 +out:
49164 kfree(kvalue);
49165 return error;
49166 }
49167 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
49168 return error;
49169 error = mnt_want_write(path.mnt);
49170 if (!error) {
49171 - error = setxattr(path.dentry, name, value, size, flags);
49172 + error = setxattr(&path, name, value, size, flags);
49173 mnt_drop_write(path.mnt);
49174 }
49175 path_put(&path);
49176 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
49177 return error;
49178 error = mnt_want_write(path.mnt);
49179 if (!error) {
49180 - error = setxattr(path.dentry, name, value, size, flags);
49181 + error = setxattr(&path, name, value, size, flags);
49182 mnt_drop_write(path.mnt);
49183 }
49184 path_put(&path);
49185 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
49186 const void __user *,value, size_t, size, int, flags)
49187 {
49188 struct file *f;
49189 - struct dentry *dentry;
49190 int error = -EBADF;
49191
49192 f = fget(fd);
49193 if (!f)
49194 return error;
49195 - dentry = f->f_path.dentry;
49196 - audit_inode(NULL, dentry);
49197 + audit_inode(NULL, f->f_path.dentry);
49198 error = mnt_want_write_file(f);
49199 if (!error) {
49200 - error = setxattr(dentry, name, value, size, flags);
49201 + error = setxattr(&f->f_path, name, value, size, flags);
49202 mnt_drop_write(f->f_path.mnt);
49203 }
49204 fput(f);
49205 diff -urNp linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl32.c
49206 --- linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-03-27 14:31:47.000000000 -0400
49207 +++ linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-04-17 15:56:46.000000000 -0400
49208 @@ -75,6 +75,7 @@ xfs_compat_ioc_fsgeometry_v1(
49209 xfs_fsop_geom_t fsgeo;
49210 int error;
49211
49212 + memset(&fsgeo, 0, sizeof(fsgeo));
49213 error = xfs_fs_geometry(mp, &fsgeo, 3);
49214 if (error)
49215 return -error;
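Review bot: The `memset(&fsgeo, 0, sizeof(fsgeo));` added in xfs_compat_ioc_fsgeometry_v1 has no counterpart in the native `xfs_ioc_fsgeometry_v1` hunk in xfs_ioctl.c, which only changes whitespace on the `fsgeo` declaration before the same `xfs_fs_geometry(mp, &fsgeo, 3)` call. Unless `xfs_fs_geometry()` clears the structure itself (not visible here), any field that call leaves unset in the native path would still hold stack contents when the structure is later copied out. Adding the same line, `memset(&fsgeo, 0, sizeof(fsgeo));`, before the call there would make the two paths consistent. Both function bodies continue outside their hunks.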
49216 diff -urNp linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl.c
49217 --- linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl.c 2011-04-17 17:00:52.000000000 -0400
49218 +++ linux-2.6.32.46/fs/xfs/linux-2.6/xfs_ioctl.c 2011-04-17 20:07:09.000000000 -0400
49219 @@ -134,7 +134,7 @@ xfs_find_handle(
49220 }
49221
49222 error = -EFAULT;
49223 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
49224 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
49225 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
49226 goto out_put;
49227
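Review bot: The new bound `hsize > sizeof handle` is folded into the `-EFAULT` condition and depends on an implicit conversion of hsize to size_t. hsize is declared outside the hunk; if it is a signed int, as the `sizeof(__s32)` copy on the following line suggests, a negative value is rejected only because the comparison is done unsigned. That deserves a comment such as `/* never copy out more than the on-stack handle holds; a negative hsize compares as huge and is rejected too */`. For consistency with `sizeof(__s32)` in the same expression I would also write `sizeof(handle)`.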
49228 @@ -423,7 +423,7 @@ xfs_attrlist_by_handle(
49229 if (IS_ERR(dentry))
49230 return PTR_ERR(dentry);
49231
49232 - kbuf = kmalloc(al_hreq.buflen, GFP_KERNEL);
49233 + kbuf = kzalloc(al_hreq.buflen, GFP_KERNEL);
49234 if (!kbuf)
49235 goto out_dput;
49236
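Review bot: The switch to `kzalloc(al_hreq.buflen, GFP_KERNEL)` is undocumented, and the hunk does not show what bounds `al_hreq.buflen`. If the whole buffer is later copied back to the caller (that code is outside the hunk), the zeroing is what keeps bytes the attribute listing does not fill from exposing old heap contents. A comment should say so, for example `/* zeroed: the full buflen is returned to userspace, including bytes the list call leaves untouched */`. It is also worth confirming that the length check on buflen, which would sit above this hunk, still precedes the allocation.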
49237 @@ -697,7 +697,7 @@ xfs_ioc_fsgeometry_v1(
49238 xfs_mount_t *mp,
49239 void __user *arg)
49240 {
49241 - xfs_fsop_geom_t fsgeo;
49242 + xfs_fsop_geom_t fsgeo;
49243 int error;
49244
49245 error = xfs_fs_geometry(mp, &fsgeo, 3);
49246 diff -urNp linux-2.6.32.46/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.32.46/fs/xfs/linux-2.6/xfs_iops.c
49247 --- linux-2.6.32.46/fs/xfs/linux-2.6/xfs_iops.c 2011-03-27 14:31:47.000000000 -0400
49248 +++ linux-2.6.32.46/fs/xfs/linux-2.6/xfs_iops.c 2011-04-17 15:56:46.000000000 -0400
49249 @@ -468,7 +468,7 @@ xfs_vn_put_link(
49250 struct nameidata *nd,
49251 void *p)
49252 {
49253 - char *s = nd_get_link(nd);
49254 + const char *s = nd_get_link(nd);
49255
49256 if (!IS_ERR(s))
49257 kfree(s);
49258 diff -urNp linux-2.6.32.46/fs/xfs/xfs_bmap.c linux-2.6.32.46/fs/xfs/xfs_bmap.c
49259 --- linux-2.6.32.46/fs/xfs/xfs_bmap.c 2011-03-27 14:31:47.000000000 -0400
49260 +++ linux-2.6.32.46/fs/xfs/xfs_bmap.c 2011-04-17 15:56:46.000000000 -0400
49261 @@ -360,7 +360,7 @@ xfs_bmap_validate_ret(
49262 int nmap,
49263 int ret_nmap);
49264 #else
49265 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
49266 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
49267 #endif /* DEBUG */
49268
49269 #if defined(XFS_RW_TRACE)
49270 diff -urNp linux-2.6.32.46/fs/xfs/xfs_dir2_sf.c linux-2.6.32.46/fs/xfs/xfs_dir2_sf.c
49271 --- linux-2.6.32.46/fs/xfs/xfs_dir2_sf.c 2011-03-27 14:31:47.000000000 -0400
49272 +++ linux-2.6.32.46/fs/xfs/xfs_dir2_sf.c 2011-04-18 22:07:30.000000000 -0400
49273 @@ -779,7 +779,15 @@ xfs_dir2_sf_getdents(
49274 }
49275
49276 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
49277 - if (filldir(dirent, sfep->name, sfep->namelen,
49278 + if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
49279 + char name[sfep->namelen];
49280 + memcpy(name, sfep->name, sfep->namelen);
49281 + if (filldir(dirent, name, sfep->namelen,
49282 + off & 0x7fffffff, ino, DT_UNKNOWN)) {
49283 + *offset = off & 0x7fffffff;
49284 + return 0;
49285 + }
49286 + } else if (filldir(dirent, sfep->name, sfep->namelen,
49287 off & 0x7fffffff, ino, DT_UNKNOWN)) {
49288 *offset = off & 0x7fffffff;
49289 return 0;
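Review bot: The inline-data branch sizes a stack array directly from an on-disk field (`char name[sfep->namelen];`) and then repeats the whole filldir call and its error path. The type of namelen is not visible in this hunk; if it is a single byte the array is bounded, but a fixed-size buffer makes the bound explicit and lets both cases share one filldir call. The hunk also gives no reason why inline names need a bounce copy, so the comment in the sketch below should be replaced with the real one. The enclosing loop starts and ends outside the hunk, and the two declarations would belong at the top of the loop body.

```c
/* inline fork data: hand filldir a stack copy of the name (state the reason here) */
char namebuf[MAXNAMELEN];
const char *name = sfep->name;

if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
	memcpy(namebuf, sfep->name, sfep->namelen);
	name = namebuf;
}
if (filldir(dirent, name, sfep->namelen,
	    off & 0x7fffffff, ino, DT_UNKNOWN)) {
	/* … unchanged: store *offset and return 0 … */
```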
49290 diff -urNp linux-2.6.32.46/grsecurity/gracl_alloc.c linux-2.6.32.46/grsecurity/gracl_alloc.c
49291 --- linux-2.6.32.46/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
49292 +++ linux-2.6.32.46/grsecurity/gracl_alloc.c 2011-04-17 15:56:46.000000000 -0400
49293 @@ -0,0 +1,105 @@
49294 +#include <linux/kernel.h>
49295 +#include <linux/mm.h>
49296 +#include <linux/slab.h>
49297 +#include <linux/vmalloc.h>
49298 +#include <linux/gracl.h>
49299 +#include <linux/grsecurity.h>
49300 +
49301 +static unsigned long alloc_stack_next = 1;
49302 +static unsigned long alloc_stack_size = 1;
49303 +static void **alloc_stack;
49304 +
49305 +static __inline__ int
49306 +alloc_pop(void)
49307 +{
49308 + if (alloc_stack_next == 1)
49309 + return 0;
49310 +
49311 + kfree(alloc_stack[alloc_stack_next - 2]);
49312 +
49313 + alloc_stack_next--;
49314 +
49315 + return 1;
49316 +}
49317 +
49318 +static __inline__ int
49319 +alloc_push(void *buf)
49320 +{
49321 + if (alloc_stack_next >= alloc_stack_size)
49322 + return 1;
49323 +
49324 + alloc_stack[alloc_stack_next - 1] = buf;
49325 +
49326 + alloc_stack_next++;
49327 +
49328 + return 0;
49329 +}
49330 +
49331 +void *
49332 +acl_alloc(unsigned long len)
49333 +{
49334 + void *ret = NULL;
49335 +
49336 + if (!len || len > PAGE_SIZE)
49337 + goto out;
49338 +
49339 + ret = kmalloc(len, GFP_KERNEL);
49340 +
49341 + if (ret) {
49342 + if (alloc_push(ret)) {
49343 + kfree(ret);
49344 + ret = NULL;
49345 + }
49346 + }
49347 +
49348 +out:
49349 + return ret;
49350 +}
49351 +
49352 +void *
49353 +acl_alloc_num(unsigned long num, unsigned long len)
49354 +{
49355 + if (!len || (num > (PAGE_SIZE / len)))
49356 + return NULL;
49357 +
49358 + return acl_alloc(num * len);
49359 +}
49360 +
49361 +void
49362 +acl_free_all(void)
49363 +{
49364 + if (gr_acl_is_enabled() || !alloc_stack)
49365 + return;
49366 +
49367 + while (alloc_pop()) ;
49368 +
49369 + if (alloc_stack) {
49370 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
49371 + kfree(alloc_stack);
49372 + else
49373 + vfree(alloc_stack);
49374 + }
49375 +
49376 + alloc_stack = NULL;
49377 + alloc_stack_size = 1;
49378 + alloc_stack_next = 1;
49379 +
49380 + return;
49381 +}
49382 +
49383 +int
49384 +acl_alloc_stack_init(unsigned long size)
49385 +{
49386 + if ((size * sizeof (void *)) <= PAGE_SIZE)
49387 + alloc_stack =
49388 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
49389 + else
49390 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
49391 +
49392 + alloc_stack_size = size;
49393 +
49394 + if (!alloc_stack)
49395 + return 0;
49396 + else
49397 + return 1;
49398 +}
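Review bot: `acl_alloc_stack_init()` multiplies `size * sizeof (void *)` without an overflow check, and the same product picks kmalloc versus vmalloc here and kfree versus vfree in `acl_free_all()`. Where unsigned long is 32 bits, a large enough size wraps to a small allocation while `alloc_stack_size` still records the full count, so `alloc_push()` would accept indexes past the end of the array. Whether a caller can pass such a size is not visible in this file, but the guard is cheap: `if (size > ULONG_MAX / sizeof (void *)) return 0;` as the first statement. It would also be cleaner to assign `alloc_stack_size` only after the allocation has succeeded, and to add a short comment that slot 0 corresponds to `alloc_stack_next == 1`, which is why `alloc_pop()` frees index `alloc_stack_next - 2`.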
49399 diff -urNp linux-2.6.32.46/grsecurity/gracl.c linux-2.6.32.46/grsecurity/gracl.c
49400 --- linux-2.6.32.46/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
49401 +++ linux-2.6.32.46/grsecurity/gracl.c 2011-07-14 20:02:48.000000000 -0400
49402 @@ -0,0 +1,4082 @@
49403 +#include <linux/kernel.h>
49404 +#include <linux/module.h>
49405 +#include <linux/sched.h>
49406 +#include <linux/mm.h>
49407 +#include <linux/file.h>
49408 +#include <linux/fs.h>
49409 +#include <linux/namei.h>
49410 +#include <linux/mount.h>
49411 +#include <linux/tty.h>
49412 +#include <linux/proc_fs.h>
49413 +#include <linux/smp_lock.h>
49414 +#include <linux/slab.h>
49415 +#include <linux/vmalloc.h>
49416 +#include <linux/types.h>
49417 +#include <linux/sysctl.h>
49418 +#include <linux/netdevice.h>
49419 +#include <linux/ptrace.h>
49420 +#include <linux/gracl.h>
49421 +#include <linux/gralloc.h>
49422 +#include <linux/grsecurity.h>
49423 +#include <linux/grinternal.h>
49424 +#include <linux/pid_namespace.h>
49425 +#include <linux/fdtable.h>
49426 +#include <linux/percpu.h>
49427 +
49428 +#include <asm/uaccess.h>
49429 +#include <asm/errno.h>
49430 +#include <asm/mman.h>
49431 +
49432 +static struct acl_role_db acl_role_set;
49433 +static struct name_db name_set;
49434 +static struct inodev_db inodev_set;
49435 +
49436 +/* for keeping track of userspace pointers used for subjects, so we
49437 + can share references in the kernel as well
49438 +*/
49439 +
49440 +static struct dentry *real_root;
49441 +static struct vfsmount *real_root_mnt;
49442 +
49443 +static struct acl_subj_map_db subj_map_set;
49444 +
49445 +static struct acl_role_label *default_role;
49446 +
49447 +static struct acl_role_label *role_list;
49448 +
49449 +static u16 acl_sp_role_value;
49450 +
49451 +extern char *gr_shared_page[4];
49452 +static DEFINE_MUTEX(gr_dev_mutex);
49453 +DEFINE_RWLOCK(gr_inode_lock);
49454 +
49455 +struct gr_arg *gr_usermode;
49456 +
49457 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
49458 +
49459 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
49460 +extern void gr_clear_learn_entries(void);
49461 +
49462 +#ifdef CONFIG_GRKERNSEC_RESLOG
49463 +extern void gr_log_resource(const struct task_struct *task,
49464 + const int res, const unsigned long wanted, const int gt);
49465 +#endif
49466 +
49467 +unsigned char *gr_system_salt;
49468 +unsigned char *gr_system_sum;
49469 +
49470 +static struct sprole_pw **acl_special_roles = NULL;
49471 +static __u16 num_sprole_pws = 0;
49472 +
49473 +static struct acl_role_label *kernel_role = NULL;
49474 +
49475 +static unsigned int gr_auth_attempts = 0;
49476 +static unsigned long gr_auth_expires = 0UL;
49477 +
49478 +#ifdef CONFIG_NET
49479 +extern struct vfsmount *sock_mnt;
49480 +#endif
49481 +extern struct vfsmount *pipe_mnt;
49482 +extern struct vfsmount *shm_mnt;
49483 +#ifdef CONFIG_HUGETLBFS
49484 +extern struct vfsmount *hugetlbfs_vfsmount;
49485 +#endif
49486 +
49487 +static struct acl_object_label *fakefs_obj_rw;
49488 +static struct acl_object_label *fakefs_obj_rwx;
49489 +
49490 +extern int gr_init_uidset(void);
49491 +extern void gr_free_uidset(void);
49492 +extern void gr_remove_uid(uid_t uid);
49493 +extern int gr_find_uid(uid_t uid);
49494 +
49495 +__inline__ int
49496 +gr_acl_is_enabled(void)
49497 +{
49498 + return (gr_status & GR_READY);
49499 +}
49500 +
49501 +#ifdef CONFIG_BTRFS_FS
49502 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
49503 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
49504 +#endif
49505 +
49506 +static inline dev_t __get_dev(const struct dentry *dentry)
49507 +{
49508 +#ifdef CONFIG_BTRFS_FS
49509 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
49510 + return get_btrfs_dev_from_inode(dentry->d_inode);
49511 + else
49512 +#endif
49513 + return dentry->d_inode->i_sb->s_dev;
49514 +}
49515 +
49516 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
49517 +{
49518 + return __get_dev(dentry);
49519 +}
49520 +
49521 +static char gr_task_roletype_to_char(struct task_struct *task)
49522 +{
49523 + switch (task->role->roletype &
49524 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
49525 + GR_ROLE_SPECIAL)) {
49526 + case GR_ROLE_DEFAULT:
49527 + return 'D';
49528 + case GR_ROLE_USER:
49529 + return 'U';
49530 + case GR_ROLE_GROUP:
49531 + return 'G';
49532 + case GR_ROLE_SPECIAL:
49533 + return 'S';
49534 + }
49535 +
49536 + return 'X';
49537 +}
49538 +
49539 +char gr_roletype_to_char(void)
49540 +{
49541 + return gr_task_roletype_to_char(current);
49542 +}
49543 +
49544 +__inline__ int
49545 +gr_acl_tpe_check(void)
49546 +{
49547 + if (unlikely(!(gr_status & GR_READY)))
49548 + return 0;
49549 + if (current->role->roletype & GR_ROLE_TPE)
49550 + return 1;
49551 + else
49552 + return 0;
49553 +}
49554 +
49555 +int
49556 +gr_handle_rawio(const struct inode *inode)
49557 +{
49558 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
49559 + if (inode && S_ISBLK(inode->i_mode) &&
49560 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
49561 + !capable(CAP_SYS_RAWIO))
49562 + return 1;
49563 +#endif
49564 + return 0;
49565 +}
49566 +
49567 +static int
49568 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
49569 +{
49570 + if (likely(lena != lenb))
49571 + return 0;
49572 +
49573 + return !memcmp(a, b, lena);
49574 +}
49575 +
49576 +/* this must be called with vfsmount_lock and dcache_lock held */
49577 +
49578 +static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
49579 + struct dentry *root, struct vfsmount *rootmnt,
49580 + char *buffer, int buflen)
49581 +{
49582 + char * end = buffer+buflen;
49583 + char * retval;
49584 + int namelen;
49585 +
49586 + *--end = '\0';
49587 + buflen--;
49588 +
49589 + if (buflen < 1)
49590 + goto Elong;
49591 + /* Get '/' right */
49592 + retval = end-1;
49593 + *retval = '/';
49594 +
49595 + for (;;) {
49596 + struct dentry * parent;
49597 +
49598 + if (dentry == root && vfsmnt == rootmnt)
49599 + break;
49600 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
49601 + /* Global root? */
49602 + if (vfsmnt->mnt_parent == vfsmnt)
49603 + goto global_root;
49604 + dentry = vfsmnt->mnt_mountpoint;
49605 + vfsmnt = vfsmnt->mnt_parent;
49606 + continue;
49607 + }
49608 + parent = dentry->d_parent;
49609 + prefetch(parent);
49610 + namelen = dentry->d_name.len;
49611 + buflen -= namelen + 1;
49612 + if (buflen < 0)
49613 + goto Elong;
49614 + end -= namelen;
49615 + memcpy(end, dentry->d_name.name, namelen);
49616 + *--end = '/';
49617 + retval = end;
49618 + dentry = parent;
49619 + }
49620 +
49621 +out:
49622 + return retval;
49623 +
49624 +global_root:
49625 + namelen = dentry->d_name.len;
49626 + buflen -= namelen;
49627 + if (buflen < 0)
49628 + goto Elong;
49629 + retval -= namelen-1; /* hit the slash */
49630 + memcpy(retval, dentry->d_name.name, namelen);
49631 + goto out;
49632 +Elong:
49633 + retval = ERR_PTR(-ENAMETOOLONG);
49634 + goto out;
49635 +}
49636 +
49637 +static char *
49638 +gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
49639 + struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
49640 +{
49641 + char *retval;
49642 +
49643 + retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
49644 + if (unlikely(IS_ERR(retval)))
49645 + retval = strcpy(buf, "<path too long>");
49646 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
49647 + retval[1] = '\0';
49648 +
49649 + return retval;
49650 +}
49651 +
49652 +static char *
49653 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
49654 + char *buf, int buflen)
49655 +{
49656 + char *res;
49657 +
49658 + /* we can use real_root, real_root_mnt, because this is only called
49659 + by the RBAC system */
49660 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
49661 +
49662 + return res;
49663 +}
49664 +
49665 +static char *
49666 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
49667 + char *buf, int buflen)
49668 +{
49669 + char *res;
49670 + struct dentry *root;
49671 + struct vfsmount *rootmnt;
49672 + struct task_struct *reaper = &init_task;
49673 +
49674 + /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
49675 + read_lock(&reaper->fs->lock);
49676 + root = dget(reaper->fs->root.dentry);
49677 + rootmnt = mntget(reaper->fs->root.mnt);
49678 + read_unlock(&reaper->fs->lock);
49679 +
49680 + spin_lock(&dcache_lock);
49681 + spin_lock(&vfsmount_lock);
49682 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
49683 + spin_unlock(&vfsmount_lock);
49684 + spin_unlock(&dcache_lock);
49685 +
49686 + dput(root);
49687 + mntput(rootmnt);
49688 + return res;
49689 +}
49690 +
49691 +static char *
49692 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
49693 +{
49694 + char *ret;
49695 + spin_lock(&dcache_lock);
49696 + spin_lock(&vfsmount_lock);
49697 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
49698 + PAGE_SIZE);
49699 + spin_unlock(&vfsmount_lock);
49700 + spin_unlock(&dcache_lock);
49701 + return ret;
49702 +}
49703 +
49704 +char *
49705 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
49706 +{
49707 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
49708 + PAGE_SIZE);
49709 +}
49710 +
49711 +char *
49712 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
49713 +{
49714 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
49715 + PAGE_SIZE);
49716 +}
49717 +
49718 +char *
49719 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
49720 +{
49721 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
49722 + PAGE_SIZE);
49723 +}
49724 +
49725 +char *
49726 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
49727 +{
49728 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
49729 + PAGE_SIZE);
49730 +}
49731 +
49732 +char *
49733 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
49734 +{
49735 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
49736 + PAGE_SIZE);
49737 +}
49738 +
49739 +__inline__ __u32
49740 +to_gr_audit(const __u32 reqmode)
49741 +{
49742 + /* masks off auditable permission flags, then shifts them to create
49743 + auditing flags, and adds the special case of append auditing if
49744 + we're requesting write */
49745 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
49746 +}
49747 +
49748 +struct acl_subject_label *
49749 +lookup_subject_map(const struct acl_subject_label *userp)
49750 +{
49751 + unsigned int index = shash(userp, subj_map_set.s_size);
49752 + struct subject_map *match;
49753 +
49754 + match = subj_map_set.s_hash[index];
49755 +
49756 + while (match && match->user != userp)
49757 + match = match->next;
49758 +
49759 + if (match != NULL)
49760 + return match->kernel;
49761 + else
49762 + return NULL;
49763 +}
49764 +
49765 +static void
49766 +insert_subj_map_entry(struct subject_map *subjmap)
49767 +{
49768 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
49769 + struct subject_map **curr;
49770 +
49771 + subjmap->prev = NULL;
49772 +
49773 + curr = &subj_map_set.s_hash[index];
49774 + if (*curr != NULL)
49775 + (*curr)->prev = subjmap;
49776 +
49777 + subjmap->next = *curr;
49778 + *curr = subjmap;
49779 +
49780 + return;
49781 +}
49782 +
49783 +static struct acl_role_label *
49784 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
49785 + const gid_t gid)
49786 +{
49787 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
49788 + struct acl_role_label *match;
49789 + struct role_allowed_ip *ipp;
49790 + unsigned int x;
49791 + u32 curr_ip = task->signal->curr_ip;
49792 +
49793 + task->signal->saved_ip = curr_ip;
49794 +
49795 + match = acl_role_set.r_hash[index];
49796 +
49797 + while (match) {
49798 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
49799 + for (x = 0; x < match->domain_child_num; x++) {
49800 + if (match->domain_children[x] == uid)
49801 + goto found;
49802 + }
49803 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
49804 + break;
49805 + match = match->next;
49806 + }
49807 +found:
49808 + if (match == NULL) {
49809 + try_group:
49810 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
49811 + match = acl_role_set.r_hash[index];
49812 +
49813 + while (match) {
49814 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
49815 + for (x = 0; x < match->domain_child_num; x++) {
49816 + if (match->domain_children[x] == gid)
49817 + goto found2;
49818 + }
49819 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
49820 + break;
49821 + match = match->next;
49822 + }
49823 +found2:
49824 + if (match == NULL)
49825 + match = default_role;
49826 + if (match->allowed_ips == NULL)
49827 + return match;
49828 + else {
49829 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
49830 + if (likely
49831 + ((ntohl(curr_ip) & ipp->netmask) ==
49832 + (ntohl(ipp->addr) & ipp->netmask)))
49833 + return match;
49834 + }
49835 + match = default_role;
49836 + }
49837 + } else if (match->allowed_ips == NULL) {
49838 + return match;
49839 + } else {
49840 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
49841 + if (likely
49842 + ((ntohl(curr_ip) & ipp->netmask) ==
49843 + (ntohl(ipp->addr) & ipp->netmask)))
49844 + return match;
49845 + }
49846 + goto try_group;
49847 + }
49848 +
49849 + return match;
49850 +}
49851 +
49852 +struct acl_subject_label *
49853 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
49854 + const struct acl_role_label *role)
49855 +{
49856 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
49857 + struct acl_subject_label *match;
49858 +
49859 + match = role->subj_hash[index];
49860 +
49861 + while (match && (match->inode != ino || match->device != dev ||
49862 + (match->mode & GR_DELETED))) {
49863 + match = match->next;
49864 + }
49865 +
49866 + if (match && !(match->mode & GR_DELETED))
49867 + return match;
49868 + else
49869 + return NULL;
49870 +}
49871 +
49872 +struct acl_subject_label *
49873 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
49874 + const struct acl_role_label *role)
49875 +{
49876 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
49877 + struct acl_subject_label *match;
49878 +
49879 + match = role->subj_hash[index];
49880 +
49881 + while (match && (match->inode != ino || match->device != dev ||
49882 + !(match->mode & GR_DELETED))) {
49883 + match = match->next;
49884 + }
49885 +
49886 + if (match && (match->mode & GR_DELETED))
49887 + return match;
49888 + else
49889 + return NULL;
49890 +}
49891 +
49892 +static struct acl_object_label *
49893 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
49894 + const struct acl_subject_label *subj)
49895 +{
49896 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
49897 + struct acl_object_label *match;
49898 +
49899 + match = subj->obj_hash[index];
49900 +
49901 + while (match && (match->inode != ino || match->device != dev ||
49902 + (match->mode & GR_DELETED))) {
49903 + match = match->next;
49904 + }
49905 +
49906 + if (match && !(match->mode & GR_DELETED))
49907 + return match;
49908 + else
49909 + return NULL;
49910 +}
49911 +
49912 +static struct acl_object_label *
49913 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
49914 + const struct acl_subject_label *subj)
49915 +{
49916 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
49917 + struct acl_object_label *match;
49918 +
49919 + match = subj->obj_hash[index];
49920 +
49921 + while (match && (match->inode != ino || match->device != dev ||
49922 + !(match->mode & GR_DELETED))) {
49923 + match = match->next;
49924 + }
49925 +
49926 + if (match && (match->mode & GR_DELETED))
49927 + return match;
49928 +
49929 + match = subj->obj_hash[index];
49930 +
49931 + while (match && (match->inode != ino || match->device != dev ||
49932 + (match->mode & GR_DELETED))) {
49933 + match = match->next;
49934 + }
49935 +
49936 + if (match && !(match->mode & GR_DELETED))
49937 + return match;
49938 + else
49939 + return NULL;
49940 +}
49941 +
49942 +static struct name_entry *
49943 +lookup_name_entry(const char *name)
49944 +{
49945 + unsigned int len = strlen(name);
49946 + unsigned int key = full_name_hash(name, len);
49947 + unsigned int index = key % name_set.n_size;
49948 + struct name_entry *match;
49949 +
49950 + match = name_set.n_hash[index];
49951 +
49952 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
49953 + match = match->next;
49954 +
49955 + return match;
49956 +}
49957 +
49958 +static struct name_entry *
49959 +lookup_name_entry_create(const char *name)
49960 +{
49961 + unsigned int len = strlen(name);
49962 + unsigned int key = full_name_hash(name, len);
49963 + unsigned int index = key % name_set.n_size;
49964 + struct name_entry *match;
49965 +
49966 + match = name_set.n_hash[index];
49967 +
49968 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
49969 + !match->deleted))
49970 + match = match->next;
49971 +
49972 + if (match && match->deleted)
49973 + return match;
49974 +
49975 + match = name_set.n_hash[index];
49976 +
49977 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
49978 + match->deleted))
49979 + match = match->next;
49980 +
49981 + if (match && !match->deleted)
49982 + return match;
49983 + else
49984 + return NULL;
49985 +}
49986 +
49987 +static struct inodev_entry *
49988 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
49989 +{
49990 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
49991 + struct inodev_entry *match;
49992 +
49993 + match = inodev_set.i_hash[index];
49994 +
49995 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
49996 + match = match->next;
49997 +
49998 + return match;
49999 +}
50000 +
50001 +static void
50002 +insert_inodev_entry(struct inodev_entry *entry)
50003 +{
50004 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
50005 + inodev_set.i_size);
50006 + struct inodev_entry **curr;
50007 +
50008 + entry->prev = NULL;
50009 +
50010 + curr = &inodev_set.i_hash[index];
50011 + if (*curr != NULL)
50012 + (*curr)->prev = entry;
50013 +
50014 + entry->next = *curr;
50015 + *curr = entry;
50016 +
50017 + return;
50018 +}
50019 +
50020 +static void
50021 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
50022 +{
50023 + unsigned int index =
50024 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
50025 + struct acl_role_label **curr;
50026 + struct acl_role_label *tmp;
50027 +
50028 + curr = &acl_role_set.r_hash[index];
50029 +
50030 + /* if role was already inserted due to domains and already has
50031 + a role in the same bucket as it attached, then we need to
50032 + combine these two buckets
50033 + */
50034 + if (role->next) {
50035 + tmp = role->next;
50036 + while (tmp->next)
50037 + tmp = tmp->next;
50038 + tmp->next = *curr;
50039 + } else
50040 + role->next = *curr;
50041 + *curr = role;
50042 +
50043 + return;
50044 +}
50045 +
50046 +static void
50047 +insert_acl_role_label(struct acl_role_label *role)
50048 +{
50049 + int i;
50050 +
50051 + if (role_list == NULL) {
50052 + role_list = role;
50053 + role->prev = NULL;
50054 + } else {
50055 + role->prev = role_list;
50056 + role_list = role;
50057 + }
50058 +
50059 + /* used for hash chains */
50060 + role->next = NULL;
50061 +
50062 + if (role->roletype & GR_ROLE_DOMAIN) {
50063 + for (i = 0; i < role->domain_child_num; i++)
50064 + __insert_acl_role_label(role, role->domain_children[i]);
50065 + } else
50066 + __insert_acl_role_label(role, role->uidgid);
50067 +}
50068 +
50069 +static int
50070 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
50071 +{
50072 + struct name_entry **curr, *nentry;
50073 + struct inodev_entry *ientry;
50074 + unsigned int len = strlen(name);
50075 + unsigned int key = full_name_hash(name, len);
50076 + unsigned int index = key % name_set.n_size;
50077 +
50078 + curr = &name_set.n_hash[index];
50079 +
50080 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
50081 + curr = &((*curr)->next);
50082 +
50083 + if (*curr != NULL)
50084 + return 1;
50085 +
50086 + nentry = acl_alloc(sizeof (struct name_entry));
50087 + if (nentry == NULL)
50088 + return 0;
50089 + ientry = acl_alloc(sizeof (struct inodev_entry));
50090 + if (ientry == NULL)
50091 + return 0;
50092 + ientry->nentry = nentry;
50093 +
50094 + nentry->key = key;
50095 + nentry->name = name;
50096 + nentry->inode = inode;
50097 + nentry->device = device;
50098 + nentry->len = len;
50099 + nentry->deleted = deleted;
50100 +
50101 + nentry->prev = NULL;
50102 + curr = &name_set.n_hash[index];
50103 + if (*curr != NULL)
50104 + (*curr)->prev = nentry;
50105 + nentry->next = *curr;
50106 + *curr = nentry;
50107 +
50108 + /* insert us into the table searchable by inode/dev */
50109 + insert_inodev_entry(ientry);
50110 +
50111 + return 1;
50112 +}
50113 +
50114 +static void
50115 +insert_acl_obj_label(struct acl_object_label *obj,
50116 + struct acl_subject_label *subj)
50117 +{
50118 + unsigned int index =
50119 + fhash(obj->inode, obj->device, subj->obj_hash_size);
50120 + struct acl_object_label **curr;
50121 +
50122 +
50123 + obj->prev = NULL;
50124 +
50125 + curr = &subj->obj_hash[index];
50126 + if (*curr != NULL)
50127 + (*curr)->prev = obj;
50128 +
50129 + obj->next = *curr;
50130 + *curr = obj;
50131 +
50132 + return;
50133 +}
50134 +
50135 +static void
50136 +insert_acl_subj_label(struct acl_subject_label *obj,
50137 + struct acl_role_label *role)
50138 +{
50139 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
50140 + struct acl_subject_label **curr;
50141 +
50142 + obj->prev = NULL;
50143 +
50144 + curr = &role->subj_hash[index];
50145 + if (*curr != NULL)
50146 + (*curr)->prev = obj;
50147 +
50148 + obj->next = *curr;
50149 + *curr = obj;
50150 +
50151 + return;
50152 +}
50153 +
50154 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
50155 +
50156 +static void *
50157 +create_table(__u32 * len, int elementsize)
50158 +{
50159 + unsigned int table_sizes[] = {
50160 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
50161 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
50162 + 4194301, 8388593, 16777213, 33554393, 67108859
50163 + };
50164 + void *newtable = NULL;
50165 + unsigned int pwr = 0;
50166 +
50167 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
50168 + table_sizes[pwr] <= *len)
50169 + pwr++;
50170 +
50171 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
50172 + return newtable;
50173 +
50174 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
50175 + newtable =
50176 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
50177 + else
50178 + newtable = vmalloc(table_sizes[pwr] * elementsize);
50179 +
50180 + *len = table_sizes[pwr];
50181 +
50182 + return newtable;
50183 +}
50184 +
50185 +static int
50186 +init_variables(const struct gr_arg *arg)
50187 +{
50188 + struct task_struct *reaper = &init_task;
50189 + unsigned int stacksize;
50190 +
50191 + subj_map_set.s_size = arg->role_db.num_subjects;
50192 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
50193 + name_set.n_size = arg->role_db.num_objects;
50194 + inodev_set.i_size = arg->role_db.num_objects;
50195 +
50196 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
50197 + !name_set.n_size || !inodev_set.i_size)
50198 + return 1;
50199 +
50200 + if (!gr_init_uidset())
50201 + return 1;
50202 +
50203 + /* set up the stack that holds allocation info */
50204 +
50205 + stacksize = arg->role_db.num_pointers + 5;
50206 +
50207 + if (!acl_alloc_stack_init(stacksize))
50208 + return 1;
50209 +
50210 + /* grab reference for the real root dentry and vfsmount */
50211 + read_lock(&reaper->fs->lock);
50212 + real_root = dget(reaper->fs->root.dentry);
50213 + real_root_mnt = mntget(reaper->fs->root.mnt);
50214 + read_unlock(&reaper->fs->lock);
50215 +
50216 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
50217 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root), real_root->d_inode->i_ino);
50218 +#endif
50219 +
50220 + fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
50221 + if (fakefs_obj_rw == NULL)
50222 + return 1;
50223 + fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
50224 +
50225 + fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
50226 + if (fakefs_obj_rwx == NULL)
50227 + return 1;
50228 + fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
50229 +
50230 + subj_map_set.s_hash =
50231 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
50232 + acl_role_set.r_hash =
50233 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
50234 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
50235 + inodev_set.i_hash =
50236 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
50237 +
50238 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
50239 + !name_set.n_hash || !inodev_set.i_hash)
50240 + return 1;
50241 +
50242 + memset(subj_map_set.s_hash, 0,
50243 + sizeof(struct subject_map *) * subj_map_set.s_size);
50244 + memset(acl_role_set.r_hash, 0,
50245 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
50246 + memset(name_set.n_hash, 0,
50247 + sizeof (struct name_entry *) * name_set.n_size);
50248 + memset(inodev_set.i_hash, 0,
50249 + sizeof (struct inodev_entry *) * inodev_set.i_size);
50250 +
50251 + return 0;
50252 +}
50253 +
50254 +/* free information not needed after startup
50255 + currently contains user->kernel pointer mappings for subjects
50256 +*/
50257 +
50258 +static void
50259 +free_init_variables(void)
50260 +{
50261 + __u32 i;
50262 +
50263 + if (subj_map_set.s_hash) {
50264 + for (i = 0; i < subj_map_set.s_size; i++) {
50265 + if (subj_map_set.s_hash[i]) {
50266 + kfree(subj_map_set.s_hash[i]);
50267 + subj_map_set.s_hash[i] = NULL;
50268 + }
50269 + }
50270 +
50271 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
50272 + PAGE_SIZE)
50273 + kfree(subj_map_set.s_hash);
50274 + else
50275 + vfree(subj_map_set.s_hash);
50276 + }
50277 +
50278 + return;
50279 +}
50280 +
50281 +static void
50282 +free_variables(void)
50283 +{
50284 + struct acl_subject_label *s;
50285 + struct acl_role_label *r;
50286 + struct task_struct *task, *task2;
50287 + unsigned int x;
50288 +
50289 + gr_clear_learn_entries();
50290 +
50291 + read_lock(&tasklist_lock);
50292 + do_each_thread(task2, task) {
50293 + task->acl_sp_role = 0;
50294 + task->acl_role_id = 0;
50295 + task->acl = NULL;
50296 + task->role = NULL;
50297 + } while_each_thread(task2, task);
50298 + read_unlock(&tasklist_lock);
50299 +
50300 + /* release the reference to the real root dentry and vfsmount */
50301 + if (real_root)
50302 + dput(real_root);
50303 + real_root = NULL;
50304 + if (real_root_mnt)
50305 + mntput(real_root_mnt);
50306 + real_root_mnt = NULL;
50307 +
50308 + /* free all object hash tables */
50309 +
50310 + FOR_EACH_ROLE_START(r)
50311 + if (r->subj_hash == NULL)
50312 + goto next_role;
50313 + FOR_EACH_SUBJECT_START(r, s, x)
50314 + if (s->obj_hash == NULL)
50315 + break;
50316 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
50317 + kfree(s->obj_hash);
50318 + else
50319 + vfree(s->obj_hash);
50320 + FOR_EACH_SUBJECT_END(s, x)
50321 + FOR_EACH_NESTED_SUBJECT_START(r, s)
50322 + if (s->obj_hash == NULL)
50323 + break;
50324 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
50325 + kfree(s->obj_hash);
50326 + else
50327 + vfree(s->obj_hash);
50328 + FOR_EACH_NESTED_SUBJECT_END(s)
50329 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
50330 + kfree(r->subj_hash);
50331 + else
50332 + vfree(r->subj_hash);
50333 + r->subj_hash = NULL;
50334 +next_role:
50335 + FOR_EACH_ROLE_END(r)
50336 +
50337 + acl_free_all();
50338 +
50339 + if (acl_role_set.r_hash) {
50340 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
50341 + PAGE_SIZE)
50342 + kfree(acl_role_set.r_hash);
50343 + else
50344 + vfree(acl_role_set.r_hash);
50345 + }
50346 + if (name_set.n_hash) {
50347 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
50348 + PAGE_SIZE)
50349 + kfree(name_set.n_hash);
50350 + else
50351 + vfree(name_set.n_hash);
50352 + }
50353 +
50354 + if (inodev_set.i_hash) {
50355 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
50356 + PAGE_SIZE)
50357 + kfree(inodev_set.i_hash);
50358 + else
50359 + vfree(inodev_set.i_hash);
50360 + }
50361 +
50362 + gr_free_uidset();
50363 +
50364 + memset(&name_set, 0, sizeof (struct name_db));
50365 + memset(&inodev_set, 0, sizeof (struct inodev_db));
50366 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
50367 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
50368 +
50369 + default_role = NULL;
50370 + role_list = NULL;
50371 +
50372 + return;
50373 +}
50374 +
50375 +static __u32
50376 +count_user_objs(struct acl_object_label *userp)
50377 +{
50378 + struct acl_object_label o_tmp;
50379 + __u32 num = 0;
50380 +
50381 + while (userp) {
50382 + if (copy_from_user(&o_tmp, userp,
50383 + sizeof (struct acl_object_label)))
50384 + break;
50385 +
50386 + userp = o_tmp.prev;
50387 + num++;
50388 + }
50389 +
50390 + return num;
50391 +}
50392 +
50393 +static struct acl_subject_label *
50394 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
50395 +
50396 +static int
50397 +copy_user_glob(struct acl_object_label *obj)
50398 +{
50399 + struct acl_object_label *g_tmp, **guser;
50400 + unsigned int len;
50401 + char *tmp;
50402 +
50403 + if (obj->globbed == NULL)
50404 + return 0;
50405 +
50406 + guser = &obj->globbed;
50407 + while (*guser) {
50408 + g_tmp = (struct acl_object_label *)
50409 + acl_alloc(sizeof (struct acl_object_label));
50410 + if (g_tmp == NULL)
50411 + return -ENOMEM;
50412 +
50413 + if (copy_from_user(g_tmp, *guser,
50414 + sizeof (struct acl_object_label)))
50415 + return -EFAULT;
50416 +
50417 + len = strnlen_user(g_tmp->filename, PATH_MAX);
50418 +
50419 + if (!len || len >= PATH_MAX)
50420 + return -EINVAL;
50421 +
50422 + if ((tmp = (char *) acl_alloc(len)) == NULL)
50423 + return -ENOMEM;
50424 +
50425 + if (copy_from_user(tmp, g_tmp->filename, len))
50426 + return -EFAULT;
50427 + tmp[len-1] = '\0';
50428 + g_tmp->filename = tmp;
50429 +
50430 + *guser = g_tmp;
50431 + guser = &(g_tmp->next);
50432 + }
50433 +
50434 + return 0;
50435 +}
50436 +
50437 +static int
50438 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
50439 + struct acl_role_label *role)
50440 +{
50441 + struct acl_object_label *o_tmp;
50442 + unsigned int len;
50443 + int ret;
50444 + char *tmp;
50445 +
50446 + while (userp) {
50447 + if ((o_tmp = (struct acl_object_label *)
50448 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
50449 + return -ENOMEM;
50450 +
50451 + if (copy_from_user(o_tmp, userp,
50452 + sizeof (struct acl_object_label)))
50453 + return -EFAULT;
50454 +
50455 + userp = o_tmp->prev;
50456 +
50457 + len = strnlen_user(o_tmp->filename, PATH_MAX);
50458 +
50459 + if (!len || len >= PATH_MAX)
50460 + return -EINVAL;
50461 +
50462 + if ((tmp = (char *) acl_alloc(len)) == NULL)
50463 + return -ENOMEM;
50464 +
50465 + if (copy_from_user(tmp, o_tmp->filename, len))
50466 + return -EFAULT;
50467 + tmp[len-1] = '\0';
50468 + o_tmp->filename = tmp;
50469 +
50470 + insert_acl_obj_label(o_tmp, subj);
50471 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
50472 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
50473 + return -ENOMEM;
50474 +
50475 + ret = copy_user_glob(o_tmp);
50476 + if (ret)
50477 + return ret;
50478 +
50479 + if (o_tmp->nested) {
50480 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
50481 + if (IS_ERR(o_tmp->nested))
50482 + return PTR_ERR(o_tmp->nested);
50483 +
50484 + /* insert into nested subject list */
50485 + o_tmp->nested->next = role->hash->first;
50486 + role->hash->first = o_tmp->nested;
50487 + }
50488 + }
50489 +
50490 + return 0;
50491 +}
50492 +
50493 +static __u32
50494 +count_user_subjs(struct acl_subject_label *userp)
50495 +{
50496 + struct acl_subject_label s_tmp;
50497 + __u32 num = 0;
50498 +
50499 + while (userp) {
50500 + if (copy_from_user(&s_tmp, userp,
50501 + sizeof (struct acl_subject_label)))
50502 + break;
50503 +
50504 + userp = s_tmp.prev;
50505 + /* do not count nested subjects against this count, since
50506 + they are not included in the hash table, but are
50507 + attached to objects. We have already counted
50508 + the subjects in userspace for the allocation
50509 + stack
50510 + */
50511 + if (!(s_tmp.mode & GR_NESTED))
50512 + num++;
50513 + }
50514 +
50515 + return num;
50516 +}
50517 +
50518 +static int
50519 +copy_user_allowedips(struct acl_role_label *rolep)
50520 +{
50521 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
50522 +
50523 + ruserip = rolep->allowed_ips;
50524 +
50525 + while (ruserip) {
50526 + rlast = rtmp;
50527 +
50528 + if ((rtmp = (struct role_allowed_ip *)
50529 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
50530 + return -ENOMEM;
50531 +
50532 + if (copy_from_user(rtmp, ruserip,
50533 + sizeof (struct role_allowed_ip)))
50534 + return -EFAULT;
50535 +
50536 + ruserip = rtmp->prev;
50537 +
50538 + if (!rlast) {
50539 + rtmp->prev = NULL;
50540 + rolep->allowed_ips = rtmp;
50541 + } else {
50542 + rlast->next = rtmp;
50543 + rtmp->prev = rlast;
50544 + }
50545 +
50546 + if (!ruserip)
50547 + rtmp->next = NULL;
50548 + }
50549 +
50550 + return 0;
50551 +}
50552 +
50553 +static int
50554 +copy_user_transitions(struct acl_role_label *rolep)
50555 +{
50556 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
50557 +
50558 + unsigned int len;
50559 + char *tmp;
50560 +
50561 + rusertp = rolep->transitions;
50562 +
50563 + while (rusertp) {
50564 + rlast = rtmp;
50565 +
50566 + if ((rtmp = (struct role_transition *)
50567 + acl_alloc(sizeof (struct role_transition))) == NULL)
50568 + return -ENOMEM;
50569 +
50570 + if (copy_from_user(rtmp, rusertp,
50571 + sizeof (struct role_transition)))
50572 + return -EFAULT;
50573 +
50574 + rusertp = rtmp->prev;
50575 +
50576 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
50577 +
50578 + if (!len || len >= GR_SPROLE_LEN)
50579 + return -EINVAL;
50580 +
50581 + if ((tmp = (char *) acl_alloc(len)) == NULL)
50582 + return -ENOMEM;
50583 +
50584 + if (copy_from_user(tmp, rtmp->rolename, len))
50585 + return -EFAULT;
50586 + tmp[len-1] = '\0';
50587 + rtmp->rolename = tmp;
50588 +
50589 + if (!rlast) {
50590 + rtmp->prev = NULL;
50591 + rolep->transitions = rtmp;
50592 + } else {
50593 + rlast->next = rtmp;
50594 + rtmp->prev = rlast;
50595 + }
50596 +
50597 + if (!rusertp)
50598 + rtmp->next = NULL;
50599 + }
50600 +
50601 + return 0;
50602 +}
50603 +
50604 +static struct acl_subject_label *
50605 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
50606 +{
50607 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
50608 + unsigned int len;
50609 + char *tmp;
50610 + __u32 num_objs;
50611 + struct acl_ip_label **i_tmp, *i_utmp2;
50612 + struct gr_hash_struct ghash;
50613 + struct subject_map *subjmap;
50614 + unsigned int i_num;
50615 + int err;
50616 +
50617 + s_tmp = lookup_subject_map(userp);
50618 +
50619 + /* we've already copied this subject into the kernel, just return
50620 + the reference to it, and don't copy it over again
50621 + */
50622 + if (s_tmp)
50623 + return(s_tmp);
50624 +
50625 + if ((s_tmp = (struct acl_subject_label *)
50626 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
50627 + return ERR_PTR(-ENOMEM);
50628 +
50629 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
50630 + if (subjmap == NULL)
50631 + return ERR_PTR(-ENOMEM);
50632 +
50633 + subjmap->user = userp;
50634 + subjmap->kernel = s_tmp;
50635 + insert_subj_map_entry(subjmap);
50636 +
50637 + if (copy_from_user(s_tmp, userp,
50638 + sizeof (struct acl_subject_label)))
50639 + return ERR_PTR(-EFAULT);
50640 +
50641 + len = strnlen_user(s_tmp->filename, PATH_MAX);
50642 +
50643 + if (!len || len >= PATH_MAX)
50644 + return ERR_PTR(-EINVAL);
50645 +
50646 + if ((tmp = (char *) acl_alloc(len)) == NULL)
50647 + return ERR_PTR(-ENOMEM);
50648 +
50649 + if (copy_from_user(tmp, s_tmp->filename, len))
50650 + return ERR_PTR(-EFAULT);
50651 + tmp[len-1] = '\0';
50652 + s_tmp->filename = tmp;
50653 +
50654 + if (!strcmp(s_tmp->filename, "/"))
50655 + role->root_label = s_tmp;
50656 +
50657 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
50658 + return ERR_PTR(-EFAULT);
50659 +
50660 + /* copy user and group transition tables */
50661 +
50662 + if (s_tmp->user_trans_num) {
50663 + uid_t *uidlist;
50664 +
50665 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
50666 + if (uidlist == NULL)
50667 + return ERR_PTR(-ENOMEM);
50668 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
50669 + return ERR_PTR(-EFAULT);
50670 +
50671 + s_tmp->user_transitions = uidlist;
50672 + }
50673 +
50674 + if (s_tmp->group_trans_num) {
50675 + gid_t *gidlist;
50676 +
50677 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
50678 + if (gidlist == NULL)
50679 + return ERR_PTR(-ENOMEM);
50680 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
50681 + return ERR_PTR(-EFAULT);
50682 +
50683 + s_tmp->group_transitions = gidlist;
50684 + }
50685 +
50686 + /* set up object hash table */
50687 + num_objs = count_user_objs(ghash.first);
50688 +
50689 + s_tmp->obj_hash_size = num_objs;
50690 + s_tmp->obj_hash =
50691 + (struct acl_object_label **)
50692 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
50693 +
50694 + if (!s_tmp->obj_hash)
50695 + return ERR_PTR(-ENOMEM);
50696 +
50697 + memset(s_tmp->obj_hash, 0,
50698 + s_tmp->obj_hash_size *
50699 + sizeof (struct acl_object_label *));
50700 +
50701 + /* add in objects */
50702 + err = copy_user_objs(ghash.first, s_tmp, role);
50703 +
50704 + if (err)
50705 + return ERR_PTR(err);
50706 +
50707 + /* set pointer for parent subject */
50708 + if (s_tmp->parent_subject) {
50709 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
50710 +
50711 + if (IS_ERR(s_tmp2))
50712 + return s_tmp2;
50713 +
50714 + s_tmp->parent_subject = s_tmp2;
50715 + }
50716 +
50717 + /* add in ip acls */
50718 +
50719 + if (!s_tmp->ip_num) {
50720 + s_tmp->ips = NULL;
50721 + goto insert;
50722 + }
50723 +
50724 + i_tmp =
50725 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
50726 + sizeof (struct acl_ip_label *));
50727 +
50728 + if (!i_tmp)
50729 + return ERR_PTR(-ENOMEM);
50730 +
50731 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
50732 + *(i_tmp + i_num) =
50733 + (struct acl_ip_label *)
50734 + acl_alloc(sizeof (struct acl_ip_label));
50735 + if (!*(i_tmp + i_num))
50736 + return ERR_PTR(-ENOMEM);
50737 +
50738 + if (copy_from_user
50739 + (&i_utmp2, s_tmp->ips + i_num,
50740 + sizeof (struct acl_ip_label *)))
50741 + return ERR_PTR(-EFAULT);
50742 +
50743 + if (copy_from_user
50744 + (*(i_tmp + i_num), i_utmp2,
50745 + sizeof (struct acl_ip_label)))
50746 + return ERR_PTR(-EFAULT);
50747 +
50748 + if ((*(i_tmp + i_num))->iface == NULL)
50749 + continue;
50750 +
50751 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
50752 + if (!len || len >= IFNAMSIZ)
50753 + return ERR_PTR(-EINVAL);
50754 + tmp = acl_alloc(len);
50755 + if (tmp == NULL)
50756 + return ERR_PTR(-ENOMEM);
50757 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
50758 + return ERR_PTR(-EFAULT);
50759 + (*(i_tmp + i_num))->iface = tmp;
50760 + }
50761 +
50762 + s_tmp->ips = i_tmp;
50763 +
50764 +insert:
50765 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
50766 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
50767 + return ERR_PTR(-ENOMEM);
50768 +
50769 + return s_tmp;
50770 +}
50771 +
50772 +static int
50773 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
50774 +{
50775 + struct acl_subject_label s_pre;
50776 + struct acl_subject_label * ret;
50777 + int err;
50778 +
50779 + while (userp) {
50780 + if (copy_from_user(&s_pre, userp,
50781 + sizeof (struct acl_subject_label)))
50782 + return -EFAULT;
50783 +
50784 + /* do not add nested subjects here, add
50785 + while parsing objects
50786 + */
50787 +
50788 + if (s_pre.mode & GR_NESTED) {
50789 + userp = s_pre.prev;
50790 + continue;
50791 + }
50792 +
50793 + ret = do_copy_user_subj(userp, role);
50794 +
50795 + err = PTR_ERR(ret);
50796 + if (IS_ERR(ret))
50797 + return err;
50798 +
50799 + insert_acl_subj_label(ret, role);
50800 +
50801 + userp = s_pre.prev;
50802 + }
50803 +
50804 + return 0;
50805 +}
50806 +
50807 +static int
50808 +copy_user_acl(struct gr_arg *arg)
50809 +{
50810 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
50811 + struct sprole_pw *sptmp;
50812 + struct gr_hash_struct *ghash;
50813 + uid_t *domainlist;
50814 + unsigned int r_num;
50815 + unsigned int len;
50816 + char *tmp;
50817 + int err = 0;
50818 + __u16 i;
50819 + __u32 num_subjs;
50820 +
50821 + /* we need a default and kernel role */
50822 + if (arg->role_db.num_roles < 2)
50823 + return -EINVAL;
50824 +
50825 + /* copy special role authentication info from userspace */
50826 +
50827 + num_sprole_pws = arg->num_sprole_pws;
50828 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
50829 +
50830 + if (!acl_special_roles) {
50831 + err = -ENOMEM;
50832 + goto cleanup;
50833 + }
50834 +
50835 + for (i = 0; i < num_sprole_pws; i++) {
50836 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
50837 + if (!sptmp) {
50838 + err = -ENOMEM;
50839 + goto cleanup;
50840 + }
50841 + if (copy_from_user(sptmp, arg->sprole_pws + i,
50842 + sizeof (struct sprole_pw))) {
50843 + err = -EFAULT;
50844 + goto cleanup;
50845 + }
50846 +
50847 + len =
50848 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
50849 +
50850 + if (!len || len >= GR_SPROLE_LEN) {
50851 + err = -EINVAL;
50852 + goto cleanup;
50853 + }
50854 +
50855 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
50856 + err = -ENOMEM;
50857 + goto cleanup;
50858 + }
50859 +
50860 + if (copy_from_user(tmp, sptmp->rolename, len)) {
50861 + err = -EFAULT;
50862 + goto cleanup;
50863 + }
50864 + tmp[len-1] = '\0';
50865 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
50866 + printk(KERN_ALERT "Copying special role %s\n", tmp);
50867 +#endif
50868 + sptmp->rolename = tmp;
50869 + acl_special_roles[i] = sptmp;
50870 + }
50871 +
50872 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
50873 +
50874 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
50875 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
50876 +
50877 + if (!r_tmp) {
50878 + err = -ENOMEM;
50879 + goto cleanup;
50880 + }
50881 +
50882 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
50883 + sizeof (struct acl_role_label *))) {
50884 + err = -EFAULT;
50885 + goto cleanup;
50886 + }
50887 +
50888 + if (copy_from_user(r_tmp, r_utmp2,
50889 + sizeof (struct acl_role_label))) {
50890 + err = -EFAULT;
50891 + goto cleanup;
50892 + }
50893 +
50894 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
50895 +
50896 + if (!len || len >= PATH_MAX) {
50897 + err = -EINVAL;
50898 + goto cleanup;
50899 + }
50900 +
50901 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
50902 + err = -ENOMEM;
50903 + goto cleanup;
50904 + }
50905 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
50906 + err = -EFAULT;
50907 + goto cleanup;
50908 + }
50909 + tmp[len-1] = '\0';
50910 + r_tmp->rolename = tmp;
50911 +
50912 + if (!strcmp(r_tmp->rolename, "default")
50913 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
50914 + default_role = r_tmp;
50915 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
50916 + kernel_role = r_tmp;
50917 + }
50918 +
50919 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
50920 + err = -ENOMEM;
50921 + goto cleanup;
50922 + }
50923 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
50924 + err = -EFAULT;
50925 + goto cleanup;
50926 + }
50927 +
50928 + r_tmp->hash = ghash;
50929 +
50930 + num_subjs = count_user_subjs(r_tmp->hash->first);
50931 +
50932 + r_tmp->subj_hash_size = num_subjs;
50933 + r_tmp->subj_hash =
50934 + (struct acl_subject_label **)
50935 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
50936 +
50937 + if (!r_tmp->subj_hash) {
50938 + err = -ENOMEM;
50939 + goto cleanup;
50940 + }
50941 +
50942 + err = copy_user_allowedips(r_tmp);
50943 + if (err)
50944 + goto cleanup;
50945 +
50946 + /* copy domain info */
50947 + if (r_tmp->domain_children != NULL) {
50948 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
50949 + if (domainlist == NULL) {
50950 + err = -ENOMEM;
50951 + goto cleanup;
50952 + }
50953 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
50954 + err = -EFAULT;
50955 + goto cleanup;
50956 + }
50957 + r_tmp->domain_children = domainlist;
50958 + }
50959 +
50960 + err = copy_user_transitions(r_tmp);
50961 + if (err)
50962 + goto cleanup;
50963 +
50964 + memset(r_tmp->subj_hash, 0,
50965 + r_tmp->subj_hash_size *
50966 + sizeof (struct acl_subject_label *));
50967 +
50968 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
50969 +
50970 + if (err)
50971 + goto cleanup;
50972 +
50973 + /* set nested subject list to null */
50974 + r_tmp->hash->first = NULL;
50975 +
50976 + insert_acl_role_label(r_tmp);
50977 + }
50978 +
50979 + goto return_err;
50980 + cleanup:
50981 + free_variables();
50982 + return_err:
50983 + return err;
50984 +
50985 +}
50986 +
50987 +static int
50988 +gracl_init(struct gr_arg *args)
50989 +{
50990 + int error = 0;
50991 +
50992 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
50993 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
50994 +
50995 + if (init_variables(args)) {
50996 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
50997 + error = -ENOMEM;
50998 + free_variables();
50999 + goto out;
51000 + }
51001 +
51002 + error = copy_user_acl(args);
51003 + free_init_variables();
51004 + if (error) {
51005 + free_variables();
51006 + goto out;
51007 + }
51008 +
51009 + if ((error = gr_set_acls(0))) {
51010 + free_variables();
51011 + goto out;
51012 + }
51013 +
51014 + pax_open_kernel();
51015 + gr_status |= GR_READY;
51016 + pax_close_kernel();
51017 +
51018 + out:
51019 + return error;
51020 +}
51021 +
51022 +/* derived from glibc fnmatch() 0: match, 1: no match*/
51023 +
51024 +static int
51025 +glob_match(const char *p, const char *n)
51026 +{
51027 + char c;
51028 +
51029 + while ((c = *p++) != '\0') {
51030 + switch (c) {
51031 + case '?':
51032 + if (*n == '\0')
51033 + return 1;
51034 + else if (*n == '/')
51035 + return 1;
51036 + break;
51037 + case '\\':
51038 + if (*n != c)
51039 + return 1;
51040 + break;
51041 + case '*':
51042 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
51043 + if (*n == '/')
51044 + return 1;
51045 + else if (c == '?') {
51046 + if (*n == '\0')
51047 + return 1;
51048 + else
51049 + ++n;
51050 + }
51051 + }
51052 + if (c == '\0') {
51053 + return 0;
51054 + } else {
51055 + const char *endp;
51056 +
51057 + if ((endp = strchr(n, '/')) == NULL)
51058 + endp = n + strlen(n);
51059 +
51060 + if (c == '[') {
51061 + for (--p; n < endp; ++n)
51062 + if (!glob_match(p, n))
51063 + return 0;
51064 + } else if (c == '/') {
51065 + while (*n != '\0' && *n != '/')
51066 + ++n;
51067 + if (*n == '/' && !glob_match(p, n + 1))
51068 + return 0;
51069 + } else {
51070 + for (--p; n < endp; ++n)
51071 + if (*n == c && !glob_match(p, n))
51072 + return 0;
51073 + }
51074 +
51075 + return 1;
51076 + }
51077 + case '[':
51078 + {
51079 + int not;
51080 + char cold;
51081 +
51082 + if (*n == '\0' || *n == '/')
51083 + return 1;
51084 +
51085 + not = (*p == '!' || *p == '^');
51086 + if (not)
51087 + ++p;
51088 +
51089 + c = *p++;
51090 + for (;;) {
51091 + unsigned char fn = (unsigned char)*n;
51092 +
51093 + if (c == '\0')
51094 + return 1;
51095 + else {
51096 + if (c == fn)
51097 + goto matched;
51098 + cold = c;
51099 + c = *p++;
51100 +
51101 + if (c == '-' && *p != ']') {
51102 + unsigned char cend = *p++;
51103 +
51104 + if (cend == '\0')
51105 + return 1;
51106 +
51107 + if (cold <= fn && fn <= cend)
51108 + goto matched;
51109 +
51110 + c = *p++;
51111 + }
51112 + }
51113 +
51114 + if (c == ']')
51115 + break;
51116 + }
51117 + if (!not)
51118 + return 1;
51119 + break;
51120 + matched:
51121 + while (c != ']') {
51122 + if (c == '\0')
51123 + return 1;
51124 +
51125 + c = *p++;
51126 + }
51127 + if (not)
51128 + return 1;
51129 + }
51130 + break;
51131 + default:
51132 + if (c != *n)
51133 + return 1;
51134 + }
51135 +
51136 + ++n;
51137 + }
51138 +
51139 + if (*n == '\0')
51140 + return 0;
51141 +
51142 + if (*n == '/')
51143 + return 0;
51144 +
51145 + return 1;
51146 +}
51147 +
51148 +static struct acl_object_label *
51149 +chk_glob_label(struct acl_object_label *globbed,
51150 + struct dentry *dentry, struct vfsmount *mnt, char **path)
51151 +{
51152 + struct acl_object_label *tmp;
51153 +
51154 + if (*path == NULL)
51155 + *path = gr_to_filename_nolock(dentry, mnt);
51156 +
51157 + tmp = globbed;
51158 +
51159 + while (tmp) {
51160 + if (!glob_match(tmp->filename, *path))
51161 + return tmp;
51162 + tmp = tmp->next;
51163 + }
51164 +
51165 + return NULL;
51166 +}
51167 +
51168 +static struct acl_object_label *
51169 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
51170 + const ino_t curr_ino, const dev_t curr_dev,
51171 + const struct acl_subject_label *subj, char **path, const int checkglob)
51172 +{
51173 + struct acl_subject_label *tmpsubj;
51174 + struct acl_object_label *retval;
51175 + struct acl_object_label *retval2;
51176 +
51177 + tmpsubj = (struct acl_subject_label *) subj;
51178 + read_lock(&gr_inode_lock);
51179 + do {
51180 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
51181 + if (retval) {
51182 + if (checkglob && retval->globbed) {
51183 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
51184 + (struct vfsmount *)orig_mnt, path);
51185 + if (retval2)
51186 + retval = retval2;
51187 + }
51188 + break;
51189 + }
51190 + } while ((tmpsubj = tmpsubj->parent_subject));
51191 + read_unlock(&gr_inode_lock);
51192 +
51193 + return retval;
51194 +}
51195 +
51196 +static __inline__ struct acl_object_label *
51197 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
51198 + const struct dentry *curr_dentry,
51199 + const struct acl_subject_label *subj, char **path, const int checkglob)
51200 +{
51201 + int newglob = checkglob;
51202 +
51203 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
51204 + as we don't want a / * rule to match instead of the / object
51205 + don't do this for create lookups that call this function though, since they're looking up
51206 + on the parent and thus need globbing checks on all paths
51207 + */
51208 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
51209 + newglob = GR_NO_GLOB;
51210 +
51211 + return __full_lookup(orig_dentry, orig_mnt,
51212 + curr_dentry->d_inode->i_ino,
51213 + __get_dev(curr_dentry), subj, path, newglob);
51214 +}
51215 +
51216 +static struct acl_object_label *
51217 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
51218 + const struct acl_subject_label *subj, char *path, const int checkglob)
51219 +{
51220 + struct dentry *dentry = (struct dentry *) l_dentry;
51221 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
51222 + struct acl_object_label *retval;
51223 +
51224 + spin_lock(&dcache_lock);
51225 + spin_lock(&vfsmount_lock);
51226 +
51227 + if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
51228 +#ifdef CONFIG_NET
51229 + mnt == sock_mnt ||
51230 +#endif
51231 +#ifdef CONFIG_HUGETLBFS
51232 + (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
51233 +#endif
51234 + /* ignore Eric Biederman */
51235 + IS_PRIVATE(l_dentry->d_inode))) {
51236 + retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
51237 + goto out;
51238 + }
51239 +
51240 + for (;;) {
51241 + if (dentry == real_root && mnt == real_root_mnt)
51242 + break;
51243 +
51244 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
51245 + if (mnt->mnt_parent == mnt)
51246 + break;
51247 +
51248 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
51249 + if (retval != NULL)
51250 + goto out;
51251 +
51252 + dentry = mnt->mnt_mountpoint;
51253 + mnt = mnt->mnt_parent;
51254 + continue;
51255 + }
51256 +
51257 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
51258 + if (retval != NULL)
51259 + goto out;
51260 +
51261 + dentry = dentry->d_parent;
51262 + }
51263 +
51264 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
51265 +
51266 + if (retval == NULL)
51267 + retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
51268 +out:
51269 + spin_unlock(&vfsmount_lock);
51270 + spin_unlock(&dcache_lock);
51271 +
51272 + BUG_ON(retval == NULL);
51273 +
51274 + return retval;
51275 +}
51276 +
51277 +static __inline__ struct acl_object_label *
51278 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
51279 + const struct acl_subject_label *subj)
51280 +{
51281 + char *path = NULL;
51282 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
51283 +}
51284 +
51285 +static __inline__ struct acl_object_label *
51286 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
51287 + const struct acl_subject_label *subj)
51288 +{
51289 + char *path = NULL;
51290 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
51291 +}
51292 +
51293 +static __inline__ struct acl_object_label *
51294 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
51295 + const struct acl_subject_label *subj, char *path)
51296 +{
51297 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
51298 +}
51299 +
51300 +static struct acl_subject_label *
51301 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
51302 + const struct acl_role_label *role)
51303 +{
51304 + struct dentry *dentry = (struct dentry *) l_dentry;
51305 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
51306 + struct acl_subject_label *retval;
51307 +
51308 + spin_lock(&dcache_lock);
51309 + spin_lock(&vfsmount_lock);
51310 +
51311 + for (;;) {
51312 + if (dentry == real_root && mnt == real_root_mnt)
51313 + break;
51314 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
51315 + if (mnt->mnt_parent == mnt)
51316 + break;
51317 +
51318 + read_lock(&gr_inode_lock);
51319 + retval =
51320 + lookup_acl_subj_label(dentry->d_inode->i_ino,
51321 + __get_dev(dentry), role);
51322 + read_unlock(&gr_inode_lock);
51323 + if (retval != NULL)
51324 + goto out;
51325 +
51326 + dentry = mnt->mnt_mountpoint;
51327 + mnt = mnt->mnt_parent;
51328 + continue;
51329 + }
51330 +
51331 + read_lock(&gr_inode_lock);
51332 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
51333 + __get_dev(dentry), role);
51334 + read_unlock(&gr_inode_lock);
51335 + if (retval != NULL)
51336 + goto out;
51337 +
51338 + dentry = dentry->d_parent;
51339 + }
51340 +
51341 + read_lock(&gr_inode_lock);
51342 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
51343 + __get_dev(dentry), role);
51344 + read_unlock(&gr_inode_lock);
51345 +
51346 + if (unlikely(retval == NULL)) {
51347 + read_lock(&gr_inode_lock);
51348 + retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
51349 + __get_dev(real_root), role);
51350 + read_unlock(&gr_inode_lock);
51351 + }
51352 +out:
51353 + spin_unlock(&vfsmount_lock);
51354 + spin_unlock(&dcache_lock);
51355 +
51356 + BUG_ON(retval == NULL);
51357 +
51358 + return retval;
51359 +}
51360 +
51361 +static void
51362 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
51363 +{
51364 + struct task_struct *task = current;
51365 + const struct cred *cred = current_cred();
51366 +
51367 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
51368 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
51369 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
51370 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
51371 +
51372 + return;
51373 +}
51374 +
51375 +static void
51376 +gr_log_learn_sysctl(const char *path, const __u32 mode)
51377 +{
51378 + struct task_struct *task = current;
51379 + const struct cred *cred = current_cred();
51380 +
51381 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
51382 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
51383 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
51384 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
51385 +
51386 + return;
51387 +}
51388 +
51389 +static void
51390 +gr_log_learn_id_change(const char type, const unsigned int real,
51391 + const unsigned int effective, const unsigned int fs)
51392 +{
51393 + struct task_struct *task = current;
51394 + const struct cred *cred = current_cred();
51395 +
51396 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
51397 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
51398 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
51399 + type, real, effective, fs, &task->signal->saved_ip);
51400 +
51401 + return;
51402 +}
51403 +
51404 +__u32
51405 +gr_check_link(const struct dentry * new_dentry,
51406 + const struct dentry * parent_dentry,
51407 + const struct vfsmount * parent_mnt,
51408 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
51409 +{
51410 + struct acl_object_label *obj;
51411 + __u32 oldmode, newmode;
51412 + __u32 needmode;
51413 +
51414 + if (unlikely(!(gr_status & GR_READY)))
51415 + return (GR_CREATE | GR_LINK);
51416 +
51417 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
51418 + oldmode = obj->mode;
51419 +
51420 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
51421 + oldmode |= (GR_CREATE | GR_LINK);
51422 +
51423 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
51424 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
51425 + needmode |= GR_SETID | GR_AUDIT_SETID;
51426 +
51427 + newmode =
51428 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
51429 + oldmode | needmode);
51430 +
51431 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
51432 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
51433 + GR_INHERIT | GR_AUDIT_INHERIT);
51434 +
51435 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
51436 + goto bad;
51437 +
51438 + if ((oldmode & needmode) != needmode)
51439 + goto bad;
51440 +
51441 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
51442 + if ((newmode & needmode) != needmode)
51443 + goto bad;
51444 +
51445 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
51446 + return newmode;
51447 +bad:
51448 + needmode = oldmode;
51449 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
51450 + needmode |= GR_SETID;
51451 +
51452 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
51453 + gr_log_learn(old_dentry, old_mnt, needmode);
51454 + return (GR_CREATE | GR_LINK);
51455 + } else if (newmode & GR_SUPPRESS)
51456 + return GR_SUPPRESS;
51457 + else
51458 + return 0;
51459 +}
51460 +
51461 +__u32
51462 +gr_search_file(const struct dentry * dentry, const __u32 mode,
51463 + const struct vfsmount * mnt)
51464 +{
51465 + __u32 retval = mode;
51466 + struct acl_subject_label *curracl;
51467 + struct acl_object_label *currobj;
51468 +
51469 + if (unlikely(!(gr_status & GR_READY)))
51470 + return (mode & ~GR_AUDITS);
51471 +
51472 + curracl = current->acl;
51473 +
51474 + currobj = chk_obj_label(dentry, mnt, curracl);
51475 + retval = currobj->mode & mode;
51476 +
51477 + /* if we're opening a specified transfer file for writing
51478 + (e.g. /dev/initctl), then transfer our role to init
51479 + */
51480 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
51481 + current->role->roletype & GR_ROLE_PERSIST)) {
51482 + struct task_struct *task = init_pid_ns.child_reaper;
51483 +
51484 + if (task->role != current->role) {
51485 + task->acl_sp_role = 0;
51486 + task->acl_role_id = current->acl_role_id;
51487 + task->role = current->role;
51488 + rcu_read_lock();
51489 + read_lock(&grsec_exec_file_lock);
51490 + gr_apply_subject_to_task(task);
51491 + read_unlock(&grsec_exec_file_lock);
51492 + rcu_read_unlock();
51493 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
51494 + }
51495 + }
51496 +
51497 + if (unlikely
51498 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
51499 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
51500 + __u32 new_mode = mode;
51501 +
51502 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
51503 +
51504 + retval = new_mode;
51505 +
51506 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
51507 + new_mode |= GR_INHERIT;
51508 +
51509 + if (!(mode & GR_NOLEARN))
51510 + gr_log_learn(dentry, mnt, new_mode);
51511 + }
51512 +
51513 + return retval;
51514 +}
51515 +
51516 +__u32
51517 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
51518 + const struct vfsmount * mnt, const __u32 mode)
51519 +{
51520 + struct name_entry *match;
51521 + struct acl_object_label *matchpo;
51522 + struct acl_subject_label *curracl;
51523 + char *path;
51524 + __u32 retval;
51525 +
51526 + if (unlikely(!(gr_status & GR_READY)))
51527 + return (mode & ~GR_AUDITS);
51528 +
51529 + preempt_disable();
51530 + path = gr_to_filename_rbac(new_dentry, mnt);
51531 + match = lookup_name_entry_create(path);
51532 +
51533 + if (!match)
51534 + goto check_parent;
51535 +
51536 + curracl = current->acl;
51537 +
51538 + read_lock(&gr_inode_lock);
51539 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
51540 + read_unlock(&gr_inode_lock);
51541 +
51542 + if (matchpo) {
51543 + if ((matchpo->mode & mode) !=
51544 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
51545 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
51546 + __u32 new_mode = mode;
51547 +
51548 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
51549 +
51550 + gr_log_learn(new_dentry, mnt, new_mode);
51551 +
51552 + preempt_enable();
51553 + return new_mode;
51554 + }
51555 + preempt_enable();
51556 + return (matchpo->mode & mode);
51557 + }
51558 +
51559 + check_parent:
51560 + curracl = current->acl;
51561 +
51562 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
51563 + retval = matchpo->mode & mode;
51564 +
51565 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
51566 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
51567 + __u32 new_mode = mode;
51568 +
51569 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
51570 +
51571 + gr_log_learn(new_dentry, mnt, new_mode);
51572 + preempt_enable();
51573 + return new_mode;
51574 + }
51575 +
51576 + preempt_enable();
51577 + return retval;
51578 +}
51579 +
51580 +int
51581 +gr_check_hidden_task(const struct task_struct *task)
51582 +{
51583 + if (unlikely(!(gr_status & GR_READY)))
51584 + return 0;
51585 +
51586 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
51587 + return 1;
51588 +
51589 + return 0;
51590 +}
51591 +
51592 +int
51593 +gr_check_protected_task(const struct task_struct *task)
51594 +{
51595 + if (unlikely(!(gr_status & GR_READY) || !task))
51596 + return 0;
51597 +
51598 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
51599 + task->acl != current->acl)
51600 + return 1;
51601 +
51602 + return 0;
51603 +}
51604 +
51605 +int
51606 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
51607 +{
51608 + struct task_struct *p;
51609 + int ret = 0;
51610 +
51611 + if (unlikely(!(gr_status & GR_READY) || !pid))
51612 + return ret;
51613 +
51614 + read_lock(&tasklist_lock);
51615 + do_each_pid_task(pid, type, p) {
51616 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
51617 + p->acl != current->acl) {
51618 + ret = 1;
51619 + goto out;
51620 + }
51621 + } while_each_pid_task(pid, type, p);
51622 +out:
51623 + read_unlock(&tasklist_lock);
51624 +
51625 + return ret;
51626 +}
51627 +
51628 +void
51629 +gr_copy_label(struct task_struct *tsk)
51630 +{
51631 + tsk->signal->used_accept = 0;
51632 + tsk->acl_sp_role = 0;
51633 + tsk->acl_role_id = current->acl_role_id;
51634 + tsk->acl = current->acl;
51635 + tsk->role = current->role;
51636 + tsk->signal->curr_ip = current->signal->curr_ip;
51637 + tsk->signal->saved_ip = current->signal->saved_ip;
51638 + if (current->exec_file)
51639 + get_file(current->exec_file);
51640 + tsk->exec_file = current->exec_file;
51641 + tsk->is_writable = current->is_writable;
51642 + if (unlikely(current->signal->used_accept)) {
51643 + current->signal->curr_ip = 0;
51644 + current->signal->saved_ip = 0;
51645 + }
51646 +
51647 + return;
51648 +}
51649 +
51650 +static void
51651 +gr_set_proc_res(struct task_struct *task)
51652 +{
51653 + struct acl_subject_label *proc;
51654 + unsigned short i;
51655 +
51656 + proc = task->acl;
51657 +
51658 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
51659 + return;
51660 +
51661 + for (i = 0; i < RLIM_NLIMITS; i++) {
51662 + if (!(proc->resmask & (1 << i)))
51663 + continue;
51664 +
51665 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
51666 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
51667 + }
51668 +
51669 + return;
51670 +}
51671 +
51672 +extern int __gr_process_user_ban(struct user_struct *user);
51673 +
51674 +int
51675 +gr_check_user_change(int real, int effective, int fs)
51676 +{
51677 + unsigned int i;
51678 + __u16 num;
51679 + uid_t *uidlist;
51680 + int curuid;
51681 + int realok = 0;
51682 + int effectiveok = 0;
51683 + int fsok = 0;
51684 +
51685 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
51686 + struct user_struct *user;
51687 +
51688 + if (real == -1)
51689 + goto skipit;
51690 +
51691 + user = find_user(real);
51692 + if (user == NULL)
51693 + goto skipit;
51694 +
51695 + if (__gr_process_user_ban(user)) {
51696 + /* for find_user */
51697 + free_uid(user);
51698 + return 1;
51699 + }
51700 +
51701 + /* for find_user */
51702 + free_uid(user);
51703 +
51704 +skipit:
51705 +#endif
51706 +
51707 + if (unlikely(!(gr_status & GR_READY)))
51708 + return 0;
51709 +
51710 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
51711 + gr_log_learn_id_change('u', real, effective, fs);
51712 +
51713 + num = current->acl->user_trans_num;
51714 + uidlist = current->acl->user_transitions;
51715 +
51716 + if (uidlist == NULL)
51717 + return 0;
51718 +
51719 + if (real == -1)
51720 + realok = 1;
51721 + if (effective == -1)
51722 + effectiveok = 1;
51723 + if (fs == -1)
51724 + fsok = 1;
51725 +
51726 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
51727 + for (i = 0; i < num; i++) {
51728 + curuid = (int)uidlist[i];
51729 + if (real == curuid)
51730 + realok = 1;
51731 + if (effective == curuid)
51732 + effectiveok = 1;
51733 + if (fs == curuid)
51734 + fsok = 1;
51735 + }
51736 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
51737 + for (i = 0; i < num; i++) {
51738 + curuid = (int)uidlist[i];
51739 + if (real == curuid)
51740 + break;
51741 + if (effective == curuid)
51742 + break;
51743 + if (fs == curuid)
51744 + break;
51745 + }
51746 + /* not in deny list */
51747 + if (i == num) {
51748 + realok = 1;
51749 + effectiveok = 1;
51750 + fsok = 1;
51751 + }
51752 + }
51753 +
51754 + if (realok && effectiveok && fsok)
51755 + return 0;
51756 + else {
51757 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
51758 + return 1;
51759 + }
51760 +}
51761 +
51762 +int
51763 +gr_check_group_change(int real, int effective, int fs)
51764 +{
51765 + unsigned int i;
51766 + __u16 num;
51767 + gid_t *gidlist;
51768 + int curgid;
51769 + int realok = 0;
51770 + int effectiveok = 0;
51771 + int fsok = 0;
51772 +
51773 + if (unlikely(!(gr_status & GR_READY)))
51774 + return 0;
51775 +
51776 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
51777 + gr_log_learn_id_change('g', real, effective, fs);
51778 +
51779 + num = current->acl->group_trans_num;
51780 + gidlist = current->acl->group_transitions;
51781 +
51782 + if (gidlist == NULL)
51783 + return 0;
51784 +
51785 + if (real == -1)
51786 + realok = 1;
51787 + if (effective == -1)
51788 + effectiveok = 1;
51789 + if (fs == -1)
51790 + fsok = 1;
51791 +
51792 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
51793 + for (i = 0; i < num; i++) {
51794 + curgid = (int)gidlist[i];
51795 + if (real == curgid)
51796 + realok = 1;
51797 + if (effective == curgid)
51798 + effectiveok = 1;
51799 + if (fs == curgid)
51800 + fsok = 1;
51801 + }
51802 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
51803 + for (i = 0; i < num; i++) {
51804 + curgid = (int)gidlist[i];
51805 + if (real == curgid)
51806 + break;
51807 + if (effective == curgid)
51808 + break;
51809 + if (fs == curgid)
51810 + break;
51811 + }
51812 + /* not in deny list */
51813 + if (i == num) {
51814 + realok = 1;
51815 + effectiveok = 1;
51816 + fsok = 1;
51817 + }
51818 + }
51819 +
51820 + if (realok && effectiveok && fsok)
51821 + return 0;
51822 + else {
51823 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
51824 + return 1;
51825 + }
51826 +}
51827 +
51828 +void
51829 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
51830 +{
51831 + struct acl_role_label *role = task->role;
51832 + struct acl_subject_label *subj = NULL;
51833 + struct acl_object_label *obj;
51834 + struct file *filp;
51835 +
51836 + if (unlikely(!(gr_status & GR_READY)))
51837 + return;
51838 +
51839 + filp = task->exec_file;
51840 +
51841 + /* kernel process, we'll give them the kernel role */
51842 + if (unlikely(!filp)) {
51843 + task->role = kernel_role;
51844 + task->acl = kernel_role->root_label;
51845 + return;
51846 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
51847 + role = lookup_acl_role_label(task, uid, gid);
51848 +
51849 + /* perform subject lookup in possibly new role
51850 + we can use this result below in the case where role == task->role
51851 + */
51852 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
51853 +
51854 + /* if we changed uid/gid, but result in the same role
51855 + and are using inheritance, don't lose the inherited subject
51856 + if current subject is other than what normal lookup
51857 + would result in, we arrived via inheritance, don't
51858 + lose subject
51859 + */
51860 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
51861 + (subj == task->acl)))
51862 + task->acl = subj;
51863 +
51864 + task->role = role;
51865 +
51866 + task->is_writable = 0;
51867 +
51868 + /* ignore additional mmap checks for processes that are writable
51869 + by the default ACL */
51870 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
51871 + if (unlikely(obj->mode & GR_WRITE))
51872 + task->is_writable = 1;
51873 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
51874 + if (unlikely(obj->mode & GR_WRITE))
51875 + task->is_writable = 1;
51876 +
51877 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
51878 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
51879 +#endif
51880 +
51881 + gr_set_proc_res(task);
51882 +
51883 + return;
51884 +}
51885 +
51886 +int
51887 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
51888 + const int unsafe_share)
51889 +{
51890 + struct task_struct *task = current;
51891 + struct acl_subject_label *newacl;
51892 + struct acl_object_label *obj;
51893 + __u32 retmode;
51894 +
51895 + if (unlikely(!(gr_status & GR_READY)))
51896 + return 0;
51897 +
51898 + newacl = chk_subj_label(dentry, mnt, task->role);
51899 +
51900 + task_lock(task);
51901 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
51902 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
51903 + !(task->role->roletype & GR_ROLE_GOD) &&
51904 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
51905 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
51906 + task_unlock(task);
51907 + if (unsafe_share)
51908 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
51909 + else
51910 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
51911 + return -EACCES;
51912 + }
51913 + task_unlock(task);
51914 +
51915 + obj = chk_obj_label(dentry, mnt, task->acl);
51916 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
51917 +
51918 + if (!(task->acl->mode & GR_INHERITLEARN) &&
51919 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
51920 + if (obj->nested)
51921 + task->acl = obj->nested;
51922 + else
51923 + task->acl = newacl;
51924 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
51925 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
51926 +
51927 + task->is_writable = 0;
51928 +
51929 + /* ignore additional mmap checks for processes that are writable
51930 + by the default ACL */
51931 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
51932 + if (unlikely(obj->mode & GR_WRITE))
51933 + task->is_writable = 1;
51934 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
51935 + if (unlikely(obj->mode & GR_WRITE))
51936 + task->is_writable = 1;
51937 +
51938 + gr_set_proc_res(task);
51939 +
51940 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
51941 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
51942 +#endif
51943 + return 0;
51944 +}
51945 +
51946 +/* always called with valid inodev ptr */
51947 +static void
51948 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
51949 +{
51950 + struct acl_object_label *matchpo;
51951 + struct acl_subject_label *matchps;
51952 + struct acl_subject_label *subj;
51953 + struct acl_role_label *role;
51954 + unsigned int x;
51955 +
51956 + FOR_EACH_ROLE_START(role)
51957 + FOR_EACH_SUBJECT_START(role, subj, x)
51958 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
51959 + matchpo->mode |= GR_DELETED;
51960 + FOR_EACH_SUBJECT_END(subj,x)
51961 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
51962 + if (subj->inode == ino && subj->device == dev)
51963 + subj->mode |= GR_DELETED;
51964 + FOR_EACH_NESTED_SUBJECT_END(subj)
51965 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
51966 + matchps->mode |= GR_DELETED;
51967 + FOR_EACH_ROLE_END(role)
51968 +
51969 + inodev->nentry->deleted = 1;
51970 +
51971 + return;
51972 +}
51973 +
51974 +void
51975 +gr_handle_delete(const ino_t ino, const dev_t dev)
51976 +{
51977 + struct inodev_entry *inodev;
51978 +
51979 + if (unlikely(!(gr_status & GR_READY)))
51980 + return;
51981 +
51982 + write_lock(&gr_inode_lock);
51983 + inodev = lookup_inodev_entry(ino, dev);
51984 + if (inodev != NULL)
51985 + do_handle_delete(inodev, ino, dev);
51986 + write_unlock(&gr_inode_lock);
51987 +
51988 + return;
51989 +}
51990 +
51991 +static void
51992 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
51993 + const ino_t newinode, const dev_t newdevice,
51994 + struct acl_subject_label *subj)
51995 +{
51996 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
51997 + struct acl_object_label *match;
51998 +
51999 + match = subj->obj_hash[index];
52000 +
52001 + while (match && (match->inode != oldinode ||
52002 + match->device != olddevice ||
52003 + !(match->mode & GR_DELETED)))
52004 + match = match->next;
52005 +
52006 + if (match && (match->inode == oldinode)
52007 + && (match->device == olddevice)
52008 + && (match->mode & GR_DELETED)) {
52009 + if (match->prev == NULL) {
52010 + subj->obj_hash[index] = match->next;
52011 + if (match->next != NULL)
52012 + match->next->prev = NULL;
52013 + } else {
52014 + match->prev->next = match->next;
52015 + if (match->next != NULL)
52016 + match->next->prev = match->prev;
52017 + }
52018 + match->prev = NULL;
52019 + match->next = NULL;
52020 + match->inode = newinode;
52021 + match->device = newdevice;
52022 + match->mode &= ~GR_DELETED;
52023 +
52024 + insert_acl_obj_label(match, subj);
52025 + }
52026 +
52027 + return;
52028 +}
52029 +
52030 +static void
52031 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
52032 + const ino_t newinode, const dev_t newdevice,
52033 + struct acl_role_label *role)
52034 +{
52035 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
52036 + struct acl_subject_label *match;
52037 +
52038 + match = role->subj_hash[index];
52039 +
52040 + while (match && (match->inode != oldinode ||
52041 + match->device != olddevice ||
52042 + !(match->mode & GR_DELETED)))
52043 + match = match->next;
52044 +
52045 + if (match && (match->inode == oldinode)
52046 + && (match->device == olddevice)
52047 + && (match->mode & GR_DELETED)) {
52048 + if (match->prev == NULL) {
52049 + role->subj_hash[index] = match->next;
52050 + if (match->next != NULL)
52051 + match->next->prev = NULL;
52052 + } else {
52053 + match->prev->next = match->next;
52054 + if (match->next != NULL)
52055 + match->next->prev = match->prev;
52056 + }
52057 + match->prev = NULL;
52058 + match->next = NULL;
52059 + match->inode = newinode;
52060 + match->device = newdevice;
52061 + match->mode &= ~GR_DELETED;
52062 +
52063 + insert_acl_subj_label(match, role);
52064 + }
52065 +
52066 + return;
52067 +}
52068 +
52069 +static void
52070 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
52071 + const ino_t newinode, const dev_t newdevice)
52072 +{
52073 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
52074 + struct inodev_entry *match;
52075 +
52076 + match = inodev_set.i_hash[index];
52077 +
52078 + while (match && (match->nentry->inode != oldinode ||
52079 + match->nentry->device != olddevice || !match->nentry->deleted))
52080 + match = match->next;
52081 +
52082 + if (match && (match->nentry->inode == oldinode)
52083 + && (match->nentry->device == olddevice) &&
52084 + match->nentry->deleted) {
52085 + if (match->prev == NULL) {
52086 + inodev_set.i_hash[index] = match->next;
52087 + if (match->next != NULL)
52088 + match->next->prev = NULL;
52089 + } else {
52090 + match->prev->next = match->next;
52091 + if (match->next != NULL)
52092 + match->next->prev = match->prev;
52093 + }
52094 + match->prev = NULL;
52095 + match->next = NULL;
52096 + match->nentry->inode = newinode;
52097 + match->nentry->device = newdevice;
52098 + match->nentry->deleted = 0;
52099 +
52100 + insert_inodev_entry(match);
52101 + }
52102 +
52103 + return;
52104 +}
52105 +
52106 +static void
52107 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
52108 + const struct vfsmount *mnt)
52109 +{
52110 + struct acl_subject_label *subj;
52111 + struct acl_role_label *role;
52112 + unsigned int x;
52113 + ino_t inode = dentry->d_inode->i_ino;
52114 + dev_t dev = __get_dev(dentry);
52115 +
52116 + FOR_EACH_ROLE_START(role)
52117 + update_acl_subj_label(matchn->inode, matchn->device,
52118 + inode, dev, role);
52119 +
52120 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
52121 + if ((subj->inode == inode) && (subj->device == dev)) {
52122 + subj->inode = inode;
52123 + subj->device = dev;
52124 + }
52125 + FOR_EACH_NESTED_SUBJECT_END(subj)
52126 + FOR_EACH_SUBJECT_START(role, subj, x)
52127 + update_acl_obj_label(matchn->inode, matchn->device,
52128 + inode, dev, subj);
52129 + FOR_EACH_SUBJECT_END(subj,x)
52130 + FOR_EACH_ROLE_END(role)
52131 +
52132 + update_inodev_entry(matchn->inode, matchn->device, inode, dev);
52133 +
52134 + return;
52135 +}
52136 +
52137 +void
52138 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
52139 +{
52140 + struct name_entry *matchn;
52141 +
52142 + if (unlikely(!(gr_status & GR_READY)))
52143 + return;
52144 +
52145 + preempt_disable();
52146 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
52147 +
52148 + if (unlikely((unsigned long)matchn)) {
52149 + write_lock(&gr_inode_lock);
52150 + do_handle_create(matchn, dentry, mnt);
52151 + write_unlock(&gr_inode_lock);
52152 + }
52153 + preempt_enable();
52154 +
52155 + return;
52156 +}
52157 +
52158 +void
52159 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
52160 + struct dentry *old_dentry,
52161 + struct dentry *new_dentry,
52162 + struct vfsmount *mnt, const __u8 replace)
52163 +{
52164 + struct name_entry *matchn;
52165 + struct inodev_entry *inodev;
52166 + ino_t oldinode = old_dentry->d_inode->i_ino;
52167 + dev_t olddev = __get_dev(old_dentry);
52168 +
52169 + /* vfs_rename swaps the name and parent link for old_dentry and
52170 + new_dentry
52171 + at this point, old_dentry has the new name, parent link, and inode
52172 + for the renamed file
52173 + if a file is being replaced by a rename, new_dentry has the inode
52174 + and name for the replaced file
52175 + */
52176 +
52177 + if (unlikely(!(gr_status & GR_READY)))
52178 + return;
52179 +
52180 + preempt_disable();
52181 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
52182 +
52183 + /* we wouldn't have to check d_inode if it weren't for
52184 + NFS silly-renaming
52185 + */
52186 +
52187 + write_lock(&gr_inode_lock);
52188 + if (unlikely(replace && new_dentry->d_inode)) {
52189 + ino_t newinode = new_dentry->d_inode->i_ino;
52190 + dev_t newdev = __get_dev(new_dentry);
52191 + inodev = lookup_inodev_entry(newinode, newdev);
52192 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
52193 + do_handle_delete(inodev, newinode, newdev);
52194 + }
52195 +
52196 + inodev = lookup_inodev_entry(oldinode, olddev);
52197 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
52198 + do_handle_delete(inodev, oldinode, olddev);
52199 +
52200 + if (unlikely((unsigned long)matchn))
52201 + do_handle_create(matchn, old_dentry, mnt);
52202 +
52203 + write_unlock(&gr_inode_lock);
52204 + preempt_enable();
52205 +
52206 + return;
52207 +}
52208 +
52209 +static int
52210 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
52211 + unsigned char **sum)
52212 +{
52213 + struct acl_role_label *r;
52214 + struct role_allowed_ip *ipp;
52215 + struct role_transition *trans;
52216 + unsigned int i;
52217 + int found = 0;
52218 + u32 curr_ip = current->signal->curr_ip;
52219 +
52220 + current->signal->saved_ip = curr_ip;
52221 +
52222 + /* check transition table */
52223 +
52224 + for (trans = current->role->transitions; trans; trans = trans->next) {
52225 + if (!strcmp(rolename, trans->rolename)) {
52226 + found = 1;
52227 + break;
52228 + }
52229 + }
52230 +
52231 + if (!found)
52232 + return 0;
52233 +
52234 + /* handle special roles that do not require authentication
52235 + and check ip */
52236 +
52237 + FOR_EACH_ROLE_START(r)
52238 + if (!strcmp(rolename, r->rolename) &&
52239 + (r->roletype & GR_ROLE_SPECIAL)) {
52240 + found = 0;
52241 + if (r->allowed_ips != NULL) {
52242 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
52243 + if ((ntohl(curr_ip) & ipp->netmask) ==
52244 + (ntohl(ipp->addr) & ipp->netmask))
52245 + found = 1;
52246 + }
52247 + } else
52248 + found = 2;
52249 + if (!found)
52250 + return 0;
52251 +
52252 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
52253 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
52254 + *salt = NULL;
52255 + *sum = NULL;
52256 + return 1;
52257 + }
52258 + }
52259 + FOR_EACH_ROLE_END(r)
52260 +
52261 + for (i = 0; i < num_sprole_pws; i++) {
52262 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
52263 + *salt = acl_special_roles[i]->salt;
52264 + *sum = acl_special_roles[i]->sum;
52265 + return 1;
52266 + }
52267 + }
52268 +
52269 + return 0;
52270 +}
52271 +
52272 +static void
52273 +assign_special_role(char *rolename)
52274 +{
52275 + struct acl_object_label *obj;
52276 + struct acl_role_label *r;
52277 + struct acl_role_label *assigned = NULL;
52278 + struct task_struct *tsk;
52279 + struct file *filp;
52280 +
52281 + FOR_EACH_ROLE_START(r)
52282 + if (!strcmp(rolename, r->rolename) &&
52283 + (r->roletype & GR_ROLE_SPECIAL)) {
52284 + assigned = r;
52285 + break;
52286 + }
52287 + FOR_EACH_ROLE_END(r)
52288 +
52289 + if (!assigned)
52290 + return;
52291 +
52292 + read_lock(&tasklist_lock);
52293 + read_lock(&grsec_exec_file_lock);
52294 +
52295 + tsk = current->real_parent;
52296 + if (tsk == NULL)
52297 + goto out_unlock;
52298 +
52299 + filp = tsk->exec_file;
52300 + if (filp == NULL)
52301 + goto out_unlock;
52302 +
52303 + tsk->is_writable = 0;
52304 +
52305 + tsk->acl_sp_role = 1;
52306 + tsk->acl_role_id = ++acl_sp_role_value;
52307 + tsk->role = assigned;
52308 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
52309 +
52310 + /* ignore additional mmap checks for processes that are writable
52311 + by the default ACL */
52312 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
52313 + if (unlikely(obj->mode & GR_WRITE))
52314 + tsk->is_writable = 1;
52315 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
52316 + if (unlikely(obj->mode & GR_WRITE))
52317 + tsk->is_writable = 1;
52318 +
52319 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
52320 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
52321 +#endif
52322 +
52323 +out_unlock:
52324 + read_unlock(&grsec_exec_file_lock);
52325 + read_unlock(&tasklist_lock);
52326 + return;
52327 +}
52328 +
52329 +int gr_check_secure_terminal(struct task_struct *task)
52330 +{
52331 + struct task_struct *p, *p2, *p3;
52332 + struct files_struct *files;
52333 + struct fdtable *fdt;
52334 + struct file *our_file = NULL, *file;
52335 + int i;
52336 +
52337 + if (task->signal->tty == NULL)
52338 + return 1;
52339 +
52340 + files = get_files_struct(task);
52341 + if (files != NULL) {
52342 + rcu_read_lock();
52343 + fdt = files_fdtable(files);
52344 + for (i=0; i < fdt->max_fds; i++) {
52345 + file = fcheck_files(files, i);
52346 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
52347 + get_file(file);
52348 + our_file = file;
52349 + }
52350 + }
52351 + rcu_read_unlock();
52352 + put_files_struct(files);
52353 + }
52354 +
52355 + if (our_file == NULL)
52356 + return 1;
52357 +
52358 + read_lock(&tasklist_lock);
52359 + do_each_thread(p2, p) {
52360 + files = get_files_struct(p);
52361 + if (files == NULL ||
52362 + (p->signal && p->signal->tty == task->signal->tty)) {
52363 + if (files != NULL)
52364 + put_files_struct(files);
52365 + continue;
52366 + }
52367 + rcu_read_lock();
52368 + fdt = files_fdtable(files);
52369 + for (i=0; i < fdt->max_fds; i++) {
52370 + file = fcheck_files(files, i);
52371 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
52372 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
52373 + p3 = task;
52374 + while (p3->pid > 0) {
52375 + if (p3 == p)
52376 + break;
52377 + p3 = p3->real_parent;
52378 + }
52379 + if (p3 == p)
52380 + break;
52381 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
52382 + gr_handle_alertkill(p);
52383 + rcu_read_unlock();
52384 + put_files_struct(files);
52385 + read_unlock(&tasklist_lock);
52386 + fput(our_file);
52387 + return 0;
52388 + }
52389 + }
52390 + rcu_read_unlock();
52391 + put_files_struct(files);
52392 + } while_each_thread(p2, p);
52393 + read_unlock(&tasklist_lock);
52394 +
52395 + fput(our_file);
52396 + return 1;
52397 +}
52398 +
52399 +ssize_t
52400 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
52401 +{
52402 + struct gr_arg_wrapper uwrap;
52403 + unsigned char *sprole_salt = NULL;
52404 + unsigned char *sprole_sum = NULL;
52405 + int error = sizeof (struct gr_arg_wrapper);
52406 + int error2 = 0;
52407 +
52408 + mutex_lock(&gr_dev_mutex);
52409 +
52410 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
52411 + error = -EPERM;
52412 + goto out;
52413 + }
52414 +
52415 + if (count != sizeof (struct gr_arg_wrapper)) {
52416 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
52417 + error = -EINVAL;
52418 + goto out;
52419 + }
52420 +
52421 +
52422 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
52423 + gr_auth_expires = 0;
52424 + gr_auth_attempts = 0;
52425 + }
52426 +
52427 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
52428 + error = -EFAULT;
52429 + goto out;
52430 + }
52431 +
52432 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
52433 + error = -EINVAL;
52434 + goto out;
52435 + }
52436 +
52437 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
52438 + error = -EFAULT;
52439 + goto out;
52440 + }
52441 +
52442 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
52443 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
52444 + time_after(gr_auth_expires, get_seconds())) {
52445 + error = -EBUSY;
52446 + goto out;
52447 + }
52448 +
52449 + /* if non-root trying to do anything other than use a special role,
52450 + do not attempt authentication, do not count towards authentication
52451 + locking
52452 + */
52453 +
52454 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
52455 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
52456 + current_uid()) {
52457 + error = -EPERM;
52458 + goto out;
52459 + }
52460 +
52461 + /* ensure pw and special role name are null terminated */
52462 +
52463 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
52464 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
52465 +
52466 + /* Okay.
52467 + * We have our enough of the argument structure..(we have yet
52468 + * to copy_from_user the tables themselves) . Copy the tables
52469 + * only if we need them, i.e. for loading operations. */
52470 +
52471 + switch (gr_usermode->mode) {
52472 + case GR_STATUS:
52473 + if (gr_status & GR_READY) {
52474 + error = 1;
52475 + if (!gr_check_secure_terminal(current))
52476 + error = 3;
52477 + } else
52478 + error = 2;
52479 + goto out;
52480 + case GR_SHUTDOWN:
52481 + if ((gr_status & GR_READY)
52482 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
52483 + pax_open_kernel();
52484 + gr_status &= ~GR_READY;
52485 + pax_close_kernel();
52486 +
52487 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
52488 + free_variables();
52489 + memset(gr_usermode, 0, sizeof (struct gr_arg));
52490 + memset(gr_system_salt, 0, GR_SALT_LEN);
52491 + memset(gr_system_sum, 0, GR_SHA_LEN);
52492 + } else if (gr_status & GR_READY) {
52493 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
52494 + error = -EPERM;
52495 + } else {
52496 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
52497 + error = -EAGAIN;
52498 + }
52499 + break;
52500 + case GR_ENABLE:
52501 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
52502 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
52503 + else {
52504 + if (gr_status & GR_READY)
52505 + error = -EAGAIN;
52506 + else
52507 + error = error2;
52508 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
52509 + }
52510 + break;
52511 + case GR_RELOAD:
52512 + if (!(gr_status & GR_READY)) {
52513 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
52514 + error = -EAGAIN;
52515 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
52516 + lock_kernel();
52517 +
52518 + pax_open_kernel();
52519 + gr_status &= ~GR_READY;
52520 + pax_close_kernel();
52521 +
52522 + free_variables();
52523 + if (!(error2 = gracl_init(gr_usermode))) {
52524 + unlock_kernel();
52525 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
52526 + } else {
52527 + unlock_kernel();
52528 + error = error2;
52529 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
52530 + }
52531 + } else {
52532 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
52533 + error = -EPERM;
52534 + }
52535 + break;
52536 + case GR_SEGVMOD:
52537 + if (unlikely(!(gr_status & GR_READY))) {
52538 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
52539 + error = -EAGAIN;
52540 + break;
52541 + }
52542 +
52543 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
52544 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
52545 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
52546 + struct acl_subject_label *segvacl;
52547 + segvacl =
52548 + lookup_acl_subj_label(gr_usermode->segv_inode,
52549 + gr_usermode->segv_device,
52550 + current->role);
52551 + if (segvacl) {
52552 + segvacl->crashes = 0;
52553 + segvacl->expires = 0;
52554 + }
52555 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
52556 + gr_remove_uid(gr_usermode->segv_uid);
52557 + }
52558 + } else {
52559 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
52560 + error = -EPERM;
52561 + }
52562 + break;
52563 + case GR_SPROLE:
52564 + case GR_SPROLEPAM:
52565 + if (unlikely(!(gr_status & GR_READY))) {
52566 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
52567 + error = -EAGAIN;
52568 + break;
52569 + }
52570 +
52571 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
52572 + current->role->expires = 0;
52573 + current->role->auth_attempts = 0;
52574 + }
52575 +
52576 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
52577 + time_after(current->role->expires, get_seconds())) {
52578 + error = -EBUSY;
52579 + goto out;
52580 + }
52581 +
52582 + if (lookup_special_role_auth
52583 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
52584 + && ((!sprole_salt && !sprole_sum)
52585 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
52586 + char *p = "";
52587 + assign_special_role(gr_usermode->sp_role);
52588 + read_lock(&tasklist_lock);
52589 + if (current->real_parent)
52590 + p = current->real_parent->role->rolename;
52591 + read_unlock(&tasklist_lock);
52592 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
52593 + p, acl_sp_role_value);
52594 + } else {
52595 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
52596 + error = -EPERM;
52597 + if(!(current->role->auth_attempts++))
52598 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
52599 +
52600 + goto out;
52601 + }
52602 + break;
52603 + case GR_UNSPROLE:
52604 + if (unlikely(!(gr_status & GR_READY))) {
52605 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
52606 + error = -EAGAIN;
52607 + break;
52608 + }
52609 +
52610 + if (current->role->roletype & GR_ROLE_SPECIAL) {
52611 + char *p = "";
52612 + int i = 0;
52613 +
52614 + read_lock(&tasklist_lock);
52615 + if (current->real_parent) {
52616 + p = current->real_parent->role->rolename;
52617 + i = current->real_parent->acl_role_id;
52618 + }
52619 + read_unlock(&tasklist_lock);
52620 +
52621 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
52622 + gr_set_acls(1);
52623 + } else {
52624 + error = -EPERM;
52625 + goto out;
52626 + }
52627 + break;
52628 + default:
52629 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
52630 + error = -EINVAL;
52631 + break;
52632 + }
52633 +
52634 + if (error != -EPERM)
52635 + goto out;
52636 +
52637 + if(!(gr_auth_attempts++))
52638 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
52639 +
52640 + out:
52641 + mutex_unlock(&gr_dev_mutex);
52642 + return error;
52643 +}
52644 +
52645 +/* must be called with
52646 + rcu_read_lock();
52647 + read_lock(&tasklist_lock);
52648 + read_lock(&grsec_exec_file_lock);
52649 +*/
52650 +int gr_apply_subject_to_task(struct task_struct *task)
52651 +{
52652 + struct acl_object_label *obj;
52653 + char *tmpname;
52654 + struct acl_subject_label *tmpsubj;
52655 + struct file *filp;
52656 + struct name_entry *nmatch;
52657 +
52658 + filp = task->exec_file;
52659 + if (filp == NULL)
52660 + return 0;
52661 +
52662 + /* the following is to apply the correct subject
52663 + on binaries running when the RBAC system
52664 + is enabled, when the binaries have been
52665 + replaced or deleted since their execution
52666 + -----
52667 + when the RBAC system starts, the inode/dev
52668 + from exec_file will be one the RBAC system
52669 + is unaware of. It only knows the inode/dev
52670 + of the present file on disk, or the absence
52671 + of it.
52672 + */
52673 + preempt_disable();
52674 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
52675 +
52676 + nmatch = lookup_name_entry(tmpname);
52677 + preempt_enable();
52678 + tmpsubj = NULL;
52679 + if (nmatch) {
52680 + if (nmatch->deleted)
52681 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
52682 + else
52683 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
52684 + if (tmpsubj != NULL)
52685 + task->acl = tmpsubj;
52686 + }
52687 + if (tmpsubj == NULL)
52688 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
52689 + task->role);
52690 + if (task->acl) {
52691 + task->is_writable = 0;
52692 + /* ignore additional mmap checks for processes that are writable
52693 + by the default ACL */
52694 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
52695 + if (unlikely(obj->mode & GR_WRITE))
52696 + task->is_writable = 1;
52697 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
52698 + if (unlikely(obj->mode & GR_WRITE))
52699 + task->is_writable = 1;
52700 +
52701 + gr_set_proc_res(task);
52702 +
52703 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
52704 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
52705 +#endif
52706 + } else {
52707 + return 1;
52708 + }
52709 +
52710 + return 0;
52711 +}
52712 +
52713 +int
52714 +gr_set_acls(const int type)
52715 +{
52716 + struct task_struct *task, *task2;
52717 + struct acl_role_label *role = current->role;
52718 + __u16 acl_role_id = current->acl_role_id;
52719 + const struct cred *cred;
52720 + int ret;
52721 +
52722 + rcu_read_lock();
52723 + read_lock(&tasklist_lock);
52724 + read_lock(&grsec_exec_file_lock);
52725 + do_each_thread(task2, task) {
52726 + /* check to see if we're called from the exit handler,
52727 + if so, only replace ACLs that have inherited the admin
52728 + ACL */
52729 +
52730 + if (type && (task->role != role ||
52731 + task->acl_role_id != acl_role_id))
52732 + continue;
52733 +
52734 + task->acl_role_id = 0;
52735 + task->acl_sp_role = 0;
52736 +
52737 + if (task->exec_file) {
52738 + cred = __task_cred(task);
52739 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
52740 +
52741 + ret = gr_apply_subject_to_task(task);
52742 + if (ret) {
52743 + read_unlock(&grsec_exec_file_lock);
52744 + read_unlock(&tasklist_lock);
52745 + rcu_read_unlock();
52746 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
52747 + return ret;
52748 + }
52749 + } else {
52750 + // it's a kernel process
52751 + task->role = kernel_role;
52752 + task->acl = kernel_role->root_label;
52753 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
52754 + task->acl->mode &= ~GR_PROCFIND;
52755 +#endif
52756 + }
52757 + } while_each_thread(task2, task);
52758 + read_unlock(&grsec_exec_file_lock);
52759 + read_unlock(&tasklist_lock);
52760 + rcu_read_unlock();
52761 +
52762 + return 0;
52763 +}
52764 +
52765 +void
52766 +gr_learn_resource(const struct task_struct *task,
52767 + const int res, const unsigned long wanted, const int gt)
52768 +{
52769 + struct acl_subject_label *acl;
52770 + const struct cred *cred;
52771 +
52772 + if (unlikely((gr_status & GR_READY) &&
52773 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
52774 + goto skip_reslog;
52775 +
52776 +#ifdef CONFIG_GRKERNSEC_RESLOG
52777 + gr_log_resource(task, res, wanted, gt);
52778 +#endif
52779 + skip_reslog:
52780 +
52781 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
52782 + return;
52783 +
52784 + acl = task->acl;
52785 +
52786 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
52787 + !(acl->resmask & (1 << (unsigned short) res))))
52788 + return;
52789 +
52790 + if (wanted >= acl->res[res].rlim_cur) {
52791 + unsigned long res_add;
52792 +
52793 + res_add = wanted;
52794 + switch (res) {
52795 + case RLIMIT_CPU:
52796 + res_add += GR_RLIM_CPU_BUMP;
52797 + break;
52798 + case RLIMIT_FSIZE:
52799 + res_add += GR_RLIM_FSIZE_BUMP;
52800 + break;
52801 + case RLIMIT_DATA:
52802 + res_add += GR_RLIM_DATA_BUMP;
52803 + break;
52804 + case RLIMIT_STACK:
52805 + res_add += GR_RLIM_STACK_BUMP;
52806 + break;
52807 + case RLIMIT_CORE:
52808 + res_add += GR_RLIM_CORE_BUMP;
52809 + break;
52810 + case RLIMIT_RSS:
52811 + res_add += GR_RLIM_RSS_BUMP;
52812 + break;
52813 + case RLIMIT_NPROC:
52814 + res_add += GR_RLIM_NPROC_BUMP;
52815 + break;
52816 + case RLIMIT_NOFILE:
52817 + res_add += GR_RLIM_NOFILE_BUMP;
52818 + break;
52819 + case RLIMIT_MEMLOCK:
52820 + res_add += GR_RLIM_MEMLOCK_BUMP;
52821 + break;
52822 + case RLIMIT_AS:
52823 + res_add += GR_RLIM_AS_BUMP;
52824 + break;
52825 + case RLIMIT_LOCKS:
52826 + res_add += GR_RLIM_LOCKS_BUMP;
52827 + break;
52828 + case RLIMIT_SIGPENDING:
52829 + res_add += GR_RLIM_SIGPENDING_BUMP;
52830 + break;
52831 + case RLIMIT_MSGQUEUE:
52832 + res_add += GR_RLIM_MSGQUEUE_BUMP;
52833 + break;
52834 + case RLIMIT_NICE:
52835 + res_add += GR_RLIM_NICE_BUMP;
52836 + break;
52837 + case RLIMIT_RTPRIO:
52838 + res_add += GR_RLIM_RTPRIO_BUMP;
52839 + break;
52840 + case RLIMIT_RTTIME:
52841 + res_add += GR_RLIM_RTTIME_BUMP;
52842 + break;
52843 + }
52844 +
52845 + acl->res[res].rlim_cur = res_add;
52846 +
52847 + if (wanted > acl->res[res].rlim_max)
52848 + acl->res[res].rlim_max = res_add;
52849 +
52850 + /* only log the subject filename, since resource logging is supported for
52851 + single-subject learning only */
52852 + rcu_read_lock();
52853 + cred = __task_cred(task);
52854 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
52855 + task->role->roletype, cred->uid, cred->gid, acl->filename,
52856 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
52857 + "", (unsigned long) res, &task->signal->saved_ip);
52858 + rcu_read_unlock();
52859 + }
52860 +
52861 + return;
52862 +}
52863 +
52864 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
52865 +void
52866 +pax_set_initial_flags(struct linux_binprm *bprm)
52867 +{
52868 + struct task_struct *task = current;
52869 + struct acl_subject_label *proc;
52870 + unsigned long flags;
52871 +
52872 + if (unlikely(!(gr_status & GR_READY)))
52873 + return;
52874 +
52875 + flags = pax_get_flags(task);
52876 +
52877 + proc = task->acl;
52878 +
52879 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
52880 + flags &= ~MF_PAX_PAGEEXEC;
52881 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
52882 + flags &= ~MF_PAX_SEGMEXEC;
52883 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
52884 + flags &= ~MF_PAX_RANDMMAP;
52885 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
52886 + flags &= ~MF_PAX_EMUTRAMP;
52887 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
52888 + flags &= ~MF_PAX_MPROTECT;
52889 +
52890 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
52891 + flags |= MF_PAX_PAGEEXEC;
52892 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
52893 + flags |= MF_PAX_SEGMEXEC;
52894 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
52895 + flags |= MF_PAX_RANDMMAP;
52896 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
52897 + flags |= MF_PAX_EMUTRAMP;
52898 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
52899 + flags |= MF_PAX_MPROTECT;
52900 +
52901 + pax_set_flags(task, flags);
52902 +
52903 + return;
52904 +}
52905 +#endif
52906 +
52907 +#ifdef CONFIG_SYSCTL
52908 +/* Eric Biederman likes breaking userland ABI and every inode-based security
52909 + system to save 35kb of memory */
52910 +
52911 +/* we modify the passed in filename, but adjust it back before returning */
52912 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
52913 +{
52914 + struct name_entry *nmatch;
52915 + char *p, *lastp = NULL;
52916 + struct acl_object_label *obj = NULL, *tmp;
52917 + struct acl_subject_label *tmpsubj;
52918 + char c = '\0';
52919 +
52920 + read_lock(&gr_inode_lock);
52921 +
52922 + p = name + len - 1;
52923 + do {
52924 + nmatch = lookup_name_entry(name);
52925 + if (lastp != NULL)
52926 + *lastp = c;
52927 +
52928 + if (nmatch == NULL)
52929 + goto next_component;
52930 + tmpsubj = current->acl;
52931 + do {
52932 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
52933 + if (obj != NULL) {
52934 + tmp = obj->globbed;
52935 + while (tmp) {
52936 + if (!glob_match(tmp->filename, name)) {
52937 + obj = tmp;
52938 + goto found_obj;
52939 + }
52940 + tmp = tmp->next;
52941 + }
52942 + goto found_obj;
52943 + }
52944 + } while ((tmpsubj = tmpsubj->parent_subject));
52945 +next_component:
52946 + /* end case */
52947 + if (p == name)
52948 + break;
52949 +
52950 + while (*p != '/')
52951 + p--;
52952 + if (p == name)
52953 + lastp = p + 1;
52954 + else {
52955 + lastp = p;
52956 + p--;
52957 + }
52958 + c = *lastp;
52959 + *lastp = '\0';
52960 + } while (1);
52961 +found_obj:
52962 + read_unlock(&gr_inode_lock);
52963 + /* obj returned will always be non-null */
52964 + return obj;
52965 +}
52966 +
52967 +/* returns 0 when allowing, non-zero on error
52968 + op of 0 is used for readdir, so we don't log the names of hidden files
52969 +*/
52970 +__u32
52971 +gr_handle_sysctl(const struct ctl_table *table, const int op)
52972 +{
52973 + ctl_table *tmp;
52974 + const char *proc_sys = "/proc/sys";
52975 + char *path;
52976 + struct acl_object_label *obj;
52977 + unsigned short len = 0, pos = 0, depth = 0, i;
52978 + __u32 err = 0;
52979 + __u32 mode = 0;
52980 +
52981 + if (unlikely(!(gr_status & GR_READY)))
52982 + return 0;
52983 +
52984 + /* for now, ignore operations on non-sysctl entries if it's not a
52985 + readdir*/
52986 + if (table->child != NULL && op != 0)
52987 + return 0;
52988 +
52989 + mode |= GR_FIND;
52990 + /* it's only a read if it's an entry, read on dirs is for readdir */
52991 + if (op & MAY_READ)
52992 + mode |= GR_READ;
52993 + if (op & MAY_WRITE)
52994 + mode |= GR_WRITE;
52995 +
52996 + preempt_disable();
52997 +
52998 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
52999 +
53000 + /* it's only a read/write if it's an actual entry, not a dir
53001 + (which are opened for readdir)
53002 + */
53003 +
53004 + /* convert the requested sysctl entry into a pathname */
53005 +
53006 + for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
53007 + len += strlen(tmp->procname);
53008 + len++;
53009 + depth++;
53010 + }
53011 +
53012 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
53013 + /* deny */
53014 + goto out;
53015 + }
53016 +
53017 + memset(path, 0, PAGE_SIZE);
53018 +
53019 + memcpy(path, proc_sys, strlen(proc_sys));
53020 +
53021 + pos += strlen(proc_sys);
53022 +
53023 + for (; depth > 0; depth--) {
53024 + path[pos] = '/';
53025 + pos++;
53026 + for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
53027 + if (depth == i) {
53028 + memcpy(path + pos, tmp->procname,
53029 + strlen(tmp->procname));
53030 + pos += strlen(tmp->procname);
53031 + }
53032 + i++;
53033 + }
53034 + }
53035 +
53036 + obj = gr_lookup_by_name(path, pos);
53037 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
53038 +
53039 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
53040 + ((err & mode) != mode))) {
53041 + __u32 new_mode = mode;
53042 +
53043 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
53044 +
53045 + err = 0;
53046 + gr_log_learn_sysctl(path, new_mode);
53047 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
53048 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
53049 + err = -ENOENT;
53050 + } else if (!(err & GR_FIND)) {
53051 + err = -ENOENT;
53052 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
53053 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
53054 + path, (mode & GR_READ) ? " reading" : "",
53055 + (mode & GR_WRITE) ? " writing" : "");
53056 + err = -EACCES;
53057 + } else if ((err & mode) != mode) {
53058 + err = -EACCES;
53059 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
53060 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
53061 + path, (mode & GR_READ) ? " reading" : "",
53062 + (mode & GR_WRITE) ? " writing" : "");
53063 + err = 0;
53064 + } else
53065 + err = 0;
53066 +
53067 + out:
53068 + preempt_enable();
53069 +
53070 + return err;
53071 +}
53072 +#endif
53073 +
53074 +int
53075 +gr_handle_proc_ptrace(struct task_struct *task)
53076 +{
53077 + struct file *filp;
53078 + struct task_struct *tmp = task;
53079 + struct task_struct *curtemp = current;
53080 + __u32 retmode;
53081 +
53082 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
53083 + if (unlikely(!(gr_status & GR_READY)))
53084 + return 0;
53085 +#endif
53086 +
53087 + read_lock(&tasklist_lock);
53088 + read_lock(&grsec_exec_file_lock);
53089 + filp = task->exec_file;
53090 +
53091 + while (tmp->pid > 0) {
53092 + if (tmp == curtemp)
53093 + break;
53094 + tmp = tmp->real_parent;
53095 + }
53096 +
53097 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
53098 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
53099 + read_unlock(&grsec_exec_file_lock);
53100 + read_unlock(&tasklist_lock);
53101 + return 1;
53102 + }
53103 +
53104 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
53105 + if (!(gr_status & GR_READY)) {
53106 + read_unlock(&grsec_exec_file_lock);
53107 + read_unlock(&tasklist_lock);
53108 + return 0;
53109 + }
53110 +#endif
53111 +
53112 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
53113 + read_unlock(&grsec_exec_file_lock);
53114 + read_unlock(&tasklist_lock);
53115 +
53116 + if (retmode & GR_NOPTRACE)
53117 + return 1;
53118 +
53119 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
53120 + && (current->acl != task->acl || (current->acl != current->role->root_label
53121 + && current->pid != task->pid)))
53122 + return 1;
53123 +
53124 + return 0;
53125 +}
53126 +
53127 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
53128 +{
53129 + if (unlikely(!(gr_status & GR_READY)))
53130 + return;
53131 +
53132 + if (!(current->role->roletype & GR_ROLE_GOD))
53133 + return;
53134 +
53135 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
53136 + p->role->rolename, gr_task_roletype_to_char(p),
53137 + p->acl->filename);
53138 +}
53139 +
53140 +int
53141 +gr_handle_ptrace(struct task_struct *task, const long request)
53142 +{
53143 + struct task_struct *tmp = task;
53144 + struct task_struct *curtemp = current;
53145 + __u32 retmode;
53146 +
53147 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
53148 + if (unlikely(!(gr_status & GR_READY)))
53149 + return 0;
53150 +#endif
53151 +
53152 + read_lock(&tasklist_lock);
53153 + while (tmp->pid > 0) {
53154 + if (tmp == curtemp)
53155 + break;
53156 + tmp = tmp->real_parent;
53157 + }
53158 +
53159 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
53160 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
53161 + read_unlock(&tasklist_lock);
53162 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
53163 + return 1;
53164 + }
53165 + read_unlock(&tasklist_lock);
53166 +
53167 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
53168 + if (!(gr_status & GR_READY))
53169 + return 0;
53170 +#endif
53171 +
53172 + read_lock(&grsec_exec_file_lock);
53173 + if (unlikely(!task->exec_file)) {
53174 + read_unlock(&grsec_exec_file_lock);
53175 + return 0;
53176 + }
53177 +
53178 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
53179 + read_unlock(&grsec_exec_file_lock);
53180 +
53181 + if (retmode & GR_NOPTRACE) {
53182 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
53183 + return 1;
53184 + }
53185 +
53186 + if (retmode & GR_PTRACERD) {
53187 + switch (request) {
53188 + case PTRACE_POKETEXT:
53189 + case PTRACE_POKEDATA:
53190 + case PTRACE_POKEUSR:
53191 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
53192 + case PTRACE_SETREGS:
53193 + case PTRACE_SETFPREGS:
53194 +#endif
53195 +#ifdef CONFIG_X86
53196 + case PTRACE_SETFPXREGS:
53197 +#endif
53198 +#ifdef CONFIG_ALTIVEC
53199 + case PTRACE_SETVRREGS:
53200 +#endif
53201 + return 1;
53202 + default:
53203 + return 0;
53204 + }
53205 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
53206 + !(current->role->roletype & GR_ROLE_GOD) &&
53207 + (current->acl != task->acl)) {
53208 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
53209 + return 1;
53210 + }
53211 +
53212 + return 0;
53213 +}
53214 +
53215 +static int is_writable_mmap(const struct file *filp)
53216 +{
53217 + struct task_struct *task = current;
53218 + struct acl_object_label *obj, *obj2;
53219 +
53220 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
53221 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
53222 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
53223 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
53224 + task->role->root_label);
53225 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
53226 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
53227 + return 1;
53228 + }
53229 + }
53230 + return 0;
53231 +}
53232 +
53233 +int
53234 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
53235 +{
53236 + __u32 mode;
53237 +
53238 + if (unlikely(!file || !(prot & PROT_EXEC)))
53239 + return 1;
53240 +
53241 + if (is_writable_mmap(file))
53242 + return 0;
53243 +
53244 + mode =
53245 + gr_search_file(file->f_path.dentry,
53246 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
53247 + file->f_path.mnt);
53248 +
53249 + if (!gr_tpe_allow(file))
53250 + return 0;
53251 +
53252 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
53253 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
53254 + return 0;
53255 + } else if (unlikely(!(mode & GR_EXEC))) {
53256 + return 0;
53257 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
53258 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
53259 + return 1;
53260 + }
53261 +
53262 + return 1;
53263 +}
53264 +
53265 +int
53266 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
53267 +{
53268 + __u32 mode;
53269 +
53270 + if (unlikely(!file || !(prot & PROT_EXEC)))
53271 + return 1;
53272 +
53273 + if (is_writable_mmap(file))
53274 + return 0;
53275 +
53276 + mode =
53277 + gr_search_file(file->f_path.dentry,
53278 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
53279 + file->f_path.mnt);
53280 +
53281 + if (!gr_tpe_allow(file))
53282 + return 0;
53283 +
53284 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
53285 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
53286 + return 0;
53287 + } else if (unlikely(!(mode & GR_EXEC))) {
53288 + return 0;
53289 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
53290 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
53291 + return 1;
53292 + }
53293 +
53294 + return 1;
53295 +}
53296 +
53297 +void
53298 +gr_acl_handle_psacct(struct task_struct *task, const long code)
53299 +{
53300 + unsigned long runtime;
53301 + unsigned long cputime;
53302 + unsigned int wday, cday;
53303 + __u8 whr, chr;
53304 + __u8 wmin, cmin;
53305 + __u8 wsec, csec;
53306 + struct timespec timeval;
53307 +
53308 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
53309 + !(task->acl->mode & GR_PROCACCT)))
53310 + return;
53311 +
53312 + do_posix_clock_monotonic_gettime(&timeval);
53313 + runtime = timeval.tv_sec - task->start_time.tv_sec;
53314 + wday = runtime / (3600 * 24);
53315 + runtime -= wday * (3600 * 24);
53316 + whr = runtime / 3600;
53317 + runtime -= whr * 3600;
53318 + wmin = runtime / 60;
53319 + runtime -= wmin * 60;
53320 + wsec = runtime;
53321 +
53322 + cputime = (task->utime + task->stime) / HZ;
53323 + cday = cputime / (3600 * 24);
53324 + cputime -= cday * (3600 * 24);
53325 + chr = cputime / 3600;
53326 + cputime -= chr * 3600;
53327 + cmin = cputime / 60;
53328 + cputime -= cmin * 60;
53329 + csec = cputime;
53330 +
53331 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
53332 +
53333 + return;
53334 +}
53335 +
53336 +void gr_set_kernel_label(struct task_struct *task)
53337 +{
53338 + if (gr_status & GR_READY) {
53339 + task->role = kernel_role;
53340 + task->acl = kernel_role->root_label;
53341 + }
53342 + return;
53343 +}
53344 +
53345 +#ifdef CONFIG_TASKSTATS
53346 +int gr_is_taskstats_denied(int pid)
53347 +{
53348 + struct task_struct *task;
53349 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
53350 + const struct cred *cred;
53351 +#endif
53352 + int ret = 0;
53353 +
53354 + /* restrict taskstats viewing to un-chrooted root users
53355 + who have the 'view' subject flag if the RBAC system is enabled
53356 + */
53357 +
53358 + rcu_read_lock();
53359 + read_lock(&tasklist_lock);
53360 + task = find_task_by_vpid(pid);
53361 + if (task) {
53362 +#ifdef CONFIG_GRKERNSEC_CHROOT
53363 + if (proc_is_chrooted(task))
53364 + ret = -EACCES;
53365 +#endif
53366 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
53367 + cred = __task_cred(task);
53368 +#ifdef CONFIG_GRKERNSEC_PROC_USER
53369 + if (cred->uid != 0)
53370 + ret = -EACCES;
53371 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
53372 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
53373 + ret = -EACCES;
53374 +#endif
53375 +#endif
53376 + if (gr_status & GR_READY) {
53377 + if (!(task->acl->mode & GR_VIEW))
53378 + ret = -EACCES;
53379 + }
53380 + } else
53381 + ret = -ENOENT;
53382 +
53383 + read_unlock(&tasklist_lock);
53384 + rcu_read_unlock();
53385 +
53386 + return ret;
53387 +}
53388 +#endif
53389 +
53390 +/* AUXV entries are filled via a descendant of search_binary_handler
53391 + after we've already applied the subject for the target
53392 +*/
53393 +int gr_acl_enable_at_secure(void)
53394 +{
53395 + if (unlikely(!(gr_status & GR_READY)))
53396 + return 0;
53397 +
53398 + if (current->acl->mode & GR_ATSECURE)
53399 + return 1;
53400 +
53401 + return 0;
53402 +}
53403 +
53404 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
53405 +{
53406 + struct task_struct *task = current;
53407 + struct dentry *dentry = file->f_path.dentry;
53408 + struct vfsmount *mnt = file->f_path.mnt;
53409 + struct acl_object_label *obj, *tmp;
53410 + struct acl_subject_label *subj;
53411 + unsigned int bufsize;
53412 + int is_not_root;
53413 + char *path;
53414 + dev_t dev = __get_dev(dentry);
53415 +
53416 + if (unlikely(!(gr_status & GR_READY)))
53417 + return 1;
53418 +
53419 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
53420 + return 1;
53421 +
53422 + /* ignore Eric Biederman */
53423 + if (IS_PRIVATE(dentry->d_inode))
53424 + return 1;
53425 +
53426 + subj = task->acl;
53427 + do {
53428 + obj = lookup_acl_obj_label(ino, dev, subj);
53429 + if (obj != NULL)
53430 + return (obj->mode & GR_FIND) ? 1 : 0;
53431 + } while ((subj = subj->parent_subject));
53432 +
53433 + /* this is purely an optimization since we're looking for an object
53434 + for the directory we're doing a readdir on
53435 + if it's possible for any globbed object to match the entry we're
53436 + filling into the directory, then the object we find here will be
53437 + an anchor point with attached globbed objects
53438 + */
53439 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
53440 + if (obj->globbed == NULL)
53441 + return (obj->mode & GR_FIND) ? 1 : 0;
53442 +
53443 + is_not_root = ((obj->filename[0] == '/') &&
53444 + (obj->filename[1] == '\0')) ? 0 : 1;
53445 + bufsize = PAGE_SIZE - namelen - is_not_root;
53446 +
53447 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
53448 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
53449 + return 1;
53450 +
53451 + preempt_disable();
53452 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
53453 + bufsize);
53454 +
53455 + bufsize = strlen(path);
53456 +
53457 + /* if base is "/", don't append an additional slash */
53458 + if (is_not_root)
53459 + *(path + bufsize) = '/';
53460 + memcpy(path + bufsize + is_not_root, name, namelen);
53461 + *(path + bufsize + namelen + is_not_root) = '\0';
53462 +
53463 + tmp = obj->globbed;
53464 + while (tmp) {
53465 + if (!glob_match(tmp->filename, path)) {
53466 + preempt_enable();
53467 + return (tmp->mode & GR_FIND) ? 1 : 0;
53468 + }
53469 + tmp = tmp->next;
53470 + }
53471 + preempt_enable();
53472 + return (obj->mode & GR_FIND) ? 1 : 0;
53473 +}
53474 +
53475 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
53476 +EXPORT_SYMBOL(gr_acl_is_enabled);
53477 +#endif
53478 +EXPORT_SYMBOL(gr_learn_resource);
53479 +EXPORT_SYMBOL(gr_set_kernel_label);
53480 +#ifdef CONFIG_SECURITY
53481 +EXPORT_SYMBOL(gr_check_user_change);
53482 +EXPORT_SYMBOL(gr_check_group_change);
53483 +#endif
53484 +
53485 diff -urNp linux-2.6.32.46/grsecurity/gracl_cap.c linux-2.6.32.46/grsecurity/gracl_cap.c
53486 --- linux-2.6.32.46/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
53487 +++ linux-2.6.32.46/grsecurity/gracl_cap.c 2011-04-17 15:56:46.000000000 -0400
53488 @@ -0,0 +1,138 @@
53489 +#include <linux/kernel.h>
53490 +#include <linux/module.h>
53491 +#include <linux/sched.h>
53492 +#include <linux/gracl.h>
53493 +#include <linux/grsecurity.h>
53494 +#include <linux/grinternal.h>
53495 +
53496 +static const char *captab_log[] = {
53497 + "CAP_CHOWN",
53498 + "CAP_DAC_OVERRIDE",
53499 + "CAP_DAC_READ_SEARCH",
53500 + "CAP_FOWNER",
53501 + "CAP_FSETID",
53502 + "CAP_KILL",
53503 + "CAP_SETGID",
53504 + "CAP_SETUID",
53505 + "CAP_SETPCAP",
53506 + "CAP_LINUX_IMMUTABLE",
53507 + "CAP_NET_BIND_SERVICE",
53508 + "CAP_NET_BROADCAST",
53509 + "CAP_NET_ADMIN",
53510 + "CAP_NET_RAW",
53511 + "CAP_IPC_LOCK",
53512 + "CAP_IPC_OWNER",
53513 + "CAP_SYS_MODULE",
53514 + "CAP_SYS_RAWIO",
53515 + "CAP_SYS_CHROOT",
53516 + "CAP_SYS_PTRACE",
53517 + "CAP_SYS_PACCT",
53518 + "CAP_SYS_ADMIN",
53519 + "CAP_SYS_BOOT",
53520 + "CAP_SYS_NICE",
53521 + "CAP_SYS_RESOURCE",
53522 + "CAP_SYS_TIME",
53523 + "CAP_SYS_TTY_CONFIG",
53524 + "CAP_MKNOD",
53525 + "CAP_LEASE",
53526 + "CAP_AUDIT_WRITE",
53527 + "CAP_AUDIT_CONTROL",
53528 + "CAP_SETFCAP",
53529 + "CAP_MAC_OVERRIDE",
53530 + "CAP_MAC_ADMIN"
53531 +};
53532 +
53533 +EXPORT_SYMBOL(gr_is_capable);
53534 +EXPORT_SYMBOL(gr_is_capable_nolog);
53535 +
53536 +int
53537 +gr_is_capable(const int cap)
53538 +{
53539 + struct task_struct *task = current;
53540 + const struct cred *cred = current_cred();
53541 + struct acl_subject_label *curracl;
53542 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
53543 + kernel_cap_t cap_audit = __cap_empty_set;
53544 +
53545 + if (!gr_acl_is_enabled())
53546 + return 1;
53547 +
53548 + curracl = task->acl;
53549 +
53550 + cap_drop = curracl->cap_lower;
53551 + cap_mask = curracl->cap_mask;
53552 + cap_audit = curracl->cap_invert_audit;
53553 +
53554 + while ((curracl = curracl->parent_subject)) {
53555 + /* if the cap isn't specified in the current computed mask but is specified in the
53556 + current level subject, and is lowered in the current level subject, then add
53557 + it to the set of dropped capabilities
53558 + otherwise, add the current level subject's mask to the current computed mask
53559 + */
53560 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
53561 + cap_raise(cap_mask, cap);
53562 + if (cap_raised(curracl->cap_lower, cap))
53563 + cap_raise(cap_drop, cap);
53564 + if (cap_raised(curracl->cap_invert_audit, cap))
53565 + cap_raise(cap_audit, cap);
53566 + }
53567 + }
53568 +
53569 + if (!cap_raised(cap_drop, cap)) {
53570 + if (cap_raised(cap_audit, cap))
53571 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
53572 + return 1;
53573 + }
53574 +
53575 + curracl = task->acl;
53576 +
53577 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
53578 + && cap_raised(cred->cap_effective, cap)) {
53579 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
53580 + task->role->roletype, cred->uid,
53581 + cred->gid, task->exec_file ?
53582 + gr_to_filename(task->exec_file->f_path.dentry,
53583 + task->exec_file->f_path.mnt) : curracl->filename,
53584 + curracl->filename, 0UL,
53585 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
53586 + return 1;
53587 + }
53588 +
53589 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
53590 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
53591 + return 0;
53592 +}
53593 +
53594 +int
53595 +gr_is_capable_nolog(const int cap)
53596 +{
53597 + struct acl_subject_label *curracl;
53598 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
53599 +
53600 + if (!gr_acl_is_enabled())
53601 + return 1;
53602 +
53603 + curracl = current->acl;
53604 +
53605 + cap_drop = curracl->cap_lower;
53606 + cap_mask = curracl->cap_mask;
53607 +
53608 + while ((curracl = curracl->parent_subject)) {
53609 + /* if the cap isn't specified in the current computed mask but is specified in the
53610 + current level subject, and is lowered in the current level subject, then add
53611 + it to the set of dropped capabilities
53612 + otherwise, add the current level subject's mask to the current computed mask
53613 + */
53614 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
53615 + cap_raise(cap_mask, cap);
53616 + if (cap_raised(curracl->cap_lower, cap))
53617 + cap_raise(cap_drop, cap);
53618 + }
53619 + }
53620 +
53621 + if (!cap_raised(cap_drop, cap))
53622 + return 1;
53623 +
53624 + return 0;
53625 +}
53626 +
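Review bot: In `gr_is_capable`, the audit-allow branch passes `captab_log[cap]` to `gr_log_cap` with no range check, while the denial branch at the end of the same function guards the identical lookup with `(cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0])))`. The table holds 34 names ending at `CAP_MAC_ADMIN`, so a capability number beyond it would read past the array on the audit path and hand an arbitrary pointer to the logger. Apply the same bound on both paths, for example `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`. A short comment above `captab_log` saying it must stay in step with the kernel's capability list would also help the next person who rebases the patch.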
53627 diff -urNp linux-2.6.32.46/grsecurity/gracl_fs.c linux-2.6.32.46/grsecurity/gracl_fs.c
53628 --- linux-2.6.32.46/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
53629 +++ linux-2.6.32.46/grsecurity/gracl_fs.c 2011-04-17 15:56:46.000000000 -0400
53630 @@ -0,0 +1,431 @@
53631 +#include <linux/kernel.h>
53632 +#include <linux/sched.h>
53633 +#include <linux/types.h>
53634 +#include <linux/fs.h>
53635 +#include <linux/file.h>
53636 +#include <linux/stat.h>
53637 +#include <linux/grsecurity.h>
53638 +#include <linux/grinternal.h>
53639 +#include <linux/gracl.h>
53640 +
53641 +__u32
53642 +gr_acl_handle_hidden_file(const struct dentry * dentry,
53643 + const struct vfsmount * mnt)
53644 +{
53645 + __u32 mode;
53646 +
53647 + if (unlikely(!dentry->d_inode))
53648 + return GR_FIND;
53649 +
53650 + mode =
53651 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
53652 +
53653 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
53654 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
53655 + return mode;
53656 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
53657 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
53658 + return 0;
53659 + } else if (unlikely(!(mode & GR_FIND)))
53660 + return 0;
53661 +
53662 + return GR_FIND;
53663 +}
53664 +
53665 +__u32
53666 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
53667 + const int fmode)
53668 +{
53669 + __u32 reqmode = GR_FIND;
53670 + __u32 mode;
53671 +
53672 + if (unlikely(!dentry->d_inode))
53673 + return reqmode;
53674 +
53675 + if (unlikely(fmode & O_APPEND))
53676 + reqmode |= GR_APPEND;
53677 + else if (unlikely(fmode & FMODE_WRITE))
53678 + reqmode |= GR_WRITE;
53679 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
53680 + reqmode |= GR_READ;
53681 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
53682 + reqmode &= ~GR_READ;
53683 + mode =
53684 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
53685 + mnt);
53686 +
53687 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
53688 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
53689 + reqmode & GR_READ ? " reading" : "",
53690 + reqmode & GR_WRITE ? " writing" : reqmode &
53691 + GR_APPEND ? " appending" : "");
53692 + return reqmode;
53693 + } else
53694 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
53695 + {
53696 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
53697 + reqmode & GR_READ ? " reading" : "",
53698 + reqmode & GR_WRITE ? " writing" : reqmode &
53699 + GR_APPEND ? " appending" : "");
53700 + return 0;
53701 + } else if (unlikely((mode & reqmode) != reqmode))
53702 + return 0;
53703 +
53704 + return reqmode;
53705 +}
53706 +
53707 +__u32
53708 +gr_acl_handle_creat(const struct dentry * dentry,
53709 + const struct dentry * p_dentry,
53710 + const struct vfsmount * p_mnt, const int fmode,
53711 + const int imode)
53712 +{
53713 + __u32 reqmode = GR_WRITE | GR_CREATE;
53714 + __u32 mode;
53715 +
53716 + if (unlikely(fmode & O_APPEND))
53717 + reqmode |= GR_APPEND;
53718 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
53719 + reqmode |= GR_READ;
53720 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
53721 + reqmode |= GR_SETID;
53722 +
53723 + mode =
53724 + gr_check_create(dentry, p_dentry, p_mnt,
53725 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
53726 +
53727 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
53728 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
53729 + reqmode & GR_READ ? " reading" : "",
53730 + reqmode & GR_WRITE ? " writing" : reqmode &
53731 + GR_APPEND ? " appending" : "");
53732 + return reqmode;
53733 + } else
53734 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
53735 + {
53736 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
53737 + reqmode & GR_READ ? " reading" : "",
53738 + reqmode & GR_WRITE ? " writing" : reqmode &
53739 + GR_APPEND ? " appending" : "");
53740 + return 0;
53741 + } else if (unlikely((mode & reqmode) != reqmode))
53742 + return 0;
53743 +
53744 + return reqmode;
53745 +}
53746 +
53747 +__u32
53748 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
53749 + const int fmode)
53750 +{
53751 + __u32 mode, reqmode = GR_FIND;
53752 +
53753 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
53754 + reqmode |= GR_EXEC;
53755 + if (fmode & S_IWOTH)
53756 + reqmode |= GR_WRITE;
53757 + if (fmode & S_IROTH)
53758 + reqmode |= GR_READ;
53759 +
53760 + mode =
53761 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
53762 + mnt);
53763 +
53764 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
53765 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
53766 + reqmode & GR_READ ? " reading" : "",
53767 + reqmode & GR_WRITE ? " writing" : "",
53768 + reqmode & GR_EXEC ? " executing" : "");
53769 + return reqmode;
53770 + } else
53771 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
53772 + {
53773 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
53774 + reqmode & GR_READ ? " reading" : "",
53775 + reqmode & GR_WRITE ? " writing" : "",
53776 + reqmode & GR_EXEC ? " executing" : "");
53777 + return 0;
53778 + } else if (unlikely((mode & reqmode) != reqmode))
53779 + return 0;
53780 +
53781 + return reqmode;
53782 +}
53783 +
53784 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
53785 +{
53786 + __u32 mode;
53787 +
53788 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
53789 +
53790 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
53791 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
53792 + return mode;
53793 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
53794 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
53795 + return 0;
53796 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
53797 + return 0;
53798 +
53799 + return (reqmode);
53800 +}
53801 +
53802 +__u32
53803 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
53804 +{
53805 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
53806 +}
53807 +
53808 +__u32
53809 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
53810 +{
53811 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
53812 +}
53813 +
53814 +__u32
53815 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
53816 +{
53817 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
53818 +}
53819 +
53820 +__u32
53821 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
53822 +{
53823 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
53824 +}
53825 +
53826 +__u32
53827 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
53828 + mode_t mode)
53829 +{
53830 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
53831 + return 1;
53832 +
53833 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
53834 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
53835 + GR_FCHMOD_ACL_MSG);
53836 + } else {
53837 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
53838 + }
53839 +}
53840 +
53841 +__u32
53842 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
53843 + mode_t mode)
53844 +{
53845 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
53846 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
53847 + GR_CHMOD_ACL_MSG);
53848 + } else {
53849 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
53850 + }
53851 +}
53852 +
53853 +__u32
53854 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
53855 +{
53856 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
53857 +}
53858 +
53859 +__u32
53860 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
53861 +{
53862 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
53863 +}
53864 +
53865 +__u32
53866 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
53867 +{
53868 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
53869 +}
53870 +
53871 +__u32
53872 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
53873 +{
53874 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
53875 + GR_UNIXCONNECT_ACL_MSG);
53876 +}
53877 +
53878 +/* hardlinks require at minimum create permission,
53879 + any additional privilege required is based on the
53880 + privilege of the file being linked to
53881 +*/
53882 +__u32
53883 +gr_acl_handle_link(const struct dentry * new_dentry,
53884 + const struct dentry * parent_dentry,
53885 + const struct vfsmount * parent_mnt,
53886 + const struct dentry * old_dentry,
53887 + const struct vfsmount * old_mnt, const char *to)
53888 +{
53889 + __u32 mode;
53890 + __u32 needmode = GR_CREATE | GR_LINK;
53891 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
53892 +
53893 + mode =
53894 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
53895 + old_mnt);
53896 +
53897 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
53898 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
53899 + return mode;
53900 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
53901 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
53902 + return 0;
53903 + } else if (unlikely((mode & needmode) != needmode))
53904 + return 0;
53905 +
53906 + return 1;
53907 +}
53908 +
53909 +__u32
53910 +gr_acl_handle_symlink(const struct dentry * new_dentry,
53911 + const struct dentry * parent_dentry,
53912 + const struct vfsmount * parent_mnt, const char *from)
53913 +{
53914 + __u32 needmode = GR_WRITE | GR_CREATE;
53915 + __u32 mode;
53916 +
53917 + mode =
53918 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
53919 + GR_CREATE | GR_AUDIT_CREATE |
53920 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
53921 +
53922 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
53923 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
53924 + return mode;
53925 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
53926 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
53927 + return 0;
53928 + } else if (unlikely((mode & needmode) != needmode))
53929 + return 0;
53930 +
53931 + return (GR_WRITE | GR_CREATE);
53932 +}
53933 +
53934 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
53935 +{
53936 + __u32 mode;
53937 +
53938 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
53939 +
53940 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
53941 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
53942 + return mode;
53943 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
53944 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
53945 + return 0;
53946 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
53947 + return 0;
53948 +
53949 + return (reqmode);
53950 +}
53951 +
53952 +__u32
53953 +gr_acl_handle_mknod(const struct dentry * new_dentry,
53954 + const struct dentry * parent_dentry,
53955 + const struct vfsmount * parent_mnt,
53956 + const int mode)
53957 +{
53958 + __u32 reqmode = GR_WRITE | GR_CREATE;
53959 + if (unlikely(mode & (S_ISUID | S_ISGID)))
53960 + reqmode |= GR_SETID;
53961 +
53962 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
53963 + reqmode, GR_MKNOD_ACL_MSG);
53964 +}
53965 +
53966 +__u32
53967 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
53968 + const struct dentry *parent_dentry,
53969 + const struct vfsmount *parent_mnt)
53970 +{
53971 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
53972 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
53973 +}
53974 +
53975 +#define RENAME_CHECK_SUCCESS(old, new) \
53976 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
53977 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
53978 +
53979 +int
53980 +gr_acl_handle_rename(struct dentry *new_dentry,
53981 + struct dentry *parent_dentry,
53982 + const struct vfsmount *parent_mnt,
53983 + struct dentry *old_dentry,
53984 + struct inode *old_parent_inode,
53985 + struct vfsmount *old_mnt, const char *newname)
53986 +{
53987 + __u32 comp1, comp2;
53988 + int error = 0;
53989 +
53990 + if (unlikely(!gr_acl_is_enabled()))
53991 + return 0;
53992 +
53993 + if (!new_dentry->d_inode) {
53994 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
53995 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
53996 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
53997 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
53998 + GR_DELETE | GR_AUDIT_DELETE |
53999 + GR_AUDIT_READ | GR_AUDIT_WRITE |
54000 + GR_SUPPRESS, old_mnt);
54001 + } else {
54002 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
54003 + GR_CREATE | GR_DELETE |
54004 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
54005 + GR_AUDIT_READ | GR_AUDIT_WRITE |
54006 + GR_SUPPRESS, parent_mnt);
54007 + comp2 =
54008 + gr_search_file(old_dentry,
54009 + GR_READ | GR_WRITE | GR_AUDIT_READ |
54010 + GR_DELETE | GR_AUDIT_DELETE |
54011 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
54012 + }
54013 +
54014 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
54015 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
54016 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
54017 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
54018 + && !(comp2 & GR_SUPPRESS)) {
54019 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
54020 + error = -EACCES;
54021 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
54022 + error = -EACCES;
54023 +
54024 + return error;
54025 +}
54026 +
54027 +void
54028 +gr_acl_handle_exit(void)
54029 +{
54030 + u16 id;
54031 + char *rolename;
54032 + struct file *exec_file;
54033 +
54034 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
54035 + !(current->role->roletype & GR_ROLE_PERSIST))) {
54036 + id = current->acl_role_id;
54037 + rolename = current->role->rolename;
54038 + gr_set_acls(1);
54039 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
54040 + }
54041 +
54042 + write_lock(&grsec_exec_file_lock);
54043 + exec_file = current->exec_file;
54044 + current->exec_file = NULL;
54045 + write_unlock(&grsec_exec_file_lock);
54046 +
54047 + if (exec_file)
54048 + fput(exec_file);
54049 +}
54050 +
54051 +int
54052 +gr_acl_handle_procpidmem(const struct task_struct *task)
54053 +{
54054 + if (unlikely(!gr_acl_is_enabled()))
54055 + return 0;
54056 +
54057 + if (task != current && task->acl->mode & GR_PROTPROCFD)
54058 + return -EACCES;
54059 +
54060 + return 0;
54061 +}
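Review bot: `gr_acl_handle_symlink` takes its audit-success branch on `mode & GR_WRITE && mode & GR_AUDITS`, which tests only the write bit, although `needmode` is `GR_WRITE | GR_CREATE` and both denial branches below compare against the full mask. If `gr_check_create` (defined outside this hunk) can return write without create together with an audit bit, that branch logs the request as granted and returns a non-zero mode before the denial checks are reached. `generic_fs_create_handler`, the next function in this file, uses the full-mask form, and the symlink handler should match it: `if (unlikely(((mode & needmode) == needmode) && (mode & GR_AUDITS))) {`.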
54062 diff -urNp linux-2.6.32.46/grsecurity/gracl_ip.c linux-2.6.32.46/grsecurity/gracl_ip.c
54063 --- linux-2.6.32.46/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
54064 +++ linux-2.6.32.46/grsecurity/gracl_ip.c 2011-04-17 15:56:46.000000000 -0400
54065 @@ -0,0 +1,382 @@
54066 +#include <linux/kernel.h>
54067 +#include <asm/uaccess.h>
54068 +#include <asm/errno.h>
54069 +#include <net/sock.h>
54070 +#include <linux/file.h>
54071 +#include <linux/fs.h>
54072 +#include <linux/net.h>
54073 +#include <linux/in.h>
54074 +#include <linux/skbuff.h>
54075 +#include <linux/ip.h>
54076 +#include <linux/udp.h>
54077 +#include <linux/smp_lock.h>
54078 +#include <linux/types.h>
54079 +#include <linux/sched.h>
54080 +#include <linux/netdevice.h>
54081 +#include <linux/inetdevice.h>
54082 +#include <linux/gracl.h>
54083 +#include <linux/grsecurity.h>
54084 +#include <linux/grinternal.h>
54085 +
54086 +#define GR_BIND 0x01
54087 +#define GR_CONNECT 0x02
54088 +#define GR_INVERT 0x04
54089 +#define GR_BINDOVERRIDE 0x08
54090 +#define GR_CONNECTOVERRIDE 0x10
54091 +#define GR_SOCK_FAMILY 0x20
54092 +
54093 +static const char * gr_protocols[IPPROTO_MAX] = {
54094 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
54095 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
54096 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
54097 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
54098 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
54099 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
54100 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
54101 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
54102 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
54103 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
54104 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
54105 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
54106 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
54107 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
54108 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
54109 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
54110 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
54111 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
54112 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
54113 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
54114 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
54115 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
54116 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
54117 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
54118 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
54119 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
54120 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
54121 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
54122 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
54123 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
54124 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
54125 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
54126 + };
54127 +
54128 +static const char * gr_socktypes[SOCK_MAX] = {
54129 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
54130 + "unknown:7", "unknown:8", "unknown:9", "packet"
54131 + };
54132 +
54133 +static const char * gr_sockfamilies[AF_MAX+1] = {
54134 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
54135 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
54136 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
54137 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154"
54138 + };
54139 +
54140 +const char *
54141 +gr_proto_to_name(unsigned char proto)
54142 +{
54143 + return gr_protocols[proto];
54144 +}
54145 +
54146 +const char *
54147 +gr_socktype_to_name(unsigned char type)
54148 +{
54149 + return gr_socktypes[type];
54150 +}
54151 +
54152 +const char *
54153 +gr_sockfamily_to_name(unsigned char family)
54154 +{
54155 + return gr_sockfamilies[family];
54156 +}
54157 +
54158 +int
54159 +gr_search_socket(const int domain, const int type, const int protocol)
54160 +{
54161 + struct acl_subject_label *curr;
54162 + const struct cred *cred = current_cred();
54163 +
54164 + if (unlikely(!gr_acl_is_enabled()))
54165 + goto exit;
54166 +
54167 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
54168 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
54169 + goto exit; // let the kernel handle it
54170 +
54171 + curr = current->acl;
54172 +
54173 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
54174 + /* the family is allowed, if this is PF_INET allow it only if
54175 + the extra sock type/protocol checks pass */
54176 + if (domain == PF_INET)
54177 + goto inet_check;
54178 + goto exit;
54179 + } else {
54180 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
54181 + __u32 fakeip = 0;
54182 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
54183 + current->role->roletype, cred->uid,
54184 + cred->gid, current->exec_file ?
54185 + gr_to_filename(current->exec_file->f_path.dentry,
54186 + current->exec_file->f_path.mnt) :
54187 + curr->filename, curr->filename,
54188 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
54189 + &current->signal->saved_ip);
54190 + goto exit;
54191 + }
54192 + goto exit_fail;
54193 + }
54194 +
54195 +inet_check:
54196 + /* the rest of this checking is for IPv4 only */
54197 + if (!curr->ips)
54198 + goto exit;
54199 +
54200 + if ((curr->ip_type & (1 << type)) &&
54201 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
54202 + goto exit;
54203 +
54204 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
54205 + /* we don't place acls on raw sockets , and sometimes
54206 + dgram/ip sockets are opened for ioctl and not
54207 + bind/connect, so we'll fake a bind learn log */
54208 + if (type == SOCK_RAW || type == SOCK_PACKET) {
54209 + __u32 fakeip = 0;
54210 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
54211 + current->role->roletype, cred->uid,
54212 + cred->gid, current->exec_file ?
54213 + gr_to_filename(current->exec_file->f_path.dentry,
54214 + current->exec_file->f_path.mnt) :
54215 + curr->filename, curr->filename,
54216 + &fakeip, 0, type,
54217 + protocol, GR_CONNECT, &current->signal->saved_ip);
54218 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
54219 + __u32 fakeip = 0;
54220 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
54221 + current->role->roletype, cred->uid,
54222 + cred->gid, current->exec_file ?
54223 + gr_to_filename(current->exec_file->f_path.dentry,
54224 + current->exec_file->f_path.mnt) :
54225 + curr->filename, curr->filename,
54226 + &fakeip, 0, type,
54227 + protocol, GR_BIND, &current->signal->saved_ip);
54228 + }
54229 + /* we'll log when they use connect or bind */
54230 + goto exit;
54231 + }
54232 +
54233 +exit_fail:
54234 + if (domain == PF_INET)
54235 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
54236 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
54237 + else
54238 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
54239 + gr_socktype_to_name(type), protocol);
54240 +
54241 + return 0;
54242 +exit:
54243 + return 1;
54244 +}
54245 +
54246 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
54247 +{
54248 + if ((ip->mode & mode) &&
54249 + (ip_port >= ip->low) &&
54250 + (ip_port <= ip->high) &&
54251 + ((ntohl(ip_addr) & our_netmask) ==
54252 + (ntohl(our_addr) & our_netmask))
54253 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
54254 + && (ip->type & (1 << type))) {
54255 + if (ip->mode & GR_INVERT)
54256 + return 2; // specifically denied
54257 + else
54258 + return 1; // allowed
54259 + }
54260 +
54261 + return 0; // not specifically allowed, may continue parsing
54262 +}
54263 +
54264 +static int
54265 +gr_search_connectbind(const int full_mode, struct sock *sk,
54266 + struct sockaddr_in *addr, const int type)
54267 +{
54268 + char iface[IFNAMSIZ] = {0};
54269 + struct acl_subject_label *curr;
54270 + struct acl_ip_label *ip;
54271 + struct inet_sock *isk;
54272 + struct net_device *dev;
54273 + struct in_device *idev;
54274 + unsigned long i;
54275 + int ret;
54276 + int mode = full_mode & (GR_BIND | GR_CONNECT);
54277 + __u32 ip_addr = 0;
54278 + __u32 our_addr;
54279 + __u32 our_netmask;
54280 + char *p;
54281 + __u16 ip_port = 0;
54282 + const struct cred *cred = current_cred();
54283 +
54284 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
54285 + return 0;
54286 +
54287 + curr = current->acl;
54288 + isk = inet_sk(sk);
54289 +
54290 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
54291 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
54292 + addr->sin_addr.s_addr = curr->inaddr_any_override;
54293 + if ((full_mode & GR_CONNECT) && isk->saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
54294 + struct sockaddr_in saddr;
54295 + int err;
54296 +
54297 + saddr.sin_family = AF_INET;
54298 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
54299 + saddr.sin_port = isk->sport;
54300 +
54301 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
54302 + if (err)
54303 + return err;
54304 +
54305 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
54306 + if (err)
54307 + return err;
54308 + }
54309 +
54310 + if (!curr->ips)
54311 + return 0;
54312 +
54313 + ip_addr = addr->sin_addr.s_addr;
54314 + ip_port = ntohs(addr->sin_port);
54315 +
54316 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
54317 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
54318 + current->role->roletype, cred->uid,
54319 + cred->gid, current->exec_file ?
54320 + gr_to_filename(current->exec_file->f_path.dentry,
54321 + current->exec_file->f_path.mnt) :
54322 + curr->filename, curr->filename,
54323 + &ip_addr, ip_port, type,
54324 + sk->sk_protocol, mode, &current->signal->saved_ip);
54325 + return 0;
54326 + }
54327 +
54328 + for (i = 0; i < curr->ip_num; i++) {
54329 + ip = *(curr->ips + i);
54330 + if (ip->iface != NULL) {
54331 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
54332 + p = strchr(iface, ':');
54333 + if (p != NULL)
54334 + *p = '\0';
54335 + dev = dev_get_by_name(sock_net(sk), iface);
54336 + if (dev == NULL)
54337 + continue;
54338 + idev = in_dev_get(dev);
54339 + if (idev == NULL) {
54340 + dev_put(dev);
54341 + continue;
54342 + }
54343 + rcu_read_lock();
54344 + for_ifa(idev) {
54345 + if (!strcmp(ip->iface, ifa->ifa_label)) {
54346 + our_addr = ifa->ifa_address;
54347 + our_netmask = 0xffffffff;
54348 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
54349 + if (ret == 1) {
54350 + rcu_read_unlock();
54351 + in_dev_put(idev);
54352 + dev_put(dev);
54353 + return 0;
54354 + } else if (ret == 2) {
54355 + rcu_read_unlock();
54356 + in_dev_put(idev);
54357 + dev_put(dev);
54358 + goto denied;
54359 + }
54360 + }
54361 + } endfor_ifa(idev);
54362 + rcu_read_unlock();
54363 + in_dev_put(idev);
54364 + dev_put(dev);
54365 + } else {
54366 + our_addr = ip->addr;
54367 + our_netmask = ip->netmask;
54368 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
54369 + if (ret == 1)
54370 + return 0;
54371 + else if (ret == 2)
54372 + goto denied;
54373 + }
54374 + }
54375 +
54376 +denied:
54377 + if (mode == GR_BIND)
54378 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
54379 + else if (mode == GR_CONNECT)
54380 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
54381 +
54382 + return -EACCES;
54383 +}
54384 +
54385 +int
54386 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
54387 +{
54388 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
54389 +}
54390 +
54391 +int
54392 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
54393 +{
54394 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
54395 +}
54396 +
54397 +int gr_search_listen(struct socket *sock)
54398 +{
54399 + struct sock *sk = sock->sk;
54400 + struct sockaddr_in addr;
54401 +
54402 + addr.sin_addr.s_addr = inet_sk(sk)->saddr;
54403 + addr.sin_port = inet_sk(sk)->sport;
54404 +
54405 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
54406 +}
54407 +
54408 +int gr_search_accept(struct socket *sock)
54409 +{
54410 + struct sock *sk = sock->sk;
54411 + struct sockaddr_in addr;
54412 +
54413 + addr.sin_addr.s_addr = inet_sk(sk)->saddr;
54414 + addr.sin_port = inet_sk(sk)->sport;
54415 +
54416 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
54417 +}
54418 +
54419 +int
54420 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
54421 +{
54422 + if (addr)
54423 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
54424 + else {
54425 + struct sockaddr_in sin;
54426 + const struct inet_sock *inet = inet_sk(sk);
54427 +
54428 + sin.sin_addr.s_addr = inet->daddr;
54429 + sin.sin_port = inet->dport;
54430 +
54431 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
54432 + }
54433 +}
54434 +
54435 +int
54436 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
54437 +{
54438 + struct sockaddr_in sin;
54439 +
54440 + if (unlikely(skb->len < sizeof (struct udphdr)))
54441 + return 0; // skip this packet
54442 +
54443 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
54444 + sin.sin_port = udp_hdr(skb)->source;
54445 +
54446 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
54447 +}
54448 diff -urNp linux-2.6.32.46/grsecurity/gracl_learn.c linux-2.6.32.46/grsecurity/gracl_learn.c
54449 --- linux-2.6.32.46/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
54450 +++ linux-2.6.32.46/grsecurity/gracl_learn.c 2011-07-14 21:02:03.000000000 -0400
54451 @@ -0,0 +1,208 @@
54452 +#include <linux/kernel.h>
54453 +#include <linux/mm.h>
54454 +#include <linux/sched.h>
54455 +#include <linux/poll.h>
54456 +#include <linux/smp_lock.h>
54457 +#include <linux/string.h>
54458 +#include <linux/file.h>
54459 +#include <linux/types.h>
54460 +#include <linux/vmalloc.h>
54461 +#include <linux/grinternal.h>
54462 +
54463 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
54464 + size_t count, loff_t *ppos);
54465 +extern int gr_acl_is_enabled(void);
54466 +
54467 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
54468 +static int gr_learn_attached;
54469 +
54470 +/* use a 512k buffer */
54471 +#define LEARN_BUFFER_SIZE (512 * 1024)
54472 +
54473 +static DEFINE_SPINLOCK(gr_learn_lock);
54474 +static DEFINE_MUTEX(gr_learn_user_mutex);
54475 +
54476 +/* we need to maintain two buffers, so that the kernel context of grlearn
54477 + uses a semaphore around the userspace copying, and the other kernel contexts
54478 + use a spinlock when copying into the buffer, since they cannot sleep
54479 +*/
54480 +static char *learn_buffer;
54481 +static char *learn_buffer_user;
54482 +static int learn_buffer_len;
54483 +static int learn_buffer_user_len;
54484 +
54485 +static ssize_t
54486 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
54487 +{
54488 + DECLARE_WAITQUEUE(wait, current);
54489 + ssize_t retval = 0;
54490 +
54491 + add_wait_queue(&learn_wait, &wait);
54492 + set_current_state(TASK_INTERRUPTIBLE);
54493 + do {
54494 + mutex_lock(&gr_learn_user_mutex);
54495 + spin_lock(&gr_learn_lock);
54496 + if (learn_buffer_len)
54497 + break;
54498 + spin_unlock(&gr_learn_lock);
54499 + mutex_unlock(&gr_learn_user_mutex);
54500 + if (file->f_flags & O_NONBLOCK) {
54501 + retval = -EAGAIN;
54502 + goto out;
54503 + }
54504 + if (signal_pending(current)) {
54505 + retval = -ERESTARTSYS;
54506 + goto out;
54507 + }
54508 +
54509 + schedule();
54510 + } while (1);
54511 +
54512 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
54513 + learn_buffer_user_len = learn_buffer_len;
54514 + retval = learn_buffer_len;
54515 + learn_buffer_len = 0;
54516 +
54517 + spin_unlock(&gr_learn_lock);
54518 +
54519 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
54520 + retval = -EFAULT;
54521 +
54522 + mutex_unlock(&gr_learn_user_mutex);
54523 +out:
54524 + set_current_state(TASK_RUNNING);
54525 + remove_wait_queue(&learn_wait, &wait);
54526 + return retval;
54527 +}
54528 +
54529 +static unsigned int
54530 +poll_learn(struct file * file, poll_table * wait)
54531 +{
54532 + poll_wait(file, &learn_wait, wait);
54533 +
54534 + if (learn_buffer_len)
54535 + return (POLLIN | POLLRDNORM);
54536 +
54537 + return 0;
54538 +}
54539 +
54540 +void
54541 +gr_clear_learn_entries(void)
54542 +{
54543 + char *tmp;
54544 +
54545 + mutex_lock(&gr_learn_user_mutex);
54546 + spin_lock(&gr_learn_lock);
54547 + tmp = learn_buffer;
54548 + learn_buffer = NULL;
54549 + spin_unlock(&gr_learn_lock);
54550 + if (tmp)
54551 + vfree(tmp);
54552 + if (learn_buffer_user != NULL) {
54553 + vfree(learn_buffer_user);
54554 + learn_buffer_user = NULL;
54555 + }
54556 + learn_buffer_len = 0;
54557 + mutex_unlock(&gr_learn_user_mutex);
54558 +
54559 + return;
54560 +}
54561 +
54562 +void
54563 +gr_add_learn_entry(const char *fmt, ...)
54564 +{
54565 + va_list args;
54566 + unsigned int len;
54567 +
54568 + if (!gr_learn_attached)
54569 + return;
54570 +
54571 + spin_lock(&gr_learn_lock);
54572 +
54573 + /* leave a gap at the end so we know when it's "full" but don't have to
54574 + compute the exact length of the string we're trying to append
54575 + */
54576 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
54577 + spin_unlock(&gr_learn_lock);
54578 + wake_up_interruptible(&learn_wait);
54579 + return;
54580 + }
54581 + if (learn_buffer == NULL) {
54582 + spin_unlock(&gr_learn_lock);
54583 + return;
54584 + }
54585 +
54586 + va_start(args, fmt);
54587 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
54588 + va_end(args);
54589 +
54590 + learn_buffer_len += len + 1;
54591 +
54592 + spin_unlock(&gr_learn_lock);
54593 + wake_up_interruptible(&learn_wait);
54594 +
54595 + return;
54596 +}
54597 +
54598 +static int
54599 +open_learn(struct inode *inode, struct file *file)
54600 +{
54601 + if (file->f_mode & FMODE_READ && gr_learn_attached)
54602 + return -EBUSY;
54603 + if (file->f_mode & FMODE_READ) {
54604 + int retval = 0;
54605 + mutex_lock(&gr_learn_user_mutex);
54606 + if (learn_buffer == NULL)
54607 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
54608 + if (learn_buffer_user == NULL)
54609 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
54610 + if (learn_buffer == NULL) {
54611 + retval = -ENOMEM;
54612 + goto out_error;
54613 + }
54614 + if (learn_buffer_user == NULL) {
54615 + retval = -ENOMEM;
54616 + goto out_error;
54617 + }
54618 + learn_buffer_len = 0;
54619 + learn_buffer_user_len = 0;
54620 + gr_learn_attached = 1;
54621 +out_error:
54622 + mutex_unlock(&gr_learn_user_mutex);
54623 + return retval;
54624 + }
54625 + return 0;
54626 +}
54627 +
54628 +static int
54629 +close_learn(struct inode *inode, struct file *file)
54630 +{
54631 + if (file->f_mode & FMODE_READ) {
54632 + char *tmp = NULL;
54633 + mutex_lock(&gr_learn_user_mutex);
54634 + spin_lock(&gr_learn_lock);
54635 + tmp = learn_buffer;
54636 + learn_buffer = NULL;
54637 + spin_unlock(&gr_learn_lock);
54638 + if (tmp)
54639 + vfree(tmp);
54640 + if (learn_buffer_user != NULL) {
54641 + vfree(learn_buffer_user);
54642 + learn_buffer_user = NULL;
54643 + }
54644 + learn_buffer_len = 0;
54645 + learn_buffer_user_len = 0;
54646 + gr_learn_attached = 0;
54647 + mutex_unlock(&gr_learn_user_mutex);
54648 + }
54649 +
54650 + return 0;
54651 +}
54652 +
54653 +const struct file_operations grsec_fops = {
54654 + .read = read_learn,
54655 + .write = write_grsec_handler,
54656 + .open = open_learn,
54657 + .release = close_learn,
54658 + .poll = poll_learn,
54659 +};
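Review bot: read_learn() never looks at `count`: it drains the whole learn buffer and calls copy_to_user() with learn_buffer_user_len, so a reader that passes a buffer smaller than the pending data gets bytes written past the length it asked for. Because the buffer is drained in one go, the simplest guard is to refuse short reads before the wait loop, `if (count < LEARN_BUFFER_SIZE) return -EINVAL;`. Separately, gr_add_learn_entry() adds vsnprintf()'s return value to learn_buffer_len, and that value is the would-be length rather than the bytes actually stored. An entry longer than the 16384-byte gap would push learn_buffer_len past LEARN_BUFFER_SIZE, and the later memcpy() in read_learn() would then overrun both buffers. `len = vscnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);` keeps the accounted length equal to what was written.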
54660 diff -urNp linux-2.6.32.46/grsecurity/gracl_res.c linux-2.6.32.46/grsecurity/gracl_res.c
54661 --- linux-2.6.32.46/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
54662 +++ linux-2.6.32.46/grsecurity/gracl_res.c 2011-04-17 15:56:46.000000000 -0400
54663 @@ -0,0 +1,67 @@
54664 +#include <linux/kernel.h>
54665 +#include <linux/sched.h>
54666 +#include <linux/gracl.h>
54667 +#include <linux/grinternal.h>
54668 +
54669 +static const char *restab_log[] = {
54670 + [RLIMIT_CPU] = "RLIMIT_CPU",
54671 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
54672 + [RLIMIT_DATA] = "RLIMIT_DATA",
54673 + [RLIMIT_STACK] = "RLIMIT_STACK",
54674 + [RLIMIT_CORE] = "RLIMIT_CORE",
54675 + [RLIMIT_RSS] = "RLIMIT_RSS",
54676 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
54677 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
54678 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
54679 + [RLIMIT_AS] = "RLIMIT_AS",
54680 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
54681 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
54682 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
54683 + [RLIMIT_NICE] = "RLIMIT_NICE",
54684 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
54685 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
54686 + [GR_CRASH_RES] = "RLIMIT_CRASH"
54687 +};
54688 +
54689 +void
54690 +gr_log_resource(const struct task_struct *task,
54691 + const int res, const unsigned long wanted, const int gt)
54692 +{
54693 + const struct cred *cred;
54694 + unsigned long rlim;
54695 +
54696 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
54697 + return;
54698 +
54699 + // not yet supported resource
54700 + if (unlikely(!restab_log[res]))
54701 + return;
54702 +
54703 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
54704 + rlim = task->signal->rlim[res].rlim_max;
54705 + else
54706 + rlim = task->signal->rlim[res].rlim_cur;
54707 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
54708 + return;
54709 +
54710 + rcu_read_lock();
54711 + cred = __task_cred(task);
54712 +
54713 + if (res == RLIMIT_NPROC &&
54714 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
54715 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
54716 + goto out_rcu_unlock;
54717 + else if (res == RLIMIT_MEMLOCK &&
54718 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
54719 + goto out_rcu_unlock;
54720 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
54721 + goto out_rcu_unlock;
54722 + rcu_read_unlock();
54723 +
54724 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
54725 +
54726 + return;
54727 +out_rcu_unlock:
54728 + rcu_read_unlock();
54729 + return;
54730 +}
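Review bot: gr_log_resource() indexes restab_log[] and task->signal->rlim[] with `res` without first checking that it is in range; the only test is `!restab_log[res]`, which itself reads the table. A negative or too-large `res` would read out of bounds, so I would fold a range check into that guard: `if (unlikely(res < 0 || res >= (int)ARRAY_SIZE(restab_log) || !restab_log[res])) return;`. The table also names GR_CRASH_RES; if that constant lies outside the per-task rlim array (its definition is not in this hunk), the rlim lookup needs its own guard for that value.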
54731 diff -urNp linux-2.6.32.46/grsecurity/gracl_segv.c linux-2.6.32.46/grsecurity/gracl_segv.c
54732 --- linux-2.6.32.46/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
54733 +++ linux-2.6.32.46/grsecurity/gracl_segv.c 2011-04-17 15:56:46.000000000 -0400
54734 @@ -0,0 +1,284 @@
54735 +#include <linux/kernel.h>
54736 +#include <linux/mm.h>
54737 +#include <asm/uaccess.h>
54738 +#include <asm/errno.h>
54739 +#include <asm/mman.h>
54740 +#include <net/sock.h>
54741 +#include <linux/file.h>
54742 +#include <linux/fs.h>
54743 +#include <linux/net.h>
54744 +#include <linux/in.h>
54745 +#include <linux/smp_lock.h>
54746 +#include <linux/slab.h>
54747 +#include <linux/types.h>
54748 +#include <linux/sched.h>
54749 +#include <linux/timer.h>
54750 +#include <linux/gracl.h>
54751 +#include <linux/grsecurity.h>
54752 +#include <linux/grinternal.h>
54753 +
54754 +static struct crash_uid *uid_set;
54755 +static unsigned short uid_used;
54756 +static DEFINE_SPINLOCK(gr_uid_lock);
54757 +extern rwlock_t gr_inode_lock;
54758 +extern struct acl_subject_label *
54759 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
54760 + struct acl_role_label *role);
54761 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
54762 +
54763 +int
54764 +gr_init_uidset(void)
54765 +{
54766 + uid_set =
54767 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
54768 + uid_used = 0;
54769 +
54770 + return uid_set ? 1 : 0;
54771 +}
54772 +
54773 +void
54774 +gr_free_uidset(void)
54775 +{
54776 + if (uid_set)
54777 + kfree(uid_set);
54778 +
54779 + return;
54780 +}
54781 +
54782 +int
54783 +gr_find_uid(const uid_t uid)
54784 +{
54785 + struct crash_uid *tmp = uid_set;
54786 + uid_t buid;
54787 + int low = 0, high = uid_used - 1, mid;
54788 +
54789 + while (high >= low) {
54790 + mid = (low + high) >> 1;
54791 + buid = tmp[mid].uid;
54792 + if (buid == uid)
54793 + return mid;
54794 + if (buid > uid)
54795 + high = mid - 1;
54796 + if (buid < uid)
54797 + low = mid + 1;
54798 + }
54799 +
54800 + return -1;
54801 +}
54802 +
54803 +static __inline__ void
54804 +gr_insertsort(void)
54805 +{
54806 + unsigned short i, j;
54807 + struct crash_uid index;
54808 +
54809 + for (i = 1; i < uid_used; i++) {
54810 + index = uid_set[i];
54811 + j = i;
54812 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
54813 + uid_set[j] = uid_set[j - 1];
54814 + j--;
54815 + }
54816 + uid_set[j] = index;
54817 + }
54818 +
54819 + return;
54820 +}
54821 +
54822 +static __inline__ void
54823 +gr_insert_uid(const uid_t uid, const unsigned long expires)
54824 +{
54825 + int loc;
54826 +
54827 + if (uid_used == GR_UIDTABLE_MAX)
54828 + return;
54829 +
54830 + loc = gr_find_uid(uid);
54831 +
54832 + if (loc >= 0) {
54833 + uid_set[loc].expires = expires;
54834 + return;
54835 + }
54836 +
54837 + uid_set[uid_used].uid = uid;
54838 + uid_set[uid_used].expires = expires;
54839 + uid_used++;
54840 +
54841 + gr_insertsort();
54842 +
54843 + return;
54844 +}
54845 +
54846 +void
54847 +gr_remove_uid(const unsigned short loc)
54848 +{
54849 + unsigned short i;
54850 +
54851 + for (i = loc + 1; i < uid_used; i++)
54852 + uid_set[i - 1] = uid_set[i];
54853 +
54854 + uid_used--;
54855 +
54856 + return;
54857 +}
54858 +
54859 +int
54860 +gr_check_crash_uid(const uid_t uid)
54861 +{
54862 + int loc;
54863 + int ret = 0;
54864 +
54865 + if (unlikely(!gr_acl_is_enabled()))
54866 + return 0;
54867 +
54868 + spin_lock(&gr_uid_lock);
54869 + loc = gr_find_uid(uid);
54870 +
54871 + if (loc < 0)
54872 + goto out_unlock;
54873 +
54874 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
54875 + gr_remove_uid(loc);
54876 + else
54877 + ret = 1;
54878 +
54879 +out_unlock:
54880 + spin_unlock(&gr_uid_lock);
54881 + return ret;
54882 +}
54883 +
54884 +static __inline__ int
54885 +proc_is_setxid(const struct cred *cred)
54886 +{
54887 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
54888 + cred->uid != cred->fsuid)
54889 + return 1;
54890 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
54891 + cred->gid != cred->fsgid)
54892 + return 1;
54893 +
54894 + return 0;
54895 +}
54896 +
54897 +void
54898 +gr_handle_crash(struct task_struct *task, const int sig)
54899 +{
54900 + struct acl_subject_label *curr;
54901 + struct acl_subject_label *curr2;
54902 + struct task_struct *tsk, *tsk2;
54903 + const struct cred *cred;
54904 + const struct cred *cred2;
54905 +
54906 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
54907 + return;
54908 +
54909 + if (unlikely(!gr_acl_is_enabled()))
54910 + return;
54911 +
54912 + curr = task->acl;
54913 +
54914 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
54915 + return;
54916 +
54917 + if (time_before_eq(curr->expires, get_seconds())) {
54918 + curr->expires = 0;
54919 + curr->crashes = 0;
54920 + }
54921 +
54922 + curr->crashes++;
54923 +
54924 + if (!curr->expires)
54925 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
54926 +
54927 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
54928 + time_after(curr->expires, get_seconds())) {
54929 + rcu_read_lock();
54930 + cred = __task_cred(task);
54931 + if (cred->uid && proc_is_setxid(cred)) {
54932 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
54933 + spin_lock(&gr_uid_lock);
54934 + gr_insert_uid(cred->uid, curr->expires);
54935 + spin_unlock(&gr_uid_lock);
54936 + curr->expires = 0;
54937 + curr->crashes = 0;
54938 + read_lock(&tasklist_lock);
54939 + do_each_thread(tsk2, tsk) {
54940 + cred2 = __task_cred(tsk);
54941 + if (tsk != task && cred2->uid == cred->uid)
54942 + gr_fake_force_sig(SIGKILL, tsk);
54943 + } while_each_thread(tsk2, tsk);
54944 + read_unlock(&tasklist_lock);
54945 + } else {
54946 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
54947 + read_lock(&tasklist_lock);
54948 + do_each_thread(tsk2, tsk) {
54949 + if (likely(tsk != task)) {
54950 + curr2 = tsk->acl;
54951 +
54952 + if (curr2->device == curr->device &&
54953 + curr2->inode == curr->inode)
54954 + gr_fake_force_sig(SIGKILL, tsk);
54955 + }
54956 + } while_each_thread(tsk2, tsk);
54957 + read_unlock(&tasklist_lock);
54958 + }
54959 + rcu_read_unlock();
54960 + }
54961 +
54962 + return;
54963 +}
54964 +
54965 +int
54966 +gr_check_crash_exec(const struct file *filp)
54967 +{
54968 + struct acl_subject_label *curr;
54969 +
54970 + if (unlikely(!gr_acl_is_enabled()))
54971 + return 0;
54972 +
54973 + read_lock(&gr_inode_lock);
54974 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
54975 + filp->f_path.dentry->d_inode->i_sb->s_dev,
54976 + current->role);
54977 + read_unlock(&gr_inode_lock);
54978 +
54979 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
54980 + (!curr->crashes && !curr->expires))
54981 + return 0;
54982 +
54983 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
54984 + time_after(curr->expires, get_seconds()))
54985 + return 1;
54986 + else if (time_before_eq(curr->expires, get_seconds())) {
54987 + curr->crashes = 0;
54988 + curr->expires = 0;
54989 + }
54990 +
54991 + return 0;
54992 +}
54993 +
54994 +void
54995 +gr_handle_alertkill(struct task_struct *task)
54996 +{
54997 + struct acl_subject_label *curracl;
54998 + __u32 curr_ip;
54999 + struct task_struct *p, *p2;
55000 +
55001 + if (unlikely(!gr_acl_is_enabled()))
55002 + return;
55003 +
55004 + curracl = task->acl;
55005 + curr_ip = task->signal->curr_ip;
55006 +
55007 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
55008 + read_lock(&tasklist_lock);
55009 + do_each_thread(p2, p) {
55010 + if (p->signal->curr_ip == curr_ip)
55011 + gr_fake_force_sig(SIGKILL, p);
55012 + } while_each_thread(p2, p);
55013 + read_unlock(&tasklist_lock);
55014 + } else if (curracl->mode & GR_KILLPROC)
55015 + gr_fake_force_sig(SIGKILL, task);
55016 +
55017 + return;
55018 +}
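Review bot: gr_insert_uid() returns silently when uid_used == GR_UIDTABLE_MAX, so once the table is full the uid ban that gr_handle_crash() has just logged is never recorded and gr_check_crash_uid() keeps answering 0 for that uid. Expired entries are only dropped when gr_check_crash_uid() happens to look up that same uid, so stale rows can keep the table full. Compacting expired rows before giving up keeps the lockout effective; the visible caller already holds gr_uid_lock, and a single forward pass preserves the sort order gr_find_uid() relies on. A smaller point in the same file: gr_free_uidset() leaves uid_set dangling, and `uid_set = NULL; uid_used = 0;` after the kfree() would make a later lookup harmless.

```c
gr_insert_uid(const uid_t uid, const unsigned long expires)
{
	/* … unchanged: declaration of loc … */

	if (uid_used == GR_UIDTABLE_MAX) {
		unsigned short i, kept = 0;

		/* drop bans that have already expired to make room */
		for (i = 0; i < uid_used; i++) {
			if (time_after(uid_set[i].expires, get_seconds()))
				uid_set[kept++] = uid_set[i];
		}
		uid_used = kept;
		if (uid_used == GR_UIDTABLE_MAX)
			return;
	}

	/* … unchanged: gr_find_uid() update-in-place, append, gr_insertsort() … */
}
```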
55019 diff -urNp linux-2.6.32.46/grsecurity/gracl_shm.c linux-2.6.32.46/grsecurity/gracl_shm.c
55020 --- linux-2.6.32.46/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
55021 +++ linux-2.6.32.46/grsecurity/gracl_shm.c 2011-04-17 15:56:46.000000000 -0400
55022 @@ -0,0 +1,40 @@
55023 +#include <linux/kernel.h>
55024 +#include <linux/mm.h>
55025 +#include <linux/sched.h>
55026 +#include <linux/file.h>
55027 +#include <linux/ipc.h>
55028 +#include <linux/gracl.h>
55029 +#include <linux/grsecurity.h>
55030 +#include <linux/grinternal.h>
55031 +
55032 +int
55033 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
55034 + const time_t shm_createtime, const uid_t cuid, const int shmid)
55035 +{
55036 + struct task_struct *task;
55037 +
55038 + if (!gr_acl_is_enabled())
55039 + return 1;
55040 +
55041 + rcu_read_lock();
55042 + read_lock(&tasklist_lock);
55043 +
55044 + task = find_task_by_vpid(shm_cprid);
55045 +
55046 + if (unlikely(!task))
55047 + task = find_task_by_vpid(shm_lapid);
55048 +
55049 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
55050 + (task->pid == shm_lapid)) &&
55051 + (task->acl->mode & GR_PROTSHM) &&
55052 + (task->acl != current->acl))) {
55053 + read_unlock(&tasklist_lock);
55054 + rcu_read_unlock();
55055 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
55056 + return 0;
55057 + }
55058 + read_unlock(&tasklist_lock);
55059 + rcu_read_unlock();
55060 +
55061 + return 1;
55062 +}
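Review bot: The pid-reuse test in gr_handle_shmat() compares `task->start_time.tv_sec` with `shm_createtime`, and the two are only comparable if they come from the same clock. In mainline 2.6.32 task->start_time is taken from the monotonic clock, so if shm_createtime is stamped with wall-clock seconds (the assignment is outside this hunk) the `time_before_eq()` branch is true for practically every task and a recycled creator pid is treated as the original creator. I would stamp the segment from the same clock base at creation and document the contract here, e.g. `/* shm_createtime must be in the same time base as task->start_time */`. The function also returns 1 for allow and 0 for deny, which deserves a one-line comment above it.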
55063 diff -urNp linux-2.6.32.46/grsecurity/grsec_chdir.c linux-2.6.32.46/grsecurity/grsec_chdir.c
55064 --- linux-2.6.32.46/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
55065 +++ linux-2.6.32.46/grsecurity/grsec_chdir.c 2011-04-17 15:56:46.000000000 -0400
55066 @@ -0,0 +1,19 @@
55067 +#include <linux/kernel.h>
55068 +#include <linux/sched.h>
55069 +#include <linux/fs.h>
55070 +#include <linux/file.h>
55071 +#include <linux/grsecurity.h>
55072 +#include <linux/grinternal.h>
55073 +
55074 +void
55075 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
55076 +{
55077 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
55078 + if ((grsec_enable_chdir && grsec_enable_group &&
55079 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
55080 + !grsec_enable_group)) {
55081 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
55082 + }
55083 +#endif
55084 + return;
55085 +}
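Review bot: The condition in gr_log_chdir() tests grsec_enable_chdir twice and is harder to read than it needs to be; `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))` is equivalent and makes the role of the group filter obvious. The trailing `return;` in a void function can go as well.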
55086 diff -urNp linux-2.6.32.46/grsecurity/grsec_chroot.c linux-2.6.32.46/grsecurity/grsec_chroot.c
55087 --- linux-2.6.32.46/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
55088 +++ linux-2.6.32.46/grsecurity/grsec_chroot.c 2011-07-18 17:14:10.000000000 -0400
55089 @@ -0,0 +1,384 @@
55090 +#include <linux/kernel.h>
55091 +#include <linux/module.h>
55092 +#include <linux/sched.h>
55093 +#include <linux/file.h>
55094 +#include <linux/fs.h>
55095 +#include <linux/mount.h>
55096 +#include <linux/types.h>
55097 +#include <linux/pid_namespace.h>
55098 +#include <linux/grsecurity.h>
55099 +#include <linux/grinternal.h>
55100 +
55101 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
55102 +{
55103 +#ifdef CONFIG_GRKERNSEC
55104 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
55105 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
55106 + task->gr_is_chrooted = 1;
55107 + else
55108 + task->gr_is_chrooted = 0;
55109 +
55110 + task->gr_chroot_dentry = path->dentry;
55111 +#endif
55112 + return;
55113 +}
55114 +
55115 +void gr_clear_chroot_entries(struct task_struct *task)
55116 +{
55117 +#ifdef CONFIG_GRKERNSEC
55118 + task->gr_is_chrooted = 0;
55119 + task->gr_chroot_dentry = NULL;
55120 +#endif
55121 + return;
55122 +}
55123 +
55124 +int
55125 +gr_handle_chroot_unix(const pid_t pid)
55126 +{
55127 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
55128 + struct task_struct *p;
55129 +
55130 + if (unlikely(!grsec_enable_chroot_unix))
55131 + return 1;
55132 +
55133 + if (likely(!proc_is_chrooted(current)))
55134 + return 1;
55135 +
55136 + rcu_read_lock();
55137 + read_lock(&tasklist_lock);
55138 +
55139 + p = find_task_by_vpid_unrestricted(pid);
55140 + if (unlikely(p && !have_same_root(current, p))) {
55141 + read_unlock(&tasklist_lock);
55142 + rcu_read_unlock();
55143 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
55144 + return 0;
55145 + }
55146 + read_unlock(&tasklist_lock);
55147 + rcu_read_unlock();
55148 +#endif
55149 + return 1;
55150 +}
55151 +
55152 +int
55153 +gr_handle_chroot_nice(void)
55154 +{
55155 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
55156 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
55157 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
55158 + return -EPERM;
55159 + }
55160 +#endif
55161 + return 0;
55162 +}
55163 +
55164 +int
55165 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
55166 +{
55167 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
55168 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
55169 + && proc_is_chrooted(current)) {
55170 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
55171 + return -EACCES;
55172 + }
55173 +#endif
55174 + return 0;
55175 +}
55176 +
55177 +int
55178 +gr_handle_chroot_rawio(const struct inode *inode)
55179 +{
55180 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
55181 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
55182 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
55183 + return 1;
55184 +#endif
55185 + return 0;
55186 +}
55187 +
55188 +int
55189 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
55190 +{
55191 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
55192 + struct task_struct *p;
55193 + int ret = 0;
55194 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
55195 + return ret;
55196 +
55197 + read_lock(&tasklist_lock);
55198 + do_each_pid_task(pid, type, p) {
55199 + if (!have_same_root(current, p)) {
55200 + ret = 1;
55201 + goto out;
55202 + }
55203 + } while_each_pid_task(pid, type, p);
55204 +out:
55205 + read_unlock(&tasklist_lock);
55206 + return ret;
55207 +#endif
55208 + return 0;
55209 +}
55210 +
55211 +int
55212 +gr_pid_is_chrooted(struct task_struct *p)
55213 +{
55214 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
55215 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
55216 + return 0;
55217 +
55218 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
55219 + !have_same_root(current, p)) {
55220 + return 1;
55221 + }
55222 +#endif
55223 + return 0;
55224 +}
55225 +
55226 +EXPORT_SYMBOL(gr_pid_is_chrooted);
55227 +
55228 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
55229 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
55230 +{
55231 + struct dentry *dentry = (struct dentry *)u_dentry;
55232 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
55233 + struct dentry *realroot;
55234 + struct vfsmount *realrootmnt;
55235 + struct dentry *currentroot;
55236 + struct vfsmount *currentmnt;
55237 + struct task_struct *reaper = &init_task;
55238 + int ret = 1;
55239 +
55240 + read_lock(&reaper->fs->lock);
55241 + realrootmnt = mntget(reaper->fs->root.mnt);
55242 + realroot = dget(reaper->fs->root.dentry);
55243 + read_unlock(&reaper->fs->lock);
55244 +
55245 + read_lock(&current->fs->lock);
55246 + currentmnt = mntget(current->fs->root.mnt);
55247 + currentroot = dget(current->fs->root.dentry);
55248 + read_unlock(&current->fs->lock);
55249 +
55250 + spin_lock(&dcache_lock);
55251 + for (;;) {
55252 + if (unlikely((dentry == realroot && mnt == realrootmnt)
55253 + || (dentry == currentroot && mnt == currentmnt)))
55254 + break;
55255 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
55256 + if (mnt->mnt_parent == mnt)
55257 + break;
55258 + dentry = mnt->mnt_mountpoint;
55259 + mnt = mnt->mnt_parent;
55260 + continue;
55261 + }
55262 + dentry = dentry->d_parent;
55263 + }
55264 + spin_unlock(&dcache_lock);
55265 +
55266 + dput(currentroot);
55267 + mntput(currentmnt);
55268 +
55269 + /* access is outside of chroot */
55270 + if (dentry == realroot && mnt == realrootmnt)
55271 + ret = 0;
55272 +
55273 + dput(realroot);
55274 + mntput(realrootmnt);
55275 + return ret;
55276 +}
55277 +#endif
55278 +
55279 +int
55280 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
55281 +{
55282 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
55283 + if (!grsec_enable_chroot_fchdir)
55284 + return 1;
55285 +
55286 + if (!proc_is_chrooted(current))
55287 + return 1;
55288 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
55289 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
55290 + return 0;
55291 + }
55292 +#endif
55293 + return 1;
55294 +}
55295 +
55296 +int
55297 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
55298 + const time_t shm_createtime)
55299 +{
55300 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
55301 + struct task_struct *p;
55302 + time_t starttime;
55303 +
55304 + if (unlikely(!grsec_enable_chroot_shmat))
55305 + return 1;
55306 +
55307 + if (likely(!proc_is_chrooted(current)))
55308 + return 1;
55309 +
55310 + rcu_read_lock();
55311 + read_lock(&tasklist_lock);
55312 +
55313 + if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
55314 + starttime = p->start_time.tv_sec;
55315 + if (time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime)) {
55316 + if (have_same_root(current, p)) {
55317 + goto allow;
55318 + } else {
55319 + read_unlock(&tasklist_lock);
55320 + rcu_read_unlock();
55321 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
55322 + return 0;
55323 + }
55324 + }
55325 + /* creator exited, pid reuse, fall through to next check */
55326 + }
55327 + if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
55328 + if (unlikely(!have_same_root(current, p))) {
55329 + read_unlock(&tasklist_lock);
55330 + rcu_read_unlock();
55331 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
55332 + return 0;
55333 + }
55334 + }
55335 +
55336 +allow:
55337 + read_unlock(&tasklist_lock);
55338 + rcu_read_unlock();
55339 +#endif
55340 + return 1;
55341 +}
55342 +
55343 +void
55344 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
55345 +{
55346 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
55347 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
55348 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
55349 +#endif
55350 + return;
55351 +}
55352 +
55353 +int
55354 +gr_handle_chroot_mknod(const struct dentry *dentry,
55355 + const struct vfsmount *mnt, const int mode)
55356 +{
55357 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
55358 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
55359 + proc_is_chrooted(current)) {
55360 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
55361 + return -EPERM;
55362 + }
55363 +#endif
55364 + return 0;
55365 +}
55366 +
55367 +int
55368 +gr_handle_chroot_mount(const struct dentry *dentry,
55369 + const struct vfsmount *mnt, const char *dev_name)
55370 +{
55371 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
55372 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
55373 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none" , dentry, mnt);
55374 + return -EPERM;
55375 + }
55376 +#endif
55377 + return 0;
55378 +}
55379 +
55380 +int
55381 +gr_handle_chroot_pivot(void)
55382 +{
55383 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
55384 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
55385 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
55386 + return -EPERM;
55387 + }
55388 +#endif
55389 + return 0;
55390 +}
55391 +
55392 +int
55393 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
55394 +{
55395 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
55396 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
55397 + !gr_is_outside_chroot(dentry, mnt)) {
55398 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
55399 + return -EPERM;
55400 + }
55401 +#endif
55402 + return 0;
55403 +}
55404 +
55405 +int
55406 +gr_handle_chroot_caps(struct path *path)
55407 +{
55408 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
55409 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
55410 + (init_task.fs->root.dentry != path->dentry) &&
55411 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
55412 +
55413 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
55414 + const struct cred *old = current_cred();
55415 + struct cred *new = prepare_creds();
55416 + if (new == NULL)
55417 + return 1;
55418 +
55419 + new->cap_permitted = cap_drop(old->cap_permitted,
55420 + chroot_caps);
55421 + new->cap_inheritable = cap_drop(old->cap_inheritable,
55422 + chroot_caps);
55423 + new->cap_effective = cap_drop(old->cap_effective,
55424 + chroot_caps);
55425 +
55426 + commit_creds(new);
55427 +
55428 + return 0;
55429 + }
55430 +#endif
55431 + return 0;
55432 +}
55433 +
55434 +int
55435 +gr_handle_chroot_sysctl(const int op)
55436 +{
55437 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
55438 + if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
55439 + && (op & MAY_WRITE))
55440 + return -EACCES;
55441 +#endif
55442 + return 0;
55443 +}
55444 +
55445 +void
55446 +gr_handle_chroot_chdir(struct path *path)
55447 +{
55448 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
55449 + if (grsec_enable_chroot_chdir)
55450 + set_fs_pwd(current->fs, path);
55451 +#endif
55452 + return;
55453 +}
55454 +
55455 +int
55456 +gr_handle_chroot_chmod(const struct dentry *dentry,
55457 + const struct vfsmount *mnt, const int mode)
55458 +{
55459 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
55460 + /* allow chmod +s on directories, but not on files */
55461 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
55462 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
55463 + proc_is_chrooted(current)) {
55464 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
55465 + return -EPERM;
55466 + }
55467 +#endif
55468 + return 0;
55469 +}
55470 +
55471 +#ifdef CONFIG_SECURITY
55472 +EXPORT_SYMBOL(gr_handle_chroot_caps);
55473 +#endif
55474 diff -urNp linux-2.6.32.46/grsecurity/grsec_disabled.c linux-2.6.32.46/grsecurity/grsec_disabled.c
55475 --- linux-2.6.32.46/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
55476 +++ linux-2.6.32.46/grsecurity/grsec_disabled.c 2011-04-17 15:56:46.000000000 -0400
55477 @@ -0,0 +1,447 @@
55478 +#include <linux/kernel.h>
55479 +#include <linux/module.h>
55480 +#include <linux/sched.h>
55481 +#include <linux/file.h>
55482 +#include <linux/fs.h>
55483 +#include <linux/kdev_t.h>
55484 +#include <linux/net.h>
55485 +#include <linux/in.h>
55486 +#include <linux/ip.h>
55487 +#include <linux/skbuff.h>
55488 +#include <linux/sysctl.h>
55489 +
55490 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
55491 +void
55492 +pax_set_initial_flags(struct linux_binprm *bprm)
55493 +{
55494 + return;
55495 +}
55496 +#endif
55497 +
55498 +#ifdef CONFIG_SYSCTL
55499 +__u32
55500 +gr_handle_sysctl(const struct ctl_table * table, const int op)
55501 +{
55502 + return 0;
55503 +}
55504 +#endif
55505 +
55506 +#ifdef CONFIG_TASKSTATS
55507 +int gr_is_taskstats_denied(int pid)
55508 +{
55509 + return 0;
55510 +}
55511 +#endif
55512 +
55513 +int
55514 +gr_acl_is_enabled(void)
55515 +{
55516 + return 0;
55517 +}
55518 +
55519 +int
55520 +gr_handle_rawio(const struct inode *inode)
55521 +{
55522 + return 0;
55523 +}
55524 +
55525 +void
55526 +gr_acl_handle_psacct(struct task_struct *task, const long code)
55527 +{
55528 + return;
55529 +}
55530 +
55531 +int
55532 +gr_handle_ptrace(struct task_struct *task, const long request)
55533 +{
55534 + return 0;
55535 +}
55536 +
55537 +int
55538 +gr_handle_proc_ptrace(struct task_struct *task)
55539 +{
55540 + return 0;
55541 +}
55542 +
55543 +void
55544 +gr_learn_resource(const struct task_struct *task,
55545 + const int res, const unsigned long wanted, const int gt)
55546 +{
55547 + return;
55548 +}
55549 +
55550 +int
55551 +gr_set_acls(const int type)
55552 +{
55553 + return 0;
55554 +}
55555 +
55556 +int
55557 +gr_check_hidden_task(const struct task_struct *tsk)
55558 +{
55559 + return 0;
55560 +}
55561 +
55562 +int
55563 +gr_check_protected_task(const struct task_struct *task)
55564 +{
55565 + return 0;
55566 +}
55567 +
55568 +int
55569 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
55570 +{
55571 + return 0;
55572 +}
55573 +
55574 +void
55575 +gr_copy_label(struct task_struct *tsk)
55576 +{
55577 + return;
55578 +}
55579 +
55580 +void
55581 +gr_set_pax_flags(struct task_struct *task)
55582 +{
55583 + return;
55584 +}
55585 +
55586 +int
55587 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
55588 + const int unsafe_share)
55589 +{
55590 + return 0;
55591 +}
55592 +
55593 +void
55594 +gr_handle_delete(const ino_t ino, const dev_t dev)
55595 +{
55596 + return;
55597 +}
55598 +
55599 +void
55600 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
55601 +{
55602 + return;
55603 +}
55604 +
55605 +void
55606 +gr_handle_crash(struct task_struct *task, const int sig)
55607 +{
55608 + return;
55609 +}
55610 +
55611 +int
55612 +gr_check_crash_exec(const struct file *filp)
55613 +{
55614 + return 0;
55615 +}
55616 +
55617 +int
55618 +gr_check_crash_uid(const uid_t uid)
55619 +{
55620 + return 0;
55621 +}
55622 +
55623 +void
55624 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
55625 + struct dentry *old_dentry,
55626 + struct dentry *new_dentry,
55627 + struct vfsmount *mnt, const __u8 replace)
55628 +{
55629 + return;
55630 +}
55631 +
55632 +int
55633 +gr_search_socket(const int family, const int type, const int protocol)
55634 +{
55635 + return 1;
55636 +}
55637 +
55638 +int
55639 +gr_search_connectbind(const int mode, const struct socket *sock,
55640 + const struct sockaddr_in *addr)
55641 +{
55642 + return 0;
55643 +}
55644 +
55645 +int
55646 +gr_is_capable(const int cap)
55647 +{
55648 + return 1;
55649 +}
55650 +
55651 +int
55652 +gr_is_capable_nolog(const int cap)
55653 +{
55654 + return 1;
55655 +}
55656 +
55657 +void
55658 +gr_handle_alertkill(struct task_struct *task)
55659 +{
55660 + return;
55661 +}
55662 +
55663 +__u32
55664 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
55665 +{
55666 + return 1;
55667 +}
55668 +
55669 +__u32
55670 +gr_acl_handle_hidden_file(const struct dentry * dentry,
55671 + const struct vfsmount * mnt)
55672 +{
55673 + return 1;
55674 +}
55675 +
55676 +__u32
55677 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
55678 + const int fmode)
55679 +{
55680 + return 1;
55681 +}
55682 +
55683 +__u32
55684 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
55685 +{
55686 + return 1;
55687 +}
55688 +
55689 +__u32
55690 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
55691 +{
55692 + return 1;
55693 +}
55694 +
55695 +int
55696 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
55697 + unsigned int *vm_flags)
55698 +{
55699 + return 1;
55700 +}
55701 +
55702 +__u32
55703 +gr_acl_handle_truncate(const struct dentry * dentry,
55704 + const struct vfsmount * mnt)
55705 +{
55706 + return 1;
55707 +}
55708 +
55709 +__u32
55710 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
55711 +{
55712 + return 1;
55713 +}
55714 +
55715 +__u32
55716 +gr_acl_handle_access(const struct dentry * dentry,
55717 + const struct vfsmount * mnt, const int fmode)
55718 +{
55719 + return 1;
55720 +}
55721 +
55722 +__u32
55723 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
55724 + mode_t mode)
55725 +{
55726 + return 1;
55727 +}
55728 +
55729 +__u32
55730 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
55731 + mode_t mode)
55732 +{
55733 + return 1;
55734 +}
55735 +
55736 +__u32
55737 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
55738 +{
55739 + return 1;
55740 +}
55741 +
55742 +__u32
55743 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
55744 +{
55745 + return 1;
55746 +}
55747 +
55748 +void
55749 +grsecurity_init(void)
55750 +{
55751 + return;
55752 +}
55753 +
55754 +__u32
55755 +gr_acl_handle_mknod(const struct dentry * new_dentry,
55756 + const struct dentry * parent_dentry,
55757 + const struct vfsmount * parent_mnt,
55758 + const int mode)
55759 +{
55760 + return 1;
55761 +}
55762 +
55763 +__u32
55764 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
55765 + const struct dentry * parent_dentry,
55766 + const struct vfsmount * parent_mnt)
55767 +{
55768 + return 1;
55769 +}
55770 +
55771 +__u32
55772 +gr_acl_handle_symlink(const struct dentry * new_dentry,
55773 + const struct dentry * parent_dentry,
55774 + const struct vfsmount * parent_mnt, const char *from)
55775 +{
55776 + return 1;
55777 +}
55778 +
55779 +__u32
55780 +gr_acl_handle_link(const struct dentry * new_dentry,
55781 + const struct dentry * parent_dentry,
55782 + const struct vfsmount * parent_mnt,
55783 + const struct dentry * old_dentry,
55784 + const struct vfsmount * old_mnt, const char *to)
55785 +{
55786 + return 1;
55787 +}
55788 +
55789 +int
55790 +gr_acl_handle_rename(const struct dentry *new_dentry,
55791 + const struct dentry *parent_dentry,
55792 + const struct vfsmount *parent_mnt,
55793 + const struct dentry *old_dentry,
55794 + const struct inode *old_parent_inode,
55795 + const struct vfsmount *old_mnt, const char *newname)
55796 +{
55797 + return 0;
55798 +}
55799 +
55800 +int
55801 +gr_acl_handle_filldir(const struct file *file, const char *name,
55802 + const int namelen, const ino_t ino)
55803 +{
55804 + return 1;
55805 +}
55806 +
55807 +int
55808 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
55809 + const time_t shm_createtime, const uid_t cuid, const int shmid)
55810 +{
55811 + return 1;
55812 +}
55813 +
55814 +int
55815 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
55816 +{
55817 + return 0;
55818 +}
55819 +
55820 +int
55821 +gr_search_accept(const struct socket *sock)
55822 +{
55823 + return 0;
55824 +}
55825 +
55826 +int
55827 +gr_search_listen(const struct socket *sock)
55828 +{
55829 + return 0;
55830 +}
55831 +
55832 +int
55833 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
55834 +{
55835 + return 0;
55836 +}
55837 +
55838 +__u32
55839 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
55840 +{
55841 + return 1;
55842 +}
55843 +
55844 +__u32
55845 +gr_acl_handle_creat(const struct dentry * dentry,
55846 + const struct dentry * p_dentry,
55847 + const struct vfsmount * p_mnt, const int fmode,
55848 + const int imode)
55849 +{
55850 + return 1;
55851 +}
55852 +
55853 +void
55854 +gr_acl_handle_exit(void)
55855 +{
55856 + return;
55857 +}
55858 +
55859 +int
55860 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
55861 +{
55862 + return 1;
55863 +}
55864 +
55865 +void
55866 +gr_set_role_label(const uid_t uid, const gid_t gid)
55867 +{
55868 + return;
55869 +}
55870 +
55871 +int
55872 +gr_acl_handle_procpidmem(const struct task_struct *task)
55873 +{
55874 + return 0;
55875 +}
55876 +
55877 +int
55878 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
55879 +{
55880 + return 0;
55881 +}
55882 +
55883 +int
55884 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
55885 +{
55886 + return 0;
55887 +}
55888 +
55889 +void
55890 +gr_set_kernel_label(struct task_struct *task)
55891 +{
55892 + return;
55893 +}
55894 +
55895 +int
55896 +gr_check_user_change(int real, int effective, int fs)
55897 +{
55898 + return 0;
55899 +}
55900 +
55901 +int
55902 +gr_check_group_change(int real, int effective, int fs)
55903 +{
55904 + return 0;
55905 +}
55906 +
55907 +int gr_acl_enable_at_secure(void)
55908 +{
55909 + return 0;
55910 +}
55911 +
55912 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
55913 +{
55914 + return dentry->d_inode->i_sb->s_dev;
55915 +}
55916 +
55917 +EXPORT_SYMBOL(gr_is_capable);
55918 +EXPORT_SYMBOL(gr_is_capable_nolog);
55919 +EXPORT_SYMBOL(gr_learn_resource);
55920 +EXPORT_SYMBOL(gr_set_kernel_label);
55921 +#ifdef CONFIG_SECURITY
55922 +EXPORT_SYMBOL(gr_check_user_change);
55923 +EXPORT_SYMBOL(gr_check_group_change);
55924 +#endif
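Review bot: The stubs in grsec_disabled.c never say which return value means "permitted", and the convention differs between families: `gr_search_socket`, `gr_is_capable` and the `gr_acl_handle_*` lookups return 1, while `gr_search_connectbind`, `gr_search_bind`, `gr_handle_ptrace` and `gr_acl_handle_rename` return 0. Presumably every stub is meant to be permissive, but someone auditing a call site cannot confirm that from this file, so a one-line comment per group would help, for example `/* boolean hooks: non-zero = permitted */` and `/* errno-style hooks: 0 = permitted */`. `gr_get_dev_from_dentry` is the only function here that dereferences its argument (`dentry->d_inode->i_sb->s_dev`). If a caller can pass a negative dentry, that is a NULL dereference, so the precondition deserves a comment as well.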
55925 diff -urNp linux-2.6.32.46/grsecurity/grsec_exec.c linux-2.6.32.46/grsecurity/grsec_exec.c
55926 --- linux-2.6.32.46/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
55927 +++ linux-2.6.32.46/grsecurity/grsec_exec.c 2011-08-11 19:57:19.000000000 -0400
55928 @@ -0,0 +1,132 @@
55929 +#include <linux/kernel.h>
55930 +#include <linux/sched.h>
55931 +#include <linux/file.h>
55932 +#include <linux/binfmts.h>
55933 +#include <linux/smp_lock.h>
55934 +#include <linux/fs.h>
55935 +#include <linux/types.h>
55936 +#include <linux/grdefs.h>
55937 +#include <linux/grinternal.h>
55938 +#include <linux/capability.h>
55939 +#include <linux/compat.h>
55940 +
55941 +#include <asm/uaccess.h>
55942 +
55943 +#ifdef CONFIG_GRKERNSEC_EXECLOG
55944 +static char gr_exec_arg_buf[132];
55945 +static DEFINE_MUTEX(gr_exec_arg_mutex);
55946 +#endif
55947 +
55948 +void
55949 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
55950 +{
55951 +#ifdef CONFIG_GRKERNSEC_EXECLOG
55952 + char *grarg = gr_exec_arg_buf;
55953 + unsigned int i, x, execlen = 0;
55954 + char c;
55955 +
55956 + if (!((grsec_enable_execlog && grsec_enable_group &&
55957 + in_group_p(grsec_audit_gid))
55958 + || (grsec_enable_execlog && !grsec_enable_group)))
55959 + return;
55960 +
55961 + mutex_lock(&gr_exec_arg_mutex);
55962 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
55963 +
55964 + if (unlikely(argv == NULL))
55965 + goto log;
55966 +
55967 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
55968 + const char __user *p;
55969 + unsigned int len;
55970 +
55971 + if (copy_from_user(&p, argv + i, sizeof(p)))
55972 + goto log;
55973 + if (!p)
55974 + goto log;
55975 + len = strnlen_user(p, 128 - execlen);
55976 + if (len > 128 - execlen)
55977 + len = 128 - execlen;
55978 + else if (len > 0)
55979 + len--;
55980 + if (copy_from_user(grarg + execlen, p, len))
55981 + goto log;
55982 +
55983 + /* rewrite unprintable characters */
55984 + for (x = 0; x < len; x++) {
55985 + c = *(grarg + execlen + x);
55986 + if (c < 32 || c > 126)
55987 + *(grarg + execlen + x) = ' ';
55988 + }
55989 +
55990 + execlen += len;
55991 + *(grarg + execlen) = ' ';
55992 + *(grarg + execlen + 1) = '\0';
55993 + execlen++;
55994 + }
55995 +
55996 + log:
55997 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
55998 + bprm->file->f_path.mnt, grarg);
55999 + mutex_unlock(&gr_exec_arg_mutex);
56000 +#endif
56001 + return;
56002 +}
56003 +
56004 +#ifdef CONFIG_COMPAT
56005 +void
56006 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
56007 +{
56008 +#ifdef CONFIG_GRKERNSEC_EXECLOG
56009 + char *grarg = gr_exec_arg_buf;
56010 + unsigned int i, x, execlen = 0;
56011 + char c;
56012 +
56013 + if (!((grsec_enable_execlog && grsec_enable_group &&
56014 + in_group_p(grsec_audit_gid))
56015 + || (grsec_enable_execlog && !grsec_enable_group)))
56016 + return;
56017 +
56018 + mutex_lock(&gr_exec_arg_mutex);
56019 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
56020 +
56021 + if (unlikely(argv == NULL))
56022 + goto log;
56023 +
56024 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
56025 + compat_uptr_t p;
56026 + unsigned int len;
56027 +
56028 + if (get_user(p, argv + i))
56029 + goto log;
56030 + len = strnlen_user(compat_ptr(p), 128 - execlen);
56031 + if (len > 128 - execlen)
56032 + len = 128 - execlen;
56033 + else if (len > 0)
56034 + len--;
56035 + else
56036 + goto log;
56037 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
56038 + goto log;
56039 +
56040 + /* rewrite unprintable characters */
56041 + for (x = 0; x < len; x++) {
56042 + c = *(grarg + execlen + x);
56043 + if (c < 32 || c > 126)
56044 + *(grarg + execlen + x) = ' ';
56045 + }
56046 +
56047 + execlen += len;
56048 + *(grarg + execlen) = ' ';
56049 + *(grarg + execlen + 1) = '\0';
56050 + execlen++;
56051 + }
56052 +
56053 + log:
56054 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
56055 + bprm->file->f_path.mnt, grarg);
56056 + mutex_unlock(&gr_exec_arg_mutex);
56057 +#endif
56058 + return;
56059 +}
56060 +#endif
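Review bot: In `gr_handle_exec_args` a zero return from `strnlen_user()` (its fault indication) is not treated as an error: `len` stays 0, nothing is copied, a space is appended and the loop moves on to the next argument. `gr_handle_exec_args_compat` bails out in the same situation with `else goto log;`, so the native path should get the same branch after `len--;`. The two bodies are otherwise line-for-line copies, and a shared static helper that takes the already-fetched user pointer would stop them drifting apart again. It is also worth a comment that the arguments are read from user memory here rather than taken from the copy exec itself uses (that copy is not visible in this hunk), so the audit record is best-effort and may not match what was actually executed.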
56061 diff -urNp linux-2.6.32.46/grsecurity/grsec_fifo.c linux-2.6.32.46/grsecurity/grsec_fifo.c
56062 --- linux-2.6.32.46/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
56063 +++ linux-2.6.32.46/grsecurity/grsec_fifo.c 2011-04-17 15:56:46.000000000 -0400
56064 @@ -0,0 +1,24 @@
56065 +#include <linux/kernel.h>
56066 +#include <linux/sched.h>
56067 +#include <linux/fs.h>
56068 +#include <linux/file.h>
56069 +#include <linux/grinternal.h>
56070 +
56071 +int
56072 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
56073 + const struct dentry *dir, const int flag, const int acc_mode)
56074 +{
56075 +#ifdef CONFIG_GRKERNSEC_FIFO
56076 + const struct cred *cred = current_cred();
56077 +
56078 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
56079 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
56080 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
56081 + (cred->fsuid != dentry->d_inode->i_uid)) {
56082 + if (!inode_permission(dentry->d_inode, acc_mode))
56083 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
56084 + return -EACCES;
56085 + }
56086 +#endif
56087 + return 0;
56088 +}
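Review bot: The `if (!inode_permission(dentry->d_inode, acc_mode))` in `gr_handle_fifo` guards only the `gr_log_fs_int2()` call, and the `return -EACCES;` after it is unconditional, but without braces or a comment it reads like a missing-brace slip. I would brace the log call and put `/* deny regardless; log only when DAC alone would have allowed the open */` above it. The outer condition dereferences `dentry->d_inode` and `dir->d_inode` unchecked, so a short header comment stating that callers pass positive dentries would document the precondition.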
56089 diff -urNp linux-2.6.32.46/grsecurity/grsec_fork.c linux-2.6.32.46/grsecurity/grsec_fork.c
56090 --- linux-2.6.32.46/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
56091 +++ linux-2.6.32.46/grsecurity/grsec_fork.c 2011-04-17 15:56:46.000000000 -0400
56092 @@ -0,0 +1,23 @@
56093 +#include <linux/kernel.h>
56094 +#include <linux/sched.h>
56095 +#include <linux/grsecurity.h>
56096 +#include <linux/grinternal.h>
56097 +#include <linux/errno.h>
56098 +
56099 +void
56100 +gr_log_forkfail(const int retval)
56101 +{
56102 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
56103 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
56104 + switch (retval) {
56105 + case -EAGAIN:
56106 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
56107 + break;
56108 + case -ENOMEM:
56109 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
56110 + break;
56111 + }
56112 + }
56113 +#endif
56114 + return;
56115 +}
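Review bot: The outer test `retval == -EAGAIN || retval == -ENOMEM` in `gr_log_forkfail` repeats what the `switch` below it already decides, so the two lists of error codes have to be kept in step by hand. Reducing it to `if (grsec_enable_forkfail) {` and giving the switch a `default: break;` keeps the behaviour and leaves a single place to extend. The trailing `return;` in a void function can be dropped.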
56116 diff -urNp linux-2.6.32.46/grsecurity/grsec_init.c linux-2.6.32.46/grsecurity/grsec_init.c
56117 --- linux-2.6.32.46/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
56118 +++ linux-2.6.32.46/grsecurity/grsec_init.c 2011-08-11 19:57:42.000000000 -0400
56119 @@ -0,0 +1,270 @@
56120 +#include <linux/kernel.h>
56121 +#include <linux/sched.h>
56122 +#include <linux/mm.h>
56123 +#include <linux/smp_lock.h>
56124 +#include <linux/gracl.h>
56125 +#include <linux/slab.h>
56126 +#include <linux/vmalloc.h>
56127 +#include <linux/percpu.h>
56128 +#include <linux/module.h>
56129 +
56130 +int grsec_enable_brute;
56131 +int grsec_enable_link;
56132 +int grsec_enable_dmesg;
56133 +int grsec_enable_harden_ptrace;
56134 +int grsec_enable_fifo;
56135 +int grsec_enable_execlog;
56136 +int grsec_enable_signal;
56137 +int grsec_enable_forkfail;
56138 +int grsec_enable_audit_ptrace;
56139 +int grsec_enable_time;
56140 +int grsec_enable_audit_textrel;
56141 +int grsec_enable_group;
56142 +int grsec_audit_gid;
56143 +int grsec_enable_chdir;
56144 +int grsec_enable_mount;
56145 +int grsec_enable_rofs;
56146 +int grsec_enable_chroot_findtask;
56147 +int grsec_enable_chroot_mount;
56148 +int grsec_enable_chroot_shmat;
56149 +int grsec_enable_chroot_fchdir;
56150 +int grsec_enable_chroot_double;
56151 +int grsec_enable_chroot_pivot;
56152 +int grsec_enable_chroot_chdir;
56153 +int grsec_enable_chroot_chmod;
56154 +int grsec_enable_chroot_mknod;
56155 +int grsec_enable_chroot_nice;
56156 +int grsec_enable_chroot_execlog;
56157 +int grsec_enable_chroot_caps;
56158 +int grsec_enable_chroot_sysctl;
56159 +int grsec_enable_chroot_unix;
56160 +int grsec_enable_tpe;
56161 +int grsec_tpe_gid;
56162 +int grsec_enable_blackhole;
56163 +#ifdef CONFIG_IPV6_MODULE
56164 +EXPORT_SYMBOL(grsec_enable_blackhole);
56165 +#endif
56166 +int grsec_lastack_retries;
56167 +int grsec_enable_tpe_all;
56168 +int grsec_enable_tpe_invert;
56169 +int grsec_enable_socket_all;
56170 +int grsec_socket_all_gid;
56171 +int grsec_enable_socket_client;
56172 +int grsec_socket_client_gid;
56173 +int grsec_enable_socket_server;
56174 +int grsec_socket_server_gid;
56175 +int grsec_resource_logging;
56176 +int grsec_disable_privio;
56177 +int grsec_enable_log_rwxmaps;
56178 +int grsec_lock;
56179 +
56180 +DEFINE_SPINLOCK(grsec_alert_lock);
56181 +unsigned long grsec_alert_wtime = 0;
56182 +unsigned long grsec_alert_fyet = 0;
56183 +
56184 +DEFINE_SPINLOCK(grsec_audit_lock);
56185 +
56186 +DEFINE_RWLOCK(grsec_exec_file_lock);
56187 +
56188 +char *gr_shared_page[4];
56189 +
56190 +char *gr_alert_log_fmt;
56191 +char *gr_audit_log_fmt;
56192 +char *gr_alert_log_buf;
56193 +char *gr_audit_log_buf;
56194 +
56195 +extern struct gr_arg *gr_usermode;
56196 +extern unsigned char *gr_system_salt;
56197 +extern unsigned char *gr_system_sum;
56198 +
56199 +void __init
56200 +grsecurity_init(void)
56201 +{
56202 + int j;
56203 + /* create the per-cpu shared pages */
56204 +
56205 +#ifdef CONFIG_X86
56206 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
56207 +#endif
56208 +
56209 + for (j = 0; j < 4; j++) {
56210 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
56211 + if (gr_shared_page[j] == NULL) {
56212 + panic("Unable to allocate grsecurity shared page");
56213 + return;
56214 + }
56215 + }
56216 +
56217 + /* allocate log buffers */
56218 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
56219 + if (!gr_alert_log_fmt) {
56220 + panic("Unable to allocate grsecurity alert log format buffer");
56221 + return;
56222 + }
56223 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
56224 + if (!gr_audit_log_fmt) {
56225 + panic("Unable to allocate grsecurity audit log format buffer");
56226 + return;
56227 + }
56228 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
56229 + if (!gr_alert_log_buf) {
56230 + panic("Unable to allocate grsecurity alert log buffer");
56231 + return;
56232 + }
56233 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
56234 + if (!gr_audit_log_buf) {
56235 + panic("Unable to allocate grsecurity audit log buffer");
56236 + return;
56237 + }
56238 +
56239 + /* allocate memory for authentication structure */
56240 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
56241 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
56242 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
56243 +
56244 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
56245 + panic("Unable to allocate grsecurity authentication structure");
56246 + return;
56247 + }
56248 +
56249 +
56250 +#ifdef CONFIG_GRKERNSEC_IO
56251 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
56252 + grsec_disable_privio = 1;
56253 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
56254 + grsec_disable_privio = 1;
56255 +#else
56256 + grsec_disable_privio = 0;
56257 +#endif
56258 +#endif
56259 +
56260 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
56261 + /* for backward compatibility, tpe_invert always defaults to on if
56262 + enabled in the kernel
56263 + */
56264 + grsec_enable_tpe_invert = 1;
56265 +#endif
56266 +
56267 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
56268 +#ifndef CONFIG_GRKERNSEC_SYSCTL
56269 + grsec_lock = 1;
56270 +#endif
56271 +
56272 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
56273 + grsec_enable_audit_textrel = 1;
56274 +#endif
56275 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
56276 + grsec_enable_log_rwxmaps = 1;
56277 +#endif
56278 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
56279 + grsec_enable_group = 1;
56280 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
56281 +#endif
56282 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
56283 + grsec_enable_chdir = 1;
56284 +#endif
56285 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
56286 + grsec_enable_harden_ptrace = 1;
56287 +#endif
56288 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
56289 + grsec_enable_mount = 1;
56290 +#endif
56291 +#ifdef CONFIG_GRKERNSEC_LINK
56292 + grsec_enable_link = 1;
56293 +#endif
56294 +#ifdef CONFIG_GRKERNSEC_BRUTE
56295 + grsec_enable_brute = 1;
56296 +#endif
56297 +#ifdef CONFIG_GRKERNSEC_DMESG
56298 + grsec_enable_dmesg = 1;
56299 +#endif
56300 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56301 + grsec_enable_blackhole = 1;
56302 + grsec_lastack_retries = 4;
56303 +#endif
56304 +#ifdef CONFIG_GRKERNSEC_FIFO
56305 + grsec_enable_fifo = 1;
56306 +#endif
56307 +#ifdef CONFIG_GRKERNSEC_EXECLOG
56308 + grsec_enable_execlog = 1;
56309 +#endif
56310 +#ifdef CONFIG_GRKERNSEC_SIGNAL
56311 + grsec_enable_signal = 1;
56312 +#endif
56313 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
56314 + grsec_enable_forkfail = 1;
56315 +#endif
56316 +#ifdef CONFIG_GRKERNSEC_TIME
56317 + grsec_enable_time = 1;
56318 +#endif
56319 +#ifdef CONFIG_GRKERNSEC_RESLOG
56320 + grsec_resource_logging = 1;
56321 +#endif
56322 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
56323 + grsec_enable_chroot_findtask = 1;
56324 +#endif
56325 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
56326 + grsec_enable_chroot_unix = 1;
56327 +#endif
56328 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
56329 + grsec_enable_chroot_mount = 1;
56330 +#endif
56331 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
56332 + grsec_enable_chroot_fchdir = 1;
56333 +#endif
56334 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
56335 + grsec_enable_chroot_shmat = 1;
56336 +#endif
56337 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
56338 + grsec_enable_audit_ptrace = 1;
56339 +#endif
56340 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
56341 + grsec_enable_chroot_double = 1;
56342 +#endif
56343 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
56344 + grsec_enable_chroot_pivot = 1;
56345 +#endif
56346 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
56347 + grsec_enable_chroot_chdir = 1;
56348 +#endif
56349 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
56350 + grsec_enable_chroot_chmod = 1;
56351 +#endif
56352 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
56353 + grsec_enable_chroot_mknod = 1;
56354 +#endif
56355 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
56356 + grsec_enable_chroot_nice = 1;
56357 +#endif
56358 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
56359 + grsec_enable_chroot_execlog = 1;
56360 +#endif
56361 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
56362 + grsec_enable_chroot_caps = 1;
56363 +#endif
56364 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
56365 + grsec_enable_chroot_sysctl = 1;
56366 +#endif
56367 +#ifdef CONFIG_GRKERNSEC_TPE
56368 + grsec_enable_tpe = 1;
56369 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
56370 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
56371 + grsec_enable_tpe_all = 1;
56372 +#endif
56373 +#endif
56374 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
56375 + grsec_enable_socket_all = 1;
56376 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
56377 +#endif
56378 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
56379 + grsec_enable_socket_client = 1;
56380 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
56381 +#endif
56382 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
56383 + grsec_enable_socket_server = 1;
56384 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
56385 +#endif
56386 +#endif
56387 +
56388 + return;
56389 +}
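Review bot: `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` at the top of `grsecurity_init` has no explanation, and the comment above it, `/* create the per-cpu shared pages */`, describes the loop that follows instead. The address and length match the BIOS data area keyboard buffer (head and tail pointers plus the 32-byte ring), so this looks like a scrub of keystrokes left over from pre-boot password entry. Please confirm that and state it, e.g. `/* wipe the BIOS keyboard buffer (BDA 0x41a, 36 bytes) so pre-boot keystrokes do not linger in memory */`, with the two numbers as named constants. Separately, every `return;` that follows a `panic()` call is dead code. `gr_usermode`, `gr_system_salt` and `gr_system_sum` are also left uninitialised by `kmalloc()`, so if any of them can be read before it is first written (not visible in this hunk), `kzalloc()` would be the safer call.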
56390 diff -urNp linux-2.6.32.46/grsecurity/grsec_link.c linux-2.6.32.46/grsecurity/grsec_link.c
56391 --- linux-2.6.32.46/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
56392 +++ linux-2.6.32.46/grsecurity/grsec_link.c 2011-04-17 15:56:46.000000000 -0400
56393 @@ -0,0 +1,43 @@
56394 +#include <linux/kernel.h>
56395 +#include <linux/sched.h>
56396 +#include <linux/fs.h>
56397 +#include <linux/file.h>
56398 +#include <linux/grinternal.h>
56399 +
56400 +int
56401 +gr_handle_follow_link(const struct inode *parent,
56402 + const struct inode *inode,
56403 + const struct dentry *dentry, const struct vfsmount *mnt)
56404 +{
56405 +#ifdef CONFIG_GRKERNSEC_LINK
56406 + const struct cred *cred = current_cred();
56407 +
56408 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
56409 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
56410 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
56411 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
56412 + return -EACCES;
56413 + }
56414 +#endif
56415 + return 0;
56416 +}
56417 +
56418 +int
56419 +gr_handle_hardlink(const struct dentry *dentry,
56420 + const struct vfsmount *mnt,
56421 + struct inode *inode, const int mode, const char *to)
56422 +{
56423 +#ifdef CONFIG_GRKERNSEC_LINK
56424 + const struct cred *cred = current_cred();
56425 +
56426 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
56427 + (!S_ISREG(mode) || (mode & S_ISUID) ||
56428 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
56429 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
56430 + !capable(CAP_FOWNER) && cred->uid) {
56431 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
56432 + return -EPERM;
56433 + }
56434 +#endif
56435 + return 0;
56436 +}
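Review bot: The condition in `gr_handle_hardlink` packs the whole policy into one expression with no comment, and `inode_permission(inode, MAY_READ | MAY_WRITE)` is used in its "non-zero means denied" sense, which is easy to misread as a grant. A comment ahead of the `if` should spell the rule out: a caller who does not own the target is refused when the target is not a regular file, is setuid, is setgid with group-execute, or is not both readable and writable by the caller, with uid 0 and `CAP_FOWNER` exempt. `gr_handle_follow_link` needs the same, e.g. `/* in a sticky, world-writable directory, follow a symlink only if it is owned by the directory owner or by the caller's fsuid */`. Both functions use bare `cred->uid` / `cred->fsuid` comparisons, so the comment should also note that the exemption in the hardlink check keys on the real uid while the ownership test keys on the fsuid.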
56437 diff -urNp linux-2.6.32.46/grsecurity/grsec_log.c linux-2.6.32.46/grsecurity/grsec_log.c
56438 --- linux-2.6.32.46/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
56439 +++ linux-2.6.32.46/grsecurity/grsec_log.c 2011-05-10 21:58:49.000000000 -0400
56440 @@ -0,0 +1,310 @@
56441 +#include <linux/kernel.h>
56442 +#include <linux/sched.h>
56443 +#include <linux/file.h>
56444 +#include <linux/tty.h>
56445 +#include <linux/fs.h>
56446 +#include <linux/grinternal.h>
56447 +
56448 +#ifdef CONFIG_TREE_PREEMPT_RCU
56449 +#define DISABLE_PREEMPT() preempt_disable()
56450 +#define ENABLE_PREEMPT() preempt_enable()
56451 +#else
56452 +#define DISABLE_PREEMPT()
56453 +#define ENABLE_PREEMPT()
56454 +#endif
56455 +
56456 +#define BEGIN_LOCKS(x) \
56457 + DISABLE_PREEMPT(); \
56458 + rcu_read_lock(); \
56459 + read_lock(&tasklist_lock); \
56460 + read_lock(&grsec_exec_file_lock); \
56461 + if (x != GR_DO_AUDIT) \
56462 + spin_lock(&grsec_alert_lock); \
56463 + else \
56464 + spin_lock(&grsec_audit_lock)
56465 +
56466 +#define END_LOCKS(x) \
56467 + if (x != GR_DO_AUDIT) \
56468 + spin_unlock(&grsec_alert_lock); \
56469 + else \
56470 + spin_unlock(&grsec_audit_lock); \
56471 + read_unlock(&grsec_exec_file_lock); \
56472 + read_unlock(&tasklist_lock); \
56473 + rcu_read_unlock(); \
56474 + ENABLE_PREEMPT(); \
56475 + if (x == GR_DONT_AUDIT) \
56476 + gr_handle_alertkill(current)
56477 +
56478 +enum {
56479 + FLOODING,
56480 + NO_FLOODING
56481 +};
56482 +
56483 +extern char *gr_alert_log_fmt;
56484 +extern char *gr_audit_log_fmt;
56485 +extern char *gr_alert_log_buf;
56486 +extern char *gr_audit_log_buf;
56487 +
56488 +static int gr_log_start(int audit)
56489 +{
56490 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
56491 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
56492 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
56493 +
56494 + if (audit == GR_DO_AUDIT)
56495 + goto set_fmt;
56496 +
56497 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
56498 + grsec_alert_wtime = jiffies;
56499 + grsec_alert_fyet = 0;
56500 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
56501 + grsec_alert_fyet++;
56502 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
56503 + grsec_alert_wtime = jiffies;
56504 + grsec_alert_fyet++;
56505 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
56506 + return FLOODING;
56507 + } else return FLOODING;
56508 +
56509 +set_fmt:
56510 + memset(buf, 0, PAGE_SIZE);
56511 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
56512 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
56513 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
56514 + } else if (current->signal->curr_ip) {
56515 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
56516 + snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
56517 + } else if (gr_acl_is_enabled()) {
56518 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
56519 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
56520 + } else {
56521 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
56522 + strcpy(buf, fmt);
56523 + }
56524 +
56525 + return NO_FLOODING;
56526 +}
56527 +
56528 +static void gr_log_middle(int audit, const char *msg, va_list ap)
56529 + __attribute__ ((format (printf, 2, 0)));
56530 +
56531 +static void gr_log_middle(int audit, const char *msg, va_list ap)
56532 +{
56533 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
56534 + unsigned int len = strlen(buf);
56535 +
56536 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
56537 +
56538 + return;
56539 +}
56540 +
56541 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
56542 + __attribute__ ((format (printf, 2, 3)));
56543 +
56544 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
56545 +{
56546 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
56547 + unsigned int len = strlen(buf);
56548 + va_list ap;
56549 +
56550 + va_start(ap, msg);
56551 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
56552 + va_end(ap);
56553 +
56554 + return;
56555 +}
56556 +
56557 +static void gr_log_end(int audit)
56558 +{
56559 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
56560 + unsigned int len = strlen(buf);
56561 +
56562 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
56563 + printk("%s\n", buf);
56564 +
56565 + return;
56566 +}
56567 +
56568 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
56569 +{
56570 + int logtype;
56571 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
56572 + char *str1 = NULL, *str2 = NULL, *str3 = NULL;
56573 + void *voidptr = NULL;
56574 + int num1 = 0, num2 = 0;
56575 + unsigned long ulong1 = 0, ulong2 = 0;
56576 + struct dentry *dentry = NULL;
56577 + struct vfsmount *mnt = NULL;
56578 + struct file *file = NULL;
56579 + struct task_struct *task = NULL;
56580 + const struct cred *cred, *pcred;
56581 + va_list ap;
56582 +
56583 + BEGIN_LOCKS(audit);
56584 + logtype = gr_log_start(audit);
56585 + if (logtype == FLOODING) {
56586 + END_LOCKS(audit);
56587 + return;
56588 + }
56589 + va_start(ap, argtypes);
56590 + switch (argtypes) {
56591 + case GR_TTYSNIFF:
56592 + task = va_arg(ap, struct task_struct *);
56593 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
56594 + break;
56595 + case GR_SYSCTL_HIDDEN:
56596 + str1 = va_arg(ap, char *);
56597 + gr_log_middle_varargs(audit, msg, result, str1);
56598 + break;
56599 + case GR_RBAC:
56600 + dentry = va_arg(ap, struct dentry *);
56601 + mnt = va_arg(ap, struct vfsmount *);
56602 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
56603 + break;
56604 + case GR_RBAC_STR:
56605 + dentry = va_arg(ap, struct dentry *);
56606 + mnt = va_arg(ap, struct vfsmount *);
56607 + str1 = va_arg(ap, char *);
56608 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
56609 + break;
56610 + case GR_STR_RBAC:
56611 + str1 = va_arg(ap, char *);
56612 + dentry = va_arg(ap, struct dentry *);
56613 + mnt = va_arg(ap, struct vfsmount *);
56614 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
56615 + break;
56616 + case GR_RBAC_MODE2:
56617 + dentry = va_arg(ap, struct dentry *);
56618 + mnt = va_arg(ap, struct vfsmount *);
56619 + str1 = va_arg(ap, char *);
56620 + str2 = va_arg(ap, char *);
56621 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
56622 + break;
56623 + case GR_RBAC_MODE3:
56624 + dentry = va_arg(ap, struct dentry *);
56625 + mnt = va_arg(ap, struct vfsmount *);
56626 + str1 = va_arg(ap, char *);
56627 + str2 = va_arg(ap, char *);
56628 + str3 = va_arg(ap, char *);
56629 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
56630 + break;
56631 + case GR_FILENAME:
56632 + dentry = va_arg(ap, struct dentry *);
56633 + mnt = va_arg(ap, struct vfsmount *);
56634 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
56635 + break;
56636 + case GR_STR_FILENAME:
56637 + str1 = va_arg(ap, char *);
56638 + dentry = va_arg(ap, struct dentry *);
56639 + mnt = va_arg(ap, struct vfsmount *);
56640 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
56641 + break;
56642 + case GR_FILENAME_STR:
56643 + dentry = va_arg(ap, struct dentry *);
56644 + mnt = va_arg(ap, struct vfsmount *);
56645 + str1 = va_arg(ap, char *);
56646 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
56647 + break;
56648 + case GR_FILENAME_TWO_INT:
56649 + dentry = va_arg(ap, struct dentry *);
56650 + mnt = va_arg(ap, struct vfsmount *);
56651 + num1 = va_arg(ap, int);
56652 + num2 = va_arg(ap, int);
56653 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
56654 + break;
56655 + case GR_FILENAME_TWO_INT_STR:
56656 + dentry = va_arg(ap, struct dentry *);
56657 + mnt = va_arg(ap, struct vfsmount *);
56658 + num1 = va_arg(ap, int);
56659 + num2 = va_arg(ap, int);
56660 + str1 = va_arg(ap, char *);
56661 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
56662 + break;
56663 + case GR_TEXTREL:
56664 + file = va_arg(ap, struct file *);
56665 + ulong1 = va_arg(ap, unsigned long);
56666 + ulong2 = va_arg(ap, unsigned long);
56667 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
56668 + break;
56669 + case GR_PTRACE:
56670 + task = va_arg(ap, struct task_struct *);
56671 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
56672 + break;
56673 + case GR_RESOURCE:
56674 + task = va_arg(ap, struct task_struct *);
56675 + cred = __task_cred(task);
56676 + pcred = __task_cred(task->real_parent);
56677 + ulong1 = va_arg(ap, unsigned long);
56678 + str1 = va_arg(ap, char *);
56679 + ulong2 = va_arg(ap, unsigned long);
56680 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
56681 + break;
56682 + case GR_CAP:
56683 + task = va_arg(ap, struct task_struct *);
56684 + cred = __task_cred(task);
56685 + pcred = __task_cred(task->real_parent);
56686 + str1 = va_arg(ap, char *);
56687 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
56688 + break;
56689 + case GR_SIG:
56690 + str1 = va_arg(ap, char *);
56691 + voidptr = va_arg(ap, void *);
56692 + gr_log_middle_varargs(audit, msg, str1, voidptr);
56693 + break;
56694 + case GR_SIG2:
56695 + task = va_arg(ap, struct task_struct *);
56696 + cred = __task_cred(task);
56697 + pcred = __task_cred(task->real_parent);
56698 + num1 = va_arg(ap, int);
56699 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
56700 + break;
56701 + case GR_CRASH1:
56702 + task = va_arg(ap, struct task_struct *);
56703 + cred = __task_cred(task);
56704 + pcred = __task_cred(task->real_parent);
56705 + ulong1 = va_arg(ap, unsigned long);
56706 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
56707 + break;
56708 + case GR_CRASH2:
56709 + task = va_arg(ap, struct task_struct *);
56710 + cred = __task_cred(task);
56711 + pcred = __task_cred(task->real_parent);
56712 + ulong1 = va_arg(ap, unsigned long);
56713 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
56714 + break;
56715 + case GR_RWXMAP:
56716 + file = va_arg(ap, struct file *);
56717 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
56718 + break;
56719 + case GR_PSACCT:
56720 + {
56721 + unsigned int wday, cday;
56722 + __u8 whr, chr;
56723 + __u8 wmin, cmin;
56724 + __u8 wsec, csec;
56725 + char cur_tty[64] = { 0 };
56726 + char parent_tty[64] = { 0 };
56727 +
56728 + task = va_arg(ap, struct task_struct *);
56729 + wday = va_arg(ap, unsigned int);
56730 + cday = va_arg(ap, unsigned int);
56731 + whr = va_arg(ap, int);
56732 + chr = va_arg(ap, int);
56733 + wmin = va_arg(ap, int);
56734 + cmin = va_arg(ap, int);
56735 + wsec = va_arg(ap, int);
56736 + csec = va_arg(ap, int);
56737 + ulong1 = va_arg(ap, unsigned long);
56738 + cred = __task_cred(task);
56739 + pcred = __task_cred(task->real_parent);
56740 +
56741 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
56742 + }
56743 + break;
56744 + default:
56745 + gr_log_middle(audit, msg, ap);
56746 + }
56747 + va_end(ap);
56748 + gr_log_end(audit);
56749 + END_LOCKS(audit);
56750 +}
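Review bot: The flood limiter in gr_log_start drops an alert with no message when it arrives exactly `CONFIG_GRKERNSEC_FLOODTIME * HZ` jiffies after `grsec_alert_wtime` while the burst budget is still unused. The first test uses `>`, the second uses `<`, and the third requires `grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST`, so control falls to the bare `else return FLOODING`. Making the window test inclusive closes the gap: `if (!grsec_alert_wtime || jiffies - grsec_alert_wtime >= CONFIG_GRKERNSEC_FLOODTIME * HZ) {`. Separately, `BEGIN_LOCKS` and `END_LOCKS` expand to several statements; wrapping each in `do { ... } while (0)` and writing `(x)` would stop a later unbraced `if (...) END_LOCKS(audit);` from guarding only the first statement.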
56751 diff -urNp linux-2.6.32.46/grsecurity/grsec_mem.c linux-2.6.32.46/grsecurity/grsec_mem.c
56752 --- linux-2.6.32.46/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
56753 +++ linux-2.6.32.46/grsecurity/grsec_mem.c 2011-04-17 15:56:46.000000000 -0400
56754 @@ -0,0 +1,33 @@
56755 +#include <linux/kernel.h>
56756 +#include <linux/sched.h>
56757 +#include <linux/mm.h>
56758 +#include <linux/mman.h>
56759 +#include <linux/grinternal.h>
56760 +
56761 +void
56762 +gr_handle_ioperm(void)
56763 +{
56764 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
56765 + return;
56766 +}
56767 +
56768 +void
56769 +gr_handle_iopl(void)
56770 +{
56771 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
56772 + return;
56773 +}
56774 +
56775 +void
56776 +gr_handle_mem_readwrite(u64 from, u64 to)
56777 +{
56778 + gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
56779 + return;
56780 +}
56781 +
56782 +void
56783 +gr_handle_vm86(void)
56784 +{
56785 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
56786 + return;
56787 +}
56788 diff -urNp linux-2.6.32.46/grsecurity/grsec_mount.c linux-2.6.32.46/grsecurity/grsec_mount.c
56789 --- linux-2.6.32.46/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
56790 +++ linux-2.6.32.46/grsecurity/grsec_mount.c 2011-06-20 19:47:03.000000000 -0400
56791 @@ -0,0 +1,62 @@
56792 +#include <linux/kernel.h>
56793 +#include <linux/sched.h>
56794 +#include <linux/mount.h>
56795 +#include <linux/grsecurity.h>
56796 +#include <linux/grinternal.h>
56797 +
56798 +void
56799 +gr_log_remount(const char *devname, const int retval)
56800 +{
56801 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
56802 + if (grsec_enable_mount && (retval >= 0))
56803 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
56804 +#endif
56805 + return;
56806 +}
56807 +
56808 +void
56809 +gr_log_unmount(const char *devname, const int retval)
56810 +{
56811 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
56812 + if (grsec_enable_mount && (retval >= 0))
56813 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
56814 +#endif
56815 + return;
56816 +}
56817 +
56818 +void
56819 +gr_log_mount(const char *from, const char *to, const int retval)
56820 +{
56821 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
56822 + if (grsec_enable_mount && (retval >= 0))
56823 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
56824 +#endif
56825 + return;
56826 +}
56827 +
56828 +int
56829 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
56830 +{
56831 +#ifdef CONFIG_GRKERNSEC_ROFS
56832 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
56833 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
56834 + return -EPERM;
56835 + } else
56836 + return 0;
56837 +#endif
56838 + return 0;
56839 +}
56840 +
56841 +int
56842 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
56843 +{
56844 +#ifdef CONFIG_GRKERNSEC_ROFS
56845 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
56846 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
56847 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
56848 + return -EPERM;
56849 + } else
56850 + return 0;
56851 +#endif
56852 + return 0;
56853 +}
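Review bot: gr_handle_rofs_mount and gr_handle_rofs_blockwrite return `-EPERM` but log the refusal with `GR_DO_AUDIT`, so a denied operation is recorded at the same level as a successful mount. In gr_log_start (grsec_log.c in this patch) that value selects `KERN_INFO` and the audit buffer, and jumps past the alert flood limiter. This may be deliberate, since `GR_DONT_AUDIT` would also run `gr_handle_alertkill(current)` from `END_LOCKS`; if so, a comment such as `/* refusal is logged through the audit channel (KERN_INFO), not as an alert */` should say it. The `else return 0;` before `#endif` in both functions is redundant with the `return 0;` that follows.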
56854 diff -urNp linux-2.6.32.46/grsecurity/grsec_pax.c linux-2.6.32.46/grsecurity/grsec_pax.c
56855 --- linux-2.6.32.46/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
56856 +++ linux-2.6.32.46/grsecurity/grsec_pax.c 2011-04-17 15:56:46.000000000 -0400
56857 @@ -0,0 +1,36 @@
56858 +#include <linux/kernel.h>
56859 +#include <linux/sched.h>
56860 +#include <linux/mm.h>
56861 +#include <linux/file.h>
56862 +#include <linux/grinternal.h>
56863 +#include <linux/grsecurity.h>
56864 +
56865 +void
56866 +gr_log_textrel(struct vm_area_struct * vma)
56867 +{
56868 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
56869 + if (grsec_enable_audit_textrel)
56870 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
56871 +#endif
56872 + return;
56873 +}
56874 +
56875 +void
56876 +gr_log_rwxmmap(struct file *file)
56877 +{
56878 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
56879 + if (grsec_enable_log_rwxmaps)
56880 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
56881 +#endif
56882 + return;
56883 +}
56884 +
56885 +void
56886 +gr_log_rwxmprotect(struct file *file)
56887 +{
56888 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
56889 + if (grsec_enable_log_rwxmaps)
56890 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
56891 +#endif
56892 + return;
56893 +}
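Review bot: gr_log_rwxmmap and gr_log_rwxmprotect are named as loggers but pass `GR_DONT_AUDIT`, unlike gr_log_textrel, which passes `GR_DO_AUDIT`, and nothing here says the difference is intended. Assuming `gr_log_rwxmap` reaches gr_log_varargs in grsec_log.c (the macro is not in this hunk), that choice means `KERN_ALERT`, flood limiting, and a call to `gr_handle_alertkill(current)` from `END_LOCKS`. A one-line comment on each, e.g. `/* reported as an alert, not an audit record */`, would make that visible to whoever tunes alerting on RWX mappings.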
56894 diff -urNp linux-2.6.32.46/grsecurity/grsec_ptrace.c linux-2.6.32.46/grsecurity/grsec_ptrace.c
56895 --- linux-2.6.32.46/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
56896 +++ linux-2.6.32.46/grsecurity/grsec_ptrace.c 2011-04-17 15:56:46.000000000 -0400
56897 @@ -0,0 +1,14 @@
56898 +#include <linux/kernel.h>
56899 +#include <linux/sched.h>
56900 +#include <linux/grinternal.h>
56901 +#include <linux/grsecurity.h>
56902 +
56903 +void
56904 +gr_audit_ptrace(struct task_struct *task)
56905 +{
56906 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
56907 + if (grsec_enable_audit_ptrace)
56908 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
56909 +#endif
56910 + return;
56911 +}
56912 diff -urNp linux-2.6.32.46/grsecurity/grsec_sig.c linux-2.6.32.46/grsecurity/grsec_sig.c
56913 --- linux-2.6.32.46/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
56914 +++ linux-2.6.32.46/grsecurity/grsec_sig.c 2011-06-29 19:40:31.000000000 -0400
56915 @@ -0,0 +1,205 @@
56916 +#include <linux/kernel.h>
56917 +#include <linux/sched.h>
56918 +#include <linux/delay.h>
56919 +#include <linux/grsecurity.h>
56920 +#include <linux/grinternal.h>
56921 +#include <linux/hardirq.h>
56922 +
56923 +char *signames[] = {
56924 + [SIGSEGV] = "Segmentation fault",
56925 + [SIGILL] = "Illegal instruction",
56926 + [SIGABRT] = "Abort",
56927 + [SIGBUS] = "Invalid alignment/Bus error"
56928 +};
56929 +
56930 +void
56931 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
56932 +{
56933 +#ifdef CONFIG_GRKERNSEC_SIGNAL
56934 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
56935 + (sig == SIGABRT) || (sig == SIGBUS))) {
56936 + if (t->pid == current->pid) {
56937 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
56938 + } else {
56939 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
56940 + }
56941 + }
56942 +#endif
56943 + return;
56944 +}
56945 +
56946 +int
56947 +gr_handle_signal(const struct task_struct *p, const int sig)
56948 +{
56949 +#ifdef CONFIG_GRKERNSEC
56950 + if (current->pid > 1 && gr_check_protected_task(p)) {
56951 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
56952 + return -EPERM;
56953 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
56954 + return -EPERM;
56955 + }
56956 +#endif
56957 + return 0;
56958 +}
56959 +
56960 +#ifdef CONFIG_GRKERNSEC
56961 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
56962 +
56963 +int gr_fake_force_sig(int sig, struct task_struct *t)
56964 +{
56965 + unsigned long int flags;
56966 + int ret, blocked, ignored;
56967 + struct k_sigaction *action;
56968 +
56969 + spin_lock_irqsave(&t->sighand->siglock, flags);
56970 + action = &t->sighand->action[sig-1];
56971 + ignored = action->sa.sa_handler == SIG_IGN;
56972 + blocked = sigismember(&t->blocked, sig);
56973 + if (blocked || ignored) {
56974 + action->sa.sa_handler = SIG_DFL;
56975 + if (blocked) {
56976 + sigdelset(&t->blocked, sig);
56977 + recalc_sigpending_and_wake(t);
56978 + }
56979 + }
56980 + if (action->sa.sa_handler == SIG_DFL)
56981 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
56982 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
56983 +
56984 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
56985 +
56986 + return ret;
56987 +}
56988 +#endif
56989 +
56990 +#ifdef CONFIG_GRKERNSEC_BRUTE
56991 +#define GR_USER_BAN_TIME (15 * 60)
56992 +
56993 +static int __get_dumpable(unsigned long mm_flags)
56994 +{
56995 + int ret;
56996 +
56997 + ret = mm_flags & MMF_DUMPABLE_MASK;
56998 + return (ret >= 2) ? 2 : ret;
56999 +}
57000 +#endif
57001 +
57002 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
57003 +{
57004 +#ifdef CONFIG_GRKERNSEC_BRUTE
57005 + uid_t uid = 0;
57006 +
57007 + if (!grsec_enable_brute)
57008 + return;
57009 +
57010 + rcu_read_lock();
57011 + read_lock(&tasklist_lock);
57012 + read_lock(&grsec_exec_file_lock);
57013 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
57014 + p->real_parent->brute = 1;
57015 + else {
57016 + const struct cred *cred = __task_cred(p), *cred2;
57017 + struct task_struct *tsk, *tsk2;
57018 +
57019 + if (!__get_dumpable(mm_flags) && cred->uid) {
57020 + struct user_struct *user;
57021 +
57022 + uid = cred->uid;
57023 +
57024 + /* this is put upon execution past expiration */
57025 + user = find_user(uid);
57026 + if (user == NULL)
57027 + goto unlock;
57028 + user->banned = 1;
57029 + user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
57030 + if (user->ban_expires == ~0UL)
57031 + user->ban_expires--;
57032 +
57033 + do_each_thread(tsk2, tsk) {
57034 + cred2 = __task_cred(tsk);
57035 + if (tsk != p && cred2->uid == uid)
57036 + gr_fake_force_sig(SIGKILL, tsk);
57037 + } while_each_thread(tsk2, tsk);
57038 + }
57039 + }
57040 +unlock:
57041 + read_unlock(&grsec_exec_file_lock);
57042 + read_unlock(&tasklist_lock);
57043 + rcu_read_unlock();
57044 +
57045 + if (uid)
57046 + printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
57047 +#endif
57048 + return;
57049 +}
57050 +
57051 +void gr_handle_brute_check(void)
57052 +{
57053 +#ifdef CONFIG_GRKERNSEC_BRUTE
57054 + if (current->brute)
57055 + msleep(30 * 1000);
57056 +#endif
57057 + return;
57058 +}
57059 +
57060 +void gr_handle_kernel_exploit(void)
57061 +{
57062 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
57063 + const struct cred *cred;
57064 + struct task_struct *tsk, *tsk2;
57065 + struct user_struct *user;
57066 + uid_t uid;
57067 +
57068 + if (in_irq() || in_serving_softirq() || in_nmi())
57069 + panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
57070 +
57071 + uid = current_uid();
57072 +
57073 + if (uid == 0)
57074 + panic("grsec: halting the system due to suspicious kernel crash caused by root");
57075 + else {
57076 + /* kill all the processes of this user, hold a reference
57077 + to their creds struct, and prevent them from creating
57078 + another process until system reset
57079 + */
57080 + printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
57081 + /* we intentionally leak this ref */
57082 + user = get_uid(current->cred->user);
57083 + if (user) {
57084 + user->banned = 1;
57085 + user->ban_expires = ~0UL;
57086 + }
57087 +
57088 + read_lock(&tasklist_lock);
57089 + do_each_thread(tsk2, tsk) {
57090 + cred = __task_cred(tsk);
57091 + if (cred->uid == uid)
57092 + gr_fake_force_sig(SIGKILL, tsk);
57093 + } while_each_thread(tsk2, tsk);
57094 + read_unlock(&tasklist_lock);
57095 + }
57096 +#endif
57097 +}
57098 +
57099 +int __gr_process_user_ban(struct user_struct *user)
57100 +{
57101 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
57102 + if (unlikely(user->banned)) {
57103 + if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
57104 + user->banned = 0;
57105 + user->ban_expires = 0;
57106 + free_uid(user);
57107 + } else
57108 + return -EPERM;
57109 + }
57110 +#endif
57111 + return 0;
57112 +}
57113 +
57114 +int gr_process_user_ban(void)
57115 +{
57116 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
57117 + return __gr_process_user_ban(current->cred->user);
57118 +#endif
57119 + return 0;
57120 +}
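Review bot: `__gr_process_user_ban` tests and clears `user->banned` with no lock or atomic operation, so two callers that both see an expired ban can each call `free_uid(user)` against the single reference gr_handle_brute_attach took with `find_user(uid)`. The opposite imbalance is also possible: gr_handle_brute_attach takes a fresh `find_user()` reference on every run, even when `user->banned` is already 1, and only one `free_uid()` ever balances them. Both sites should update the ban state under one lock and hold exactly one reference per ban, for instance by dropping the new reference when the flag was already set (`if (user->banned) free_uid(user); else user->banned = 1;`). The expiry path should then clear the flag and call `free_uid()` inside that same critical section. The callers of `__gr_process_user_ban` are outside this hunk, so how often it can run concurrently for one user is not visible here.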
57121 diff -urNp linux-2.6.32.46/grsecurity/grsec_sock.c linux-2.6.32.46/grsecurity/grsec_sock.c
57122 --- linux-2.6.32.46/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
57123 +++ linux-2.6.32.46/grsecurity/grsec_sock.c 2011-04-17 15:56:46.000000000 -0400
57124 @@ -0,0 +1,275 @@
57125 +#include <linux/kernel.h>
57126 +#include <linux/module.h>
57127 +#include <linux/sched.h>
57128 +#include <linux/file.h>
57129 +#include <linux/net.h>
57130 +#include <linux/in.h>
57131 +#include <linux/ip.h>
57132 +#include <net/sock.h>
57133 +#include <net/inet_sock.h>
57134 +#include <linux/grsecurity.h>
57135 +#include <linux/grinternal.h>
57136 +#include <linux/gracl.h>
57137 +
57138 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
57139 +EXPORT_SYMBOL(gr_cap_rtnetlink);
57140 +
57141 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
57142 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
57143 +
57144 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
57145 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
57146 +
57147 +#ifdef CONFIG_UNIX_MODULE
57148 +EXPORT_SYMBOL(gr_acl_handle_unix);
57149 +EXPORT_SYMBOL(gr_acl_handle_mknod);
57150 +EXPORT_SYMBOL(gr_handle_chroot_unix);
57151 +EXPORT_SYMBOL(gr_handle_create);
57152 +#endif
57153 +
57154 +#ifdef CONFIG_GRKERNSEC
57155 +#define gr_conn_table_size 32749
57156 +struct conn_table_entry {
57157 + struct conn_table_entry *next;
57158 + struct signal_struct *sig;
57159 +};
57160 +
57161 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
57162 +DEFINE_SPINLOCK(gr_conn_table_lock);
57163 +
57164 +extern const char * gr_socktype_to_name(unsigned char type);
57165 +extern const char * gr_proto_to_name(unsigned char proto);
57166 +extern const char * gr_sockfamily_to_name(unsigned char family);
57167 +
57168 +static __inline__ int
57169 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
57170 +{
57171 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
57172 +}
57173 +
57174 +static __inline__ int
57175 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
57176 + __u16 sport, __u16 dport)
57177 +{
57178 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
57179 + sig->gr_sport == sport && sig->gr_dport == dport))
57180 + return 1;
57181 + else
57182 + return 0;
57183 +}
57184 +
57185 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
57186 +{
57187 + struct conn_table_entry **match;
57188 + unsigned int index;
57189 +
57190 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
57191 + sig->gr_sport, sig->gr_dport,
57192 + gr_conn_table_size);
57193 +
57194 + newent->sig = sig;
57195 +
57196 + match = &gr_conn_table[index];
57197 + newent->next = *match;
57198 + *match = newent;
57199 +
57200 + return;
57201 +}
57202 +
57203 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
57204 +{
57205 + struct conn_table_entry *match, *last = NULL;
57206 + unsigned int index;
57207 +
57208 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
57209 + sig->gr_sport, sig->gr_dport,
57210 + gr_conn_table_size);
57211 +
57212 + match = gr_conn_table[index];
57213 + while (match && !conn_match(match->sig,
57214 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
57215 + sig->gr_dport)) {
57216 + last = match;
57217 + match = match->next;
57218 + }
57219 +
57220 + if (match) {
57221 + if (last)
57222 + last->next = match->next;
57223 + else
57224 + gr_conn_table[index] = NULL;
57225 + kfree(match);
57226 + }
57227 +
57228 + return;
57229 +}
57230 +
57231 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
57232 + __u16 sport, __u16 dport)
57233 +{
57234 + struct conn_table_entry *match;
57235 + unsigned int index;
57236 +
57237 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
57238 +
57239 + match = gr_conn_table[index];
57240 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
57241 + match = match->next;
57242 +
57243 + if (match)
57244 + return match->sig;
57245 + else
57246 + return NULL;
57247 +}
57248 +
57249 +#endif
57250 +
57251 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
57252 +{
57253 +#ifdef CONFIG_GRKERNSEC
57254 + struct signal_struct *sig = task->signal;
57255 + struct conn_table_entry *newent;
57256 +
57257 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
57258 + if (newent == NULL)
57259 + return;
57260 + /* no bh lock needed since we are called with bh disabled */
57261 + spin_lock(&gr_conn_table_lock);
57262 + gr_del_task_from_ip_table_nolock(sig);
57263 + sig->gr_saddr = inet->rcv_saddr;
57264 + sig->gr_daddr = inet->daddr;
57265 + sig->gr_sport = inet->sport;
57266 + sig->gr_dport = inet->dport;
57267 + gr_add_to_task_ip_table_nolock(sig, newent);
57268 + spin_unlock(&gr_conn_table_lock);
57269 +#endif
57270 + return;
57271 +}
57272 +
57273 +void gr_del_task_from_ip_table(struct task_struct *task)
57274 +{
57275 +#ifdef CONFIG_GRKERNSEC
57276 + spin_lock_bh(&gr_conn_table_lock);
57277 + gr_del_task_from_ip_table_nolock(task->signal);
57278 + spin_unlock_bh(&gr_conn_table_lock);
57279 +#endif
57280 + return;
57281 +}
57282 +
57283 +void
57284 +gr_attach_curr_ip(const struct sock *sk)
57285 +{
57286 +#ifdef CONFIG_GRKERNSEC
57287 + struct signal_struct *p, *set;
57288 + const struct inet_sock *inet = inet_sk(sk);
57289 +
57290 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
57291 + return;
57292 +
57293 + set = current->signal;
57294 +
57295 + spin_lock_bh(&gr_conn_table_lock);
57296 + p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
57297 + inet->dport, inet->sport);
57298 + if (unlikely(p != NULL)) {
57299 + set->curr_ip = p->curr_ip;
57300 + set->used_accept = 1;
57301 + gr_del_task_from_ip_table_nolock(p);
57302 + spin_unlock_bh(&gr_conn_table_lock);
57303 + return;
57304 + }
57305 + spin_unlock_bh(&gr_conn_table_lock);
57306 +
57307 + set->curr_ip = inet->daddr;
57308 + set->used_accept = 1;
57309 +#endif
57310 + return;
57311 +}
57312 +
57313 +int
57314 +gr_handle_sock_all(const int family, const int type, const int protocol)
57315 +{
57316 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
57317 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
57318 + (family != AF_UNIX)) {
57319 + if (family == AF_INET)
57320 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
57321 + else
57322 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
57323 + return -EACCES;
57324 + }
57325 +#endif
57326 + return 0;
57327 +}
57328 +
57329 +int
57330 +gr_handle_sock_server(const struct sockaddr *sck)
57331 +{
57332 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
57333 + if (grsec_enable_socket_server &&
57334 + in_group_p(grsec_socket_server_gid) &&
57335 + sck && (sck->sa_family != AF_UNIX) &&
57336 + (sck->sa_family != AF_LOCAL)) {
57337 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
57338 + return -EACCES;
57339 + }
57340 +#endif
57341 + return 0;
57342 +}
57343 +
57344 +int
57345 +gr_handle_sock_server_other(const struct sock *sck)
57346 +{
57347 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
57348 + if (grsec_enable_socket_server &&
57349 + in_group_p(grsec_socket_server_gid) &&
57350 + sck && (sck->sk_family != AF_UNIX) &&
57351 + (sck->sk_family != AF_LOCAL)) {
57352 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
57353 + return -EACCES;
57354 + }
57355 +#endif
57356 + return 0;
57357 +}
57358 +
57359 +int
57360 +gr_handle_sock_client(const struct sockaddr *sck)
57361 +{
57362 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
57363 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
57364 + sck && (sck->sa_family != AF_UNIX) &&
57365 + (sck->sa_family != AF_LOCAL)) {
57366 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
57367 + return -EACCES;
57368 + }
57369 +#endif
57370 + return 0;
57371 +}
57372 +
57373 +kernel_cap_t
57374 +gr_cap_rtnetlink(struct sock *sock)
57375 +{
57376 +#ifdef CONFIG_GRKERNSEC
57377 + if (!gr_acl_is_enabled())
57378 + return current_cap();
57379 + else if (sock->sk_protocol == NETLINK_ISCSI &&
57380 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
57381 + gr_is_capable(CAP_SYS_ADMIN))
57382 + return current_cap();
57383 + else if (sock->sk_protocol == NETLINK_AUDIT &&
57384 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
57385 + gr_is_capable(CAP_AUDIT_WRITE) &&
57386 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
57387 + gr_is_capable(CAP_AUDIT_CONTROL))
57388 + return current_cap();
57389 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
57390 + ((sock->sk_protocol == NETLINK_ROUTE) ?
57391 + gr_is_capable_nolog(CAP_NET_ADMIN) :
57392 + gr_is_capable(CAP_NET_ADMIN)))
57393 + return current_cap();
57394 + else
57395 + return __cap_empty_set;
57396 +#else
57397 + return current_cap();
57398 +#endif
57399 +}
57400 diff -urNp linux-2.6.32.46/grsecurity/grsec_sysctl.c linux-2.6.32.46/grsecurity/grsec_sysctl.c
57401 --- linux-2.6.32.46/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
57402 +++ linux-2.6.32.46/grsecurity/grsec_sysctl.c 2011-08-11 19:57:54.000000000 -0400
57403 @@ -0,0 +1,479 @@
57404 +#include <linux/kernel.h>
57405 +#include <linux/sched.h>
57406 +#include <linux/sysctl.h>
57407 +#include <linux/grsecurity.h>
57408 +#include <linux/grinternal.h>
57409 +
57410 +int
57411 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
57412 +{
57413 +#ifdef CONFIG_GRKERNSEC_SYSCTL
57414 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
57415 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
57416 + return -EACCES;
57417 + }
57418 +#endif
57419 + return 0;
57420 +}
57421 +
57422 +#ifdef CONFIG_GRKERNSEC_ROFS
57423 +static int __maybe_unused one = 1;
57424 +#endif
57425 +
57426 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
57427 +ctl_table grsecurity_table[] = {
57428 +#ifdef CONFIG_GRKERNSEC_SYSCTL
57429 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
57430 +#ifdef CONFIG_GRKERNSEC_IO
57431 + {
57432 + .ctl_name = CTL_UNNUMBERED,
57433 + .procname = "disable_priv_io",
57434 + .data = &grsec_disable_privio,
57435 + .maxlen = sizeof(int),
57436 + .mode = 0600,
57437 + .proc_handler = &proc_dointvec,
57438 + },
57439 +#endif
57440 +#endif
57441 +#ifdef CONFIG_GRKERNSEC_LINK
57442 + {
57443 + .ctl_name = CTL_UNNUMBERED,
57444 + .procname = "linking_restrictions",
57445 + .data = &grsec_enable_link,
57446 + .maxlen = sizeof(int),
57447 + .mode = 0600,
57448 + .proc_handler = &proc_dointvec,
57449 + },
57450 +#endif
57451 +#ifdef CONFIG_GRKERNSEC_BRUTE
57452 + {
57453 + .ctl_name = CTL_UNNUMBERED,
57454 + .procname = "deter_bruteforce",
57455 + .data = &grsec_enable_brute,
57456 + .maxlen = sizeof(int),
57457 + .mode = 0600,
57458 + .proc_handler = &proc_dointvec,
57459 + },
57460 +#endif
57461 +#ifdef CONFIG_GRKERNSEC_FIFO
57462 + {
57463 + .ctl_name = CTL_UNNUMBERED,
57464 + .procname = "fifo_restrictions",
57465 + .data = &grsec_enable_fifo,
57466 + .maxlen = sizeof(int),
57467 + .mode = 0600,
57468 + .proc_handler = &proc_dointvec,
57469 + },
57470 +#endif
57471 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
57472 + {
57473 + .ctl_name = CTL_UNNUMBERED,
57474 + .procname = "ip_blackhole",
57475 + .data = &grsec_enable_blackhole,
57476 + .maxlen = sizeof(int),
57477 + .mode = 0600,
57478 + .proc_handler = &proc_dointvec,
57479 + },
57480 + {
57481 + .ctl_name = CTL_UNNUMBERED,
57482 + .procname = "lastack_retries",
57483 + .data = &grsec_lastack_retries,
57484 + .maxlen = sizeof(int),
57485 + .mode = 0600,
57486 + .proc_handler = &proc_dointvec,
57487 + },
57488 +#endif
57489 +#ifdef CONFIG_GRKERNSEC_EXECLOG
57490 + {
57491 + .ctl_name = CTL_UNNUMBERED,
57492 + .procname = "exec_logging",
57493 + .data = &grsec_enable_execlog,
57494 + .maxlen = sizeof(int),
57495 + .mode = 0600,
57496 + .proc_handler = &proc_dointvec,
57497 + },
57498 +#endif
57499 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
57500 + {
57501 + .ctl_name = CTL_UNNUMBERED,
57502 + .procname = "rwxmap_logging",
57503 + .data = &grsec_enable_log_rwxmaps,
57504 + .maxlen = sizeof(int),
57505 + .mode = 0600,
57506 + .proc_handler = &proc_dointvec,
57507 + },
57508 +#endif
57509 +#ifdef CONFIG_GRKERNSEC_SIGNAL
57510 + {
57511 + .ctl_name = CTL_UNNUMBERED,
57512 + .procname = "signal_logging",
57513 + .data = &grsec_enable_signal,
57514 + .maxlen = sizeof(int),
57515 + .mode = 0600,
57516 + .proc_handler = &proc_dointvec,
57517 + },
57518 +#endif
57519 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
57520 + {
57521 + .ctl_name = CTL_UNNUMBERED,
57522 + .procname = "forkfail_logging",
57523 + .data = &grsec_enable_forkfail,
57524 + .maxlen = sizeof(int),
57525 + .mode = 0600,
57526 + .proc_handler = &proc_dointvec,
57527 + },
57528 +#endif
57529 +#ifdef CONFIG_GRKERNSEC_TIME
57530 + {
57531 + .ctl_name = CTL_UNNUMBERED,
57532 + .procname = "timechange_logging",
57533 + .data = &grsec_enable_time,
57534 + .maxlen = sizeof(int),
57535 + .mode = 0600,
57536 + .proc_handler = &proc_dointvec,
57537 + },
57538 +#endif
57539 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
57540 + {
57541 + .ctl_name = CTL_UNNUMBERED,
57542 + .procname = "chroot_deny_shmat",
57543 + .data = &grsec_enable_chroot_shmat,
57544 + .maxlen = sizeof(int),
57545 + .mode = 0600,
57546 + .proc_handler = &proc_dointvec,
57547 + },
57548 +#endif
57549 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
57550 + {
57551 + .ctl_name = CTL_UNNUMBERED,
57552 + .procname = "chroot_deny_unix",
57553 + .data = &grsec_enable_chroot_unix,
57554 + .maxlen = sizeof(int),
57555 + .mode = 0600,
57556 + .proc_handler = &proc_dointvec,
57557 + },
57558 +#endif
57559 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
57560 + {
57561 + .ctl_name = CTL_UNNUMBERED,
57562 + .procname = "chroot_deny_mount",
57563 + .data = &grsec_enable_chroot_mount,
57564 + .maxlen = sizeof(int),
57565 + .mode = 0600,
57566 + .proc_handler = &proc_dointvec,
57567 + },
57568 +#endif
57569 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
57570 + {
57571 + .ctl_name = CTL_UNNUMBERED,
57572 + .procname = "chroot_deny_fchdir",
57573 + .data = &grsec_enable_chroot_fchdir,
57574 + .maxlen = sizeof(int),
57575 + .mode = 0600,
57576 + .proc_handler = &proc_dointvec,
57577 + },
57578 +#endif
57579 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
57580 + {
57581 + .ctl_name = CTL_UNNUMBERED,
57582 + .procname = "chroot_deny_chroot",
57583 + .data = &grsec_enable_chroot_double,
57584 + .maxlen = sizeof(int),
57585 + .mode = 0600,
57586 + .proc_handler = &proc_dointvec,
57587 + },
57588 +#endif
57589 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
57590 + {
57591 + .ctl_name = CTL_UNNUMBERED,
57592 + .procname = "chroot_deny_pivot",
57593 + .data = &grsec_enable_chroot_pivot,
57594 + .maxlen = sizeof(int),
57595 + .mode = 0600,
57596 + .proc_handler = &proc_dointvec,
57597 + },
57598 +#endif
57599 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
57600 + {
57601 + .ctl_name = CTL_UNNUMBERED,
57602 + .procname = "chroot_enforce_chdir",
57603 + .data = &grsec_enable_chroot_chdir,
57604 + .maxlen = sizeof(int),
57605 + .mode = 0600,
57606 + .proc_handler = &proc_dointvec,
57607 + },
57608 +#endif
57609 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
57610 + {
57611 + .ctl_name = CTL_UNNUMBERED,
57612 + .procname = "chroot_deny_chmod",
57613 + .data = &grsec_enable_chroot_chmod,
57614 + .maxlen = sizeof(int),
57615 + .mode = 0600,
57616 + .proc_handler = &proc_dointvec,
57617 + },
57618 +#endif
57619 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
57620 + {
57621 + .ctl_name = CTL_UNNUMBERED,
57622 + .procname = "chroot_deny_mknod",
57623 + .data = &grsec_enable_chroot_mknod,
57624 + .maxlen = sizeof(int),
57625 + .mode = 0600,
57626 + .proc_handler = &proc_dointvec,
57627 + },
57628 +#endif
57629 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
57630 + {
57631 + .ctl_name = CTL_UNNUMBERED,
57632 + .procname = "chroot_restrict_nice",
57633 + .data = &grsec_enable_chroot_nice,
57634 + .maxlen = sizeof(int),
57635 + .mode = 0600,
57636 + .proc_handler = &proc_dointvec,
57637 + },
57638 +#endif
57639 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
57640 + {
57641 + .ctl_name = CTL_UNNUMBERED,
57642 + .procname = "chroot_execlog",
57643 + .data = &grsec_enable_chroot_execlog,
57644 + .maxlen = sizeof(int),
57645 + .mode = 0600,
57646 + .proc_handler = &proc_dointvec,
57647 + },
57648 +#endif
57649 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
57650 + {
57651 + .ctl_name = CTL_UNNUMBERED,
57652 + .procname = "chroot_caps",
57653 + .data = &grsec_enable_chroot_caps,
57654 + .maxlen = sizeof(int),
57655 + .mode = 0600,
57656 + .proc_handler = &proc_dointvec,
57657 + },
57658 +#endif
57659 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
57660 + {
57661 + .ctl_name = CTL_UNNUMBERED,
57662 + .procname = "chroot_deny_sysctl",
57663 + .data = &grsec_enable_chroot_sysctl,
57664 + .maxlen = sizeof(int),
57665 + .mode = 0600,
57666 + .proc_handler = &proc_dointvec,
57667 + },
57668 +#endif
57669 +#ifdef CONFIG_GRKERNSEC_TPE
57670 + {
57671 + .ctl_name = CTL_UNNUMBERED,
57672 + .procname = "tpe",
57673 + .data = &grsec_enable_tpe,
57674 + .maxlen = sizeof(int),
57675 + .mode = 0600,
57676 + .proc_handler = &proc_dointvec,
57677 + },
57678 + {
57679 + .ctl_name = CTL_UNNUMBERED,
57680 + .procname = "tpe_gid",
57681 + .data = &grsec_tpe_gid,
57682 + .maxlen = sizeof(int),
57683 + .mode = 0600,
57684 + .proc_handler = &proc_dointvec,
57685 + },
57686 +#endif
57687 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
57688 + {
57689 + .ctl_name = CTL_UNNUMBERED,
57690 + .procname = "tpe_invert",
57691 + .data = &grsec_enable_tpe_invert,
57692 + .maxlen = sizeof(int),
57693 + .mode = 0600,
57694 + .proc_handler = &proc_dointvec,
57695 + },
57696 +#endif
57697 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
57698 + {
57699 + .ctl_name = CTL_UNNUMBERED,
57700 + .procname = "tpe_restrict_all",
57701 + .data = &grsec_enable_tpe_all,
57702 + .maxlen = sizeof(int),
57703 + .mode = 0600,
57704 + .proc_handler = &proc_dointvec,
57705 + },
57706 +#endif
57707 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
57708 + {
57709 + .ctl_name = CTL_UNNUMBERED,
57710 + .procname = "socket_all",
57711 + .data = &grsec_enable_socket_all,
57712 + .maxlen = sizeof(int),
57713 + .mode = 0600,
57714 + .proc_handler = &proc_dointvec,
57715 + },
57716 + {
57717 + .ctl_name = CTL_UNNUMBERED,
57718 + .procname = "socket_all_gid",
57719 + .data = &grsec_socket_all_gid,
57720 + .maxlen = sizeof(int),
57721 + .mode = 0600,
57722 + .proc_handler = &proc_dointvec,
57723 + },
57724 +#endif
57725 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
57726 + {
57727 + .ctl_name = CTL_UNNUMBERED,
57728 + .procname = "socket_client",
57729 + .data = &grsec_enable_socket_client,
57730 + .maxlen = sizeof(int),
57731 + .mode = 0600,
57732 + .proc_handler = &proc_dointvec,
57733 + },
57734 + {
57735 + .ctl_name = CTL_UNNUMBERED,
57736 + .procname = "socket_client_gid",
57737 + .data = &grsec_socket_client_gid,
57738 + .maxlen = sizeof(int),
57739 + .mode = 0600,
57740 + .proc_handler = &proc_dointvec,
57741 + },
57742 +#endif
57743 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
57744 + {
57745 + .ctl_name = CTL_UNNUMBERED,
57746 + .procname = "socket_server",
57747 + .data = &grsec_enable_socket_server,
57748 + .maxlen = sizeof(int),
57749 + .mode = 0600,
57750 + .proc_handler = &proc_dointvec,
57751 + },
57752 + {
57753 + .ctl_name = CTL_UNNUMBERED,
57754 + .procname = "socket_server_gid",
57755 + .data = &grsec_socket_server_gid,
57756 + .maxlen = sizeof(int),
57757 + .mode = 0600,
57758 + .proc_handler = &proc_dointvec,
57759 + },
57760 +#endif
57761 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
57762 + {
57763 + .ctl_name = CTL_UNNUMBERED,
57764 + .procname = "audit_group",
57765 + .data = &grsec_enable_group,
57766 + .maxlen = sizeof(int),
57767 + .mode = 0600,
57768 + .proc_handler = &proc_dointvec,
57769 + },
57770 + {
57771 + .ctl_name = CTL_UNNUMBERED,
57772 + .procname = "audit_gid",
57773 + .data = &grsec_audit_gid,
57774 + .maxlen = sizeof(int),
57775 + .mode = 0600,
57776 + .proc_handler = &proc_dointvec,
57777 + },
57778 +#endif
57779 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
57780 + {
57781 + .ctl_name = CTL_UNNUMBERED,
57782 + .procname = "audit_chdir",
57783 + .data = &grsec_enable_chdir,
57784 + .maxlen = sizeof(int),
57785 + .mode = 0600,
57786 + .proc_handler = &proc_dointvec,
57787 + },
57788 +#endif
57789 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
57790 + {
57791 + .ctl_name = CTL_UNNUMBERED,
57792 + .procname = "audit_mount",
57793 + .data = &grsec_enable_mount,
57794 + .maxlen = sizeof(int),
57795 + .mode = 0600,
57796 + .proc_handler = &proc_dointvec,
57797 + },
57798 +#endif
57799 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
57800 + {
57801 + .ctl_name = CTL_UNNUMBERED,
57802 + .procname = "audit_textrel",
57803 + .data = &grsec_enable_audit_textrel,
57804 + .maxlen = sizeof(int),
57805 + .mode = 0600,
57806 + .proc_handler = &proc_dointvec,
57807 + },
57808 +#endif
57809 +#ifdef CONFIG_GRKERNSEC_DMESG
57810 + {
57811 + .ctl_name = CTL_UNNUMBERED,
57812 + .procname = "dmesg",
57813 + .data = &grsec_enable_dmesg,
57814 + .maxlen = sizeof(int),
57815 + .mode = 0600,
57816 + .proc_handler = &proc_dointvec,
57817 + },
57818 +#endif
57819 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
57820 + {
57821 + .ctl_name = CTL_UNNUMBERED,
57822 + .procname = "chroot_findtask",
57823 + .data = &grsec_enable_chroot_findtask,
57824 + .maxlen = sizeof(int),
57825 + .mode = 0600,
57826 + .proc_handler = &proc_dointvec,
57827 + },
57828 +#endif
57829 +#ifdef CONFIG_GRKERNSEC_RESLOG
57830 + {
57831 + .ctl_name = CTL_UNNUMBERED,
57832 + .procname = "resource_logging",
57833 + .data = &grsec_resource_logging,
57834 + .maxlen = sizeof(int),
57835 + .mode = 0600,
57836 + .proc_handler = &proc_dointvec,
57837 + },
57838 +#endif
57839 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
57840 + {
57841 + .ctl_name = CTL_UNNUMBERED,
57842 + .procname = "audit_ptrace",
57843 + .data = &grsec_enable_audit_ptrace,
57844 + .maxlen = sizeof(int),
57845 + .mode = 0600,
57846 + .proc_handler = &proc_dointvec,
57847 + },
57848 +#endif
57849 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
57850 + {
57851 + .ctl_name = CTL_UNNUMBERED,
57852 + .procname = "harden_ptrace",
57853 + .data = &grsec_enable_harden_ptrace,
57854 + .maxlen = sizeof(int),
57855 + .mode = 0600,
57856 + .proc_handler = &proc_dointvec,
57857 + },
57858 +#endif
57859 + {
57860 + .ctl_name = CTL_UNNUMBERED,
57861 + .procname = "grsec_lock",
57862 + .data = &grsec_lock,
57863 + .maxlen = sizeof(int),
57864 + .mode = 0600,
57865 + .proc_handler = &proc_dointvec,
57866 + },
57867 +#endif
57868 +#ifdef CONFIG_GRKERNSEC_ROFS
57869 + {
57870 + .ctl_name = CTL_UNNUMBERED,
57871 + .procname = "romount_protect",
57872 + .data = &grsec_enable_rofs,
57873 + .maxlen = sizeof(int),
57874 + .mode = 0600,
57875 + .proc_handler = &proc_dointvec_minmax,
57876 + .extra1 = &one,
57877 + .extra2 = &one,
57878 + },
57879 +#endif
57880 + { .ctl_name = 0 }
57881 +};
57882 +#endif
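Review bot: Nothing in `grsecurity_table[]` says that `grsec_lock` and `romount_protect` are made one-way by two different mechanisms, which makes either easy to weaken in a later edit. The `grsec_lock` entry uses plain `proc_dointvec`, so its irreversibility rests entirely on `gr_handle_sysctl_mod()` refusing `MAY_WRITE` under `"grsecurity"` once the lock is non-zero; that function is compiled only under `CONFIG_GRKERNSEC_SYSCTL`, and its caller is not visible in this hunk. `romount_protect` is also built when only `CONFIG_GRKERNSEC_ROFS` is set, and in that configuration the `extra1`/`extra2` clamp to `one` is the only thing that stops it being cleared. I would add `/* one-way: gr_handle_sysctl_mod() refuses writes once grsec_lock is set */` above the `grsec_lock` entry and `/* min == max == 1: can be enabled at runtime, never cleared */` above `romount_protect`.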
57883 diff -urNp linux-2.6.32.46/grsecurity/grsec_time.c linux-2.6.32.46/grsecurity/grsec_time.c
57884 --- linux-2.6.32.46/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
57885 +++ linux-2.6.32.46/grsecurity/grsec_time.c 2011-04-17 15:56:46.000000000 -0400
57886 @@ -0,0 +1,16 @@
57887 +#include <linux/kernel.h>
57888 +#include <linux/sched.h>
57889 +#include <linux/grinternal.h>
57890 +#include <linux/module.h>
57891 +
57892 +void
57893 +gr_log_timechange(void)
57894 +{
57895 +#ifdef CONFIG_GRKERNSEC_TIME
57896 + if (grsec_enable_time)
57897 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
57898 +#endif
57899 + return;
57900 +}
57901 +
57902 +EXPORT_SYMBOL(gr_log_timechange);
57903 diff -urNp linux-2.6.32.46/grsecurity/grsec_tpe.c linux-2.6.32.46/grsecurity/grsec_tpe.c
57904 --- linux-2.6.32.46/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
57905 +++ linux-2.6.32.46/grsecurity/grsec_tpe.c 2011-04-17 15:56:46.000000000 -0400
57906 @@ -0,0 +1,39 @@
57907 +#include <linux/kernel.h>
57908 +#include <linux/sched.h>
57909 +#include <linux/file.h>
57910 +#include <linux/fs.h>
57911 +#include <linux/grinternal.h>
57912 +
57913 +extern int gr_acl_tpe_check(void);
57914 +
57915 +int
57916 +gr_tpe_allow(const struct file *file)
57917 +{
57918 +#ifdef CONFIG_GRKERNSEC
57919 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
57920 + const struct cred *cred = current_cred();
57921 +
57922 + if (cred->uid && ((grsec_enable_tpe &&
57923 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
57924 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
57925 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
57926 +#else
57927 + in_group_p(grsec_tpe_gid)
57928 +#endif
57929 + ) || gr_acl_tpe_check()) &&
57930 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
57931 + (inode->i_mode & S_IWOTH))))) {
57932 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
57933 + return 0;
57934 + }
57935 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
57936 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
57937 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
57938 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
57939 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
57940 + return 0;
57941 + }
57942 +#endif
57943 +#endif
57944 + return 1;
57945 +}
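Review bot: `gr_tpe_allow()` reads `file->f_path.dentry->d_parent->d_inode` without taking a reference on the parent, so a concurrent rename can change `d_parent` while the owner and mode bits are being tested, and nothing in this function keeps the old parent dentry alive. Unless the caller already holds something that keeps the parent stable (not visible in this hunk), pinning it with `dget_parent()` and releasing it with `dput()` on every return path would close that window. The sketch below sends both deny paths through a single exit so the reference is always dropped.

```c
#ifdef CONFIG_GRKERNSEC
	struct dentry *parent = dget_parent(file->f_path.dentry);
	struct inode *inode = parent->d_inode;
	const struct cred *cred = current_cred();
	int allowed = 1;

	/* … unchanged: first TPE condition and its gr_log_fs_generic() call; `return 0;` becomes … */
		allowed = 0;
		goto out;

	/* … unchanged: CONFIG_GRKERNSEC_TPE_ALL condition and its gr_log_fs_generic() call; `return 0;` becomes … */
		allowed = 0;
		goto out;

	/* placed just before the closing #endif of CONFIG_GRKERNSEC */
out:
	dput(parent);
	return allowed;
	/* … unchanged: #endif and the final `return 1;` for the non-grsecurity build … */
```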
57946 diff -urNp linux-2.6.32.46/grsecurity/grsum.c linux-2.6.32.46/grsecurity/grsum.c
57947 --- linux-2.6.32.46/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
57948 +++ linux-2.6.32.46/grsecurity/grsum.c 2011-04-17 15:56:46.000000000 -0400
57949 @@ -0,0 +1,61 @@
57950 +#include <linux/err.h>
57951 +#include <linux/kernel.h>
57952 +#include <linux/sched.h>
57953 +#include <linux/mm.h>
57954 +#include <linux/scatterlist.h>
57955 +#include <linux/crypto.h>
57956 +#include <linux/gracl.h>
57957 +
57958 +
57959 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
57960 +#error "crypto and sha256 must be built into the kernel"
57961 +#endif
57962 +
57963 +int
57964 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
57965 +{
57966 + char *p;
57967 + struct crypto_hash *tfm;
57968 + struct hash_desc desc;
57969 + struct scatterlist sg;
57970 + unsigned char temp_sum[GR_SHA_LEN];
57971 + volatile int retval = 0;
57972 + volatile int dummy = 0;
57973 + unsigned int i;
57974 +
57975 + sg_init_table(&sg, 1);
57976 +
57977 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
57978 + if (IS_ERR(tfm)) {
57979 + /* should never happen, since sha256 should be built in */
57980 + return 1;
57981 + }
57982 +
57983 + desc.tfm = tfm;
57984 + desc.flags = 0;
57985 +
57986 + crypto_hash_init(&desc);
57987 +
57988 + p = salt;
57989 + sg_set_buf(&sg, p, GR_SALT_LEN);
57990 + crypto_hash_update(&desc, &sg, sg.length);
57991 +
57992 + p = entry->pw;
57993 + sg_set_buf(&sg, p, strlen(p));
57994 +
57995 + crypto_hash_update(&desc, &sg, sg.length);
57996 +
57997 + crypto_hash_final(&desc, temp_sum);
57998 +
57999 + memset(entry->pw, 0, GR_PW_LEN);
58000 +
58001 + for (i = 0; i < GR_SHA_LEN; i++)
58002 + if (sum[i] != temp_sum[i])
58003 + retval = 1;
58004 + else
58005 + dummy = 1; // waste a cycle
58006 +
58007 + crypto_free_hash(tfm);
58008 +
58009 + return retval;
58010 +}
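Review bot: `chkpw()` ignores the return values of `crypto_hash_init()`, `crypto_hash_update()` and `crypto_hash_final()`, so if any of them fails the loop compares `sum` against an uninitialised `temp_sum` and the result depends on stack contents. The early `return 1` after `crypto_alloc_hash()` also skips the `memset(entry->pw, 0, GR_PW_LEN)`, leaving the plaintext password in the caller's buffer on that path. I would treat any digest failure as a mismatch and wipe the password on every exit, as sketched below.

```c
	if (IS_ERR(tfm)) {
		/* should never happen, since sha256 should be built in */
		memset(entry->pw, 0, GR_PW_LEN);
		return 1;
	}

	/* … unchanged: desc.tfm / desc.flags setup … */
	if (crypto_hash_init(&desc))
		goto fail;

	/* … unchanged: sg_set_buf() on the salt … */
	if (crypto_hash_update(&desc, &sg, sg.length))
		goto fail;

	/* … unchanged: sg_set_buf() on entry->pw … */
	if (crypto_hash_update(&desc, &sg, sg.length))
		goto fail;

	if (crypto_hash_final(&desc, temp_sum))
		goto fail;

	/* … unchanged: password wipe, comparison loop, crypto_free_hash() and `return retval;` … */

fail:
	/* a digest that could not be computed never matches; still wipe the password */
	memset(entry->pw, 0, GR_PW_LEN);
	crypto_free_hash(tfm);
	return 1;
```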
58011 diff -urNp linux-2.6.32.46/grsecurity/Kconfig linux-2.6.32.46/grsecurity/Kconfig
58012 --- linux-2.6.32.46/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
58013 +++ linux-2.6.32.46/grsecurity/Kconfig 2011-08-17 19:04:25.000000000 -0400
58014 @@ -0,0 +1,1037 @@
58015 +#
58016 +# grecurity configuration
58017 +#
58018 +
58019 +menu "Grsecurity"
58020 +
58021 +config GRKERNSEC
58022 + bool "Grsecurity"
58023 + select CRYPTO
58024 + select CRYPTO_SHA256
58025 + help
58026 + If you say Y here, you will be able to configure many features
58027 + that will enhance the security of your system. It is highly
58028 + recommended that you say Y here and read through the help
58029 + for each option so that you fully understand the features and
58030 + can evaluate their usefulness for your machine.
58031 +
58032 +choice
58033 + prompt "Security Level"
58034 + depends on GRKERNSEC
58035 + default GRKERNSEC_CUSTOM
58036 +
58037 +config GRKERNSEC_LOW
58038 + bool "Low"
58039 + select GRKERNSEC_LINK
58040 + select GRKERNSEC_FIFO
58041 + select GRKERNSEC_RANDNET
58042 + select GRKERNSEC_DMESG
58043 + select GRKERNSEC_CHROOT
58044 + select GRKERNSEC_CHROOT_CHDIR
58045 +
58046 + help
58047 + If you choose this option, several of the grsecurity options will
58048 + be enabled that will give you greater protection against a number
58049 + of attacks, while assuring that none of your software will have any
58050 + conflicts with the additional security measures. If you run a lot
58051 + of unusual software, or you are having problems with the higher
58052 + security levels, you should say Y here. With this option, the
58053 + following features are enabled:
58054 +
58055 + - Linking restrictions
58056 + - FIFO restrictions
58057 + - Restricted dmesg
58058 + - Enforced chdir("/") on chroot
58059 + - Runtime module disabling
58060 +
58061 +config GRKERNSEC_MEDIUM
58062 + bool "Medium"
58063 + select PAX
58064 + select PAX_EI_PAX
58065 + select PAX_PT_PAX_FLAGS
58066 + select PAX_HAVE_ACL_FLAGS
58067 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
58068 + select GRKERNSEC_CHROOT
58069 + select GRKERNSEC_CHROOT_SYSCTL
58070 + select GRKERNSEC_LINK
58071 + select GRKERNSEC_FIFO
58072 + select GRKERNSEC_DMESG
58073 + select GRKERNSEC_RANDNET
58074 + select GRKERNSEC_FORKFAIL
58075 + select GRKERNSEC_TIME
58076 + select GRKERNSEC_SIGNAL
58077 + select GRKERNSEC_CHROOT
58078 + select GRKERNSEC_CHROOT_UNIX
58079 + select GRKERNSEC_CHROOT_MOUNT
58080 + select GRKERNSEC_CHROOT_PIVOT
58081 + select GRKERNSEC_CHROOT_DOUBLE
58082 + select GRKERNSEC_CHROOT_CHDIR
58083 + select GRKERNSEC_CHROOT_MKNOD
58084 + select GRKERNSEC_PROC
58085 + select GRKERNSEC_PROC_USERGROUP
58086 + select PAX_RANDUSTACK
58087 + select PAX_ASLR
58088 + select PAX_RANDMMAP
58089 + select PAX_REFCOUNT if (X86 || SPARC64)
58090 + select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
58091 +
58092 + help
58093 + If you say Y here, several features in addition to those included
58094 + in the low additional security level will be enabled. These
58095 + features provide even more security to your system, though in rare
58096 + cases they may be incompatible with very old or poorly written
58097 + software. If you enable this option, make sure that your auth
58098 + service (identd) is running as gid 1001. With this option,
58099 + the following features (in addition to those provided in the
58100 + low additional security level) will be enabled:
58101 +
58102 + - Failed fork logging
58103 + - Time change logging
58104 + - Signal logging
58105 + - Deny mounts in chroot
58106 + - Deny double chrooting
58107 + - Deny sysctl writes in chroot
58108 + - Deny mknod in chroot
58109 + - Deny access to abstract AF_UNIX sockets out of chroot
58110 + - Deny pivot_root in chroot
58111 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
58112 + - /proc restrictions with special GID set to 10 (usually wheel)
58113 + - Address Space Layout Randomization (ASLR)
58114 + - Prevent exploitation of most refcount overflows
58115 + - Bounds checking of copying between the kernel and userland
58116 +
58117 +config GRKERNSEC_HIGH
58118 + bool "High"
58119 + select GRKERNSEC_LINK
58120 + select GRKERNSEC_FIFO
58121 + select GRKERNSEC_DMESG
58122 + select GRKERNSEC_FORKFAIL
58123 + select GRKERNSEC_TIME
58124 + select GRKERNSEC_SIGNAL
58125 + select GRKERNSEC_CHROOT
58126 + select GRKERNSEC_CHROOT_SHMAT
58127 + select GRKERNSEC_CHROOT_UNIX
58128 + select GRKERNSEC_CHROOT_MOUNT
58129 + select GRKERNSEC_CHROOT_FCHDIR
58130 + select GRKERNSEC_CHROOT_PIVOT
58131 + select GRKERNSEC_CHROOT_DOUBLE
58132 + select GRKERNSEC_CHROOT_CHDIR
58133 + select GRKERNSEC_CHROOT_MKNOD
58134 + select GRKERNSEC_CHROOT_CAPS
58135 + select GRKERNSEC_CHROOT_SYSCTL
58136 + select GRKERNSEC_CHROOT_FINDTASK
58137 + select GRKERNSEC_SYSFS_RESTRICT
58138 + select GRKERNSEC_PROC
58139 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
58140 + select GRKERNSEC_HIDESYM
58141 + select GRKERNSEC_BRUTE
58142 + select GRKERNSEC_PROC_USERGROUP
58143 + select GRKERNSEC_KMEM
58144 + select GRKERNSEC_RESLOG
58145 + select GRKERNSEC_RANDNET
58146 + select GRKERNSEC_PROC_ADD
58147 + select GRKERNSEC_CHROOT_CHMOD
58148 + select GRKERNSEC_CHROOT_NICE
58149 + select GRKERNSEC_AUDIT_MOUNT
58150 + select GRKERNSEC_MODHARDEN if (MODULES)
58151 + select GRKERNSEC_HARDEN_PTRACE
58152 + select GRKERNSEC_VM86 if (X86_32)
58153 + select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
58154 + select PAX
58155 + select PAX_RANDUSTACK
58156 + select PAX_ASLR
58157 + select PAX_RANDMMAP
58158 + select PAX_NOEXEC
58159 + select PAX_MPROTECT
58160 + select PAX_EI_PAX
58161 + select PAX_PT_PAX_FLAGS
58162 + select PAX_HAVE_ACL_FLAGS
58163 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
58164 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
58165 + select PAX_RANDKSTACK if (X86_TSC && X86)
58166 + select PAX_SEGMEXEC if (X86_32)
58167 + select PAX_PAGEEXEC
58168 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
58169 + select PAX_EMUTRAMP if (PARISC)
58170 + select PAX_EMUSIGRT if (PARISC)
58171 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
58172 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
58173 + select PAX_REFCOUNT if (X86 || SPARC64)
58174 + select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
58175 + help
58176 + If you say Y here, many of the features of grsecurity will be
58177 + enabled, which will protect you against many kinds of attacks
58178 + against your system. The heightened security comes at a cost
58179 + of an increased chance of incompatibilities with rare software
58180 + on your machine. Since this security level enables PaX, you should
58181 + view <http://pax.grsecurity.net> and read about the PaX
58182 + project. While you are there, download chpax and run it on
58183 + binaries that cause problems with PaX. Also remember that
58184 + since the /proc restrictions are enabled, you must run your
58185 + identd as gid 1001. This security level enables the following
58186 + features in addition to those listed in the low and medium
58187 + security levels:
58188 +
58189 + - Additional /proc restrictions
58190 + - Chmod restrictions in chroot
58191 + - No signals, ptrace, or viewing of processes outside of chroot
58192 + - Capability restrictions in chroot
58193 + - Deny fchdir out of chroot
58194 + - Priority restrictions in chroot
58195 + - Segmentation-based implementation of PaX
58196 + - Mprotect restrictions
58197 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
58198 + - Kernel stack randomization
58199 + - Mount/unmount/remount logging
58200 + - Kernel symbol hiding
58201 + - Prevention of memory exhaustion-based exploits
58202 + - Hardening of module auto-loading
58203 + - Ptrace restrictions
58204 + - Restricted vm86 mode
58205 + - Restricted sysfs/debugfs
58206 + - Active kernel exploit response
58207 +
58208 +config GRKERNSEC_CUSTOM
58209 + bool "Custom"
58210 + help
58211 + If you say Y here, you will be able to configure every grsecurity
58212 + option, which allows you to enable many more features that aren't
58213 + covered in the basic security levels. These additional features
58214 + include TPE, socket restrictions, and the sysctl system for
58215 + grsecurity. It is advised that you read through the help for
58216 + each option to determine its usefulness in your situation.
58217 +
58218 +endchoice
58219 +
58220 +menu "Address Space Protection"
58221 +depends on GRKERNSEC
58222 +
58223 +config GRKERNSEC_KMEM
58224 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
58225 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
58226 + help
58227 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
58228 + be written to via mmap or otherwise to modify the running kernel.
58229 + /dev/port will also not be allowed to be opened. If you have module
58230 + support disabled, enabling this will close up four ways that are
58231 + currently used to insert malicious code into the running kernel.
58232 + Even with all these features enabled, we still highly recommend that
58233 + you use the RBAC system, as it is still possible for an attacker to
58234 + modify the running kernel through privileged I/O granted by ioperm/iopl.
58235 + If you are not using XFree86, you may be able to stop this additional
58236 + case by enabling the 'Disable privileged I/O' option. Though nothing
58237 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
58238 + but only to video memory, which is the only writing we allow in this
58239 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
58240 + not be allowed to mprotect it with PROT_WRITE later.
58241 + It is highly recommended that you say Y here if you meet all the
58242 + conditions above.
58243 +
58244 +config GRKERNSEC_VM86
58245 + bool "Restrict VM86 mode"
58246 + depends on X86_32
58247 +
58248 + help
58249 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
58250 + make use of a special execution mode on 32bit x86 processors called
58251 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
58252 + video cards and will still work with this option enabled. The purpose
58253 + of the option is to prevent exploitation of emulation errors in
58254 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
58255 + Nearly all users should be able to enable this option.
58256 +
58257 +config GRKERNSEC_IO
58258 + bool "Disable privileged I/O"
58259 + depends on X86
58260 + select RTC_CLASS
58261 + select RTC_INTF_DEV
58262 + select RTC_DRV_CMOS
58263 +
58264 + help
58265 + If you say Y here, all ioperm and iopl calls will return an error.
58266 + Ioperm and iopl can be used to modify the running kernel.
58267 + Unfortunately, some programs need this access to operate properly,
58268 + the most notable of which are XFree86 and hwclock. hwclock can be
58269 + remedied by having RTC support in the kernel, so real-time
58270 + clock support is enabled if this option is enabled, to ensure
58271 + that hwclock operates correctly. XFree86 still will not
58272 + operate correctly with this option enabled, so DO NOT CHOOSE Y
58273 + IF YOU USE XFree86. If you use XFree86 and you still want to
58274 + protect your kernel against modification, use the RBAC system.
58275 +
58276 +config GRKERNSEC_PROC_MEMMAP
58277 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
58278 + default y if (PAX_NOEXEC || PAX_ASLR)
58279 + depends on PAX_NOEXEC || PAX_ASLR
58280 + help
58281 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
58282 + give no information about the addresses of its mappings if
58283 + PaX features that rely on random addresses are enabled on the task.
58284 + If you use PaX it is greatly recommended that you say Y here as it
58285 + closes up a hole that makes the full ASLR useless for suid
58286 + binaries.
58287 +
58288 +config GRKERNSEC_BRUTE
58289 + bool "Deter exploit bruteforcing"
58290 + help
58291 + If you say Y here, attempts to bruteforce exploits against forking
58292 + daemons such as apache or sshd, as well as against suid/sgid binaries
58293 + will be deterred. When a child of a forking daemon is killed by PaX
58294 + or crashes due to an illegal instruction or other suspicious signal,
58295 + the parent process will be delayed 30 seconds upon every subsequent
58296 + fork until the administrator is able to assess the situation and
58297 + restart the daemon.
58298 + In the suid/sgid case, the attempt is logged, the user has all their
58299 + processes terminated, and they are prevented from executing any further
58300 + processes for 15 minutes.
58301 + It is recommended that you also enable signal logging in the auditing
58302 + section so that logs are generated when a process triggers a suspicious
58303 + signal.
58304 + If the sysctl option is enabled, a sysctl option with name
58305 + "deter_bruteforce" is created.
58306 +
58307 +config GRKERNSEC_MODHARDEN
58308 + bool "Harden module auto-loading"
58309 + depends on MODULES
58310 + help
58311 + If you say Y here, module auto-loading in response to use of some
58312 + feature implemented by an unloaded module will be restricted to
58313 + root users. Enabling this option helps defend against attacks
58314 + by unprivileged users who abuse the auto-loading behavior to
58315 + cause a vulnerable module to load that is then exploited.
58316 +
58317 + If this option prevents a legitimate use of auto-loading for a
58318 + non-root user, the administrator can execute modprobe manually
58319 + with the exact name of the module mentioned in the alert log.
58320 + Alternatively, the administrator can add the module to the list
58321 + of modules loaded at boot by modifying init scripts.
58322 +
58323 + Modification of init scripts will most likely be needed on
58324 + Ubuntu servers with encrypted home directory support enabled,
58325 + as the first non-root user logging in will cause the ecb(aes),
58326 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
58327 +
58328 +config GRKERNSEC_HIDESYM
58329 + bool "Hide kernel symbols"
58330 + help
58331 + If you say Y here, getting information on loaded modules, and
58332 + displaying all kernel symbols through a syscall will be restricted
58333 + to users with CAP_SYS_MODULE. For software compatibility reasons,
58334 + /proc/kallsyms will be restricted to the root user. The RBAC
58335 + system can hide that entry even from root.
58336 +
58337 + This option also prevents leaking of kernel addresses through
58338 + several /proc entries.
58339 +
58340 + Note that this option is only effective provided the following
58341 + conditions are met:
58342 + 1) The kernel using grsecurity is not precompiled by some distribution
58343 + 2) You have also enabled GRKERNSEC_DMESG
58344 + 3) You are using the RBAC system and hiding other files such as your
58345 + kernel image and System.map. Alternatively, enabling this option
58346 + causes the permissions on /boot, /lib/modules, and the kernel
58347 + source directory to change at compile time to prevent
58348 + reading by non-root users.
58349 + If the above conditions are met, this option will aid in providing a
58350 + useful protection against local kernel exploitation of overflows
58351 + and arbitrary read/write vulnerabilities.
58352 +
58353 +config GRKERNSEC_KERN_LOCKOUT
58354 + bool "Active kernel exploit response"
58355 + depends on X86 || ARM || PPC || SPARC
58356 + help
58357 + If you say Y here, when a PaX alert is triggered due to suspicious
58358 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
58359 + or an OOPs occurs due to bad memory accesses, instead of just
58360 + terminating the offending process (and potentially allowing
58361 + a subsequent exploit from the same user), we will take one of two
58362 + actions:
58363 + If the user was root, we will panic the system
58364 + If the user was non-root, we will log the attempt, terminate
58365 + all processes owned by the user, then prevent them from creating
58366 + any new processes until the system is restarted
58367 + This deters repeated kernel exploitation/bruteforcing attempts
58368 + and is useful for later forensics.
58369 +
58370 +endmenu
58371 +menu "Role Based Access Control Options"
58372 +depends on GRKERNSEC
58373 +
58374 +config GRKERNSEC_RBAC_DEBUG
58375 + bool
58376 +
58377 +config GRKERNSEC_NO_RBAC
58378 + bool "Disable RBAC system"
58379 + help
58380 + If you say Y here, the /dev/grsec device will be removed from the kernel,
58381 + preventing the RBAC system from being enabled. You should only say Y
58382 + here if you have no intention of using the RBAC system, so as to prevent
58383 + an attacker with root access from misusing the RBAC system to hide files
58384 + and processes when loadable module support and /dev/[k]mem have been
58385 + locked down.
58386 +
58387 +config GRKERNSEC_ACL_HIDEKERN
58388 + bool "Hide kernel processes"
58389 + help
58390 + If you say Y here, all kernel threads will be hidden to all
58391 + processes but those whose subject has the "view hidden processes"
58392 + flag.
58393 +
58394 +config GRKERNSEC_ACL_MAXTRIES
58395 + int "Maximum tries before password lockout"
58396 + default 3
58397 + help
58398 + This option enforces the maximum number of times a user can attempt
58399 + to authorize themselves with the grsecurity RBAC system before being
58400 + denied the ability to attempt authorization again for a specified time.
58401 + The lower the number, the harder it will be to brute-force a password.
58402 +
58403 +config GRKERNSEC_ACL_TIMEOUT
58404 + int "Time to wait after max password tries, in seconds"
58405 + default 30
58406 + help
58407 + This option specifies the time the user must wait after attempting to
58408 + authorize to the RBAC system with the maximum number of invalid
58409 + passwords. The higher the number, the harder it will be to brute-force
58410 + a password.
58411 +
58412 +endmenu
58413 +menu "Filesystem Protections"
58414 +depends on GRKERNSEC
58415 +
58416 +config GRKERNSEC_PROC
58417 + bool "Proc restrictions"
58418 + help
58419 + If you say Y here, the permissions of the /proc filesystem
58420 + will be altered to enhance system security and privacy. You MUST
58421 + choose either a user only restriction or a user and group restriction.
58422 + Depending upon the option you choose, you can either restrict users to
58423 + see only the processes they themselves run, or choose a group that can
58424 + view all processes and files normally restricted to root if you choose
58425 + the "restrict to user only" option. NOTE: If you're running identd as
58426 + a non-root user, you will have to run it as the group you specify here.
58427 +
58428 +config GRKERNSEC_PROC_USER
58429 + bool "Restrict /proc to user only"
58430 + depends on GRKERNSEC_PROC
58431 + help
58432 + If you say Y here, non-root users will only be able to view their own
58433 + processes, and restricts them from viewing network-related information,
58434 + and viewing kernel symbol and module information.
58435 +
58436 +config GRKERNSEC_PROC_USERGROUP
58437 + bool "Allow special group"
58438 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
58439 + help
58440 + If you say Y here, you will be able to select a group that will be
58441 + able to view all processes and network-related information. If you've
58442 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
58443 + remain hidden. This option is useful if you want to run identd as
58444 + a non-root user.
58445 +
58446 +config GRKERNSEC_PROC_GID
58447 + int "GID for special group"
58448 + depends on GRKERNSEC_PROC_USERGROUP
58449 + default 1001
58450 +
58451 +config GRKERNSEC_PROC_ADD
58452 + bool "Additional restrictions"
58453 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
58454 + help
58455 + If you say Y here, additional restrictions will be placed on
58456 + /proc that keep normal users from viewing device information and
58457 + slabinfo information that could be useful for exploits.
58458 +
58459 +config GRKERNSEC_LINK
58460 + bool "Linking restrictions"
58461 + help
58462 + If you say Y here, /tmp race exploits will be prevented, since users
58463 + will no longer be able to follow symlinks owned by other users in
58464 + world-writable +t directories (e.g. /tmp), unless the owner of the
58465 + symlink is the owner of the directory. users will also not be
58466 + able to hardlink to files they do not own. If the sysctl option is
58467 + enabled, a sysctl option with name "linking_restrictions" is created.
58468 +
58469 +config GRKERNSEC_FIFO
58470 + bool "FIFO restrictions"
58471 + help
58472 + If you say Y here, users will not be able to write to FIFOs they don't
58473 + own in world-writable +t directories (e.g. /tmp), unless the owner of
58474 + the FIFO is the same owner of the directory it's held in. If the sysctl
58475 + option is enabled, a sysctl option with name "fifo_restrictions" is
58476 + created.
58477 +
58478 +config GRKERNSEC_SYSFS_RESTRICT
58479 + bool "Sysfs/debugfs restriction"
58480 + depends on SYSFS
58481 + help
58482 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
58483 + any filesystem normally mounted under it (e.g. debugfs) will only
58484 + be accessible by root. These filesystems generally provide access
58485 + to hardware and debug information that isn't appropriate for unprivileged
58486 + users of the system. Sysfs and debugfs have also become a large source
58487 + of new vulnerabilities, ranging from infoleaks to local compromise.
58488 + There has been very little oversight with an eye toward security involved
58489 + in adding new exporters of information to these filesystems, so their
58490 + use is discouraged.
58491 + This option is equivalent to a chmod 0700 of the mount paths.
58492 +
58493 +config GRKERNSEC_ROFS
58494 + bool "Runtime read-only mount protection"
58495 + help
58496 + If you say Y here, a sysctl option with name "romount_protect" will
58497 + be created. By setting this option to 1 at runtime, filesystems
58498 + will be protected in the following ways:
58499 + * No new writable mounts will be allowed
58500 + * Existing read-only mounts won't be able to be remounted read/write
58501 + * Write operations will be denied on all block devices
58502 + This option acts independently of grsec_lock: once it is set to 1,
58503 + it cannot be turned off. Therefore, please be mindful of the resulting
58504 + behavior if this option is enabled in an init script on a read-only
58505 + filesystem. This feature is mainly intended for secure embedded systems.
58506 +
58507 +config GRKERNSEC_CHROOT
58508 + bool "Chroot jail restrictions"
58509 + help
58510 + If you say Y here, you will be able to choose several options that will
58511 + make breaking out of a chrooted jail much more difficult. If you
58512 + encounter no software incompatibilities with the following options, it
58513 + is recommended that you enable each one.
58514 +
58515 +config GRKERNSEC_CHROOT_MOUNT
58516 + bool "Deny mounts"
58517 + depends on GRKERNSEC_CHROOT
58518 + help
58519 + If you say Y here, processes inside a chroot will not be able to
58520 + mount or remount filesystems. If the sysctl option is enabled, a
58521 + sysctl option with name "chroot_deny_mount" is created.
58522 +
58523 +config GRKERNSEC_CHROOT_DOUBLE
58524 + bool "Deny double-chroots"
58525 + depends on GRKERNSEC_CHROOT
58526 + help
58527 + If you say Y here, processes inside a chroot will not be able to chroot
58528 + again outside the chroot. This is a widely used method of breaking
58529 + out of a chroot jail and should not be allowed. If the sysctl
58530 + option is enabled, a sysctl option with name
58531 + "chroot_deny_chroot" is created.
58532 +
58533 +config GRKERNSEC_CHROOT_PIVOT
58534 + bool "Deny pivot_root in chroot"
58535 + depends on GRKERNSEC_CHROOT
58536 + help
58537 + If you say Y here, processes inside a chroot will not be able to use
58538 + a function called pivot_root() that was introduced in Linux 2.3.41. It
58539 + works similar to chroot in that it changes the root filesystem. This
58540 + function could be misused in a chrooted process to attempt to break out
58541 + of the chroot, and therefore should not be allowed. If the sysctl
58542 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
58543 + created.
58544 +
58545 +config GRKERNSEC_CHROOT_CHDIR
58546 + bool "Enforce chdir(\"/\") on all chroots"
58547 + depends on GRKERNSEC_CHROOT
58548 + help
58549 + If you say Y here, the current working directory of all newly-chrooted
58550 + applications will be set to the the root directory of the chroot.
58551 + The man page on chroot(2) states:
58552 + Note that this call does not change the current working
58553 + directory, so that `.' can be outside the tree rooted at
58554 + `/'. In particular, the super-user can escape from a
58555 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
58556 +
58557 + It is recommended that you say Y here, since it's not known to break
58558 + any software. If the sysctl option is enabled, a sysctl option with
58559 + name "chroot_enforce_chdir" is created.
58560 +
58561 +config GRKERNSEC_CHROOT_CHMOD
58562 + bool "Deny (f)chmod +s"
58563 + depends on GRKERNSEC_CHROOT
58564 + help
58565 + If you say Y here, processes inside a chroot will not be able to chmod
58566 + or fchmod files to make them have suid or sgid bits. This protects
58567 + against another published method of breaking a chroot. If the sysctl
58568 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
58569 + created.
58570 +
58571 +config GRKERNSEC_CHROOT_FCHDIR
58572 + bool "Deny fchdir out of chroot"
58573 + depends on GRKERNSEC_CHROOT
58574 + help
58575 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
58576 + to a file descriptor of the chrooting process that points to a directory
58577 + outside the filesystem will be stopped. If the sysctl option
58578 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
58579 +
58580 +config GRKERNSEC_CHROOT_MKNOD
58581 + bool "Deny mknod"
58582 + depends on GRKERNSEC_CHROOT
58583 + help
58584 + If you say Y here, processes inside a chroot will not be allowed to
58585 + mknod. The problem with using mknod inside a chroot is that it
58586 + would allow an attacker to create a device entry that is the same
58587 + as one on the physical root of your system, which could range from
58588 + anything from the console device to a device for your harddrive (which
58589 + they could then use to wipe the drive or steal data). It is recommended
58590 + that you say Y here, unless you run into software incompatibilities.
58591 + If the sysctl option is enabled, a sysctl option with name
58592 + "chroot_deny_mknod" is created.
58593 +
58594 +config GRKERNSEC_CHROOT_SHMAT
58595 + bool "Deny shmat() out of chroot"
58596 + depends on GRKERNSEC_CHROOT
58597 + help
58598 + If you say Y here, processes inside a chroot will not be able to attach
58599 + to shared memory segments that were created outside of the chroot jail.
58600 + It is recommended that you say Y here. If the sysctl option is enabled,
58601 + a sysctl option with name "chroot_deny_shmat" is created.
58602 +
58603 +config GRKERNSEC_CHROOT_UNIX
58604 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
58605 + depends on GRKERNSEC_CHROOT
58606 + help
58607 + If you say Y here, processes inside a chroot will not be able to
58608 + connect to abstract (meaning not belonging to a filesystem) Unix
58609 + domain sockets that were bound outside of a chroot. It is recommended
58610 + that you say Y here. If the sysctl option is enabled, a sysctl option
58611 + with name "chroot_deny_unix" is created.
58612 +
58613 +config GRKERNSEC_CHROOT_FINDTASK
58614 + bool "Protect outside processes"
58615 + depends on GRKERNSEC_CHROOT
58616 + help
58617 + If you say Y here, processes inside a chroot will not be able to
58618 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
58619 + getsid, or view any process outside of the chroot. If the sysctl
58620 + option is enabled, a sysctl option with name "chroot_findtask" is
58621 + created.
58622 +
58623 +config GRKERNSEC_CHROOT_NICE
58624 + bool "Restrict priority changes"
58625 + depends on GRKERNSEC_CHROOT
58626 + help
58627 + If you say Y here, processes inside a chroot will not be able to raise
58628 + the priority of processes in the chroot, or alter the priority of
58629 + processes outside the chroot. This provides more security than simply
58630 + removing CAP_SYS_NICE from the process' capability set. If the
58631 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
58632 + is created.
58633 +
58634 +config GRKERNSEC_CHROOT_SYSCTL
58635 + bool "Deny sysctl writes"
58636 + depends on GRKERNSEC_CHROOT
58637 + help
58638 + If you say Y here, an attacker in a chroot will not be able to
58639 + write to sysctl entries, either by sysctl(2) or through a /proc
58640 + interface. It is strongly recommended that you say Y here. If the
58641 + sysctl option is enabled, a sysctl option with name
58642 + "chroot_deny_sysctl" is created.
58643 +
58644 +config GRKERNSEC_CHROOT_CAPS
58645 + bool "Capability restrictions"
58646 + depends on GRKERNSEC_CHROOT
58647 + help
58648 + If you say Y here, the capabilities on all root processes within a
58649 + chroot jail will be lowered to stop module insertion, raw i/o,
58650 + system and net admin tasks, rebooting the system, modifying immutable
58651 + files, modifying IPC owned by another, and changing the system time.
58652 + This is left an option because it can break some apps. Disable this
58653 + if your chrooted apps are having problems performing those kinds of
58654 + tasks. If the sysctl option is enabled, a sysctl option with
58655 + name "chroot_caps" is created.
58656 +
58657 +endmenu
58658 +menu "Kernel Auditing"
58659 +depends on GRKERNSEC
58660 +
58661 +config GRKERNSEC_AUDIT_GROUP
58662 + bool "Single group for auditing"
58663 + help
58664 + If you say Y here, the exec, chdir, and (un)mount logging features
58665 + will only operate on a group you specify. This option is recommended
58666 + if you only want to watch certain users instead of having a large
58667 + amount of logs from the entire system. If the sysctl option is enabled,
58668 + a sysctl option with name "audit_group" is created.
58669 +
58670 +config GRKERNSEC_AUDIT_GID
58671 + int "GID for auditing"
58672 + depends on GRKERNSEC_AUDIT_GROUP
58673 + default 1007
58674 +
58675 +config GRKERNSEC_EXECLOG
58676 + bool "Exec logging"
58677 + help
58678 + If you say Y here, all execve() calls will be logged (since the
58679 + other exec*() calls are frontends to execve(), all execution
58680 + will be logged). Useful for shell-servers that like to keep track
58681 + of their users. If the sysctl option is enabled, a sysctl option with
58682 + name "exec_logging" is created.
58683 + WARNING: This option when enabled will produce a LOT of logs, especially
58684 + on an active system.
58685 +
58686 +config GRKERNSEC_RESLOG
58687 + bool "Resource logging"
58688 + help
58689 + If you say Y here, all attempts to overstep resource limits will
58690 + be logged with the resource name, the requested size, and the current
58691 + limit. It is highly recommended that you say Y here. If the sysctl
58692 + option is enabled, a sysctl option with name "resource_logging" is
58693 + created. If the RBAC system is enabled, the sysctl value is ignored.
58694 +
58695 +config GRKERNSEC_CHROOT_EXECLOG
58696 + bool "Log execs within chroot"
58697 + help
58698 + If you say Y here, all executions inside a chroot jail will be logged
58699 + to syslog. This can cause a large amount of logs if certain
58700 + applications (eg. djb's daemontools) are installed on the system, and
58701 + is therefore left as an option. If the sysctl option is enabled, a
58702 + sysctl option with name "chroot_execlog" is created.
58703 +
58704 +config GRKERNSEC_AUDIT_PTRACE
58705 + bool "Ptrace logging"
58706 + help
58707 + If you say Y here, all attempts to attach to a process via ptrace
58708 + will be logged. If the sysctl option is enabled, a sysctl option
58709 + with name "audit_ptrace" is created.
58710 +
58711 +config GRKERNSEC_AUDIT_CHDIR
58712 + bool "Chdir logging"
58713 + help
58714 + If you say Y here, all chdir() calls will be logged. If the sysctl
58715 + option is enabled, a sysctl option with name "audit_chdir" is created.
58716 +
58717 +config GRKERNSEC_AUDIT_MOUNT
58718 + bool "(Un)Mount logging"
58719 + help
58720 + If you say Y here, all mounts and unmounts will be logged. If the
58721 + sysctl option is enabled, a sysctl option with name "audit_mount" is
58722 + created.
58723 +
58724 +config GRKERNSEC_SIGNAL
58725 + bool "Signal logging"
58726 + help
58727 + If you say Y here, certain important signals will be logged, such as
58728 + SIGSEGV, which will as a result inform you of when a error in a program
58729 + occurred, which in some cases could mean a possible exploit attempt.
58730 + If the sysctl option is enabled, a sysctl option with name
58731 + "signal_logging" is created.
58732 +
58733 +config GRKERNSEC_FORKFAIL
58734 + bool "Fork failure logging"
58735 + help
58736 + If you say Y here, all failed fork() attempts will be logged.
58737 + This could suggest a fork bomb, or someone attempting to overstep
58738 + their process limit. If the sysctl option is enabled, a sysctl option
58739 + with name "forkfail_logging" is created.
58740 +
58741 +config GRKERNSEC_TIME
58742 + bool "Time change logging"
58743 + help
58744 + If you say Y here, any changes of the system clock will be logged.
58745 + If the sysctl option is enabled, a sysctl option with name
58746 + "timechange_logging" is created.
58747 +
58748 +config GRKERNSEC_PROC_IPADDR
58749 + bool "/proc/<pid>/ipaddr support"
58750 + help
58751 + If you say Y here, a new entry will be added to each /proc/<pid>
58752 + directory that contains the IP address of the person using the task.
58753 + The IP is carried across local TCP and AF_UNIX stream sockets.
58754 + This information can be useful for IDS/IPSes to perform remote response
58755 + to a local attack. The entry is readable by only the owner of the
58756 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
58757 + the RBAC system), and thus does not create privacy concerns.
58758 +
58759 +config GRKERNSEC_RWXMAP_LOG
58760 + bool 'Denied RWX mmap/mprotect logging'
58761 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
58762 + help
58763 + If you say Y here, calls to mmap() and mprotect() with explicit
58764 + usage of PROT_WRITE and PROT_EXEC together will be logged when
58765 + denied by the PAX_MPROTECT feature. If the sysctl option is
58766 + enabled, a sysctl option with name "rwxmap_logging" is created.
58767 +
58768 +config GRKERNSEC_AUDIT_TEXTREL
58769 + bool 'ELF text relocations logging (READ HELP)'
58770 + depends on PAX_MPROTECT
58771 + help
58772 + If you say Y here, text relocations will be logged with the filename
58773 + of the offending library or binary. The purpose of the feature is
58774 + to help Linux distribution developers get rid of libraries and
58775 + binaries that need text relocations which hinder the future progress
58776 + of PaX. Only Linux distribution developers should say Y here, and
58777 + never on a production machine, as this option creates an information
58778 + leak that could aid an attacker in defeating the randomization of
58779 + a single memory region. If the sysctl option is enabled, a sysctl
58780 + option with name "audit_textrel" is created.
58781 +
58782 +endmenu
58783 +
58784 +menu "Executable Protections"
58785 +depends on GRKERNSEC
58786 +
58787 +config GRKERNSEC_DMESG
58788 + bool "Dmesg(8) restriction"
58789 + help
58790 + If you say Y here, non-root users will not be able to use dmesg(8)
58791 + to view up to the last 4kb of messages in the kernel's log buffer.
58792 + The kernel's log buffer often contains kernel addresses and other
58793 + identifying information useful to an attacker in fingerprinting a
58794 + system for a targeted exploit.
58795 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
58796 + created.
58797 +
58798 +config GRKERNSEC_HARDEN_PTRACE
58799 + bool "Deter ptrace-based process snooping"
58800 + help
58801 + If you say Y here, TTY sniffers and other malicious monitoring
58802 + programs implemented through ptrace will be defeated. If you
58803 + have been using the RBAC system, this option has already been
58804 + enabled for several years for all users, with the ability to make
58805 + fine-grained exceptions.
58806 +
58807 + This option only affects the ability of non-root users to ptrace
58808 + processes that are not a descendent of the ptracing process.
58809 + This means that strace ./binary and gdb ./binary will still work,
58810 + but attaching to arbitrary processes will not. If the sysctl
58811 + option is enabled, a sysctl option with name "harden_ptrace" is
58812 + created.
58813 +
58814 +config GRKERNSEC_TPE
58815 + bool "Trusted Path Execution (TPE)"
58816 + help
58817 + If you say Y here, you will be able to choose a gid to add to the
58818 + supplementary groups of users you want to mark as "untrusted."
58819 + These users will not be able to execute any files that are not in
58820 + root-owned directories writable only by root. If the sysctl option
58821 + is enabled, a sysctl option with name "tpe" is created.
58822 +
58823 +config GRKERNSEC_TPE_ALL
58824 + bool "Partially restrict all non-root users"
58825 + depends on GRKERNSEC_TPE
58826 + help
58827 + If you say Y here, all non-root users will be covered under
58828 + a weaker TPE restriction. This is separate from, and in addition to,
58829 + the main TPE options that you have selected elsewhere. Thus, if a
58830 + "trusted" GID is chosen, this restriction applies to even that GID.
58831 + Under this restriction, all non-root users will only be allowed to
58832 + execute files in directories they own that are not group or
58833 + world-writable, or in directories owned by root and writable only by
58834 + root. If the sysctl option is enabled, a sysctl option with name
58835 + "tpe_restrict_all" is created.
58836 +
58837 +config GRKERNSEC_TPE_INVERT
58838 + bool "Invert GID option"
58839 + depends on GRKERNSEC_TPE
58840 + help
58841 + If you say Y here, the group you specify in the TPE configuration will
58842 + decide what group TPE restrictions will be *disabled* for. This
58843 + option is useful if you want TPE restrictions to be applied to most
58844 + users on the system. If the sysctl option is enabled, a sysctl option
58845 + with name "tpe_invert" is created. Unlike other sysctl options, this
58846 + entry will default to on for backward-compatibility.
58847 +
58848 +config GRKERNSEC_TPE_GID
58849 + int "GID for untrusted users"
58850 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
58851 + default 1005
58852 + help
58853 + Setting this GID determines what group TPE restrictions will be
58854 + *enabled* for. If the sysctl option is enabled, a sysctl option
58855 + with name "tpe_gid" is created.
58856 +
58857 +config GRKERNSEC_TPE_GID
58858 + int "GID for trusted users"
58859 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
58860 + default 1005
58861 + help
58862 + Setting this GID determines what group TPE restrictions will be
58863 + *disabled* for. If the sysctl option is enabled, a sysctl option
58864 + with name "tpe_gid" is created.
58865 +
58866 +endmenu
58867 +menu "Network Protections"
58868 +depends on GRKERNSEC
58869 +
58870 +config GRKERNSEC_RANDNET
58871 + bool "Larger entropy pools"
58872 + help
58873 + If you say Y here, the entropy pools used for many features of Linux
58874 + and grsecurity will be doubled in size. Since several grsecurity
58875 + features use additional randomness, it is recommended that you say Y
58876 + here. Saying Y here has a similar effect as modifying
58877 + /proc/sys/kernel/random/poolsize.
58878 +
58879 +config GRKERNSEC_BLACKHOLE
58880 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
58881 + depends on NET
58882 + help
58883 + If you say Y here, neither TCP resets nor ICMP
58884 + destination-unreachable packets will be sent in response to packets
58885 + sent to ports for which no associated listening process exists.
58886 + This feature supports both IPV4 and IPV6 and exempts the
58887 + loopback interface from blackholing. Enabling this feature
58888 + makes a host more resilient to DoS attacks and reduces network
58889 + visibility against scanners.
58890 +
58891 + The blackhole feature as-implemented is equivalent to the FreeBSD
58892 + blackhole feature, as it prevents RST responses to all packets, not
58893 + just SYNs. Under most application behavior this causes no
58894 + problems, but applications (like haproxy) may not close certain
58895 + connections in a way that cleanly terminates them on the remote
58896 + end, leaving the remote host in LAST_ACK state. Because of this
58897 + side-effect and to prevent intentional LAST_ACK DoSes, this
58898 + feature also adds automatic mitigation against such attacks.
58899 + The mitigation drastically reduces the amount of time a socket
58900 + can spend in LAST_ACK state. If you're using haproxy and not
58901 + all servers it connects to have this option enabled, consider
58902 + disabling this feature on the haproxy host.
58903 +
58904 + If the sysctl option is enabled, two sysctl options with names
58905 + "ip_blackhole" and "lastack_retries" will be created.
58906 + While "ip_blackhole" takes the standard zero/non-zero on/off
58907 + toggle, "lastack_retries" uses the same kinds of values as
58908 + "tcp_retries1" and "tcp_retries2". The default value of 4
58909 + prevents a socket from lasting more than 45 seconds in LAST_ACK
58910 + state.
58911 +
58912 +config GRKERNSEC_SOCKET
58913 + bool "Socket restrictions"
58914 + depends on NET
58915 + help
58916 + If you say Y here, you will be able to choose from several options.
58917 + If you assign a GID on your system and add it to the supplementary
58918 + groups of users you want to restrict socket access to, this patch
58919 + will perform up to three things, based on the option(s) you choose.
58920 +
58921 +config GRKERNSEC_SOCKET_ALL
58922 + bool "Deny any sockets to group"
58923 + depends on GRKERNSEC_SOCKET
58924 + help
58925 + If you say Y here, you will be able to choose a GID of whose users will
58926 + be unable to connect to other hosts from your machine or run server
58927 + applications from your machine. If the sysctl option is enabled, a
58928 + sysctl option with name "socket_all" is created.
58929 +
58930 +config GRKERNSEC_SOCKET_ALL_GID
58931 + int "GID to deny all sockets for"
58932 + depends on GRKERNSEC_SOCKET_ALL
58933 + default 1004
58934 + help
58935 + Here you can choose the GID to disable socket access for. Remember to
58936 + add the users you want socket access disabled for to the GID
58937 + specified here. If the sysctl option is enabled, a sysctl option
58938 + with name "socket_all_gid" is created.
58939 +
58940 +config GRKERNSEC_SOCKET_CLIENT
58941 + bool "Deny client sockets to group"
58942 + depends on GRKERNSEC_SOCKET
58943 + help
58944 + If you say Y here, you will be able to choose a GID of whose users will
58945 + be unable to connect to other hosts from your machine, but will be
58946 + able to run servers. If this option is enabled, all users in the group
58947 + you specify will have to use passive mode when initiating ftp transfers
58948 + from the shell on your machine. If the sysctl option is enabled, a
58949 + sysctl option with name "socket_client" is created.
58950 +
58951 +config GRKERNSEC_SOCKET_CLIENT_GID
58952 + int "GID to deny client sockets for"
58953 + depends on GRKERNSEC_SOCKET_CLIENT
58954 + default 1003
58955 + help
58956 + Here you can choose the GID to disable client socket access for.
58957 + Remember to add the users you want client socket access disabled for to
58958 + the GID specified here. If the sysctl option is enabled, a sysctl
58959 + option with name "socket_client_gid" is created.
58960 +
58961 +config GRKERNSEC_SOCKET_SERVER
58962 + bool "Deny server sockets to group"
58963 + depends on GRKERNSEC_SOCKET
58964 + help
58965 + If you say Y here, you will be able to choose a GID of whose users will
58966 + be unable to run server applications from your machine. If the sysctl
58967 + option is enabled, a sysctl option with name "socket_server" is created.
58968 +
58969 +config GRKERNSEC_SOCKET_SERVER_GID
58970 + int "GID to deny server sockets for"
58971 + depends on GRKERNSEC_SOCKET_SERVER
58972 + default 1002
58973 + help
58974 + Here you can choose the GID to disable server socket access for.
58975 + Remember to add the users you want server socket access disabled for to
58976 + the GID specified here. If the sysctl option is enabled, a sysctl
58977 + option with name "socket_server_gid" is created.
58978 +
58979 +endmenu
58980 +menu "Sysctl support"
58981 +depends on GRKERNSEC && SYSCTL
58982 +
58983 +config GRKERNSEC_SYSCTL
58984 + bool "Sysctl support"
58985 + help
58986 + If you say Y here, you will be able to change the options that
58987 + grsecurity runs with at bootup, without having to recompile your
58988 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
58989 + to enable (1) or disable (0) various features. All the sysctl entries
58990 + are mutable until the "grsec_lock" entry is set to a non-zero value.
58991 + All features enabled in the kernel configuration are disabled at boot
58992 + if you do not say Y to the "Turn on features by default" option.
58993 + All options should be set at startup, and the grsec_lock entry should
58994 + be set to a non-zero value after all the options are set.
58995 + *THIS IS EXTREMELY IMPORTANT*
58996 +
58997 +config GRKERNSEC_SYSCTL_DISTRO
58998 + bool "Extra sysctl support for distro makers (READ HELP)"
58999 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
59000 + help
59001 + If you say Y here, additional sysctl options will be created
59002 + for features that affect processes running as root. Therefore,
59003 + it is critical when using this option that the grsec_lock entry be
59004 + enabled after boot. Only distros with prebuilt kernel packages
59005 + with this option enabled that can ensure grsec_lock is enabled
59006 + after boot should use this option.
59007 + *Failure to set grsec_lock after boot makes all grsec features
59008 + this option covers useless*
59009 +
59010 + Currently this option creates the following sysctl entries:
59011 + "Disable Privileged I/O": "disable_priv_io"
59012 +
59013 +config GRKERNSEC_SYSCTL_ON
59014 + bool "Turn on features by default"
59015 + depends on GRKERNSEC_SYSCTL
59016 + help
59017 + If you say Y here, instead of having all features enabled in the
59018 + kernel configuration disabled at boot time, the features will be
59019 + enabled at boot time. It is recommended you say Y here unless
59020 + there is some reason you would want all sysctl-tunable features to
59021 + be disabled by default. As mentioned elsewhere, it is important
59022 + to enable the grsec_lock entry once you have finished modifying
59023 + the sysctl entries.
59024 +
59025 +endmenu
59026 +menu "Logging Options"
59027 +depends on GRKERNSEC
59028 +
59029 +config GRKERNSEC_FLOODTIME
59030 + int "Seconds in between log messages (minimum)"
59031 + default 10
59032 + help
59033 + This option allows you to enforce the number of seconds between
59034 + grsecurity log messages. The default should be suitable for most
59035 + people, however, if you choose to change it, choose a value small enough
59036 + to allow informative logs to be produced, but large enough to
59037 + prevent flooding.
59038 +
59039 +config GRKERNSEC_FLOODBURST
59040 + int "Number of messages in a burst (maximum)"
59041 + default 4
59042 + help
59043 + This option allows you to choose the maximum number of messages allowed
59044 + within the flood time interval you chose in a separate option. The
59045 + default should be suitable for most people, however if you find that
59046 + many of your logs are being interpreted as flooding, you may want to
59047 + raise this value.
59048 +
59049 +endmenu
59050 +
59051 +endmenu
59052 diff -urNp linux-2.6.32.46/grsecurity/Makefile linux-2.6.32.46/grsecurity/Makefile
59053 --- linux-2.6.32.46/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
59054 +++ linux-2.6.32.46/grsecurity/Makefile 2011-08-21 18:54:34.000000000 -0400
59055 @@ -0,0 +1,34 @@
59056 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
59057 +# during 2001-2009 it has been completely redesigned by Brad Spengler
59058 +# into an RBAC system
59059 +#
59060 +# All code in this directory and various hooks inserted throughout the kernel
59061 +# are copyright Brad Spengler - Open Source Security, Inc., and released
59062 +# under the GPL v2 or higher
59063 +
59064 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
59065 + grsec_mount.o grsec_sig.o grsec_sysctl.o \
59066 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
59067 +
59068 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
59069 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
59070 + gracl_learn.o grsec_log.o
59071 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
59072 +
59073 +ifdef CONFIG_NET
59074 +obj-y += grsec_sock.o
59075 +obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
59076 +endif
59077 +
59078 +ifndef CONFIG_GRKERNSEC
59079 +obj-y += grsec_disabled.o
59080 +endif
59081 +
59082 +ifdef CONFIG_GRKERNSEC_HIDESYM
59083 +extra-y := grsec_hidesym.o
59084 +$(obj)/grsec_hidesym.o:
59085 + @-chmod -f 500 /boot
59086 + @-chmod -f 500 /lib/modules
59087 + @-chmod -f 700 .
59088 + @echo ' grsec: protected kernel image paths'
59089 +endif
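Review bot: The recipe for `$(obj)/grsec_hidesym.o` ignores every chmod failure (`@-chmod -f ...`), yet the final `echo` always prints "protected kernel image paths", so an unprivileged build reports a protection that was never applied. The chmods also act on `/boot` and `/lib/modules` of the build host, so a kernel that is cross-built or packaged elsewhere leaves the target machine's directories untouched; the install step would need to set those modes. Printing the message only on success keeps the build non-fatal: `@chmod -f 500 /boot && chmod -f 500 /lib/modules && chmod -f 700 . && echo ' grsec: protected kernel image paths' || true`. The recipe never creates the target file, so it appears to rerun on every build; a comment saying this is intended would help.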
59090 diff -urNp linux-2.6.32.46/include/acpi/acpi_bus.h linux-2.6.32.46/include/acpi/acpi_bus.h
59091 --- linux-2.6.32.46/include/acpi/acpi_bus.h 2011-03-27 14:31:47.000000000 -0400
59092 +++ linux-2.6.32.46/include/acpi/acpi_bus.h 2011-08-05 20:33:55.000000000 -0400
59093 @@ -107,7 +107,7 @@ struct acpi_device_ops {
59094 acpi_op_bind bind;
59095 acpi_op_unbind unbind;
59096 acpi_op_notify notify;
59097 -};
59098 +} __no_const;
59099
59100 #define ACPI_DRIVER_ALL_NOTIFY_EVENTS 0x1 /* system AND device events */
59101
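Review bot: `__no_const` is added to `struct acpi_device_ops` with no comment saying which member is assigned at run time, and the same is true of the two `} __no_const;` changes in include/drm/drm_crtc_helper.h. Exempting an ops structure from constification presumably leaves its function pointers in writable memory, so the exemption deserves a stated reason that a later reviewer can re-check. A one-line comment above the closing brace would do, for example `/* __no_const: <member> is filled in at probe time by <driver> */`, with the placeholders replaced by the real writer. The struct definition starts outside this hunk.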
59102 diff -urNp linux-2.6.32.46/include/acpi/acpi_drivers.h linux-2.6.32.46/include/acpi/acpi_drivers.h
59103 --- linux-2.6.32.46/include/acpi/acpi_drivers.h 2011-03-27 14:31:47.000000000 -0400
59104 +++ linux-2.6.32.46/include/acpi/acpi_drivers.h 2011-04-17 15:56:46.000000000 -0400
59105 @@ -119,8 +119,8 @@ int acpi_processor_set_thermal_limit(acp
59106 Dock Station
59107 -------------------------------------------------------------------------- */
59108 struct acpi_dock_ops {
59109 - acpi_notify_handler handler;
59110 - acpi_notify_handler uevent;
59111 + const acpi_notify_handler handler;
59112 + const acpi_notify_handler uevent;
59113 };
59114
59115 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
59116 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
59117 extern int register_dock_notifier(struct notifier_block *nb);
59118 extern void unregister_dock_notifier(struct notifier_block *nb);
59119 extern int register_hotplug_dock_device(acpi_handle handle,
59120 - struct acpi_dock_ops *ops,
59121 + const struct acpi_dock_ops *ops,
59122 void *context);
59123 extern void unregister_hotplug_dock_device(acpi_handle handle);
59124 #else
59125 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
59126 {
59127 }
59128 static inline int register_hotplug_dock_device(acpi_handle handle,
59129 - struct acpi_dock_ops *ops,
59130 + const struct acpi_dock_ops *ops,
59131 void *context)
59132 {
59133 return -ENODEV;
59134 diff -urNp linux-2.6.32.46/include/asm-generic/atomic-long.h linux-2.6.32.46/include/asm-generic/atomic-long.h
59135 --- linux-2.6.32.46/include/asm-generic/atomic-long.h 2011-03-27 14:31:47.000000000 -0400
59136 +++ linux-2.6.32.46/include/asm-generic/atomic-long.h 2011-07-13 22:21:25.000000000 -0400
59137 @@ -22,6 +22,12 @@
59138
59139 typedef atomic64_t atomic_long_t;
59140
59141 +#ifdef CONFIG_PAX_REFCOUNT
59142 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
59143 +#else
59144 +typedef atomic64_t atomic_long_unchecked_t;
59145 +#endif
59146 +
59147 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
59148
59149 static inline long atomic_long_read(atomic_long_t *l)
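Review bot: The new `atomic_long_unchecked_t` typedef has no comment saying when a counter may use the unchecked type; the same applies to the 32-bit typedef in the `@@ -140,6 +200,12 @@` hunk. Under `CONFIG_PAX_REFCOUNT` it maps to a separate `atomic64_unchecked_t`, which presumably bypasses the overflow detection applied to the plain type, so choosing it for a reference count would silently remove that protection. I would add above the `#ifdef`: `/* _unchecked: only for counters where wraparound is harmless (statistics, sequence numbers); never for object reference counts */`.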
59150 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
59151 return (long)atomic64_read(v);
59152 }
59153
59154 +#ifdef CONFIG_PAX_REFCOUNT
59155 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
59156 +{
59157 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
59158 +
59159 + return (long)atomic64_read_unchecked(v);
59160 +}
59161 +#endif
59162 +
59163 static inline void atomic_long_set(atomic_long_t *l, long i)
59164 {
59165 atomic64_t *v = (atomic64_t *)l;
59166 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
59167 atomic64_set(v, i);
59168 }
59169
59170 +#ifdef CONFIG_PAX_REFCOUNT
59171 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
59172 +{
59173 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
59174 +
59175 + atomic64_set_unchecked(v, i);
59176 +}
59177 +#endif
59178 +
59179 static inline void atomic_long_inc(atomic_long_t *l)
59180 {
59181 atomic64_t *v = (atomic64_t *)l;
59182 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
59183 atomic64_inc(v);
59184 }
59185
59186 +#ifdef CONFIG_PAX_REFCOUNT
59187 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
59188 +{
59189 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
59190 +
59191 + atomic64_inc_unchecked(v);
59192 +}
59193 +#endif
59194 +
59195 static inline void atomic_long_dec(atomic_long_t *l)
59196 {
59197 atomic64_t *v = (atomic64_t *)l;
59198 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
59199 atomic64_dec(v);
59200 }
59201
59202 +#ifdef CONFIG_PAX_REFCOUNT
59203 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
59204 +{
59205 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
59206 +
59207 + atomic64_dec_unchecked(v);
59208 +}
59209 +#endif
59210 +
59211 static inline void atomic_long_add(long i, atomic_long_t *l)
59212 {
59213 atomic64_t *v = (atomic64_t *)l;
59214 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
59215 atomic64_add(i, v);
59216 }
59217
59218 +#ifdef CONFIG_PAX_REFCOUNT
59219 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
59220 +{
59221 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
59222 +
59223 + atomic64_add_unchecked(i, v);
59224 +}
59225 +#endif
59226 +
59227 static inline void atomic_long_sub(long i, atomic_long_t *l)
59228 {
59229 atomic64_t *v = (atomic64_t *)l;
59230 @@ -115,6 +166,15 @@ static inline long atomic_long_inc_retur
59231 return (long)atomic64_inc_return(v);
59232 }
59233
59234 +#ifdef CONFIG_PAX_REFCOUNT
59235 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
59236 +{
59237 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
59238 +
59239 + return (long)atomic64_inc_return_unchecked(v);
59240 +}
59241 +#endif
59242 +
59243 static inline long atomic_long_dec_return(atomic_long_t *l)
59244 {
59245 atomic64_t *v = (atomic64_t *)l;
59246 @@ -140,6 +200,12 @@ static inline long atomic_long_add_unles
59247
59248 typedef atomic_t atomic_long_t;
59249
59250 +#ifdef CONFIG_PAX_REFCOUNT
59251 +typedef atomic_unchecked_t atomic_long_unchecked_t;
59252 +#else
59253 +typedef atomic_t atomic_long_unchecked_t;
59254 +#endif
59255 +
59256 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
59257 static inline long atomic_long_read(atomic_long_t *l)
59258 {
59259 @@ -148,6 +214,15 @@ static inline long atomic_long_read(atom
59260 return (long)atomic_read(v);
59261 }
59262
59263 +#ifdef CONFIG_PAX_REFCOUNT
59264 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
59265 +{
59266 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
59267 +
59268 + return (long)atomic_read_unchecked(v);
59269 +}
59270 +#endif
59271 +
59272 static inline void atomic_long_set(atomic_long_t *l, long i)
59273 {
59274 atomic_t *v = (atomic_t *)l;
59275 @@ -155,6 +230,15 @@ static inline void atomic_long_set(atomi
59276 atomic_set(v, i);
59277 }
59278
59279 +#ifdef CONFIG_PAX_REFCOUNT
59280 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
59281 +{
59282 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
59283 +
59284 + atomic_set_unchecked(v, i);
59285 +}
59286 +#endif
59287 +
59288 static inline void atomic_long_inc(atomic_long_t *l)
59289 {
59290 atomic_t *v = (atomic_t *)l;
59291 @@ -162,6 +246,15 @@ static inline void atomic_long_inc(atomi
59292 atomic_inc(v);
59293 }
59294
59295 +#ifdef CONFIG_PAX_REFCOUNT
59296 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
59297 +{
59298 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
59299 +
59300 + atomic_inc_unchecked(v);
59301 +}
59302 +#endif
59303 +
59304 static inline void atomic_long_dec(atomic_long_t *l)
59305 {
59306 atomic_t *v = (atomic_t *)l;
59307 @@ -169,6 +262,15 @@ static inline void atomic_long_dec(atomi
59308 atomic_dec(v);
59309 }
59310
59311 +#ifdef CONFIG_PAX_REFCOUNT
59312 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
59313 +{
59314 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
59315 +
59316 + atomic_dec_unchecked(v);
59317 +}
59318 +#endif
59319 +
59320 static inline void atomic_long_add(long i, atomic_long_t *l)
59321 {
59322 atomic_t *v = (atomic_t *)l;
59323 @@ -176,6 +278,15 @@ static inline void atomic_long_add(long
59324 atomic_add(i, v);
59325 }
59326
59327 +#ifdef CONFIG_PAX_REFCOUNT
59328 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
59329 +{
59330 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
59331 +
59332 + atomic_add_unchecked(i, v);
59333 +}
59334 +#endif
59335 +
59336 static inline void atomic_long_sub(long i, atomic_long_t *l)
59337 {
59338 atomic_t *v = (atomic_t *)l;
59339 @@ -232,6 +343,15 @@ static inline long atomic_long_inc_retur
59340 return (long)atomic_inc_return(v);
59341 }
59342
59343 +#ifdef CONFIG_PAX_REFCOUNT
59344 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
59345 +{
59346 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
59347 +
59348 + return (long)atomic_inc_return_unchecked(v);
59349 +}
59350 +#endif
59351 +
59352 static inline long atomic_long_dec_return(atomic_long_t *l)
59353 {
59354 atomic_t *v = (atomic_t *)l;
59355 @@ -255,4 +375,47 @@ static inline long atomic_long_add_unles
59356
59357 #endif /* BITS_PER_LONG == 64 */
59358
59359 +#ifdef CONFIG_PAX_REFCOUNT
59360 +static inline void pax_refcount_needs_these_functions(void)
59361 +{
59362 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
59363 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
59364 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
59365 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
59366 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
59367 + (void)atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
59368 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
59369 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
59370 + atomic_dec_unchecked((atomic_unchecked_t *)NULL);
59371 + atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
59372 + (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
59373 +
59374 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
59375 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
59376 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
59377 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
59378 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
59379 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
59380 +}
59381 +#else
59382 +#define atomic_read_unchecked(v) atomic_read(v)
59383 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
59384 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
59385 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
59386 +#define atomic_inc_unchecked(v) atomic_inc(v)
59387 +#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
59388 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
59389 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
59390 +#define atomic_dec_unchecked(v) atomic_dec(v)
59391 +#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
59392 +#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
59393 +
59394 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
59395 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
59396 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
59397 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
59398 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
59399 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
59400 +#endif
59401 +
59402 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
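Review bot: `pax_refcount_needs_these_functions()` passes `NULL` to every `*_unchecked` primitive and has no comment, so it reads like live code that would dereference a null pointer. It looks like a build-time check that each architecture supplies the full set of unchecked operations; if so, say it on the function: `/* never called: exists only so that a missing *_unchecked primitive breaks the build */`. The `#else` macro list has to be kept in step with this function by hand, which the same comment could mention.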
59403 diff -urNp linux-2.6.32.46/include/asm-generic/bug.h linux-2.6.32.46/include/asm-generic/bug.h
59404 --- linux-2.6.32.46/include/asm-generic/bug.h 2011-07-13 17:23:04.000000000 -0400
59405 +++ linux-2.6.32.46/include/asm-generic/bug.h 2011-08-21 17:56:07.000000000 -0400
59406 @@ -105,11 +105,11 @@ extern void warn_slowpath_null(const cha
59407
59408 #else /* !CONFIG_BUG */
59409 #ifndef HAVE_ARCH_BUG
59410 -#define BUG() do {} while(0)
59411 +#define BUG() do { for (;;) ; } while(0)
59412 #endif
59413
59414 #ifndef HAVE_ARCH_BUG_ON
59415 -#define BUG_ON(condition) do { if (condition) ; } while(0)
59416 +#define BUG_ON(condition) do { if (condition) for (;;) ; } while(0)
59417 #endif
59418
59419 #ifndef HAVE_ARCH_WARN_ON
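Review bot: Nothing in this `!CONFIG_BUG` branch explains why `BUG()` and `BUG_ON()` now spin forever instead of compiling to nothing, and the next person to trim a small-config kernel may revert it as dead weight. The reason is worth recording next to the macros, for example `/* BUG() must never return: continuing past a failed invariant is unsafe even without CONFIG_BUG */`. The hang is also silent, since this branch emits no message, so a line in the CONFIG_BUG help text about the stall would save an operator a debugging session.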
59420 diff -urNp linux-2.6.32.46/include/asm-generic/cache.h linux-2.6.32.46/include/asm-generic/cache.h
59421 --- linux-2.6.32.46/include/asm-generic/cache.h 2011-03-27 14:31:47.000000000 -0400
59422 +++ linux-2.6.32.46/include/asm-generic/cache.h 2011-07-06 19:53:33.000000000 -0400
59423 @@ -6,7 +6,7 @@
59424 * cache lines need to provide their own cache.h.
59425 */
59426
59427 -#define L1_CACHE_SHIFT 5
59428 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
59429 +#define L1_CACHE_SHIFT 5UL
59430 +#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
59431
59432 #endif /* __ASM_GENERIC_CACHE_H */
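Review bot: Writing the constants as `5UL` and `1UL` makes this header unusable from assembly, because the assembler does not accept the `UL` suffix, and no `__ASSEMBLY__` guard is visible around them. The pgtable-nopmd.h and pgtable-nopud.h changes in this same patch already use `_AC(1,UL)` for that reason. I would keep the shift a plain integer and widen only the byte count: `#define L1_CACHE_SHIFT 5` and `#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)`, with `<linux/const.h>` included for `_AC`.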
59433 diff -urNp linux-2.6.32.46/include/asm-generic/dma-mapping-common.h linux-2.6.32.46/include/asm-generic/dma-mapping-common.h
59434 --- linux-2.6.32.46/include/asm-generic/dma-mapping-common.h 2011-03-27 14:31:47.000000000 -0400
59435 +++ linux-2.6.32.46/include/asm-generic/dma-mapping-common.h 2011-04-17 15:56:46.000000000 -0400
59436 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
59437 enum dma_data_direction dir,
59438 struct dma_attrs *attrs)
59439 {
59440 - struct dma_map_ops *ops = get_dma_ops(dev);
59441 + const struct dma_map_ops *ops = get_dma_ops(dev);
59442 dma_addr_t addr;
59443
59444 kmemcheck_mark_initialized(ptr, size);
59445 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
59446 enum dma_data_direction dir,
59447 struct dma_attrs *attrs)
59448 {
59449 - struct dma_map_ops *ops = get_dma_ops(dev);
59450 + const struct dma_map_ops *ops = get_dma_ops(dev);
59451
59452 BUG_ON(!valid_dma_direction(dir));
59453 if (ops->unmap_page)
59454 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
59455 int nents, enum dma_data_direction dir,
59456 struct dma_attrs *attrs)
59457 {
59458 - struct dma_map_ops *ops = get_dma_ops(dev);
59459 + const struct dma_map_ops *ops = get_dma_ops(dev);
59460 int i, ents;
59461 struct scatterlist *s;
59462
59463 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
59464 int nents, enum dma_data_direction dir,
59465 struct dma_attrs *attrs)
59466 {
59467 - struct dma_map_ops *ops = get_dma_ops(dev);
59468 + const struct dma_map_ops *ops = get_dma_ops(dev);
59469
59470 BUG_ON(!valid_dma_direction(dir));
59471 debug_dma_unmap_sg(dev, sg, nents, dir);
59472 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
59473 size_t offset, size_t size,
59474 enum dma_data_direction dir)
59475 {
59476 - struct dma_map_ops *ops = get_dma_ops(dev);
59477 + const struct dma_map_ops *ops = get_dma_ops(dev);
59478 dma_addr_t addr;
59479
59480 kmemcheck_mark_initialized(page_address(page) + offset, size);
59481 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
59482 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
59483 size_t size, enum dma_data_direction dir)
59484 {
59485 - struct dma_map_ops *ops = get_dma_ops(dev);
59486 + const struct dma_map_ops *ops = get_dma_ops(dev);
59487
59488 BUG_ON(!valid_dma_direction(dir));
59489 if (ops->unmap_page)
59490 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
59491 size_t size,
59492 enum dma_data_direction dir)
59493 {
59494 - struct dma_map_ops *ops = get_dma_ops(dev);
59495 + const struct dma_map_ops *ops = get_dma_ops(dev);
59496
59497 BUG_ON(!valid_dma_direction(dir));
59498 if (ops->sync_single_for_cpu)
59499 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
59500 dma_addr_t addr, size_t size,
59501 enum dma_data_direction dir)
59502 {
59503 - struct dma_map_ops *ops = get_dma_ops(dev);
59504 + const struct dma_map_ops *ops = get_dma_ops(dev);
59505
59506 BUG_ON(!valid_dma_direction(dir));
59507 if (ops->sync_single_for_device)
59508 @@ -123,7 +123,7 @@ static inline void dma_sync_single_range
59509 size_t size,
59510 enum dma_data_direction dir)
59511 {
59512 - struct dma_map_ops *ops = get_dma_ops(dev);
59513 + const struct dma_map_ops *ops = get_dma_ops(dev);
59514
59515 BUG_ON(!valid_dma_direction(dir));
59516 if (ops->sync_single_range_for_cpu) {
59517 @@ -140,7 +140,7 @@ static inline void dma_sync_single_range
59518 size_t size,
59519 enum dma_data_direction dir)
59520 {
59521 - struct dma_map_ops *ops = get_dma_ops(dev);
59522 + const struct dma_map_ops *ops = get_dma_ops(dev);
59523
59524 BUG_ON(!valid_dma_direction(dir));
59525 if (ops->sync_single_range_for_device) {
59526 @@ -155,7 +155,7 @@ static inline void
59527 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
59528 int nelems, enum dma_data_direction dir)
59529 {
59530 - struct dma_map_ops *ops = get_dma_ops(dev);
59531 + const struct dma_map_ops *ops = get_dma_ops(dev);
59532
59533 BUG_ON(!valid_dma_direction(dir));
59534 if (ops->sync_sg_for_cpu)
59535 @@ -167,7 +167,7 @@ static inline void
59536 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
59537 int nelems, enum dma_data_direction dir)
59538 {
59539 - struct dma_map_ops *ops = get_dma_ops(dev);
59540 + const struct dma_map_ops *ops = get_dma_ops(dev);
59541
59542 BUG_ON(!valid_dma_direction(dir));
59543 if (ops->sync_sg_for_device)
59544 diff -urNp linux-2.6.32.46/include/asm-generic/emergency-restart.h linux-2.6.32.46/include/asm-generic/emergency-restart.h
59545 --- linux-2.6.32.46/include/asm-generic/emergency-restart.h 2011-03-27 14:31:47.000000000 -0400
59546 +++ linux-2.6.32.46/include/asm-generic/emergency-restart.h 2011-08-21 19:17:17.000000000 -0400
59547 @@ -1,7 +1,7 @@
59548 #ifndef _ASM_GENERIC_EMERGENCY_RESTART_H
59549 #define _ASM_GENERIC_EMERGENCY_RESTART_H
59550
59551 -static inline void machine_emergency_restart(void)
59552 +static inline __noreturn void machine_emergency_restart(void)
59553 {
59554 machine_restart(NULL);
59555 }
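Review bot: `__noreturn` on `machine_emergency_restart()` is only correct if `machine_restart()` itself never returns, and its declaration is not part of this hunk. If any architecture using this generic header has a `machine_restart()` that can return, control falls off the end of a noreturn function, which is undefined behaviour. Either confirm that `machine_restart()` is declared `__noreturn` for every user of the header, or end the body with `for (;;) ;` after the call.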
59556 diff -urNp linux-2.6.32.46/include/asm-generic/futex.h linux-2.6.32.46/include/asm-generic/futex.h
59557 --- linux-2.6.32.46/include/asm-generic/futex.h 2011-03-27 14:31:47.000000000 -0400
59558 +++ linux-2.6.32.46/include/asm-generic/futex.h 2011-04-17 15:56:46.000000000 -0400
59559 @@ -6,7 +6,7 @@
59560 #include <asm/errno.h>
59561
59562 static inline int
59563 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
59564 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
59565 {
59566 int op = (encoded_op >> 28) & 7;
59567 int cmp = (encoded_op >> 24) & 15;
59568 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
59569 }
59570
59571 static inline int
59572 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
59573 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
59574 {
59575 return -ENOSYS;
59576 }
59577 diff -urNp linux-2.6.32.46/include/asm-generic/int-l64.h linux-2.6.32.46/include/asm-generic/int-l64.h
59578 --- linux-2.6.32.46/include/asm-generic/int-l64.h 2011-03-27 14:31:47.000000000 -0400
59579 +++ linux-2.6.32.46/include/asm-generic/int-l64.h 2011-04-17 15:56:46.000000000 -0400
59580 @@ -46,6 +46,8 @@ typedef unsigned int u32;
59581 typedef signed long s64;
59582 typedef unsigned long u64;
59583
59584 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
59585 +
59586 #define S8_C(x) x
59587 #define U8_C(x) x ## U
59588 #define S16_C(x) x
59589 diff -urNp linux-2.6.32.46/include/asm-generic/int-ll64.h linux-2.6.32.46/include/asm-generic/int-ll64.h
59590 --- linux-2.6.32.46/include/asm-generic/int-ll64.h 2011-03-27 14:31:47.000000000 -0400
59591 +++ linux-2.6.32.46/include/asm-generic/int-ll64.h 2011-04-17 15:56:46.000000000 -0400
59592 @@ -51,6 +51,8 @@ typedef unsigned int u32;
59593 typedef signed long long s64;
59594 typedef unsigned long long u64;
59595
59596 +typedef unsigned long long intoverflow_t;
59597 +
59598 #define S8_C(x) x
59599 #define U8_C(x) x ## U
59600 #define S16_C(x) x
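Review bot: `intoverflow_t` is `unsigned long long` here but a 128-bit `mode(TI)` integer in int-l64.h, and nothing states the width it must have. If the type is meant to hold a product wider than `unsigned long` for overflow checks (presumably, from the name), then on any 64-bit architecture that includes int-ll64.h it is no wider than `unsigned long` and such a check can never fire, unless that case is handled elsewhere in the patch. At minimum the requirement should be written down: `/* must be strictly wider than unsigned long on every arch that includes this header */`. A `CONFIG_64BIT` conditional selecting the `mode(TI)` form would enforce it.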
59601 diff -urNp linux-2.6.32.46/include/asm-generic/kmap_types.h linux-2.6.32.46/include/asm-generic/kmap_types.h
59602 --- linux-2.6.32.46/include/asm-generic/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
59603 +++ linux-2.6.32.46/include/asm-generic/kmap_types.h 2011-04-17 15:56:46.000000000 -0400
59604 @@ -28,7 +28,8 @@ KMAP_D(15) KM_UML_USERCOPY,
59605 KMAP_D(16) KM_IRQ_PTE,
59606 KMAP_D(17) KM_NMI,
59607 KMAP_D(18) KM_NMI_PTE,
59608 -KMAP_D(19) KM_TYPE_NR
59609 +KMAP_D(19) KM_CLEARPAGE,
59610 +KMAP_D(20) KM_TYPE_NR
59611 };
59612
59613 #undef KMAP_D
59614 diff -urNp linux-2.6.32.46/include/asm-generic/pgtable.h linux-2.6.32.46/include/asm-generic/pgtable.h
59615 --- linux-2.6.32.46/include/asm-generic/pgtable.h 2011-03-27 14:31:47.000000000 -0400
59616 +++ linux-2.6.32.46/include/asm-generic/pgtable.h 2011-04-17 15:56:46.000000000 -0400
59617 @@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
59618 unsigned long size);
59619 #endif
59620
59621 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
59622 +static inline unsigned long pax_open_kernel(void) { return 0; }
59623 +#endif
59624 +
59625 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
59626 +static inline unsigned long pax_close_kernel(void) { return 0; }
59627 +#endif
59628 +
59629 #endif /* !__ASSEMBLY__ */
59630
59631 #endif /* _ASM_GENERIC_PGTABLE_H */
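Review bot: The two fallbacks are guarded separately, so an architecture that defines `__HAVE_ARCH_PAX_OPEN_KERNEL` but forgets `__HAVE_ARCH_PAX_CLOSE_KERNEL` gets a real open paired with a no-op close. A guard before the stubs would catch that at build time: `#if defined(__HAVE_ARCH_PAX_OPEN_KERNEL) != defined(__HAVE_ARCH_PAX_CLOSE_KERNEL)` / `#error "pax_open_kernel/pax_close_kernel must be provided together"` / `#endif`. The stubs also need a comment saying that they do nothing and what the `unsigned long` return value means, since callers on such architectures get no protection toggle at all.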
59632 diff -urNp linux-2.6.32.46/include/asm-generic/pgtable-nopmd.h linux-2.6.32.46/include/asm-generic/pgtable-nopmd.h
59633 --- linux-2.6.32.46/include/asm-generic/pgtable-nopmd.h 2011-03-27 14:31:47.000000000 -0400
59634 +++ linux-2.6.32.46/include/asm-generic/pgtable-nopmd.h 2011-04-17 15:56:46.000000000 -0400
59635 @@ -1,14 +1,19 @@
59636 #ifndef _PGTABLE_NOPMD_H
59637 #define _PGTABLE_NOPMD_H
59638
59639 -#ifndef __ASSEMBLY__
59640 -
59641 #include <asm-generic/pgtable-nopud.h>
59642
59643 -struct mm_struct;
59644 -
59645 #define __PAGETABLE_PMD_FOLDED
59646
59647 +#define PMD_SHIFT PUD_SHIFT
59648 +#define PTRS_PER_PMD 1
59649 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
59650 +#define PMD_MASK (~(PMD_SIZE-1))
59651 +
59652 +#ifndef __ASSEMBLY__
59653 +
59654 +struct mm_struct;
59655 +
59656 /*
59657 * Having the pmd type consist of a pud gets the size right, and allows
59658 * us to conceptually access the pud entry that this pmd is folded into
59659 @@ -16,11 +21,6 @@ struct mm_struct;
59660 */
59661 typedef struct { pud_t pud; } pmd_t;
59662
59663 -#define PMD_SHIFT PUD_SHIFT
59664 -#define PTRS_PER_PMD 1
59665 -#define PMD_SIZE (1UL << PMD_SHIFT)
59666 -#define PMD_MASK (~(PMD_SIZE-1))
59667 -
59668 /*
59669 * The "pud_xxx()" functions here are trivial for a folded two-level
59670 * setup: the pmd is never bad, and a pmd always exists (as it's folded
59671 diff -urNp linux-2.6.32.46/include/asm-generic/pgtable-nopud.h linux-2.6.32.46/include/asm-generic/pgtable-nopud.h
59672 --- linux-2.6.32.46/include/asm-generic/pgtable-nopud.h 2011-03-27 14:31:47.000000000 -0400
59673 +++ linux-2.6.32.46/include/asm-generic/pgtable-nopud.h 2011-04-17 15:56:46.000000000 -0400
59674 @@ -1,10 +1,15 @@
59675 #ifndef _PGTABLE_NOPUD_H
59676 #define _PGTABLE_NOPUD_H
59677
59678 -#ifndef __ASSEMBLY__
59679 -
59680 #define __PAGETABLE_PUD_FOLDED
59681
59682 +#define PUD_SHIFT PGDIR_SHIFT
59683 +#define PTRS_PER_PUD 1
59684 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
59685 +#define PUD_MASK (~(PUD_SIZE-1))
59686 +
59687 +#ifndef __ASSEMBLY__
59688 +
59689 /*
59690 * Having the pud type consist of a pgd gets the size right, and allows
59691 * us to conceptually access the pgd entry that this pud is folded into
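Review bot: `PUD_SIZE` now uses `_AC(1,UL)`, but the first lines of this header shown in the hunk contain no `#include <linux/const.h>`, which is where `_AC` is defined. The same applies to `PMD_SIZE` in pgtable-nopmd.h, which includes this file. Since the constants were moved outside `#ifndef __ASSEMBLY__` so that assembly sources can use them, the header should not depend on the includer having pulled in `_AC` first; adding `#include <linux/const.h>` just below the include guard makes it self-contained.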
59692 @@ -12,11 +17,6 @@
59693 */
59694 typedef struct { pgd_t pgd; } pud_t;
59695
59696 -#define PUD_SHIFT PGDIR_SHIFT
59697 -#define PTRS_PER_PUD 1
59698 -#define PUD_SIZE (1UL << PUD_SHIFT)
59699 -#define PUD_MASK (~(PUD_SIZE-1))
59700 -
59701 /*
59702 * The "pgd_xxx()" functions here are trivial for a folded two-level
59703 * setup: the pud is never bad, and a pud always exists (as it's folded
59704 diff -urNp linux-2.6.32.46/include/asm-generic/vmlinux.lds.h linux-2.6.32.46/include/asm-generic/vmlinux.lds.h
59705 --- linux-2.6.32.46/include/asm-generic/vmlinux.lds.h 2011-03-27 14:31:47.000000000 -0400
59706 +++ linux-2.6.32.46/include/asm-generic/vmlinux.lds.h 2011-04-17 15:56:46.000000000 -0400
59707 @@ -199,6 +199,7 @@
59708 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
59709 VMLINUX_SYMBOL(__start_rodata) = .; \
59710 *(.rodata) *(.rodata.*) \
59711 + *(.data.read_only) \
59712 *(__vermagic) /* Kernel version magic */ \
59713 *(__markers_strings) /* Markers: strings */ \
59714 *(__tracepoints_strings)/* Tracepoints: strings */ \
59715 @@ -656,22 +657,24 @@
59716 * section in the linker script will go there too. @phdr should have
59717 * a leading colon.
59718 *
59719 - * Note that this macros defines __per_cpu_load as an absolute symbol.
59720 + * Note that this macros defines per_cpu_load as an absolute symbol.
59721 * If there is no need to put the percpu section at a predetermined
59722 * address, use PERCPU().
59723 */
59724 #define PERCPU_VADDR(vaddr, phdr) \
59725 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
59726 - .data.percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
59727 + per_cpu_load = .; \
59728 + .data.percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
59729 - LOAD_OFFSET) { \
59730 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
59731 VMLINUX_SYMBOL(__per_cpu_start) = .; \
59732 *(.data.percpu.first) \
59733 - *(.data.percpu.page_aligned) \
59734 *(.data.percpu) \
59735 + . = ALIGN(PAGE_SIZE); \
59736 + *(.data.percpu.page_aligned) \
59737 *(.data.percpu.shared_aligned) \
59738 VMLINUX_SYMBOL(__per_cpu_end) = .; \
59739 } phdr \
59740 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data.percpu);
59741 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data.percpu);
59742
59743 /**
59744 * PERCPU - define output section for percpu area, simple version
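Review bot: In `PERCPU_VADDR` the new symbol is defined bare, `per_cpu_load = .;`, but read back through `VMLINUX_SYMBOL(per_cpu_load)` in the `AT()` expression and in the final location-counter assignment, while the `__per_cpu_load` line again uses it bare. On a configuration where `VMLINUX_SYMBOL` adds a prefix, the definition and two of its uses would name different symbols. Spell them all the same way, for example `VMLINUX_SYMBOL(per_cpu_load) = .;` and `. + VMLINUX_SYMBOL(per_cpu_load)`. The header comment now mentions only `per_cpu_load`; it should also say that `__per_cpu_load` is assigned inside the output section as `. + per_cpu_load`, since that changes what the symbol means to code that reads it.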
59745 diff -urNp linux-2.6.32.46/include/drm/drm_crtc_helper.h linux-2.6.32.46/include/drm/drm_crtc_helper.h
59746 --- linux-2.6.32.46/include/drm/drm_crtc_helper.h 2011-03-27 14:31:47.000000000 -0400
59747 +++ linux-2.6.32.46/include/drm/drm_crtc_helper.h 2011-08-05 20:33:55.000000000 -0400
59748 @@ -64,7 +64,7 @@ struct drm_crtc_helper_funcs {
59749
59750 /* reload the current crtc LUT */
59751 void (*load_lut)(struct drm_crtc *crtc);
59752 -};
59753 +} __no_const;
59754
59755 struct drm_encoder_helper_funcs {
59756 void (*dpms)(struct drm_encoder *encoder, int mode);
59757 @@ -85,7 +85,7 @@ struct drm_encoder_helper_funcs {
59758 struct drm_connector *connector);
59759 /* disable encoder when not in use - more explicit than dpms off */
59760 void (*disable)(struct drm_encoder *encoder);
59761 -};
59762 +} __no_const;
59763
59764 struct drm_connector_helper_funcs {
59765 int (*get_modes)(struct drm_connector *connector);
59766 diff -urNp linux-2.6.32.46/include/drm/drmP.h linux-2.6.32.46/include/drm/drmP.h
59767 --- linux-2.6.32.46/include/drm/drmP.h 2011-03-27 14:31:47.000000000 -0400
59768 +++ linux-2.6.32.46/include/drm/drmP.h 2011-04-17 15:56:46.000000000 -0400
59769 @@ -71,6 +71,7 @@
59770 #include <linux/workqueue.h>
59771 #include <linux/poll.h>
59772 #include <asm/pgalloc.h>
59773 +#include <asm/local.h>
59774 #include "drm.h"
59775
59776 #include <linux/idr.h>
59777 @@ -814,7 +815,7 @@ struct drm_driver {
59778 void (*vgaarb_irq)(struct drm_device *dev, bool state);
59779
59780 /* Driver private ops for this object */
59781 - struct vm_operations_struct *gem_vm_ops;
59782 + const struct vm_operations_struct *gem_vm_ops;
59783
59784 int major;
59785 int minor;
59786 @@ -917,7 +918,7 @@ struct drm_device {
59787
59788 /** \name Usage Counters */
59789 /*@{ */
59790 - int open_count; /**< Outstanding files open */
59791 + local_t open_count; /**< Outstanding files open */
59792 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
59793 atomic_t vma_count; /**< Outstanding vma areas open */
59794 int buf_use; /**< Buffers in use -- cannot alloc */
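Review bot: `open_count` becomes a `local_t`, but the field comment is unchanged and nothing says what serialises the counter. The generic `local_t` operations are only guaranteed atomic with respect to the CPU they run on, so updates from different CPUs still depend on whatever lock covered the old `int`; that lock is not visible in this hunk. A comment such as `/* local_t, not int: <reason>; serialised by <lock> */`, with the real reason and lock filled in, would make the assumption checkable. `struct drm_device` starts and ends outside the hunk.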
59795 @@ -928,7 +929,7 @@ struct drm_device {
59796 /*@{ */
59797 unsigned long counters;
59798 enum drm_stat_type types[15];
59799 - atomic_t counts[15];
59800 + atomic_unchecked_t counts[15];
59801 /*@} */
59802
59803 struct list_head filelist;
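Review bot: `counts[15]` switches to `atomic_unchecked_t` with no comment saying why this counter is exempt from the checking that plain `atomic_t` presumably receives elsewhere in the patch. The distinction matters to whoever adds the next field: a statistics counter may wrap harmlessly, a reference count may not. I would add `/* statistics only, wrap-around is harmless */` beside the field. The same kind of note belongs on `object_memory`, `pin_memory` and `gtt_memory` in the `@@ -1042` hunk of this file, on `__HANDLE_ITEM` in atmdev.h, `dropped` in blktrace_api.h, `gen` in dst.h and `fscache_op_debug_id` in fscache-cache.h.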
59804 @@ -1016,7 +1017,7 @@ struct drm_device {
59805 struct pci_controller *hose;
59806 #endif
59807 struct drm_sg_mem *sg; /**< Scatter gather memory */
59808 - unsigned int num_crtcs; /**< Number of CRTCs on this device */
59809 + unsigned int num_crtcs; /**< Number of CRTCs on this device */
59810 void *dev_private; /**< device private data */
59811 void *mm_private;
59812 struct address_space *dev_mapping;
59813 @@ -1042,11 +1043,11 @@ struct drm_device {
59814 spinlock_t object_name_lock;
59815 struct idr object_name_idr;
59816 atomic_t object_count;
59817 - atomic_t object_memory;
59818 + atomic_unchecked_t object_memory;
59819 atomic_t pin_count;
59820 - atomic_t pin_memory;
59821 + atomic_unchecked_t pin_memory;
59822 atomic_t gtt_count;
59823 - atomic_t gtt_memory;
59824 + atomic_unchecked_t gtt_memory;
59825 uint32_t gtt_total;
59826 uint32_t invalidate_domains; /* domains pending invalidation */
59827 uint32_t flush_domains; /* domains pending flush */
59828 diff -urNp linux-2.6.32.46/include/drm/ttm/ttm_memory.h linux-2.6.32.46/include/drm/ttm/ttm_memory.h
59829 --- linux-2.6.32.46/include/drm/ttm/ttm_memory.h 2011-03-27 14:31:47.000000000 -0400
59830 +++ linux-2.6.32.46/include/drm/ttm/ttm_memory.h 2011-08-05 20:33:55.000000000 -0400
59831 @@ -47,7 +47,7 @@
59832
59833 struct ttm_mem_shrink {
59834 int (*do_shrink) (struct ttm_mem_shrink *);
59835 -};
59836 +} __no_const;
59837
59838 /**
59839 * struct ttm_mem_global - Global memory accounting structure.
59840 diff -urNp linux-2.6.32.46/include/linux/a.out.h linux-2.6.32.46/include/linux/a.out.h
59841 --- linux-2.6.32.46/include/linux/a.out.h 2011-03-27 14:31:47.000000000 -0400
59842 +++ linux-2.6.32.46/include/linux/a.out.h 2011-04-17 15:56:46.000000000 -0400
59843 @@ -39,6 +39,14 @@ enum machine_type {
59844 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
59845 };
59846
59847 +/* Constants for the N_FLAGS field */
59848 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
59849 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
59850 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
59851 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
59852 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
59853 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
59854 +
59855 #if !defined (N_MAGIC)
59856 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
59857 #endif
59858 diff -urNp linux-2.6.32.46/include/linux/atmdev.h linux-2.6.32.46/include/linux/atmdev.h
59859 --- linux-2.6.32.46/include/linux/atmdev.h 2011-03-27 14:31:47.000000000 -0400
59860 +++ linux-2.6.32.46/include/linux/atmdev.h 2011-04-17 15:56:46.000000000 -0400
59861 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
59862 #endif
59863
59864 struct k_atm_aal_stats {
59865 -#define __HANDLE_ITEM(i) atomic_t i
59866 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
59867 __AAL_STAT_ITEMS
59868 #undef __HANDLE_ITEM
59869 };
59870 diff -urNp linux-2.6.32.46/include/linux/backlight.h linux-2.6.32.46/include/linux/backlight.h
59871 --- linux-2.6.32.46/include/linux/backlight.h 2011-03-27 14:31:47.000000000 -0400
59872 +++ linux-2.6.32.46/include/linux/backlight.h 2011-04-17 15:56:46.000000000 -0400
59873 @@ -36,18 +36,18 @@ struct backlight_device;
59874 struct fb_info;
59875
59876 struct backlight_ops {
59877 - unsigned int options;
59878 + const unsigned int options;
59879
59880 #define BL_CORE_SUSPENDRESUME (1 << 0)
59881
59882 /* Notify the backlight driver some property has changed */
59883 - int (*update_status)(struct backlight_device *);
59884 + int (* const update_status)(struct backlight_device *);
59885 /* Return the current backlight brightness (accounting for power,
59886 fb_blank etc.) */
59887 - int (*get_brightness)(struct backlight_device *);
59888 + int (* const get_brightness)(struct backlight_device *);
59889 /* Check if given framebuffer device is the one bound to this backlight;
59890 return 0 if not, !=0 if it is. If NULL, backlight always matches the fb. */
59891 - int (*check_fb)(struct fb_info *);
59892 + int (* const check_fb)(struct fb_info *);
59893 };
59894
59895 /* This structure defines all the properties of a backlight */
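Review bot: `struct backlight_ops` is made read-only by adding `const` to each member, while `block_device_operations`, `dma_map_ops` and `file_operations` later in this patch are tagged once with `__do_const` on the struct. Two mechanisms for one goal drift apart easily: a member added later without `const` compiles silently and stays writable. If the per-member form is deliberate (it also takes effect when `CONSTIFY_PLUGIN` is not defined and `__do_const` expands to nothing), a comment above the struct should say so; otherwise `} __do_const;` is the shorter spelling. The same applies to the per-member `const` in `address_space_operations`, `file_lock_operations` and `lock_manager_operations` in fs.h.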
59896 @@ -86,7 +86,7 @@ struct backlight_device {
59897 registered this device has been unloaded, and if class_get_devdata()
59898 points to something in the body of that driver, it is also invalid. */
59899 struct mutex ops_lock;
59900 - struct backlight_ops *ops;
59901 + const struct backlight_ops *ops;
59902
59903 /* The framebuffer notifier block */
59904 struct notifier_block fb_notif;
59905 @@ -103,7 +103,7 @@ static inline void backlight_update_stat
59906 }
59907
59908 extern struct backlight_device *backlight_device_register(const char *name,
59909 - struct device *dev, void *devdata, struct backlight_ops *ops);
59910 + struct device *dev, void *devdata, const struct backlight_ops *ops);
59911 extern void backlight_device_unregister(struct backlight_device *bd);
59912 extern void backlight_force_update(struct backlight_device *bd,
59913 enum backlight_update_reason reason);
59914 diff -urNp linux-2.6.32.46/include/linux/binfmts.h linux-2.6.32.46/include/linux/binfmts.h
59915 --- linux-2.6.32.46/include/linux/binfmts.h 2011-04-17 17:00:52.000000000 -0400
59916 +++ linux-2.6.32.46/include/linux/binfmts.h 2011-04-17 15:56:46.000000000 -0400
59917 @@ -83,6 +83,7 @@ struct linux_binfmt {
59918 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
59919 int (*load_shlib)(struct file *);
59920 int (*core_dump)(long signr, struct pt_regs *regs, struct file *file, unsigned long limit);
59921 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
59922 unsigned long min_coredump; /* minimal dump size */
59923 int hasvdso;
59924 };
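Review bot: The new `handle_mprotect` member of `struct linux_binfmt` has no comment, so a format author cannot tell when it is called or whether it may be left unset. Formats that do not assign it leave the pointer NULL, so the call site (outside this hunk) has to test it before calling, and that contract is worth stating next to the member. Something like `/* optional, may be NULL; receives the vma and the requested new flags */` would do, adjusted to what the call site really guarantees. The struct starts outside the hunk.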
59925 diff -urNp linux-2.6.32.46/include/linux/blkdev.h linux-2.6.32.46/include/linux/blkdev.h
59926 --- linux-2.6.32.46/include/linux/blkdev.h 2011-03-27 14:31:47.000000000 -0400
59927 +++ linux-2.6.32.46/include/linux/blkdev.h 2011-08-26 20:27:21.000000000 -0400
59928 @@ -1278,7 +1278,7 @@ struct block_device_operations {
59929 int (*revalidate_disk) (struct gendisk *);
59930 int (*getgeo)(struct block_device *, struct hd_geometry *);
59931 struct module *owner;
59932 -};
59933 +} __do_const;
59934
59935 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
59936 unsigned long);
59937 diff -urNp linux-2.6.32.46/include/linux/blktrace_api.h linux-2.6.32.46/include/linux/blktrace_api.h
59938 --- linux-2.6.32.46/include/linux/blktrace_api.h 2011-03-27 14:31:47.000000000 -0400
59939 +++ linux-2.6.32.46/include/linux/blktrace_api.h 2011-05-04 17:56:28.000000000 -0400
59940 @@ -160,7 +160,7 @@ struct blk_trace {
59941 struct dentry *dir;
59942 struct dentry *dropped_file;
59943 struct dentry *msg_file;
59944 - atomic_t dropped;
59945 + atomic_unchecked_t dropped;
59946 };
59947
59948 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
59949 diff -urNp linux-2.6.32.46/include/linux/byteorder/little_endian.h linux-2.6.32.46/include/linux/byteorder/little_endian.h
59950 --- linux-2.6.32.46/include/linux/byteorder/little_endian.h 2011-03-27 14:31:47.000000000 -0400
59951 +++ linux-2.6.32.46/include/linux/byteorder/little_endian.h 2011-04-17 15:56:46.000000000 -0400
59952 @@ -42,51 +42,51 @@
59953
59954 static inline __le64 __cpu_to_le64p(const __u64 *p)
59955 {
59956 - return (__force __le64)*p;
59957 + return (__force const __le64)*p;
59958 }
59959 static inline __u64 __le64_to_cpup(const __le64 *p)
59960 {
59961 - return (__force __u64)*p;
59962 + return (__force const __u64)*p;
59963 }
59964 static inline __le32 __cpu_to_le32p(const __u32 *p)
59965 {
59966 - return (__force __le32)*p;
59967 + return (__force const __le32)*p;
59968 }
59969 static inline __u32 __le32_to_cpup(const __le32 *p)
59970 {
59971 - return (__force __u32)*p;
59972 + return (__force const __u32)*p;
59973 }
59974 static inline __le16 __cpu_to_le16p(const __u16 *p)
59975 {
59976 - return (__force __le16)*p;
59977 + return (__force const __le16)*p;
59978 }
59979 static inline __u16 __le16_to_cpup(const __le16 *p)
59980 {
59981 - return (__force __u16)*p;
59982 + return (__force const __u16)*p;
59983 }
59984 static inline __be64 __cpu_to_be64p(const __u64 *p)
59985 {
59986 - return (__force __be64)__swab64p(p);
59987 + return (__force const __be64)__swab64p(p);
59988 }
59989 static inline __u64 __be64_to_cpup(const __be64 *p)
59990 {
59991 - return __swab64p((__u64 *)p);
59992 + return __swab64p((const __u64 *)p);
59993 }
59994 static inline __be32 __cpu_to_be32p(const __u32 *p)
59995 {
59996 - return (__force __be32)__swab32p(p);
59997 + return (__force const __be32)__swab32p(p);
59998 }
59999 static inline __u32 __be32_to_cpup(const __be32 *p)
60000 {
60001 - return __swab32p((__u32 *)p);
60002 + return __swab32p((const __u32 *)p);
60003 }
60004 static inline __be16 __cpu_to_be16p(const __u16 *p)
60005 {
60006 - return (__force __be16)__swab16p(p);
60007 + return (__force const __be16)__swab16p(p);
60008 }
60009 static inline __u16 __be16_to_cpup(const __be16 *p)
60010 {
60011 - return __swab16p((__u16 *)p);
60012 + return __swab16p((const __u16 *)p);
60013 }
60014 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
60015 #define __le64_to_cpus(x) do { (void)(x); } while (0)
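Review bot: In the value casts such as `(__force const __le64)*p` the added `const` has no effect in C, because a cast yields an rvalue and qualifiers on the cast type are discarded. Only the three pointer casts, `(const __u64 *)p`, `(const __u32 *)p` and `(const __u16 *)p`, change anything: they stop the cast from dropping the `const` of the parameter. If the value-cast `const` exists to satisfy a checker or plugin, a one-line comment at the top of the block should name it; otherwise I would keep only the pointer-cast fixes.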
60016 diff -urNp linux-2.6.32.46/include/linux/cache.h linux-2.6.32.46/include/linux/cache.h
60017 --- linux-2.6.32.46/include/linux/cache.h 2011-03-27 14:31:47.000000000 -0400
60018 +++ linux-2.6.32.46/include/linux/cache.h 2011-04-17 15:56:46.000000000 -0400
60019 @@ -16,6 +16,10 @@
60020 #define __read_mostly
60021 #endif
60022
60023 +#ifndef __read_only
60024 +#define __read_only __read_mostly
60025 +#endif
60026 +
60027 #ifndef ____cacheline_aligned
60028 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
60029 #endif
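Review bot: The fallback `#define __read_only __read_mostly` means that wherever no other definition of `__read_only` is in effect, objects carrying the annotation stay in ordinary writable data, and `__read_mostly` itself falls back to nothing just above. A reader who sees `__read_only` on a security-relevant variable will assume it is write-protected, so the degradation should be stated: `/* fallback: no write protection, __read_only is only a placement hint here */`. Which architectures provide a real definition is not visible in this hunk.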
60030 diff -urNp linux-2.6.32.46/include/linux/capability.h linux-2.6.32.46/include/linux/capability.h
60031 --- linux-2.6.32.46/include/linux/capability.h 2011-03-27 14:31:47.000000000 -0400
60032 +++ linux-2.6.32.46/include/linux/capability.h 2011-04-17 15:56:46.000000000 -0400
60033 @@ -563,6 +563,7 @@ extern const kernel_cap_t __cap_init_eff
60034 (security_real_capable_noaudit((t), (cap)) == 0)
60035
60036 extern int capable(int cap);
60037 +int capable_nolog(int cap);
60038
60039 /* audit system wants to get cap info from files as well */
60040 struct dentry;
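Review bot: `capable_nolog()` is declared without `extern` and without a comment, directly under `extern int capable(int cap);`. Matching the neighbouring line, `extern int capable_nolog(int cap);`, keeps the header uniform. A short comment saying how it differs from `capable()` is also needed; the name suggests it skips logging, but the definition is outside this hunk, and callers on a path that should be audited need to know not to pick this variant.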
60041 diff -urNp linux-2.6.32.46/include/linux/compiler-gcc4.h linux-2.6.32.46/include/linux/compiler-gcc4.h
60042 --- linux-2.6.32.46/include/linux/compiler-gcc4.h 2011-03-27 14:31:47.000000000 -0400
60043 +++ linux-2.6.32.46/include/linux/compiler-gcc4.h 2011-08-26 20:19:09.000000000 -0400
60044 @@ -36,4 +36,16 @@
60045 the kernel context */
60046 #define __cold __attribute__((__cold__))
60047
60048 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
60049 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
60050 +#define __bos0(ptr) __bos((ptr), 0)
60051 +#define __bos1(ptr) __bos((ptr), 1)
60052 +
60053 +#if __GNUC_MINOR__ >= 5
60054 +#ifdef CONSTIFY_PLUGIN
60055 +#define __no_const __attribute__((no_const))
60056 +#define __do_const __attribute__((do_const))
60057 +#endif
60058 +#endif
60059 +
60060 #endif
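Review bot: `__alloc_size` is spelled with `__attribute((...))` while `__cold` directly above and the two plugin macros below use `__attribute__((...))`; GCC accepts both, but the file should use one form: `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))`. `__no_const` and `__do_const` are also introduced without any explanation of what each asks of the plugin or why they are limited to `__GNUC_MINOR__ >= 5`. A two-line comment above the `#if` covering both points would save the reader a search through the plugin source, which is not on this page.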
60061 diff -urNp linux-2.6.32.46/include/linux/compiler.h linux-2.6.32.46/include/linux/compiler.h
60062 --- linux-2.6.32.46/include/linux/compiler.h 2011-03-27 14:31:47.000000000 -0400
60063 +++ linux-2.6.32.46/include/linux/compiler.h 2011-08-26 20:19:09.000000000 -0400
60064 @@ -247,6 +247,14 @@ void ftrace_likely_update(struct ftrace_
60065 # define __attribute_const__ /* unimplemented */
60066 #endif
60067
60068 +#ifndef __no_const
60069 +# define __no_const
60070 +#endif
60071 +
60072 +#ifndef __do_const
60073 +# define __do_const
60074 +#endif
60075 +
60076 /*
60077 * Tell gcc if a function is cold. The compiler will assume any path
60078 * directly leading to the call is unlikely.
60079 @@ -256,6 +264,22 @@ void ftrace_likely_update(struct ftrace_
60080 #define __cold
60081 #endif
60082
60083 +#ifndef __alloc_size
60084 +#define __alloc_size(...)
60085 +#endif
60086 +
60087 +#ifndef __bos
60088 +#define __bos(ptr, arg)
60089 +#endif
60090 +
60091 +#ifndef __bos0
60092 +#define __bos0(ptr)
60093 +#endif
60094 +
60095 +#ifndef __bos1
60096 +#define __bos1(ptr)
60097 +#endif
60098 +
60099 /* Simple shorthand for a section definition */
60100 #ifndef __section
60101 # define __section(S) __attribute__ ((__section__(#S)))
60102 @@ -278,6 +302,7 @@ void ftrace_likely_update(struct ftrace_
60103 * use is to mediate communication between process-level code and irq/NMI
60104 * handlers, all running on the same CPU.
60105 */
60106 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
60107 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
60108 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
60109
60110 #endif /* __LINUX_COMPILER_H */
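Review bot: The comment block above `ACCESS_ONCE` is left as it was, although the macro now yields a `const`-qualified lvalue and stores must go through the new `ACCESS_ONCE_RW`. Add a sentence to that comment, for example `Use ACCESS_ONCE() for loads and ACCESS_ONCE_RW() when the access is a store.` Without it, the compile error on `ACCESS_ONCE(x) = v` gives no hint of the replacement. The comment starts outside the hunk.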
60111 diff -urNp linux-2.6.32.46/include/linux/crypto.h linux-2.6.32.46/include/linux/crypto.h
60112 --- linux-2.6.32.46/include/linux/crypto.h 2011-03-27 14:31:47.000000000 -0400
60113 +++ linux-2.6.32.46/include/linux/crypto.h 2011-08-05 20:33:55.000000000 -0400
60114 @@ -394,7 +394,7 @@ struct cipher_tfm {
60115 const u8 *key, unsigned int keylen);
60116 void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
60117 void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
60118 -};
60119 +} __no_const;
60120
60121 struct hash_tfm {
60122 int (*init)(struct hash_desc *desc);
60123 @@ -415,13 +415,13 @@ struct compress_tfm {
60124 int (*cot_decompress)(struct crypto_tfm *tfm,
60125 const u8 *src, unsigned int slen,
60126 u8 *dst, unsigned int *dlen);
60127 -};
60128 +} __no_const;
60129
60130 struct rng_tfm {
60131 int (*rng_gen_random)(struct crypto_rng *tfm, u8 *rdata,
60132 unsigned int dlen);
60133 int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
60134 -};
60135 +} __no_const;
60136
60137 #define crt_ablkcipher crt_u.ablkcipher
60138 #define crt_aead crt_u.aead
60139 diff -urNp linux-2.6.32.46/include/linux/dcache.h linux-2.6.32.46/include/linux/dcache.h
60140 --- linux-2.6.32.46/include/linux/dcache.h 2011-03-27 14:31:47.000000000 -0400
60141 +++ linux-2.6.32.46/include/linux/dcache.h 2011-04-23 13:34:46.000000000 -0400
60142 @@ -119,6 +119,8 @@ struct dentry {
60143 unsigned char d_iname[DNAME_INLINE_LEN_MIN]; /* small names */
60144 };
60145
60146 +#define DNAME_INLINE_LEN (sizeof(struct dentry)-offsetof(struct dentry,d_iname))
60147 +
60148 /*
60149 * dentry->d_lock spinlock nesting subclasses:
60150 *
60151 diff -urNp linux-2.6.32.46/include/linux/decompress/mm.h linux-2.6.32.46/include/linux/decompress/mm.h
60152 --- linux-2.6.32.46/include/linux/decompress/mm.h 2011-03-27 14:31:47.000000000 -0400
60153 +++ linux-2.6.32.46/include/linux/decompress/mm.h 2011-04-17 15:56:46.000000000 -0400
60154 @@ -78,7 +78,7 @@ static void free(void *where)
60155 * warnings when not needed (indeed large_malloc / large_free are not
60156 * needed by inflate */
60157
60158 -#define malloc(a) kmalloc(a, GFP_KERNEL)
60159 +#define malloc(a) kmalloc((a), GFP_KERNEL)
60160 #define free(a) kfree(a)
60161
60162 #define large_malloc(a) vmalloc(a)
60163 diff -urNp linux-2.6.32.46/include/linux/dma-mapping.h linux-2.6.32.46/include/linux/dma-mapping.h
60164 --- linux-2.6.32.46/include/linux/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
60165 +++ linux-2.6.32.46/include/linux/dma-mapping.h 2011-08-26 20:19:09.000000000 -0400
60166 @@ -16,51 +16,51 @@ enum dma_data_direction {
60167 };
60168
60169 struct dma_map_ops {
60170 - void* (*alloc_coherent)(struct device *dev, size_t size,
60171 + void* (* const alloc_coherent)(struct device *dev, size_t size,
60172 dma_addr_t *dma_handle, gfp_t gfp);
60173 - void (*free_coherent)(struct device *dev, size_t size,
60174 + void (* const free_coherent)(struct device *dev, size_t size,
60175 void *vaddr, dma_addr_t dma_handle);
60176 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
60177 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
60178 unsigned long offset, size_t size,
60179 enum dma_data_direction dir,
60180 struct dma_attrs *attrs);
60181 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
60182 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
60183 size_t size, enum dma_data_direction dir,
60184 struct dma_attrs *attrs);
60185 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
60186 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
60187 int nents, enum dma_data_direction dir,
60188 struct dma_attrs *attrs);
60189 - void (*unmap_sg)(struct device *dev,
60190 + void (* const unmap_sg)(struct device *dev,
60191 struct scatterlist *sg, int nents,
60192 enum dma_data_direction dir,
60193 struct dma_attrs *attrs);
60194 - void (*sync_single_for_cpu)(struct device *dev,
60195 + void (* const sync_single_for_cpu)(struct device *dev,
60196 dma_addr_t dma_handle, size_t size,
60197 enum dma_data_direction dir);
60198 - void (*sync_single_for_device)(struct device *dev,
60199 + void (* const sync_single_for_device)(struct device *dev,
60200 dma_addr_t dma_handle, size_t size,
60201 enum dma_data_direction dir);
60202 - void (*sync_single_range_for_cpu)(struct device *dev,
60203 + void (* const sync_single_range_for_cpu)(struct device *dev,
60204 dma_addr_t dma_handle,
60205 unsigned long offset,
60206 size_t size,
60207 enum dma_data_direction dir);
60208 - void (*sync_single_range_for_device)(struct device *dev,
60209 + void (* const sync_single_range_for_device)(struct device *dev,
60210 dma_addr_t dma_handle,
60211 unsigned long offset,
60212 size_t size,
60213 enum dma_data_direction dir);
60214 - void (*sync_sg_for_cpu)(struct device *dev,
60215 + void (* const sync_sg_for_cpu)(struct device *dev,
60216 struct scatterlist *sg, int nents,
60217 enum dma_data_direction dir);
60218 - void (*sync_sg_for_device)(struct device *dev,
60219 + void (* const sync_sg_for_device)(struct device *dev,
60220 struct scatterlist *sg, int nents,
60221 enum dma_data_direction dir);
60222 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
60223 - int (*dma_supported)(struct device *dev, u64 mask);
60224 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
60225 + int (* const dma_supported)(struct device *dev, u64 mask);
60226 int (*set_dma_mask)(struct device *dev, u64 mask);
60227 int is_phys;
60228 -};
60229 +} __do_const;
60230
60231 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
60232
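Review bot: Every callback in `struct dma_map_ops` gains `const` except `set_dma_mask`, and the struct is additionally tagged `__do_const`, with no comment on the exception. If `set_dma_mask` is assigned at runtime somewhere, that presumably conflicts with `__do_const`; if it is not, the missing qualifier looks like an oversight and the line should read `int (* const set_dma_mask)(struct device *dev, u64 mask);`. Either way the per-member `const` and the struct attribute overlap, and a comment should say which one is authoritative.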
60233 diff -urNp linux-2.6.32.46/include/linux/dst.h linux-2.6.32.46/include/linux/dst.h
60234 --- linux-2.6.32.46/include/linux/dst.h 2011-03-27 14:31:47.000000000 -0400
60235 +++ linux-2.6.32.46/include/linux/dst.h 2011-04-17 15:56:46.000000000 -0400
60236 @@ -380,7 +380,7 @@ struct dst_node
60237 struct thread_pool *pool;
60238
60239 /* Transaction IDs live here */
60240 - atomic_long_t gen;
60241 + atomic_long_unchecked_t gen;
60242
60243 /*
60244 * How frequently and how many times transaction
60245 diff -urNp linux-2.6.32.46/include/linux/elf.h linux-2.6.32.46/include/linux/elf.h
60246 --- linux-2.6.32.46/include/linux/elf.h 2011-03-27 14:31:47.000000000 -0400
60247 +++ linux-2.6.32.46/include/linux/elf.h 2011-04-17 15:56:46.000000000 -0400
60248 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
60249 #define PT_GNU_EH_FRAME 0x6474e550
60250
60251 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
60252 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
60253 +
60254 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
60255 +
60256 +/* Constants for the e_flags field */
60257 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
60258 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
60259 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
60260 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
60261 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
60262 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
60263
60264 /* These constants define the different elf file types */
60265 #define ET_NONE 0
60266 @@ -84,6 +95,8 @@ typedef __s64 Elf64_Sxword;
60267 #define DT_DEBUG 21
60268 #define DT_TEXTREL 22
60269 #define DT_JMPREL 23
60270 +#define DT_FLAGS 30
60271 + #define DF_TEXTREL 0x00000004
60272 #define DT_ENCODING 32
60273 #define OLD_DT_LOOS 0x60000000
60274 #define DT_LOOS 0x6000000d
60275 @@ -230,6 +243,19 @@ typedef struct elf64_hdr {
60276 #define PF_W 0x2
60277 #define PF_X 0x1
60278
60279 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
60280 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
60281 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
60282 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
60283 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
60284 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
60285 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
60286 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
60287 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
60288 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
60289 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
60290 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
60291 +
60292 typedef struct elf32_phdr{
60293 Elf32_Word p_type;
60294 Elf32_Off p_offset;
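Review bot: The `PF_*` flags come in enable/disable pairs (`PF_PAGEEXEC`/`PF_NOPAGEEXEC` and so on), but nothing here says how a program header with both bits of a pair set, or neither, is treated. These bits are read from the ELF file, so for any binary a user can supply they are untrusted input, and the rule belongs where the bits are defined. I would add a block comment above the list stating whichever policy the loader applies (the parsing code is outside this hunk) and noting that bits 10 and 11 stay reserved for the commented-out RANDEXEC pair.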
60295 @@ -322,6 +348,8 @@ typedef struct elf64_shdr {
60296 #define EI_OSABI 7
60297 #define EI_PAD 8
60298
60299 +#define EI_PAX 14
60300 +
60301 #define ELFMAG0 0x7f /* EI_MAG */
60302 #define ELFMAG1 'E'
60303 #define ELFMAG2 'L'
60304 @@ -386,6 +414,7 @@ extern Elf32_Dyn _DYNAMIC [];
60305 #define elf_phdr elf32_phdr
60306 #define elf_note elf32_note
60307 #define elf_addr_t Elf32_Off
60308 +#define elf_dyn Elf32_Dyn
60309
60310 #else
60311
60312 @@ -394,6 +423,7 @@ extern Elf64_Dyn _DYNAMIC [];
60313 #define elf_phdr elf64_phdr
60314 #define elf_note elf64_note
60315 #define elf_addr_t Elf64_Off
60316 +#define elf_dyn Elf64_Dyn
60317
60318 #endif
60319
60320 diff -urNp linux-2.6.32.46/include/linux/fscache-cache.h linux-2.6.32.46/include/linux/fscache-cache.h
60321 --- linux-2.6.32.46/include/linux/fscache-cache.h 2011-03-27 14:31:47.000000000 -0400
60322 +++ linux-2.6.32.46/include/linux/fscache-cache.h 2011-05-04 17:56:28.000000000 -0400
60323 @@ -116,7 +116,7 @@ struct fscache_operation {
60324 #endif
60325 };
60326
60327 -extern atomic_t fscache_op_debug_id;
60328 +extern atomic_unchecked_t fscache_op_debug_id;
60329 extern const struct slow_work_ops fscache_op_slow_work_ops;
60330
60331 extern void fscache_enqueue_operation(struct fscache_operation *);
60332 @@ -134,7 +134,7 @@ static inline void fscache_operation_ini
60333 fscache_operation_release_t release)
60334 {
60335 atomic_set(&op->usage, 1);
60336 - op->debug_id = atomic_inc_return(&fscache_op_debug_id);
60337 + op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
60338 op->release = release;
60339 INIT_LIST_HEAD(&op->pend_link);
60340 fscache_set_op_state(op, "Init");
60341 diff -urNp linux-2.6.32.46/include/linux/fs.h linux-2.6.32.46/include/linux/fs.h
60342 --- linux-2.6.32.46/include/linux/fs.h 2011-07-13 17:23:04.000000000 -0400
60343 +++ linux-2.6.32.46/include/linux/fs.h 2011-08-26 20:19:09.000000000 -0400
60344 @@ -90,6 +90,11 @@ struct inodes_stat_t {
60345 /* Expect random access pattern */
60346 #define FMODE_RANDOM ((__force fmode_t)4096)
60347
60348 +/* Hack for grsec so as not to require read permission simply to execute
60349 + * a binary
60350 + */
60351 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
60352 +
60353 /*
60354 * The below are the various read and write types that we support. Some of
60355 * them include behavioral modifiers that send information down to the
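Review bot: The comment on `FMODE_GREXEC` calls it a hack to avoid requiring read permission on exec but leaves out what a reviewer needs: which code may set it, and that it must never be derivable from user-supplied open flags. The value is written in hex (`0x2000000`) where the neighbouring `FMODE_RANDOM` uses decimal, which makes a clash with another `FMODE_*` bit harder to spot. I would extend the comment along the lines of `Kernel-internal: set only by <setter>, never taken from userspace flags`, with the real setter named. The code that sets and tests the flag is outside this hunk.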
60356 @@ -568,41 +573,41 @@ typedef int (*read_actor_t)(read_descrip
60357 unsigned long, unsigned long);
60358
60359 struct address_space_operations {
60360 - int (*writepage)(struct page *page, struct writeback_control *wbc);
60361 - int (*readpage)(struct file *, struct page *);
60362 - void (*sync_page)(struct page *);
60363 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
60364 + int (* const readpage)(struct file *, struct page *);
60365 + void (* const sync_page)(struct page *);
60366
60367 /* Write back some dirty pages from this mapping. */
60368 - int (*writepages)(struct address_space *, struct writeback_control *);
60369 + int (* const writepages)(struct address_space *, struct writeback_control *);
60370
60371 /* Set a page dirty. Return true if this dirtied it */
60372 - int (*set_page_dirty)(struct page *page);
60373 + int (* const set_page_dirty)(struct page *page);
60374
60375 - int (*readpages)(struct file *filp, struct address_space *mapping,
60376 + int (* const readpages)(struct file *filp, struct address_space *mapping,
60377 struct list_head *pages, unsigned nr_pages);
60378
60379 - int (*write_begin)(struct file *, struct address_space *mapping,
60380 + int (* const write_begin)(struct file *, struct address_space *mapping,
60381 loff_t pos, unsigned len, unsigned flags,
60382 struct page **pagep, void **fsdata);
60383 - int (*write_end)(struct file *, struct address_space *mapping,
60384 + int (* const write_end)(struct file *, struct address_space *mapping,
60385 loff_t pos, unsigned len, unsigned copied,
60386 struct page *page, void *fsdata);
60387
60388 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
60389 - sector_t (*bmap)(struct address_space *, sector_t);
60390 - void (*invalidatepage) (struct page *, unsigned long);
60391 - int (*releasepage) (struct page *, gfp_t);
60392 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
60393 + sector_t (* const bmap)(struct address_space *, sector_t);
60394 + void (* const invalidatepage) (struct page *, unsigned long);
60395 + int (* const releasepage) (struct page *, gfp_t);
60396 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
60397 loff_t offset, unsigned long nr_segs);
60398 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
60399 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
60400 void **, unsigned long *);
60401 /* migrate the contents of a page to the specified target */
60402 - int (*migratepage) (struct address_space *,
60403 + int (* const migratepage) (struct address_space *,
60404 struct page *, struct page *);
60405 - int (*launder_page) (struct page *);
60406 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
60407 + int (* const launder_page) (struct page *);
60408 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
60409 unsigned long);
60410 - int (*error_remove_page)(struct address_space *, struct page *);
60411 + int (* const error_remove_page)(struct address_space *, struct page *);
60412 };
60413
60414 /*
60415 @@ -1031,19 +1036,19 @@ static inline int file_check_writeable(s
60416 typedef struct files_struct *fl_owner_t;
60417
60418 struct file_lock_operations {
60419 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
60420 - void (*fl_release_private)(struct file_lock *);
60421 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
60422 + void (* const fl_release_private)(struct file_lock *);
60423 };
60424
60425 struct lock_manager_operations {
60426 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
60427 - void (*fl_notify)(struct file_lock *); /* unblock callback */
60428 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
60429 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
60430 - void (*fl_release_private)(struct file_lock *);
60431 - void (*fl_break)(struct file_lock *);
60432 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
60433 - int (*fl_change)(struct file_lock **, int);
60434 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
60435 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
60436 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
60437 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
60438 + void (* const fl_release_private)(struct file_lock *);
60439 + void (* const fl_break)(struct file_lock *);
60440 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
60441 + int (* const fl_change)(struct file_lock **, int);
60442 };
60443
60444 struct lock_manager {
60445 @@ -1442,7 +1447,7 @@ struct fiemap_extent_info {
60446 unsigned int fi_flags; /* Flags as passed from user */
60447 unsigned int fi_extents_mapped; /* Number of mapped extents */
60448 unsigned int fi_extents_max; /* Size of fiemap_extent array */
60449 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
60450 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
60451 * array */
60452 };
60453 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
60454 @@ -1512,7 +1517,8 @@ struct file_operations {
60455 ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int);
60456 ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int);
60457 int (*setlease)(struct file *, long, struct file_lock **);
60458 -};
60459 +} __do_const;
60460 +typedef struct file_operations __no_const file_operations_no_const;
60461
60462 struct inode_operations {
60463 int (*create) (struct inode *,struct dentry *,int, struct nameidata *);
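Review bot: The `file_operations_no_const` typedef added after the closing brace has no comment saying when a writable copy of the table is acceptable. Each use of it presumably takes a function-pointer table back out of the read-only treatment that `__do_const` asks for. I would put a comment directly above the typedef, for example `/* writable variant for ops tables that must be filled in at run time; every use needs a justification */`. The struct body starts outside this hunk, so how the attribute affects individual members cannot be checked from here.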
60464 @@ -1559,30 +1565,30 @@ extern ssize_t vfs_writev(struct file *,
60465 unsigned long, loff_t *);
60466
60467 struct super_operations {
60468 - struct inode *(*alloc_inode)(struct super_block *sb);
60469 - void (*destroy_inode)(struct inode *);
60470 + struct inode *(* const alloc_inode)(struct super_block *sb);
60471 + void (* const destroy_inode)(struct inode *);
60472
60473 - void (*dirty_inode) (struct inode *);
60474 - int (*write_inode) (struct inode *, int);
60475 - void (*drop_inode) (struct inode *);
60476 - void (*delete_inode) (struct inode *);
60477 - void (*put_super) (struct super_block *);
60478 - void (*write_super) (struct super_block *);
60479 - int (*sync_fs)(struct super_block *sb, int wait);
60480 - int (*freeze_fs) (struct super_block *);
60481 - int (*unfreeze_fs) (struct super_block *);
60482 - int (*statfs) (struct dentry *, struct kstatfs *);
60483 - int (*remount_fs) (struct super_block *, int *, char *);
60484 - void (*clear_inode) (struct inode *);
60485 - void (*umount_begin) (struct super_block *);
60486 + void (* const dirty_inode) (struct inode *);
60487 + int (* const write_inode) (struct inode *, int);
60488 + void (* const drop_inode) (struct inode *);
60489 + void (* const delete_inode) (struct inode *);
60490 + void (* const put_super) (struct super_block *);
60491 + void (* const write_super) (struct super_block *);
60492 + int (* const sync_fs)(struct super_block *sb, int wait);
60493 + int (* const freeze_fs) (struct super_block *);
60494 + int (* const unfreeze_fs) (struct super_block *);
60495 + int (* const statfs) (struct dentry *, struct kstatfs *);
60496 + int (* const remount_fs) (struct super_block *, int *, char *);
60497 + void (* const clear_inode) (struct inode *);
60498 + void (* const umount_begin) (struct super_block *);
60499
60500 - int (*show_options)(struct seq_file *, struct vfsmount *);
60501 - int (*show_stats)(struct seq_file *, struct vfsmount *);
60502 + int (* const show_options)(struct seq_file *, struct vfsmount *);
60503 + int (* const show_stats)(struct seq_file *, struct vfsmount *);
60504 #ifdef CONFIG_QUOTA
60505 - ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
60506 - ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
60507 + ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
60508 + ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
60509 #endif
60510 - int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
60511 + int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
60512 };
60513
60514 /*
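Review bot: `struct super_operations` is constified member by member (`* const` on every pointer), while `struct file_operations` in the hunk above apparently gets the same result from a single `__do_const` on its closing brace. The per-member form leaves any callback added later writable unless its author remembers the qualifier. The same hand-written pattern is used for `file_lock_operations` and `lock_manager_operations` earlier in this file. If both forms have to coexist, a comment above the struct such as `/* every member is const: instances must be fully initialised at definition and are never written afterwards */` would make the rule visible to whoever adds the next member.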
60515 diff -urNp linux-2.6.32.46/include/linux/fs_struct.h linux-2.6.32.46/include/linux/fs_struct.h
60516 --- linux-2.6.32.46/include/linux/fs_struct.h 2011-03-27 14:31:47.000000000 -0400
60517 +++ linux-2.6.32.46/include/linux/fs_struct.h 2011-04-17 15:56:46.000000000 -0400
60518 @@ -4,7 +4,7 @@
60519 #include <linux/path.h>
60520
60521 struct fs_struct {
60522 - int users;
60523 + atomic_t users;
60524 rwlock_t lock;
60525 int umask;
60526 int in_exec;
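Review bot: `users` changes from `int` to `atomic_t` while `rwlock_t lock` stays on the next line, and nothing in the struct says which of the two now guards the count. Code that used to read the count and act on it under `lock` needs to know whether that pairing still holds. I would add a field comment such as `atomic_t users; /* reference count, atomic_*() only; lock still covers the remaining fields */`, with the wording adjusted to what the call sites actually do. The struct continues past the end of this hunk.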
60527 diff -urNp linux-2.6.32.46/include/linux/ftrace_event.h linux-2.6.32.46/include/linux/ftrace_event.h
60528 --- linux-2.6.32.46/include/linux/ftrace_event.h 2011-03-27 14:31:47.000000000 -0400
60529 +++ linux-2.6.32.46/include/linux/ftrace_event.h 2011-05-04 17:56:28.000000000 -0400
60530 @@ -163,7 +163,7 @@ extern int trace_define_field(struct ftr
60531 int filter_type);
60532 extern int trace_define_common_fields(struct ftrace_event_call *call);
60533
60534 -#define is_signed_type(type) (((type)(-1)) < 0)
60535 +#define is_signed_type(type) (((type)(-1)) < (type)1)
60536
60537 int trace_set_clr_event(const char *system, const char *event, int set);
60538
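Review bot: The rewritten `is_signed_type()` has no comment explaining why it compares against `(type)1` instead of `0`, so the next clean-up is likely to put the simpler form back. Presumably the point is to avoid the always-false `unsigned < 0` comparison that compilers flag. A one-line comment above the macro would record that: `/* compare with (type)1, not 0, so unsigned types do not yield a tautological comparison */`.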
60539 diff -urNp linux-2.6.32.46/include/linux/genhd.h linux-2.6.32.46/include/linux/genhd.h
60540 --- linux-2.6.32.46/include/linux/genhd.h 2011-03-27 14:31:47.000000000 -0400
60541 +++ linux-2.6.32.46/include/linux/genhd.h 2011-04-17 15:56:46.000000000 -0400
60542 @@ -161,7 +161,7 @@ struct gendisk {
60543
60544 struct timer_rand_state *random;
60545
60546 - atomic_t sync_io; /* RAID */
60547 + atomic_unchecked_t sync_io; /* RAID */
60548 struct work_struct async_notify;
60549 #ifdef CONFIG_BLK_DEV_INTEGRITY
60550 struct blk_integrity *integrity;
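Review bot: `sync_io` moves to `atomic_unchecked_t`, which by its name opts this counter out of whatever overflow checking the patch attaches to `atomic_t`, yet the field comment still says only `/* RAID */`. An unchecked counter is safe only if wrapping it cannot lead to an object being freed or reused, so the reason for the exemption belongs next to the field. Once confirmed against the users of the field, something like `atomic_unchecked_t sync_io; /* RAID: I/O activity counter, not a reference count, may wrap */` would do. The struct begins and ends outside this hunk.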
60551 diff -urNp linux-2.6.32.46/include/linux/gracl.h linux-2.6.32.46/include/linux/gracl.h
60552 --- linux-2.6.32.46/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
60553 +++ linux-2.6.32.46/include/linux/gracl.h 2011-04-17 15:56:46.000000000 -0400
60554 @@ -0,0 +1,317 @@
60555 +#ifndef GR_ACL_H
60556 +#define GR_ACL_H
60557 +
60558 +#include <linux/grdefs.h>
60559 +#include <linux/resource.h>
60560 +#include <linux/capability.h>
60561 +#include <linux/dcache.h>
60562 +#include <asm/resource.h>
60563 +
60564 +/* Major status information */
60565 +
60566 +#define GR_VERSION "grsecurity 2.2.2"
60567 +#define GRSECURITY_VERSION 0x2202
60568 +
60569 +enum {
60570 + GR_SHUTDOWN = 0,
60571 + GR_ENABLE = 1,
60572 + GR_SPROLE = 2,
60573 + GR_RELOAD = 3,
60574 + GR_SEGVMOD = 4,
60575 + GR_STATUS = 5,
60576 + GR_UNSPROLE = 6,
60577 + GR_PASSSET = 7,
60578 + GR_SPROLEPAM = 8,
60579 +};
60580 +
60581 +/* Password setup definitions
60582 + * kernel/grhash.c */
60583 +enum {
60584 + GR_PW_LEN = 128,
60585 + GR_SALT_LEN = 16,
60586 + GR_SHA_LEN = 32,
60587 +};
60588 +
60589 +enum {
60590 + GR_SPROLE_LEN = 64,
60591 +};
60592 +
60593 +enum {
60594 + GR_NO_GLOB = 0,
60595 + GR_REG_GLOB,
60596 + GR_CREATE_GLOB
60597 +};
60598 +
60599 +#define GR_NLIMITS 32
60600 +
60601 +/* Begin Data Structures */
60602 +
60603 +struct sprole_pw {
60604 + unsigned char *rolename;
60605 + unsigned char salt[GR_SALT_LEN];
60606 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
60607 +};
60608 +
60609 +struct name_entry {
60610 + __u32 key;
60611 + ino_t inode;
60612 + dev_t device;
60613 + char *name;
60614 + __u16 len;
60615 + __u8 deleted;
60616 + struct name_entry *prev;
60617 + struct name_entry *next;
60618 +};
60619 +
60620 +struct inodev_entry {
60621 + struct name_entry *nentry;
60622 + struct inodev_entry *prev;
60623 + struct inodev_entry *next;
60624 +};
60625 +
60626 +struct acl_role_db {
60627 + struct acl_role_label **r_hash;
60628 + __u32 r_size;
60629 +};
60630 +
60631 +struct inodev_db {
60632 + struct inodev_entry **i_hash;
60633 + __u32 i_size;
60634 +};
60635 +
60636 +struct name_db {
60637 + struct name_entry **n_hash;
60638 + __u32 n_size;
60639 +};
60640 +
60641 +struct crash_uid {
60642 + uid_t uid;
60643 + unsigned long expires;
60644 +};
60645 +
60646 +struct gr_hash_struct {
60647 + void **table;
60648 + void **nametable;
60649 + void *first;
60650 + __u32 table_size;
60651 + __u32 used_size;
60652 + int type;
60653 +};
60654 +
60655 +/* Userspace Grsecurity ACL data structures */
60656 +
60657 +struct acl_subject_label {
60658 + char *filename;
60659 + ino_t inode;
60660 + dev_t device;
60661 + __u32 mode;
60662 + kernel_cap_t cap_mask;
60663 + kernel_cap_t cap_lower;
60664 + kernel_cap_t cap_invert_audit;
60665 +
60666 + struct rlimit res[GR_NLIMITS];
60667 + __u32 resmask;
60668 +
60669 + __u8 user_trans_type;
60670 + __u8 group_trans_type;
60671 + uid_t *user_transitions;
60672 + gid_t *group_transitions;
60673 + __u16 user_trans_num;
60674 + __u16 group_trans_num;
60675 +
60676 + __u32 sock_families[2];
60677 + __u32 ip_proto[8];
60678 + __u32 ip_type;
60679 + struct acl_ip_label **ips;
60680 + __u32 ip_num;
60681 + __u32 inaddr_any_override;
60682 +
60683 + __u32 crashes;
60684 + unsigned long expires;
60685 +
60686 + struct acl_subject_label *parent_subject;
60687 + struct gr_hash_struct *hash;
60688 + struct acl_subject_label *prev;
60689 + struct acl_subject_label *next;
60690 +
60691 + struct acl_object_label **obj_hash;
60692 + __u32 obj_hash_size;
60693 + __u16 pax_flags;
60694 +};
60695 +
60696 +struct role_allowed_ip {
60697 + __u32 addr;
60698 + __u32 netmask;
60699 +
60700 + struct role_allowed_ip *prev;
60701 + struct role_allowed_ip *next;
60702 +};
60703 +
60704 +struct role_transition {
60705 + char *rolename;
60706 +
60707 + struct role_transition *prev;
60708 + struct role_transition *next;
60709 +};
60710 +
60711 +struct acl_role_label {
60712 + char *rolename;
60713 + uid_t uidgid;
60714 + __u16 roletype;
60715 +
60716 + __u16 auth_attempts;
60717 + unsigned long expires;
60718 +
60719 + struct acl_subject_label *root_label;
60720 + struct gr_hash_struct *hash;
60721 +
60722 + struct acl_role_label *prev;
60723 + struct acl_role_label *next;
60724 +
60725 + struct role_transition *transitions;
60726 + struct role_allowed_ip *allowed_ips;
60727 + uid_t *domain_children;
60728 + __u16 domain_child_num;
60729 +
60730 + struct acl_subject_label **subj_hash;
60731 + __u32 subj_hash_size;
60732 +};
60733 +
60734 +struct user_acl_role_db {
60735 + struct acl_role_label **r_table;
60736 + __u32 num_pointers; /* Number of allocations to track */
60737 + __u32 num_roles; /* Number of roles */
60738 + __u32 num_domain_children; /* Number of domain children */
60739 + __u32 num_subjects; /* Number of subjects */
60740 + __u32 num_objects; /* Number of objects */
60741 +};
60742 +
60743 +struct acl_object_label {
60744 + char *filename;
60745 + ino_t inode;
60746 + dev_t device;
60747 + __u32 mode;
60748 +
60749 + struct acl_subject_label *nested;
60750 + struct acl_object_label *globbed;
60751 +
60752 + /* next two structures not used */
60753 +
60754 + struct acl_object_label *prev;
60755 + struct acl_object_label *next;
60756 +};
60757 +
60758 +struct acl_ip_label {
60759 + char *iface;
60760 + __u32 addr;
60761 + __u32 netmask;
60762 + __u16 low, high;
60763 + __u8 mode;
60764 + __u32 type;
60765 + __u32 proto[8];
60766 +
60767 + /* next two structures not used */
60768 +
60769 + struct acl_ip_label *prev;
60770 + struct acl_ip_label *next;
60771 +};
60772 +
60773 +struct gr_arg {
60774 + struct user_acl_role_db role_db;
60775 + unsigned char pw[GR_PW_LEN];
60776 + unsigned char salt[GR_SALT_LEN];
60777 + unsigned char sum[GR_SHA_LEN];
60778 + unsigned char sp_role[GR_SPROLE_LEN];
60779 + struct sprole_pw *sprole_pws;
60780 + dev_t segv_device;
60781 + ino_t segv_inode;
60782 + uid_t segv_uid;
60783 + __u16 num_sprole_pws;
60784 + __u16 mode;
60785 +};
60786 +
60787 +struct gr_arg_wrapper {
60788 + struct gr_arg *arg;
60789 + __u32 version;
60790 + __u32 size;
60791 +};
60792 +
60793 +struct subject_map {
60794 + struct acl_subject_label *user;
60795 + struct acl_subject_label *kernel;
60796 + struct subject_map *prev;
60797 + struct subject_map *next;
60798 +};
60799 +
60800 +struct acl_subj_map_db {
60801 + struct subject_map **s_hash;
60802 + __u32 s_size;
60803 +};
60804 +
60805 +/* End Data Structures Section */
60806 +
60807 +/* Hash functions generated by empirical testing by Brad Spengler
60808 + Makes good use of the low bits of the inode. Generally 0-1 times
60809 + in loop for successful match. 0-3 for unsuccessful match.
60810 + Shift/add algorithm with modulus of table size and an XOR*/
60811 +
60812 +static __inline__ unsigned int
60813 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
60814 +{
60815 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
60816 +}
60817 +
60818 + static __inline__ unsigned int
60819 +shash(const struct acl_subject_label *userp, const unsigned int sz)
60820 +{
60821 + return ((const unsigned long)userp % sz);
60822 +}
60823 +
60824 +static __inline__ unsigned int
60825 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
60826 +{
60827 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
60828 +}
60829 +
60830 +static __inline__ unsigned int
60831 +nhash(const char *name, const __u16 len, const unsigned int sz)
60832 +{
60833 + return full_name_hash((const unsigned char *)name, len) % sz;
60834 +}
60835 +
60836 +#define FOR_EACH_ROLE_START(role) \
60837 + role = role_list; \
60838 + while (role) {
60839 +
60840 +#define FOR_EACH_ROLE_END(role) \
60841 + role = role->prev; \
60842 + }
60843 +
60844 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
60845 + subj = NULL; \
60846 + iter = 0; \
60847 + while (iter < role->subj_hash_size) { \
60848 + if (subj == NULL) \
60849 + subj = role->subj_hash[iter]; \
60850 + if (subj == NULL) { \
60851 + iter++; \
60852 + continue; \
60853 + }
60854 +
60855 +#define FOR_EACH_SUBJECT_END(subj,iter) \
60856 + subj = subj->next; \
60857 + if (subj == NULL) \
60858 + iter++; \
60859 + }
60860 +
60861 +
60862 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
60863 + subj = role->hash->first; \
60864 + while (subj != NULL) {
60865 +
60866 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
60867 + subj = subj->next; \
60868 + }
60869 +
60870 +#endif
60871 +
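Review bot: `rhash()` shifts by `16 + type` with `type` a `__u16`, so any caller passing a value of 16 or more shifts a 32-bit operand by its full width or beyond, which is undefined behaviour. The `roletype` field this presumably comes from is a flag word whose bits in grdefs.h go well above that. If only the low user/group bits are meant to reach the hash, masking inside the function makes that explicit without changing results for small values: `return ((((uid + type) << (16 + (type & 0xf))) ^ uid) % sz);`. All four hash helpers also take `% sz` without a guard, and the table sizes appear to derive from counts handed in through `struct gr_arg`, so a zero size has to be rejected before any of them is called. A comment above the helpers should state that precondition.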
60872 diff -urNp linux-2.6.32.46/include/linux/gralloc.h linux-2.6.32.46/include/linux/gralloc.h
60873 --- linux-2.6.32.46/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
60874 +++ linux-2.6.32.46/include/linux/gralloc.h 2011-04-17 15:56:46.000000000 -0400
60875 @@ -0,0 +1,9 @@
60876 +#ifndef __GRALLOC_H
60877 +#define __GRALLOC_H
60878 +
60879 +void acl_free_all(void);
60880 +int acl_alloc_stack_init(unsigned long size);
60881 +void *acl_alloc(unsigned long len);
60882 +void *acl_alloc_num(unsigned long num, unsigned long len);
60883 +
60884 +#endif
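Review bot: `acl_alloc_num(unsigned long num, unsigned long len)` is declared with no statement of what happens when `num * len` overflows, and the header gives callers no hint that these allocators can fail. The implementation is not part of this hunk, so the contract should be written here, for instance `/* returns NULL on failure or if num * len would overflow; callers must check */` above `acl_alloc_num`, with the matching check added in the implementation if it is not already there. The same applies to `acl_alloc()` for a zero or oversized `len`.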
60885 diff -urNp linux-2.6.32.46/include/linux/grdefs.h linux-2.6.32.46/include/linux/grdefs.h
60886 --- linux-2.6.32.46/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
60887 +++ linux-2.6.32.46/include/linux/grdefs.h 2011-06-11 16:20:26.000000000 -0400
60888 @@ -0,0 +1,140 @@
60889 +#ifndef GRDEFS_H
60890 +#define GRDEFS_H
60891 +
60892 +/* Begin grsecurity status declarations */
60893 +
60894 +enum {
60895 + GR_READY = 0x01,
60896 + GR_STATUS_INIT = 0x00 // disabled state
60897 +};
60898 +
60899 +/* Begin ACL declarations */
60900 +
60901 +/* Role flags */
60902 +
60903 +enum {
60904 + GR_ROLE_USER = 0x0001,
60905 + GR_ROLE_GROUP = 0x0002,
60906 + GR_ROLE_DEFAULT = 0x0004,
60907 + GR_ROLE_SPECIAL = 0x0008,
60908 + GR_ROLE_AUTH = 0x0010,
60909 + GR_ROLE_NOPW = 0x0020,
60910 + GR_ROLE_GOD = 0x0040,
60911 + GR_ROLE_LEARN = 0x0080,
60912 + GR_ROLE_TPE = 0x0100,
60913 + GR_ROLE_DOMAIN = 0x0200,
60914 + GR_ROLE_PAM = 0x0400,
60915 + GR_ROLE_PERSIST = 0x800
60916 +};
60917 +
60918 +/* ACL Subject and Object mode flags */
60919 +enum {
60920 + GR_DELETED = 0x80000000
60921 +};
60922 +
60923 +/* ACL Object-only mode flags */
60924 +enum {
60925 + GR_READ = 0x00000001,
60926 + GR_APPEND = 0x00000002,
60927 + GR_WRITE = 0x00000004,
60928 + GR_EXEC = 0x00000008,
60929 + GR_FIND = 0x00000010,
60930 + GR_INHERIT = 0x00000020,
60931 + GR_SETID = 0x00000040,
60932 + GR_CREATE = 0x00000080,
60933 + GR_DELETE = 0x00000100,
60934 + GR_LINK = 0x00000200,
60935 + GR_AUDIT_READ = 0x00000400,
60936 + GR_AUDIT_APPEND = 0x00000800,
60937 + GR_AUDIT_WRITE = 0x00001000,
60938 + GR_AUDIT_EXEC = 0x00002000,
60939 + GR_AUDIT_FIND = 0x00004000,
60940 + GR_AUDIT_INHERIT= 0x00008000,
60941 + GR_AUDIT_SETID = 0x00010000,
60942 + GR_AUDIT_CREATE = 0x00020000,
60943 + GR_AUDIT_DELETE = 0x00040000,
60944 + GR_AUDIT_LINK = 0x00080000,
60945 + GR_PTRACERD = 0x00100000,
60946 + GR_NOPTRACE = 0x00200000,
60947 + GR_SUPPRESS = 0x00400000,
60948 + GR_NOLEARN = 0x00800000,
60949 + GR_INIT_TRANSFER= 0x01000000
60950 +};
60951 +
60952 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
60953 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
60954 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
60955 +
60956 +/* ACL subject-only mode flags */
60957 +enum {
60958 + GR_KILL = 0x00000001,
60959 + GR_VIEW = 0x00000002,
60960 + GR_PROTECTED = 0x00000004,
60961 + GR_LEARN = 0x00000008,
60962 + GR_OVERRIDE = 0x00000010,
60963 + /* just a placeholder, this mode is only used in userspace */
60964 + GR_DUMMY = 0x00000020,
60965 + GR_PROTSHM = 0x00000040,
60966 + GR_KILLPROC = 0x00000080,
60967 + GR_KILLIPPROC = 0x00000100,
60968 + /* just a placeholder, this mode is only used in userspace */
60969 + GR_NOTROJAN = 0x00000200,
60970 + GR_PROTPROCFD = 0x00000400,
60971 + GR_PROCACCT = 0x00000800,
60972 + GR_RELAXPTRACE = 0x00001000,
60973 + GR_NESTED = 0x00002000,
60974 + GR_INHERITLEARN = 0x00004000,
60975 + GR_PROCFIND = 0x00008000,
60976 + GR_POVERRIDE = 0x00010000,
60977 + GR_KERNELAUTH = 0x00020000,
60978 + GR_ATSECURE = 0x00040000,
60979 + GR_SHMEXEC = 0x00080000
60980 +};
60981 +
60982 +enum {
60983 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
60984 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
60985 + GR_PAX_ENABLE_MPROTECT = 0x0004,
60986 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
60987 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
60988 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
60989 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
60990 + GR_PAX_DISABLE_MPROTECT = 0x0400,
60991 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
60992 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
60993 +};
60994 +
60995 +enum {
60996 + GR_ID_USER = 0x01,
60997 + GR_ID_GROUP = 0x02,
60998 +};
60999 +
61000 +enum {
61001 + GR_ID_ALLOW = 0x01,
61002 + GR_ID_DENY = 0x02,
61003 +};
61004 +
61005 +#define GR_CRASH_RES 31
61006 +#define GR_UIDTABLE_MAX 500
61007 +
61008 +/* begin resource learning section */
61009 +enum {
61010 + GR_RLIM_CPU_BUMP = 60,
61011 + GR_RLIM_FSIZE_BUMP = 50000,
61012 + GR_RLIM_DATA_BUMP = 10000,
61013 + GR_RLIM_STACK_BUMP = 1000,
61014 + GR_RLIM_CORE_BUMP = 10000,
61015 + GR_RLIM_RSS_BUMP = 500000,
61016 + GR_RLIM_NPROC_BUMP = 1,
61017 + GR_RLIM_NOFILE_BUMP = 5,
61018 + GR_RLIM_MEMLOCK_BUMP = 50000,
61019 + GR_RLIM_AS_BUMP = 500000,
61020 + GR_RLIM_LOCKS_BUMP = 2,
61021 + GR_RLIM_SIGPENDING_BUMP = 5,
61022 + GR_RLIM_MSGQUEUE_BUMP = 10000,
61023 + GR_RLIM_NICE_BUMP = 1,
61024 + GR_RLIM_RTPRIO_BUMP = 1,
61025 + GR_RLIM_RTTIME_BUMP = 1000000
61026 +};
61027 +
61028 +#endif
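Review bot: `GR_DELETED = 0x80000000` is declared as an enumeration constant, but that value does not fit in `int`, the type ISO C gives enumeration constants, so it compiles only through a compiler extension. The flag is described as a subject/object mode flag and the mode fields in gracl.h are `__u32`, so a plain unsigned macro avoids relying on the extension: `#define GR_DELETED 0x80000000U`. Separately, `GR_CRASH_RES 31` looks like an index tied to `GR_NLIMITS 32` in gracl.h, and a comment or build-time assertion linking the two would keep them from drifting apart.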
61029 diff -urNp linux-2.6.32.46/include/linux/grinternal.h linux-2.6.32.46/include/linux/grinternal.h
61030 --- linux-2.6.32.46/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
61031 +++ linux-2.6.32.46/include/linux/grinternal.h 2011-08-11 19:58:37.000000000 -0400
61032 @@ -0,0 +1,217 @@
61033 +#ifndef __GRINTERNAL_H
61034 +#define __GRINTERNAL_H
61035 +
61036 +#ifdef CONFIG_GRKERNSEC
61037 +
61038 +#include <linux/fs.h>
61039 +#include <linux/mnt_namespace.h>
61040 +#include <linux/nsproxy.h>
61041 +#include <linux/gracl.h>
61042 +#include <linux/grdefs.h>
61043 +#include <linux/grmsg.h>
61044 +
61045 +void gr_add_learn_entry(const char *fmt, ...)
61046 + __attribute__ ((format (printf, 1, 2)));
61047 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
61048 + const struct vfsmount *mnt);
61049 +__u32 gr_check_create(const struct dentry *new_dentry,
61050 + const struct dentry *parent,
61051 + const struct vfsmount *mnt, const __u32 mode);
61052 +int gr_check_protected_task(const struct task_struct *task);
61053 +__u32 to_gr_audit(const __u32 reqmode);
61054 +int gr_set_acls(const int type);
61055 +int gr_apply_subject_to_task(struct task_struct *task);
61056 +int gr_acl_is_enabled(void);
61057 +char gr_roletype_to_char(void);
61058 +
61059 +void gr_handle_alertkill(struct task_struct *task);
61060 +char *gr_to_filename(const struct dentry *dentry,
61061 + const struct vfsmount *mnt);
61062 +char *gr_to_filename1(const struct dentry *dentry,
61063 + const struct vfsmount *mnt);
61064 +char *gr_to_filename2(const struct dentry *dentry,
61065 + const struct vfsmount *mnt);
61066 +char *gr_to_filename3(const struct dentry *dentry,
61067 + const struct vfsmount *mnt);
61068 +
61069 +extern int grsec_enable_harden_ptrace;
61070 +extern int grsec_enable_link;
61071 +extern int grsec_enable_fifo;
61072 +extern int grsec_enable_shm;
61073 +extern int grsec_enable_execlog;
61074 +extern int grsec_enable_signal;
61075 +extern int grsec_enable_audit_ptrace;
61076 +extern int grsec_enable_forkfail;
61077 +extern int grsec_enable_time;
61078 +extern int grsec_enable_rofs;
61079 +extern int grsec_enable_chroot_shmat;
61080 +extern int grsec_enable_chroot_mount;
61081 +extern int grsec_enable_chroot_double;
61082 +extern int grsec_enable_chroot_pivot;
61083 +extern int grsec_enable_chroot_chdir;
61084 +extern int grsec_enable_chroot_chmod;
61085 +extern int grsec_enable_chroot_mknod;
61086 +extern int grsec_enable_chroot_fchdir;
61087 +extern int grsec_enable_chroot_nice;
61088 +extern int grsec_enable_chroot_execlog;
61089 +extern int grsec_enable_chroot_caps;
61090 +extern int grsec_enable_chroot_sysctl;
61091 +extern int grsec_enable_chroot_unix;
61092 +extern int grsec_enable_tpe;
61093 +extern int grsec_tpe_gid;
61094 +extern int grsec_enable_tpe_all;
61095 +extern int grsec_enable_tpe_invert;
61096 +extern int grsec_enable_socket_all;
61097 +extern int grsec_socket_all_gid;
61098 +extern int grsec_enable_socket_client;
61099 +extern int grsec_socket_client_gid;
61100 +extern int grsec_enable_socket_server;
61101 +extern int grsec_socket_server_gid;
61102 +extern int grsec_audit_gid;
61103 +extern int grsec_enable_group;
61104 +extern int grsec_enable_audit_textrel;
61105 +extern int grsec_enable_log_rwxmaps;
61106 +extern int grsec_enable_mount;
61107 +extern int grsec_enable_chdir;
61108 +extern int grsec_resource_logging;
61109 +extern int grsec_enable_blackhole;
61110 +extern int grsec_lastack_retries;
61111 +extern int grsec_enable_brute;
61112 +extern int grsec_lock;
61113 +
61114 +extern spinlock_t grsec_alert_lock;
61115 +extern unsigned long grsec_alert_wtime;
61116 +extern unsigned long grsec_alert_fyet;
61117 +
61118 +extern spinlock_t grsec_audit_lock;
61119 +
61120 +extern rwlock_t grsec_exec_file_lock;
61121 +
61122 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
61123 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
61124 + (tsk)->exec_file->f_vfsmnt) : "/")
61125 +
61126 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
61127 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
61128 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
61129 +
61130 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
61131 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
61132 + (tsk)->exec_file->f_vfsmnt) : "/")
61133 +
61134 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
61135 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
61136 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
61137 +
61138 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
61139 +
61140 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
61141 +
61142 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
61143 + (task)->pid, (cred)->uid, \
61144 + (cred)->euid, (cred)->gid, (cred)->egid, \
61145 + gr_parent_task_fullpath(task), \
61146 + (task)->real_parent->comm, (task)->real_parent->pid, \
61147 + (pcred)->uid, (pcred)->euid, \
61148 + (pcred)->gid, (pcred)->egid
61149 +
61150 +#define GR_CHROOT_CAPS {{ \
61151 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
61152 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
61153 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
61154 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
61155 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
61156 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
61157 +
61158 +#define security_learn(normal_msg,args...) \
61159 +({ \
61160 + read_lock(&grsec_exec_file_lock); \
61161 + gr_add_learn_entry(normal_msg "\n", ## args); \
61162 + read_unlock(&grsec_exec_file_lock); \
61163 +})
61164 +
61165 +enum {
61166 + GR_DO_AUDIT,
61167 + GR_DONT_AUDIT,
61168 + GR_DONT_AUDIT_GOOD
61169 +};
61170 +
61171 +enum {
61172 + GR_TTYSNIFF,
61173 + GR_RBAC,
61174 + GR_RBAC_STR,
61175 + GR_STR_RBAC,
61176 + GR_RBAC_MODE2,
61177 + GR_RBAC_MODE3,
61178 + GR_FILENAME,
61179 + GR_SYSCTL_HIDDEN,
61180 + GR_NOARGS,
61181 + GR_ONE_INT,
61182 + GR_ONE_INT_TWO_STR,
61183 + GR_ONE_STR,
61184 + GR_STR_INT,
61185 + GR_TWO_STR_INT,
61186 + GR_TWO_INT,
61187 + GR_TWO_U64,
61188 + GR_THREE_INT,
61189 + GR_FIVE_INT_TWO_STR,
61190 + GR_TWO_STR,
61191 + GR_THREE_STR,
61192 + GR_FOUR_STR,
61193 + GR_STR_FILENAME,
61194 + GR_FILENAME_STR,
61195 + GR_FILENAME_TWO_INT,
61196 + GR_FILENAME_TWO_INT_STR,
61197 + GR_TEXTREL,
61198 + GR_PTRACE,
61199 + GR_RESOURCE,
61200 + GR_CAP,
61201 + GR_SIG,
61202 + GR_SIG2,
61203 + GR_CRASH1,
61204 + GR_CRASH2,
61205 + GR_PSACCT,
61206 + GR_RWXMAP
61207 +};
61208 +
61209 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
61210 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
61211 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
61212 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
61213 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
61214 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
61215 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
61216 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
61217 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
61218 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
61219 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
61220 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
61221 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
61222 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
61223 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
61224 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
61225 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
61226 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
61227 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
61228 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
61229 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
61230 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
61231 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
61232 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
61233 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
61234 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
61235 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
61236 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
61237 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
61238 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
61239 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
61240 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
61241 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
61242 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
61243 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
61244 +
61245 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
61246 +
61247 +#endif
61248 +
61249 +#endif
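Review bot: `gr_log_int5_str2()` forwards two integers and two strings under the tag `GR_FIVE_INT_TWO_STR`, so either the name or the argument list is wrong. `gr_log_varargs()` can only learn what to pull off the variadic list from that tag, so a handler that really reads five integers would walk past the arguments supplied and put stray stack contents into the audit log. None of the `gr_log_*` wrappers is checked against its tag or its message format, unlike `gr_add_learn_entry()`, which carries `format (printf, 1, 2)` at the top of this file. After checking the handler, which is outside this hunk, I would make the name match what is passed. I would also add a comment above the tag enum such as `/* each tag fixes the number and types of the variadic arguments gr_log_varargs() reads; keep the wrapper macros below in step */`.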
61250 diff -urNp linux-2.6.32.46/include/linux/grmsg.h linux-2.6.32.46/include/linux/grmsg.h
61251 --- linux-2.6.32.46/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
61252 +++ linux-2.6.32.46/include/linux/grmsg.h 2011-08-25 17:28:11.000000000 -0400
61253 @@ -0,0 +1,107 @@
61254 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
61255 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
61256 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
61257 +#define GR_STOPMOD_MSG "denied modification of module state by "
61258 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
61259 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
61260 +#define GR_IOPERM_MSG "denied use of ioperm() by "
61261 +#define GR_IOPL_MSG "denied use of iopl() by "
61262 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
61263 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
61264 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
61265 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
61266 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
61267 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
61268 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
61269 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
61270 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
61271 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
61272 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
61273 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
61274 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
61275 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
61276 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
61277 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
61278 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
61279 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
61280 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
61281 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
61282 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
61283 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
61284 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
61285 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
61286 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
61287 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
61288 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
61289 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
61290 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
61291 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
61292 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
61293 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
61294 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
61295 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
61296 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
61297 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
61298 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
61299 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
61300 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
61301 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
61302 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
61303 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
61304 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
61305 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
61306 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
61307 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
61308 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
61309 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
61310 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
61311 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
61312 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
61313 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
61314 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
61315 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
61316 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
61317 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
61318 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
61319 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
61320 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
61321 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
61322 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
61323 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
61324 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
61325 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
61326 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
61327 +#define GR_NICE_CHROOT_MSG "denied priority change by "
61328 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
61329 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
61330 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
61331 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
61332 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
61333 +#define GR_TIME_MSG "time set by "
61334 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
61335 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
61336 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
61337 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
61338 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
61339 +#define GR_BIND_MSG "denied bind() by "
61340 +#define GR_CONNECT_MSG "denied connect() by "
61341 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
61342 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
61343 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
61344 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
61345 +#define GR_CAP_ACL_MSG "use of %s denied for "
61346 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
61347 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
61348 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
61349 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
61350 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
61351 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
61352 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
61353 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
61354 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
61355 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
61356 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
61357 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
61358 +#define GR_VM86_MSG "denied use of vm86 by "
61359 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
61360 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
61361 diff -urNp linux-2.6.32.46/include/linux/grsecurity.h linux-2.6.32.46/include/linux/grsecurity.h
61362 --- linux-2.6.32.46/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
61363 +++ linux-2.6.32.46/include/linux/grsecurity.h 2011-08-11 19:58:57.000000000 -0400
61364 @@ -0,0 +1,217 @@
61365 +#ifndef GR_SECURITY_H
61366 +#define GR_SECURITY_H
61367 +#include <linux/fs.h>
61368 +#include <linux/fs_struct.h>
61369 +#include <linux/binfmts.h>
61370 +#include <linux/gracl.h>
61371 +#include <linux/compat.h>
61372 +
61373 +/* notify of brain-dead configs */
61374 +#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
61375 +#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
61376 +#endif
61377 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
61378 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
61379 +#endif
61380 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
61381 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
61382 +#endif
61383 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
61384 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
61385 +#endif
61386 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
61387 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
61388 +#endif
61389 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
61390 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
61391 +#endif
61392 +
61393 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
61394 +void gr_handle_brute_check(void);
61395 +void gr_handle_kernel_exploit(void);
61396 +int gr_process_user_ban(void);
61397 +
61398 +char gr_roletype_to_char(void);
61399 +
61400 +int gr_acl_enable_at_secure(void);
61401 +
61402 +int gr_check_user_change(int real, int effective, int fs);
61403 +int gr_check_group_change(int real, int effective, int fs);
61404 +
61405 +void gr_del_task_from_ip_table(struct task_struct *p);
61406 +
61407 +int gr_pid_is_chrooted(struct task_struct *p);
61408 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
61409 +int gr_handle_chroot_nice(void);
61410 +int gr_handle_chroot_sysctl(const int op);
61411 +int gr_handle_chroot_setpriority(struct task_struct *p,
61412 + const int niceval);
61413 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
61414 +int gr_handle_chroot_chroot(const struct dentry *dentry,
61415 + const struct vfsmount *mnt);
61416 +int gr_handle_chroot_caps(struct path *path);
61417 +void gr_handle_chroot_chdir(struct path *path);
61418 +int gr_handle_chroot_chmod(const struct dentry *dentry,
61419 + const struct vfsmount *mnt, const int mode);
61420 +int gr_handle_chroot_mknod(const struct dentry *dentry,
61421 + const struct vfsmount *mnt, const int mode);
61422 +int gr_handle_chroot_mount(const struct dentry *dentry,
61423 + const struct vfsmount *mnt,
61424 + const char *dev_name);
61425 +int gr_handle_chroot_pivot(void);
61426 +int gr_handle_chroot_unix(const pid_t pid);
61427 +
61428 +int gr_handle_rawio(const struct inode *inode);
61429 +
61430 +void gr_handle_ioperm(void);
61431 +void gr_handle_iopl(void);
61432 +
61433 +int gr_tpe_allow(const struct file *file);
61434 +
61435 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
61436 +void gr_clear_chroot_entries(struct task_struct *task);
61437 +
61438 +void gr_log_forkfail(const int retval);
61439 +void gr_log_timechange(void);
61440 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
61441 +void gr_log_chdir(const struct dentry *dentry,
61442 + const struct vfsmount *mnt);
61443 +void gr_log_chroot_exec(const struct dentry *dentry,
61444 + const struct vfsmount *mnt);
61445 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
61446 +#ifdef CONFIG_COMPAT
61447 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
61448 +#endif
61449 +void gr_log_remount(const char *devname, const int retval);
61450 +void gr_log_unmount(const char *devname, const int retval);
61451 +void gr_log_mount(const char *from, const char *to, const int retval);
61452 +void gr_log_textrel(struct vm_area_struct *vma);
61453 +void gr_log_rwxmmap(struct file *file);
61454 +void gr_log_rwxmprotect(struct file *file);
61455 +
61456 +int gr_handle_follow_link(const struct inode *parent,
61457 + const struct inode *inode,
61458 + const struct dentry *dentry,
61459 + const struct vfsmount *mnt);
61460 +int gr_handle_fifo(const struct dentry *dentry,
61461 + const struct vfsmount *mnt,
61462 + const struct dentry *dir, const int flag,
61463 + const int acc_mode);
61464 +int gr_handle_hardlink(const struct dentry *dentry,
61465 + const struct vfsmount *mnt,
61466 + struct inode *inode,
61467 + const int mode, const char *to);
61468 +
61469 +int gr_is_capable(const int cap);
61470 +int gr_is_capable_nolog(const int cap);
61471 +void gr_learn_resource(const struct task_struct *task, const int limit,
61472 + const unsigned long wanted, const int gt);
61473 +void gr_copy_label(struct task_struct *tsk);
61474 +void gr_handle_crash(struct task_struct *task, const int sig);
61475 +int gr_handle_signal(const struct task_struct *p, const int sig);
61476 +int gr_check_crash_uid(const uid_t uid);
61477 +int gr_check_protected_task(const struct task_struct *task);
61478 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
61479 +int gr_acl_handle_mmap(const struct file *file,
61480 + const unsigned long prot);
61481 +int gr_acl_handle_mprotect(const struct file *file,
61482 + const unsigned long prot);
61483 +int gr_check_hidden_task(const struct task_struct *tsk);
61484 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
61485 + const struct vfsmount *mnt);
61486 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
61487 + const struct vfsmount *mnt);
61488 +__u32 gr_acl_handle_access(const struct dentry *dentry,
61489 + const struct vfsmount *mnt, const int fmode);
61490 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
61491 + const struct vfsmount *mnt, mode_t mode);
61492 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
61493 + const struct vfsmount *mnt, mode_t mode);
61494 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
61495 + const struct vfsmount *mnt);
61496 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
61497 + const struct vfsmount *mnt);
61498 +int gr_handle_ptrace(struct task_struct *task, const long request);
61499 +int gr_handle_proc_ptrace(struct task_struct *task);
61500 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
61501 + const struct vfsmount *mnt);
61502 +int gr_check_crash_exec(const struct file *filp);
61503 +int gr_acl_is_enabled(void);
61504 +void gr_set_kernel_label(struct task_struct *task);
61505 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
61506 + const gid_t gid);
61507 +int gr_set_proc_label(const struct dentry *dentry,
61508 + const struct vfsmount *mnt,
61509 + const int unsafe_share);
61510 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
61511 + const struct vfsmount *mnt);
61512 +__u32 gr_acl_handle_open(const struct dentry *dentry,
61513 + const struct vfsmount *mnt, const int fmode);
61514 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
61515 + const struct dentry *p_dentry,
61516 + const struct vfsmount *p_mnt, const int fmode,
61517 + const int imode);
61518 +void gr_handle_create(const struct dentry *dentry,
61519 + const struct vfsmount *mnt);
61520 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
61521 + const struct dentry *parent_dentry,
61522 + const struct vfsmount *parent_mnt,
61523 + const int mode);
61524 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
61525 + const struct dentry *parent_dentry,
61526 + const struct vfsmount *parent_mnt);
61527 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
61528 + const struct vfsmount *mnt);
61529 +void gr_handle_delete(const ino_t ino, const dev_t dev);
61530 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
61531 + const struct vfsmount *mnt);
61532 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
61533 + const struct dentry *parent_dentry,
61534 + const struct vfsmount *parent_mnt,
61535 + const char *from);
61536 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
61537 + const struct dentry *parent_dentry,
61538 + const struct vfsmount *parent_mnt,
61539 + const struct dentry *old_dentry,
61540 + const struct vfsmount *old_mnt, const char *to);
61541 +int gr_acl_handle_rename(struct dentry *new_dentry,
61542 + struct dentry *parent_dentry,
61543 + const struct vfsmount *parent_mnt,
61544 + struct dentry *old_dentry,
61545 + struct inode *old_parent_inode,
61546 + struct vfsmount *old_mnt, const char *newname);
61547 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
61548 + struct dentry *old_dentry,
61549 + struct dentry *new_dentry,
61550 + struct vfsmount *mnt, const __u8 replace);
61551 +__u32 gr_check_link(const struct dentry *new_dentry,
61552 + const struct dentry *parent_dentry,
61553 + const struct vfsmount *parent_mnt,
61554 + const struct dentry *old_dentry,
61555 + const struct vfsmount *old_mnt);
61556 +int gr_acl_handle_filldir(const struct file *file, const char *name,
61557 + const unsigned int namelen, const ino_t ino);
61558 +
61559 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
61560 + const struct vfsmount *mnt);
61561 +void gr_acl_handle_exit(void);
61562 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
61563 +int gr_acl_handle_procpidmem(const struct task_struct *task);
61564 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
61565 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
61566 +void gr_audit_ptrace(struct task_struct *task);
61567 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
61568 +
61569 +#ifdef CONFIG_GRKERNSEC
61570 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
61571 +void gr_handle_vm86(void);
61572 +void gr_handle_mem_readwrite(u64 from, u64 to);
61573 +
61574 +extern int grsec_enable_dmesg;
61575 +extern int grsec_disable_privio;
61576 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
61577 +extern int grsec_enable_chroot_findtask;
61578 +#endif
61579 +#endif
61580 +
61581 +#endif
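Review bot: The hook prototypes in this new header give no return convention, and the header mixes `int` handlers (`gr_handle_chroot_*`, `gr_handle_follow_link`, `gr_tpe_allow`) with `__u32` handlers (`gr_acl_handle_*`), so a caller cannot tell from here which value means "deny". A wrong guess at a call site fails open, so each group deserves a short block comment stating which return value refuses the operation; the convention itself lives in the definitions, which are outside this hunk. Separately, `gr_check_user_change(int real, int effective, int fs)` and `gr_check_group_change` take ids as `int`, while `gr_check_crash_uid` and `gr_set_role_label` use `uid_t`/`gid_t`. If the `int` is there to admit a "no change" sentinel, record it, e.g. `/* ids are int so callers can pass -1 for "unchanged" */`.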
61582 diff -urNp linux-2.6.32.46/include/linux/hdpu_features.h linux-2.6.32.46/include/linux/hdpu_features.h
61583 --- linux-2.6.32.46/include/linux/hdpu_features.h 2011-03-27 14:31:47.000000000 -0400
61584 +++ linux-2.6.32.46/include/linux/hdpu_features.h 2011-04-17 15:56:46.000000000 -0400
61585 @@ -3,7 +3,7 @@
61586 struct cpustate_t {
61587 spinlock_t lock;
61588 int excl;
61589 - int open_count;
61590 + atomic_t open_count;
61591 unsigned char cached_val;
61592 int inited;
61593 unsigned long *set_addr;
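Review bot: `open_count` becomes `atomic_t` while `excl`, one line above it, stays a plain `int` beside `spinlock_t lock`, and the struct does not say which fields the lock protects. If the open path tests `excl` and bumps `open_count` together (the users are outside this hunk), making only one of them atomic does not make the pair atomic, and that sequence still needs `lock`. A field comment such as `/* open_count: atomic_*() accessors only; excl: under lock */` would pin the rule down once the author confirms it. The struct continues past the end of the hunk.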
61594 diff -urNp linux-2.6.32.46/include/linux/highmem.h linux-2.6.32.46/include/linux/highmem.h
61595 --- linux-2.6.32.46/include/linux/highmem.h 2011-03-27 14:31:47.000000000 -0400
61596 +++ linux-2.6.32.46/include/linux/highmem.h 2011-04-17 15:56:46.000000000 -0400
61597 @@ -137,6 +137,18 @@ static inline void clear_highpage(struct
61598 kunmap_atomic(kaddr, KM_USER0);
61599 }
61600
61601 +static inline void sanitize_highpage(struct page *page)
61602 +{
61603 + void *kaddr;
61604 + unsigned long flags;
61605 +
61606 + local_irq_save(flags);
61607 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
61608 + clear_page(kaddr);
61609 + kunmap_atomic(kaddr, KM_CLEARPAGE);
61610 + local_irq_restore(flags);
61611 +}
61612 +
61613 static inline void zero_user_segments(struct page *page,
61614 unsigned start1, unsigned end1,
61615 unsigned start2, unsigned end2)
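Review bot: `sanitize_highpage()` has no comment explaining why it differs from `clear_highpage()` directly above it, which the context shows unmapping with `KM_USER0`. The new function brackets the mapping with `local_irq_save()`/`local_irq_restore()` and uses the `KM_CLEARPAGE` slot, which suggests it must be safe where the per-CPU atomic kmap slot could otherwise be reused by an interrupt; that is an inference, since the callers are not in this hunk. A one-line comment such as `/* IRQs off: KM_CLEARPAGE slot must not be reused from interrupt context while mapped */` would record the constraint once confirmed.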
61616 diff -urNp linux-2.6.32.46/include/linux/i2c.h linux-2.6.32.46/include/linux/i2c.h
61617 --- linux-2.6.32.46/include/linux/i2c.h 2011-03-27 14:31:47.000000000 -0400
61618 +++ linux-2.6.32.46/include/linux/i2c.h 2011-08-23 21:22:38.000000000 -0400
61619 @@ -325,6 +325,7 @@ struct i2c_algorithm {
61620 /* To determine what the adapter supports */
61621 u32 (*functionality) (struct i2c_adapter *);
61622 };
61623 +typedef struct i2c_algorithm __no_const i2c_algorithm_no_const;
61624
61625 /*
61626 * i2c_adapter is the structure used to identify a physical i2c bus along
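Review bot: The `i2c_algorithm_no_const` typedef added after `struct i2c_algorithm` opts instances out of the constification this patch applies elsewhere (`__do_const` in kgdb.h and libata.h), and nothing records which users need a writable copy. Every function-pointer table left writable is one the hardening does not cover, so the exception should carry its reason, e.g. `/* writable variant for adapters that fill in the algorithm at runtime */` if that is the case. The same applies to the `__no_const` added to `struct iommu_flush` in intel-iommu.h and to `struct mca_bus_accessor_functions` in mca.h. The definition of `__no_const` is outside this hunk.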
61627 diff -urNp linux-2.6.32.46/include/linux/i2o.h linux-2.6.32.46/include/linux/i2o.h
61628 --- linux-2.6.32.46/include/linux/i2o.h 2011-03-27 14:31:47.000000000 -0400
61629 +++ linux-2.6.32.46/include/linux/i2o.h 2011-05-04 17:56:28.000000000 -0400
61630 @@ -564,7 +564,7 @@ struct i2o_controller {
61631 struct i2o_device *exec; /* Executive */
61632 #if BITS_PER_LONG == 64
61633 spinlock_t context_list_lock; /* lock for context_list */
61634 - atomic_t context_list_counter; /* needed for unique contexts */
61635 + atomic_unchecked_t context_list_counter; /* needed for unique contexts */
61636 struct list_head context_list; /* list of context id's
61637 and pointers */
61638 #endif
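Review bot: `context_list_counter` is documented as "needed for unique contexts", and switching it to `atomic_unchecked_t` takes overflow detection away from exactly that counter, so the comment should say why wrapping is acceptable. If uniqueness after a wrap is guaranteed by a lookup against `context_list` (not visible in this hunk), extend the comment, e.g. `/* needed for unique contexts; not a refcount, may wrap */`; if it is not, a wrapped counter could hand out an id that is still live. The `atomic_unchecked_t` conversions of `kgdb_setting_breakpoint` and `kgdb_cpu_doing_single_step` in kgdb.h would benefit from the same one-line justification.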
61639 diff -urNp linux-2.6.32.46/include/linux/init_task.h linux-2.6.32.46/include/linux/init_task.h
61640 --- linux-2.6.32.46/include/linux/init_task.h 2011-03-27 14:31:47.000000000 -0400
61641 +++ linux-2.6.32.46/include/linux/init_task.h 2011-05-18 20:44:59.000000000 -0400
61642 @@ -83,6 +83,12 @@ extern struct group_info init_groups;
61643 #define INIT_IDS
61644 #endif
61645
61646 +#ifdef CONFIG_X86
61647 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
61648 +#else
61649 +#define INIT_TASK_THREAD_INFO
61650 +#endif
61651 +
61652 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
61653 /*
61654 * Because of the reduced scope of CAP_SETPCAP when filesystem
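Review bot: `INIT_TASK_THREAD_INFO` expands to a designated initializer that carries its own trailing comma on x86 and to nothing elsewhere, and no comment says so. The use site in the next hunk (`INIT_TASK_THREAD_INFO \` with no comma) is only correct because of that, and a later edit that "fixes" the missing comma would break the non-x86 build. A comment above the macro such as `/* expands with its own trailing comma; do not add one at the use site */` would make that explicit.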
61655 @@ -156,6 +162,7 @@ extern struct cred init_cred;
61656 __MUTEX_INITIALIZER(tsk.cred_guard_mutex), \
61657 .comm = "swapper", \
61658 .thread = INIT_THREAD, \
61659 + INIT_TASK_THREAD_INFO \
61660 .fs = &init_fs, \
61661 .files = &init_files, \
61662 .signal = &init_signals, \
61663 diff -urNp linux-2.6.32.46/include/linux/intel-iommu.h linux-2.6.32.46/include/linux/intel-iommu.h
61664 --- linux-2.6.32.46/include/linux/intel-iommu.h 2011-03-27 14:31:47.000000000 -0400
61665 +++ linux-2.6.32.46/include/linux/intel-iommu.h 2011-08-05 20:33:55.000000000 -0400
61666 @@ -296,7 +296,7 @@ struct iommu_flush {
61667 u8 fm, u64 type);
61668 void (*flush_iotlb)(struct intel_iommu *iommu, u16 did, u64 addr,
61669 unsigned int size_order, u64 type);
61670 -};
61671 +} __no_const;
61672
61673 enum {
61674 SR_DMAR_FECTL_REG,
61675 diff -urNp linux-2.6.32.46/include/linux/interrupt.h linux-2.6.32.46/include/linux/interrupt.h
61676 --- linux-2.6.32.46/include/linux/interrupt.h 2011-06-25 12:55:35.000000000 -0400
61677 +++ linux-2.6.32.46/include/linux/interrupt.h 2011-06-25 12:56:37.000000000 -0400
61678 @@ -363,7 +363,7 @@ enum
61679 /* map softirq index to softirq name. update 'softirq_to_name' in
61680 * kernel/softirq.c when adding a new softirq.
61681 */
61682 -extern char *softirq_to_name[NR_SOFTIRQS];
61683 +extern const char * const softirq_to_name[NR_SOFTIRQS];
61684
61685 /* softirq mask and active fields moved to irq_cpustat_t in
61686 * asm/hardirq.h to get better cache usage. KAO
61687 @@ -371,12 +371,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
61688
61689 struct softirq_action
61690 {
61691 - void (*action)(struct softirq_action *);
61692 + void (*action)(void);
61693 };
61694
61695 asmlinkage void do_softirq(void);
61696 asmlinkage void __do_softirq(void);
61697 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
61698 +extern void open_softirq(int nr, void (*action)(void));
61699 extern void softirq_init(void);
61700 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
61701 extern void raise_softirq_irqoff(unsigned int nr);
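Review bot: The `action` member of `struct softirq_action` and the `open_softirq()` prototype both drop the `struct softirq_action *` parameter, but nothing near the declarations states the new contract. A handler passed directly with the old signature stops compiling, which is the useful outcome. One that reaches `open_softirq()` through a function-pointer cast would still build and then be called through a mismatched type. A short comment on the member, e.g. `/* handlers take no argument; never cast an old-style handler to this type */`, would help, along with a check that no caller in the tree casts its handler.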
61702 diff -urNp linux-2.6.32.46/include/linux/irq.h linux-2.6.32.46/include/linux/irq.h
61703 --- linux-2.6.32.46/include/linux/irq.h 2011-03-27 14:31:47.000000000 -0400
61704 +++ linux-2.6.32.46/include/linux/irq.h 2011-04-17 15:56:46.000000000 -0400
61705 @@ -438,12 +438,12 @@ extern int set_irq_msi(unsigned int irq,
61706 static inline bool alloc_desc_masks(struct irq_desc *desc, int node,
61707 bool boot)
61708 {
61709 +#ifdef CONFIG_CPUMASK_OFFSTACK
61710 gfp_t gfp = GFP_ATOMIC;
61711
61712 if (boot)
61713 gfp = GFP_NOWAIT;
61714
61715 -#ifdef CONFIG_CPUMASK_OFFSTACK
61716 if (!alloc_cpumask_var_node(&desc->affinity, gfp, node))
61717 return false;
61718
61719 diff -urNp linux-2.6.32.46/include/linux/kallsyms.h linux-2.6.32.46/include/linux/kallsyms.h
61720 --- linux-2.6.32.46/include/linux/kallsyms.h 2011-03-27 14:31:47.000000000 -0400
61721 +++ linux-2.6.32.46/include/linux/kallsyms.h 2011-04-17 15:56:46.000000000 -0400
61722 @@ -15,7 +15,8 @@
61723
61724 struct module;
61725
61726 -#ifdef CONFIG_KALLSYMS
61727 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
61728 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
61729 /* Lookup the address for a symbol. Returns 0 if not found. */
61730 unsigned long kallsyms_lookup_name(const char *name);
61731
61732 @@ -92,6 +93,15 @@ static inline int lookup_symbol_attrs(un
61733 /* Stupid that this does nothing, but I didn't create this mess. */
61734 #define __print_symbol(fmt, addr)
61735 #endif /*CONFIG_KALLSYMS*/
61736 +#else /* when included by kallsyms.c, vsnprintf.c, or
61737 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
61738 +extern void __print_symbol(const char *fmt, unsigned long address);
61739 +extern int sprint_symbol(char *buffer, unsigned long address);
61740 +const char *kallsyms_lookup(unsigned long addr,
61741 + unsigned long *symbolsize,
61742 + unsigned long *offset,
61743 + char **modname, char *namebuf);
61744 +#endif
61745
61746 /* This macro allows us to keep printk typechecking */
61747 static void __check_printsym_format(const char *fmt, ...)
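Review bot: The preprocessor nesting is hard to follow after this change. The existing `#endif /*CONFIG_KALLSYMS*/` now closes the inner `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` added in the first hunk, so its label is stale, and the `#endif` added at the end of this hunk is unlabelled. This gating decides which translation units get real symbol resolution, so both should be labelled, e.g. `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` and `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`. The file list in the `#else` comment (kallsyms.c, vsnprintf.c, dumpstack.c) also has to stay in step with whichever files define `__INCLUDED_BY_HIDESYM`, which is not visible here.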
61748 diff -urNp linux-2.6.32.46/include/linux/kgdb.h linux-2.6.32.46/include/linux/kgdb.h
61749 --- linux-2.6.32.46/include/linux/kgdb.h 2011-03-27 14:31:47.000000000 -0400
61750 +++ linux-2.6.32.46/include/linux/kgdb.h 2011-08-26 20:25:20.000000000 -0400
61751 @@ -74,8 +74,8 @@ void kgdb_breakpoint(void);
61752
61753 extern int kgdb_connected;
61754
61755 -extern atomic_t kgdb_setting_breakpoint;
61756 -extern atomic_t kgdb_cpu_doing_single_step;
61757 +extern atomic_unchecked_t kgdb_setting_breakpoint;
61758 +extern atomic_unchecked_t kgdb_cpu_doing_single_step;
61759
61760 extern struct task_struct *kgdb_usethread;
61761 extern struct task_struct *kgdb_contthread;
61762 @@ -235,7 +235,7 @@ struct kgdb_arch {
61763 int (*remove_hw_breakpoint)(unsigned long, int, enum kgdb_bptype);
61764 void (*remove_all_hw_break)(void);
61765 void (*correct_hw_break)(void);
61766 -};
61767 +} __do_const;
61768
61769 /**
61770 * struct kgdb_io - Describe the interface for an I/O driver to talk with KGDB.
61771 @@ -257,14 +257,14 @@ struct kgdb_io {
61772 int (*init) (void);
61773 void (*pre_exception) (void);
61774 void (*post_exception) (void);
61775 -};
61776 +} __do_const;
61777
61778 -extern struct kgdb_arch arch_kgdb_ops;
61779 +extern const struct kgdb_arch arch_kgdb_ops;
61780
61781 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
61782
61783 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
61784 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
61785 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
61786 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
61787
61788 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
61789 extern int kgdb_mem2hex(char *mem, char *buf, int count);
61790 diff -urNp linux-2.6.32.46/include/linux/kmod.h linux-2.6.32.46/include/linux/kmod.h
61791 --- linux-2.6.32.46/include/linux/kmod.h 2011-03-27 14:31:47.000000000 -0400
61792 +++ linux-2.6.32.46/include/linux/kmod.h 2011-04-17 15:56:46.000000000 -0400
61793 @@ -31,6 +31,8 @@
61794 * usually useless though. */
61795 extern int __request_module(bool wait, const char *name, ...) \
61796 __attribute__((format(printf, 2, 3)));
61797 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
61798 + __attribute__((format(printf, 3, 4)));
61799 #define request_module(mod...) __request_module(true, mod)
61800 #define request_module_nowait(mod...) __request_module(false, mod)
61801 #define try_then_request_module(x, mod...) \
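Review bot: `___request_module()` takes `char *param_name` while the `name` argument right after it is `const char *`. If the function does not write through `param_name` (its definition is outside this hunk), the parameter should be `const char *param_name` so callers can pass literals without a cast. The new name also differs from `__request_module` by a single underscore and has no comment saying what the extra argument is for, which makes the two easy to confuse at a call site. A one-line comment above the declaration describing `param_name` would help.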
61802 diff -urNp linux-2.6.32.46/include/linux/kobject.h linux-2.6.32.46/include/linux/kobject.h
61803 --- linux-2.6.32.46/include/linux/kobject.h 2011-03-27 14:31:47.000000000 -0400
61804 +++ linux-2.6.32.46/include/linux/kobject.h 2011-04-17 15:56:46.000000000 -0400
61805 @@ -106,7 +106,7 @@ extern char *kobject_get_path(struct kob
61806
61807 struct kobj_type {
61808 void (*release)(struct kobject *kobj);
61809 - struct sysfs_ops *sysfs_ops;
61810 + const struct sysfs_ops *sysfs_ops;
61811 struct attribute **default_attrs;
61812 };
61813
61814 @@ -118,9 +118,9 @@ struct kobj_uevent_env {
61815 };
61816
61817 struct kset_uevent_ops {
61818 - int (*filter)(struct kset *kset, struct kobject *kobj);
61819 - const char *(*name)(struct kset *kset, struct kobject *kobj);
61820 - int (*uevent)(struct kset *kset, struct kobject *kobj,
61821 + int (* const filter)(struct kset *kset, struct kobject *kobj);
61822 + const char *(* const name)(struct kset *kset, struct kobject *kobj);
61823 + int (* const uevent)(struct kset *kset, struct kobject *kobj,
61824 struct kobj_uevent_env *env);
61825 };
61826
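Review bot: `struct kset_uevent_ops` is made read-only by const-qualifying each member (`int (* const filter)(...)`), whereas kgdb.h and libata.h in this same patch mark the whole struct with `__do_const`. Having two mechanisms for one goal makes it harder to audit which ops tables are actually protected. Member-level const also turns any field-by-field initialisation of a `kset_uevent_ops` into a compile error. If there is no reason for the difference, use `} __do_const;` on the struct, or add a comment saying why member-level const is wanted here. `struct nlmsvc_binding` in lockd/bind.h follows the same member-level pattern.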
61827 @@ -132,7 +132,7 @@ struct kobj_attribute {
61828 const char *buf, size_t count);
61829 };
61830
61831 -extern struct sysfs_ops kobj_sysfs_ops;
61832 +extern const struct sysfs_ops kobj_sysfs_ops;
61833
61834 /**
61835 * struct kset - a set of kobjects of a specific type, belonging to a specific subsystem.
61836 @@ -155,14 +155,14 @@ struct kset {
61837 struct list_head list;
61838 spinlock_t list_lock;
61839 struct kobject kobj;
61840 - struct kset_uevent_ops *uevent_ops;
61841 + const struct kset_uevent_ops *uevent_ops;
61842 };
61843
61844 extern void kset_init(struct kset *kset);
61845 extern int __must_check kset_register(struct kset *kset);
61846 extern void kset_unregister(struct kset *kset);
61847 extern struct kset * __must_check kset_create_and_add(const char *name,
61848 - struct kset_uevent_ops *u,
61849 + const struct kset_uevent_ops *u,
61850 struct kobject *parent_kobj);
61851
61852 static inline struct kset *to_kset(struct kobject *kobj)
61853 diff -urNp linux-2.6.32.46/include/linux/kvm_host.h linux-2.6.32.46/include/linux/kvm_host.h
61854 --- linux-2.6.32.46/include/linux/kvm_host.h 2011-03-27 14:31:47.000000000 -0400
61855 +++ linux-2.6.32.46/include/linux/kvm_host.h 2011-04-17 15:56:46.000000000 -0400
61856 @@ -210,7 +210,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
61857 void vcpu_load(struct kvm_vcpu *vcpu);
61858 void vcpu_put(struct kvm_vcpu *vcpu);
61859
61860 -int kvm_init(void *opaque, unsigned int vcpu_size,
61861 +int kvm_init(const void *opaque, unsigned int vcpu_size,
61862 struct module *module);
61863 void kvm_exit(void);
61864
61865 @@ -316,7 +316,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
61866 struct kvm_guest_debug *dbg);
61867 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
61868
61869 -int kvm_arch_init(void *opaque);
61870 +int kvm_arch_init(const void *opaque);
61871 void kvm_arch_exit(void);
61872
61873 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
61874 diff -urNp linux-2.6.32.46/include/linux/libata.h linux-2.6.32.46/include/linux/libata.h
61875 --- linux-2.6.32.46/include/linux/libata.h 2011-03-27 14:31:47.000000000 -0400
61876 +++ linux-2.6.32.46/include/linux/libata.h 2011-08-26 20:19:09.000000000 -0400
61877 @@ -525,11 +525,11 @@ struct ata_ioports {
61878
61879 struct ata_host {
61880 spinlock_t lock;
61881 - struct device *dev;
61882 + struct device *dev;
61883 void __iomem * const *iomap;
61884 unsigned int n_ports;
61885 void *private_data;
61886 - struct ata_port_operations *ops;
61887 + const struct ata_port_operations *ops;
61888 unsigned long flags;
61889 #ifdef CONFIG_ATA_ACPI
61890 acpi_handle acpi_handle;
61891 @@ -710,7 +710,7 @@ struct ata_link {
61892
61893 struct ata_port {
61894 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
61895 - struct ata_port_operations *ops;
61896 + const struct ata_port_operations *ops;
61897 spinlock_t *lock;
61898 /* Flags owned by the EH context. Only EH should touch these once the
61899 port is active */
61900 @@ -884,7 +884,7 @@ struct ata_port_operations {
61901 * fields must be pointers.
61902 */
61903 const struct ata_port_operations *inherits;
61904 -};
61905 +} __do_const;
61906
61907 struct ata_port_info {
61908 unsigned long flags;
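Review bot: `struct ata_port_operations` is marked `__do_const` directly below the `inherits` member, and the context comment describes an inheritance scheme. In mainline libata that scheme is resolved by writing the inherited pointers into the table at runtime (`ata_finalize_port_ops()`). If this tree does the same, that write now targets read-only data and must go through whatever write-enable bracket the patch provides; the code is outside this hunk, so please confirm it was converted. A comment next to `__do_const` naming the one place allowed to write the table would make that auditable.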
61909 @@ -892,7 +892,7 @@ struct ata_port_info {
61910 unsigned long pio_mask;
61911 unsigned long mwdma_mask;
61912 unsigned long udma_mask;
61913 - struct ata_port_operations *port_ops;
61914 + const struct ata_port_operations *port_ops;
61915 void *private_data;
61916 };
61917
61918 @@ -916,7 +916,7 @@ extern const unsigned long sata_deb_timi
61919 extern const unsigned long sata_deb_timing_hotplug[];
61920 extern const unsigned long sata_deb_timing_long[];
61921
61922 -extern struct ata_port_operations ata_dummy_port_ops;
61923 +extern const struct ata_port_operations ata_dummy_port_ops;
61924 extern const struct ata_port_info ata_dummy_port_info;
61925
61926 static inline const unsigned long *
61927 @@ -962,7 +962,7 @@ extern int ata_host_activate(struct ata_
61928 struct scsi_host_template *sht);
61929 extern void ata_host_detach(struct ata_host *host);
61930 extern void ata_host_init(struct ata_host *, struct device *,
61931 - unsigned long, struct ata_port_operations *);
61932 + unsigned long, const struct ata_port_operations *);
61933 extern int ata_scsi_detect(struct scsi_host_template *sht);
61934 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
61935 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
61936 diff -urNp linux-2.6.32.46/include/linux/lockd/bind.h linux-2.6.32.46/include/linux/lockd/bind.h
61937 --- linux-2.6.32.46/include/linux/lockd/bind.h 2011-03-27 14:31:47.000000000 -0400
61938 +++ linux-2.6.32.46/include/linux/lockd/bind.h 2011-04-17 15:56:46.000000000 -0400
61939 @@ -23,13 +23,13 @@ struct svc_rqst;
61940 * This is the set of functions for lockd->nfsd communication
61941 */
61942 struct nlmsvc_binding {
61943 - __be32 (*fopen)(struct svc_rqst *,
61944 + __be32 (* const fopen)(struct svc_rqst *,
61945 struct nfs_fh *,
61946 struct file **);
61947 - void (*fclose)(struct file *);
61948 + void (* const fclose)(struct file *);
61949 };
61950
61951 -extern struct nlmsvc_binding * nlmsvc_ops;
61952 +extern const struct nlmsvc_binding * nlmsvc_ops;
61953
61954 /*
61955 * Similar to nfs_client_initdata, but without the NFS-specific
61956 diff -urNp linux-2.6.32.46/include/linux/mca.h linux-2.6.32.46/include/linux/mca.h
61957 --- linux-2.6.32.46/include/linux/mca.h 2011-03-27 14:31:47.000000000 -0400
61958 +++ linux-2.6.32.46/include/linux/mca.h 2011-08-05 20:33:55.000000000 -0400
61959 @@ -80,7 +80,7 @@ struct mca_bus_accessor_functions {
61960 int region);
61961 void * (*mca_transform_memory)(struct mca_device *,
61962 void *memory);
61963 -};
61964 +} __no_const;
61965
61966 struct mca_bus {
61967 u64 default_dma_mask;
61968 diff -urNp linux-2.6.32.46/include/linux/memory.h linux-2.6.32.46/include/linux/memory.h
61969 --- linux-2.6.32.46/include/linux/memory.h 2011-03-27 14:31:47.000000000 -0400
61970 +++ linux-2.6.32.46/include/linux/memory.h 2011-08-05 20:33:55.000000000 -0400
61971 @@ -108,7 +108,7 @@ struct memory_accessor {
61972 size_t count);
61973 ssize_t (*write)(struct memory_accessor *, const char *buf,
61974 off_t offset, size_t count);
61975 -};
61976 +} __no_const;
61977
61978 /*
61979 * Kernel text modification mutex, used for code patching. Users of this lock
61980 diff -urNp linux-2.6.32.46/include/linux/mm.h linux-2.6.32.46/include/linux/mm.h
61981 --- linux-2.6.32.46/include/linux/mm.h 2011-03-27 14:31:47.000000000 -0400
61982 +++ linux-2.6.32.46/include/linux/mm.h 2011-04-17 15:56:46.000000000 -0400
61983 @@ -106,7 +106,14 @@ extern unsigned int kobjsize(const void
61984
61985 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
61986 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
61987 +
61988 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
61989 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
61990 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
61991 +#else
61992 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
61993 +#endif
61994 +
61995 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
61996 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
61997
61998 @@ -841,12 +848,6 @@ int set_page_dirty(struct page *page);
61999 int set_page_dirty_lock(struct page *page);
62000 int clear_page_dirty_for_io(struct page *page);
62001
62002 -/* Is the vma a continuation of the stack vma above it? */
62003 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
62004 -{
62005 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
62006 -}
62007 -
62008 extern unsigned long move_page_tables(struct vm_area_struct *vma,
62009 unsigned long old_addr, struct vm_area_struct *new_vma,
62010 unsigned long new_addr, unsigned long len);
62011 @@ -890,6 +891,8 @@ struct shrinker {
62012 extern void register_shrinker(struct shrinker *);
62013 extern void unregister_shrinker(struct shrinker *);
62014
62015 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
62016 +
62017 int vma_wants_writenotify(struct vm_area_struct *vma);
62018
62019 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
62020 @@ -1162,6 +1165,7 @@ out:
62021 }
62022
62023 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
62024 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
62025
62026 extern unsigned long do_brk(unsigned long, unsigned long);
62027
62028 @@ -1218,6 +1222,10 @@ extern struct vm_area_struct * find_vma(
62029 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
62030 struct vm_area_struct **pprev);
62031
62032 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
62033 +extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
62034 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
62035 +
62036 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
62037 NULL if none. Assume start_addr < end_addr. */
62038 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
62039 @@ -1234,7 +1242,6 @@ static inline unsigned long vma_pages(st
62040 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
62041 }
62042
62043 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
62044 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
62045 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
62046 unsigned long pfn, unsigned long size, pgprot_t);
62047 @@ -1332,7 +1339,13 @@ extern void memory_failure(unsigned long
62048 extern int __memory_failure(unsigned long pfn, int trapno, int ref);
62049 extern int sysctl_memory_failure_early_kill;
62050 extern int sysctl_memory_failure_recovery;
62051 -extern atomic_long_t mce_bad_pages;
62052 +extern atomic_long_unchecked_t mce_bad_pages;
62053 +
62054 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
62055 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
62056 +#else
62057 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
62058 +#endif
62059
62060 #endif /* __KERNEL__ */
62061 #endif /* _LINUX_MM_H */
62062 diff -urNp linux-2.6.32.46/include/linux/mm_types.h linux-2.6.32.46/include/linux/mm_types.h
62063 --- linux-2.6.32.46/include/linux/mm_types.h 2011-03-27 14:31:47.000000000 -0400
62064 +++ linux-2.6.32.46/include/linux/mm_types.h 2011-04-17 15:56:46.000000000 -0400
62065 @@ -186,6 +186,8 @@ struct vm_area_struct {
62066 #ifdef CONFIG_NUMA
62067 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
62068 #endif
62069 +
62070 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
62071 };
62072
62073 struct core_thread {
62074 @@ -287,6 +289,24 @@ struct mm_struct {
62075 #ifdef CONFIG_MMU_NOTIFIER
62076 struct mmu_notifier_mm *mmu_notifier_mm;
62077 #endif
62078 +
62079 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
62080 + unsigned long pax_flags;
62081 +#endif
62082 +
62083 +#ifdef CONFIG_PAX_DLRESOLVE
62084 + unsigned long call_dl_resolve;
62085 +#endif
62086 +
62087 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
62088 + unsigned long call_syscall;
62089 +#endif
62090 +
62091 +#ifdef CONFIG_PAX_ASLR
62092 + unsigned long delta_mmap; /* randomized offset */
62093 + unsigned long delta_stack; /* randomized offset */
62094 +#endif
62095 +
62096 };
62097
62098 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
62099 diff -urNp linux-2.6.32.46/include/linux/mmu_notifier.h linux-2.6.32.46/include/linux/mmu_notifier.h
62100 --- linux-2.6.32.46/include/linux/mmu_notifier.h 2011-03-27 14:31:47.000000000 -0400
62101 +++ linux-2.6.32.46/include/linux/mmu_notifier.h 2011-04-17 15:56:46.000000000 -0400
62102 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
62103 */
62104 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
62105 ({ \
62106 - pte_t __pte; \
62107 + pte_t ___pte; \
62108 struct vm_area_struct *___vma = __vma; \
62109 unsigned long ___address = __address; \
62110 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
62111 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
62112 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
62113 - __pte; \
62114 + ___pte; \
62115 })
62116
62117 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
62118 diff -urNp linux-2.6.32.46/include/linux/mmzone.h linux-2.6.32.46/include/linux/mmzone.h
62119 --- linux-2.6.32.46/include/linux/mmzone.h 2011-03-27 14:31:47.000000000 -0400
62120 +++ linux-2.6.32.46/include/linux/mmzone.h 2011-04-17 15:56:46.000000000 -0400
62121 @@ -350,7 +350,7 @@ struct zone {
62122 unsigned long flags; /* zone flags, see below */
62123
62124 /* Zone statistics */
62125 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
62126 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
62127
62128 /*
62129 * prev_priority holds the scanning priority for this zone. It is
62130 diff -urNp linux-2.6.32.46/include/linux/mod_devicetable.h linux-2.6.32.46/include/linux/mod_devicetable.h
62131 --- linux-2.6.32.46/include/linux/mod_devicetable.h 2011-03-27 14:31:47.000000000 -0400
62132 +++ linux-2.6.32.46/include/linux/mod_devicetable.h 2011-04-17 15:56:46.000000000 -0400
62133 @@ -12,7 +12,7 @@
62134 typedef unsigned long kernel_ulong_t;
62135 #endif
62136
62137 -#define PCI_ANY_ID (~0)
62138 +#define PCI_ANY_ID ((__u16)~0)
62139
62140 struct pci_device_id {
62141 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
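Review bot: The new `PCI_ANY_ID` changes the stored wildcard value, because `vendor` and `device` in struct pci_device_id are `__u32`. `(~0)` ends up there as 0xFFFFFFFF, while `((__u16)~0)` ends up as 0x0000FFFF. Any code or externally generated ID table that still carries the all-ones 32-bit value, or compares a field against a literal `~0`, would stop being treated as a wildcard; whether such users exist cannot be seen from this hunk. A comment above the define should state the new width and why it was chosen, e.g. `/* 16-bit wildcard: PCI IDs are 16 bits wide; stored zero-extended in the __u32 fields */`. The struct body continues outside the hunk.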
62142 @@ -131,7 +131,7 @@ struct usb_device_id {
62143 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
62144 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
62145
62146 -#define HID_ANY_ID (~0)
62147 +#define HID_ANY_ID (~0U)
62148
62149 struct hid_device_id {
62150 __u16 bus;
62151 diff -urNp linux-2.6.32.46/include/linux/module.h linux-2.6.32.46/include/linux/module.h
62152 --- linux-2.6.32.46/include/linux/module.h 2011-03-27 14:31:47.000000000 -0400
62153 +++ linux-2.6.32.46/include/linux/module.h 2011-08-05 20:33:55.000000000 -0400
62154 @@ -16,6 +16,7 @@
62155 #include <linux/kobject.h>
62156 #include <linux/moduleparam.h>
62157 #include <linux/tracepoint.h>
62158 +#include <linux/fs.h>
62159
62160 #include <asm/local.h>
62161 #include <asm/module.h>
62162 @@ -287,16 +288,16 @@ struct module
62163 int (*init)(void);
62164
62165 /* If this is non-NULL, vfree after init() returns */
62166 - void *module_init;
62167 + void *module_init_rx, *module_init_rw;
62168
62169 /* Here is the actual code + data, vfree'd on unload. */
62170 - void *module_core;
62171 + void *module_core_rx, *module_core_rw;
62172
62173 /* Here are the sizes of the init and core sections */
62174 - unsigned int init_size, core_size;
62175 + unsigned int init_size_rw, core_size_rw;
62176
62177 /* The size of the executable code in each section. */
62178 - unsigned int init_text_size, core_text_size;
62179 + unsigned int init_size_rx, core_size_rx;
62180
62181 /* Arch-specific module values */
62182 struct mod_arch_specific arch;
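Review bot: The comments in this part of struct module still describe the old single-region layout. `init_size_rx, core_size_rx` sit under "The size of the executable code in each section" although, going by the suffixes, they are now the sizes of separate RX regions. "If this is non-NULL, vfree after init() returns" now heads two pointers without saying whether both are freed the same way. I would reword them along the lines of `/* Sizes of the writable (RW) init and core regions */` and `/* Sizes of the read-only/executable (RX) init and core regions */`, and say on the pointer pairs which allocator each half comes from. struct module starts and ends outside this hunk.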
62183 @@ -345,6 +346,10 @@ struct module
62184 #ifdef CONFIG_EVENT_TRACING
62185 struct ftrace_event_call *trace_events;
62186 unsigned int num_trace_events;
62187 + struct file_operations trace_id;
62188 + struct file_operations trace_enable;
62189 + struct file_operations trace_format;
62190 + struct file_operations trace_filter;
62191 #endif
62192 #ifdef CONFIG_FTRACE_MCOUNT_RECORD
62193 unsigned long *ftrace_callsites;
62194 @@ -393,16 +398,46 @@ struct module *__module_address(unsigned
62195 bool is_module_address(unsigned long addr);
62196 bool is_module_text_address(unsigned long addr);
62197
62198 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
62199 +{
62200 +
62201 +#ifdef CONFIG_PAX_KERNEXEC
62202 + if (ktla_ktva(addr) >= (unsigned long)start &&
62203 + ktla_ktva(addr) < (unsigned long)start + size)
62204 + return 1;
62205 +#endif
62206 +
62207 + return ((void *)addr >= start && (void *)addr < start + size);
62208 +}
62209 +
62210 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
62211 +{
62212 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
62213 +}
62214 +
62215 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
62216 +{
62217 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
62218 +}
62219 +
62220 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
62221 +{
62222 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
62223 +}
62224 +
62225 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
62226 +{
62227 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
62228 +}
62229 +
62230 static inline int within_module_core(unsigned long addr, struct module *mod)
62231 {
62232 - return (unsigned long)mod->module_core <= addr &&
62233 - addr < (unsigned long)mod->module_core + mod->core_size;
62234 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
62235 }
62236
62237 static inline int within_module_init(unsigned long addr, struct module *mod)
62238 {
62239 - return (unsigned long)mod->module_init <= addr &&
62240 - addr < (unsigned long)mod->module_init + mod->init_size;
62241 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
62242 }
62243
62244 /* Search for module by name: must hold module_mutex. */
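Review bot: within_module_range() compares addresses in two different ways. The CONFIG_PAX_KERNEXEC branch works on `unsigned long`, while the final return casts `addr` to `void *` and relies on `start + size` being arithmetic on a `void *`, which is a GNU extension. Doing the whole check in integers keeps both branches consistent: `unsigned long base = (unsigned long)start;` followed by `return addr >= base && addr < base + size;`. The helper also needs a one-line comment saying why the ktla_ktva()-translated address is tested in addition to the raw one, and the blank line after the opening brace can go. ktla_ktva() is not declared in the visible part of this header, so its availability under that option is assumed here.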
62245 diff -urNp linux-2.6.32.46/include/linux/moduleloader.h linux-2.6.32.46/include/linux/moduleloader.h
62246 --- linux-2.6.32.46/include/linux/moduleloader.h 2011-03-27 14:31:47.000000000 -0400
62247 +++ linux-2.6.32.46/include/linux/moduleloader.h 2011-04-17 15:56:46.000000000 -0400
62248 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
62249 sections. Returns NULL on failure. */
62250 void *module_alloc(unsigned long size);
62251
62252 +#ifdef CONFIG_PAX_KERNEXEC
62253 +void *module_alloc_exec(unsigned long size);
62254 +#else
62255 +#define module_alloc_exec(x) module_alloc(x)
62256 +#endif
62257 +
62258 /* Free memory returned from module_alloc. */
62259 void module_free(struct module *mod, void *module_region);
62260
62261 +#ifdef CONFIG_PAX_KERNEXEC
62262 +void module_free_exec(struct module *mod, void *module_region);
62263 +#else
62264 +#define module_free_exec(x, y) module_free((x), (y))
62265 +#endif
62266 +
62267 /* Apply the given relocation to the (simplified) ELF. Return -error
62268 or 0. */
62269 int apply_relocate(Elf_Shdr *sechdrs,
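Review bot: The two fallback definitions for the non-KERNEXEC case are function-like macros written inconsistently: `module_alloc(x)` leaves its argument unparenthesised while `module_free((x), (y))` does not. Neither is type-checked the way the real prototypes above them are. A `static inline` wrapper keeps the two configurations interchangeable for callers, e.g. `static inline void *module_alloc_exec(unsigned long size) { return module_alloc(size); }`, and likewise for module_free_exec(). The existing comments ("Free memory returned from module_alloc") should also gain a counterpart stating that memory from module_alloc_exec() must be released with module_free_exec().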
62270 diff -urNp linux-2.6.32.46/include/linux/moduleparam.h linux-2.6.32.46/include/linux/moduleparam.h
62271 --- linux-2.6.32.46/include/linux/moduleparam.h 2011-03-27 14:31:47.000000000 -0400
62272 +++ linux-2.6.32.46/include/linux/moduleparam.h 2011-04-17 15:56:46.000000000 -0400
62273 @@ -132,7 +132,7 @@ struct kparam_array
62274
62275 /* Actually copy string: maxlen param is usually sizeof(string). */
62276 #define module_param_string(name, string, len, perm) \
62277 - static const struct kparam_string __param_string_##name \
62278 + static const struct kparam_string __param_string_##name __used \
62279 = { len, string }; \
62280 __module_param_call(MODULE_PARAM_PREFIX, name, \
62281 param_set_copystring, param_get_string, \
62282 @@ -211,7 +211,7 @@ extern int param_get_invbool(char *buffe
62283
62284 /* Comma-separated array: *nump is set to number they actually specified. */
62285 #define module_param_array_named(name, array, type, nump, perm) \
62286 - static const struct kparam_array __param_arr_##name \
62287 + static const struct kparam_array __param_arr_##name __used \
62288 = { ARRAY_SIZE(array), nump, param_set_##type, param_get_##type,\
62289 sizeof(array[0]), array }; \
62290 __module_param_call(MODULE_PARAM_PREFIX, name, \
62291 diff -urNp linux-2.6.32.46/include/linux/mutex.h linux-2.6.32.46/include/linux/mutex.h
62292 --- linux-2.6.32.46/include/linux/mutex.h 2011-03-27 14:31:47.000000000 -0400
62293 +++ linux-2.6.32.46/include/linux/mutex.h 2011-04-17 15:56:46.000000000 -0400
62294 @@ -51,7 +51,7 @@ struct mutex {
62295 spinlock_t wait_lock;
62296 struct list_head wait_list;
62297 #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
62298 - struct thread_info *owner;
62299 + struct task_struct *owner;
62300 #endif
62301 #ifdef CONFIG_DEBUG_MUTEXES
62302 const char *name;
62303 diff -urNp linux-2.6.32.46/include/linux/namei.h linux-2.6.32.46/include/linux/namei.h
62304 --- linux-2.6.32.46/include/linux/namei.h 2011-03-27 14:31:47.000000000 -0400
62305 +++ linux-2.6.32.46/include/linux/namei.h 2011-04-17 15:56:46.000000000 -0400
62306 @@ -22,7 +22,7 @@ struct nameidata {
62307 unsigned int flags;
62308 int last_type;
62309 unsigned depth;
62310 - char *saved_names[MAX_NESTED_LINKS + 1];
62311 + const char *saved_names[MAX_NESTED_LINKS + 1];
62312
62313 /* Intent data */
62314 union {
62315 @@ -84,12 +84,12 @@ extern int follow_up(struct path *);
62316 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
62317 extern void unlock_rename(struct dentry *, struct dentry *);
62318
62319 -static inline void nd_set_link(struct nameidata *nd, char *path)
62320 +static inline void nd_set_link(struct nameidata *nd, const char *path)
62321 {
62322 nd->saved_names[nd->depth] = path;
62323 }
62324
62325 -static inline char *nd_get_link(struct nameidata *nd)
62326 +static inline const char *nd_get_link(const struct nameidata *nd)
62327 {
62328 return nd->saved_names[nd->depth];
62329 }
62330 diff -urNp linux-2.6.32.46/include/linux/netdevice.h linux-2.6.32.46/include/linux/netdevice.h
62331 --- linux-2.6.32.46/include/linux/netdevice.h 2011-08-09 18:35:30.000000000 -0400
62332 +++ linux-2.6.32.46/include/linux/netdevice.h 2011-08-23 21:22:38.000000000 -0400
62333 @@ -637,6 +637,7 @@ struct net_device_ops {
62334 u16 xid);
62335 #endif
62336 };
62337 +typedef struct net_device_ops __no_const net_device_ops_no_const;
62338
62339 /*
62340 * The DEVICE structure.
62341 diff -urNp linux-2.6.32.46/include/linux/netfilter/xt_gradm.h linux-2.6.32.46/include/linux/netfilter/xt_gradm.h
62342 --- linux-2.6.32.46/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
62343 +++ linux-2.6.32.46/include/linux/netfilter/xt_gradm.h 2011-04-17 15:56:46.000000000 -0400
62344 @@ -0,0 +1,9 @@
62345 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
62346 +#define _LINUX_NETFILTER_XT_GRADM_H 1
62347 +
62348 +struct xt_gradm_mtinfo {
62349 + __u16 flags;
62350 + __u16 invflags;
62351 +};
62352 +
62353 +#endif
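Review bot: This new header uses `__u16` but includes nothing, so it only compiles when something else has already pulled in the type definitions. Adding `#include <linux/types.h>` right after the include guard makes it self-contained. A short comment on `flags` and `invflags` naming the bit values they accept would also help, since none are defined in this file.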
62354 diff -urNp linux-2.6.32.46/include/linux/nodemask.h linux-2.6.32.46/include/linux/nodemask.h
62355 --- linux-2.6.32.46/include/linux/nodemask.h 2011-03-27 14:31:47.000000000 -0400
62356 +++ linux-2.6.32.46/include/linux/nodemask.h 2011-04-17 15:56:46.000000000 -0400
62357 @@ -464,11 +464,11 @@ static inline int num_node_state(enum no
62358
62359 #define any_online_node(mask) \
62360 ({ \
62361 - int node; \
62362 - for_each_node_mask(node, (mask)) \
62363 - if (node_online(node)) \
62364 + int __node; \
62365 + for_each_node_mask(__node, (mask)) \
62366 + if (node_online(__node)) \
62367 break; \
62368 - node; \
62369 + __node; \
62370 })
62371
62372 #define num_online_nodes() num_node_state(N_ONLINE)
62373 diff -urNp linux-2.6.32.46/include/linux/oprofile.h linux-2.6.32.46/include/linux/oprofile.h
62374 --- linux-2.6.32.46/include/linux/oprofile.h 2011-03-27 14:31:47.000000000 -0400
62375 +++ linux-2.6.32.46/include/linux/oprofile.h 2011-04-17 15:56:46.000000000 -0400
62376 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
62377 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
62378 char const * name, ulong * val);
62379
62380 -/** Create a file for read-only access to an atomic_t. */
62381 +/** Create a file for read-only access to an atomic_unchecked_t. */
62382 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
62383 - char const * name, atomic_t * val);
62384 + char const * name, atomic_unchecked_t * val);
62385
62386 /** create a directory */
62387 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
62388 diff -urNp linux-2.6.32.46/include/linux/pagemap.h linux-2.6.32.46/include/linux/pagemap.h
62389 --- linux-2.6.32.46/include/linux/pagemap.h 2011-03-27 14:31:47.000000000 -0400
62390 +++ linux-2.6.32.46/include/linux/pagemap.h 2011-08-17 19:36:28.000000000 -0400
62391 @@ -425,6 +425,7 @@ static inline int fault_in_pages_readabl
62392 if (((unsigned long)uaddr & PAGE_MASK) !=
62393 ((unsigned long)end & PAGE_MASK))
62394 ret = __get_user(c, end);
62395 + (void)c;
62396 }
62397 return ret;
62398 }
62399 diff -urNp linux-2.6.32.46/include/linux/perf_event.h linux-2.6.32.46/include/linux/perf_event.h
62400 --- linux-2.6.32.46/include/linux/perf_event.h 2011-03-27 14:31:47.000000000 -0400
62401 +++ linux-2.6.32.46/include/linux/perf_event.h 2011-05-04 17:56:28.000000000 -0400
62402 @@ -476,7 +476,7 @@ struct hw_perf_event {
62403 struct hrtimer hrtimer;
62404 };
62405 };
62406 - atomic64_t prev_count;
62407 + atomic64_unchecked_t prev_count;
62408 u64 sample_period;
62409 u64 last_period;
62410 atomic64_t period_left;
62411 @@ -557,7 +557,7 @@ struct perf_event {
62412 const struct pmu *pmu;
62413
62414 enum perf_event_active_state state;
62415 - atomic64_t count;
62416 + atomic64_unchecked_t count;
62417
62418 /*
62419 * These are the total time in nanoseconds that the event
62420 @@ -595,8 +595,8 @@ struct perf_event {
62421 * These accumulate total time (in nanoseconds) that children
62422 * events have been enabled and running, respectively.
62423 */
62424 - atomic64_t child_total_time_enabled;
62425 - atomic64_t child_total_time_running;
62426 + atomic64_unchecked_t child_total_time_enabled;
62427 + atomic64_unchecked_t child_total_time_running;
62428
62429 /*
62430 * Protect attach/detach and child_list:
62431 diff -urNp linux-2.6.32.46/include/linux/pipe_fs_i.h linux-2.6.32.46/include/linux/pipe_fs_i.h
62432 --- linux-2.6.32.46/include/linux/pipe_fs_i.h 2011-03-27 14:31:47.000000000 -0400
62433 +++ linux-2.6.32.46/include/linux/pipe_fs_i.h 2011-04-17 15:56:46.000000000 -0400
62434 @@ -46,9 +46,9 @@ struct pipe_inode_info {
62435 wait_queue_head_t wait;
62436 unsigned int nrbufs, curbuf;
62437 struct page *tmp_page;
62438 - unsigned int readers;
62439 - unsigned int writers;
62440 - unsigned int waiting_writers;
62441 + atomic_t readers;
62442 + atomic_t writers;
62443 + atomic_t waiting_writers;
62444 unsigned int r_counter;
62445 unsigned int w_counter;
62446 struct fasync_struct *fasync_readers;
62447 diff -urNp linux-2.6.32.46/include/linux/poison.h linux-2.6.32.46/include/linux/poison.h
62448 --- linux-2.6.32.46/include/linux/poison.h 2011-03-27 14:31:47.000000000 -0400
62449 +++ linux-2.6.32.46/include/linux/poison.h 2011-04-17 15:56:46.000000000 -0400
62450 @@ -19,8 +19,8 @@
62451 * under normal circumstances, used to verify that nobody uses
62452 * non-initialized list entries.
62453 */
62454 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
62455 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
62456 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
62457 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
62458
62459 /********** include/linux/timer.h **********/
62460 /*
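Review bot: The new LIST_POISON1/LIST_POISON2 values drop `POISON_POINTER_DELTA`, and `0xFFFFFF01` is an unsigned literal, so `(long)0xFFFFFF01` is zero-extended rather than sign-extended where long is 64 bits. The poison pointer there becomes a low, canonical address rather than the per-architecture delta-based one, so a dereference of a poisoned list entry faults only if that address is guaranteed never to be mapped. If a top-of-address-space value was intended on every word size, `((void *) (long)(int)0xFFFFFF01)` states that explicitly. Otherwise a comment above the defines should say which configurations guarantee the fault.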
62461 diff -urNp linux-2.6.32.46/include/linux/posix-timers.h linux-2.6.32.46/include/linux/posix-timers.h
62462 --- linux-2.6.32.46/include/linux/posix-timers.h 2011-03-27 14:31:47.000000000 -0400
62463 +++ linux-2.6.32.46/include/linux/posix-timers.h 2011-08-05 20:33:55.000000000 -0400
62464 @@ -67,7 +67,7 @@ struct k_itimer {
62465 };
62466
62467 struct k_clock {
62468 - int res; /* in nanoseconds */
62469 + const int res; /* in nanoseconds */
62470 int (*clock_getres) (const clockid_t which_clock, struct timespec *tp);
62471 int (*clock_set) (const clockid_t which_clock, struct timespec * tp);
62472 int (*clock_get) (const clockid_t which_clock, struct timespec * tp);
62473 diff -urNp linux-2.6.32.46/include/linux/preempt.h linux-2.6.32.46/include/linux/preempt.h
62474 --- linux-2.6.32.46/include/linux/preempt.h 2011-03-27 14:31:47.000000000 -0400
62475 +++ linux-2.6.32.46/include/linux/preempt.h 2011-08-05 20:33:55.000000000 -0400
62476 @@ -110,7 +110,7 @@ struct preempt_ops {
62477 void (*sched_in)(struct preempt_notifier *notifier, int cpu);
62478 void (*sched_out)(struct preempt_notifier *notifier,
62479 struct task_struct *next);
62480 -};
62481 +} __no_const;
62482
62483 /**
62484 * preempt_notifier - key for installing preemption notifiers
62485 diff -urNp linux-2.6.32.46/include/linux/proc_fs.h linux-2.6.32.46/include/linux/proc_fs.h
62486 --- linux-2.6.32.46/include/linux/proc_fs.h 2011-03-27 14:31:47.000000000 -0400
62487 +++ linux-2.6.32.46/include/linux/proc_fs.h 2011-08-05 20:33:55.000000000 -0400
62488 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
62489 return proc_create_data(name, mode, parent, proc_fops, NULL);
62490 }
62491
62492 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
62493 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
62494 +{
62495 +#ifdef CONFIG_GRKERNSEC_PROC_USER
62496 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
62497 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
62498 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
62499 +#else
62500 + return proc_create_data(name, mode, parent, proc_fops, NULL);
62501 +#endif
62502 +}
62503 +
62504 +
62505 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
62506 mode_t mode, struct proc_dir_entry *base,
62507 read_proc_t *read_proc, void * data)
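Review bot: proc_create_grsec() silently ignores its `mode` argument when CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP is set, and nothing at the definition says so. In the default branch the caller's mode is used unchanged, so the restriction exists only under those two options. A comment should make that contract explicit, e.g. `/* mode is honoured only when neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is set; otherwise the entry is forced to owner (or owner+group) read-only */`. The hunk also adds two consecutive blank lines after the function, where one is enough. create_proc_read_entry() begins at the end of the hunk and continues outside it.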
62508 @@ -256,7 +269,7 @@ union proc_op {
62509 int (*proc_show)(struct seq_file *m,
62510 struct pid_namespace *ns, struct pid *pid,
62511 struct task_struct *task);
62512 -};
62513 +} __no_const;
62514
62515 struct ctl_table_header;
62516 struct ctl_table;
62517 diff -urNp linux-2.6.32.46/include/linux/ptrace.h linux-2.6.32.46/include/linux/ptrace.h
62518 --- linux-2.6.32.46/include/linux/ptrace.h 2011-03-27 14:31:47.000000000 -0400
62519 +++ linux-2.6.32.46/include/linux/ptrace.h 2011-04-17 15:56:46.000000000 -0400
62520 @@ -96,10 +96,10 @@ extern void __ptrace_unlink(struct task_
62521 extern void exit_ptrace(struct task_struct *tracer);
62522 #define PTRACE_MODE_READ 1
62523 #define PTRACE_MODE_ATTACH 2
62524 -/* Returns 0 on success, -errno on denial. */
62525 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
62526 /* Returns true on success, false on denial. */
62527 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
62528 +/* Returns true on success, false on denial. */
62529 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
62530
62531 static inline int ptrace_reparented(struct task_struct *child)
62532 {
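Review bot: The comment added above ptrace_may_access_log() is a verbatim copy of the one on ptrace_may_access(), so the header no longer tells a caller which of the two to use. The comment should state the difference; the name suggests the new variant logs denials, but that needs confirming against the definition, which is not in this hunk. Something like `/* As ptrace_may_access(), but additionally logs a denial. */` would do if that is the behaviour. ptrace_reparented() starts on the hunk's last lines and continues outside it.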
62533 diff -urNp linux-2.6.32.46/include/linux/random.h linux-2.6.32.46/include/linux/random.h
62534 --- linux-2.6.32.46/include/linux/random.h 2011-08-16 20:37:25.000000000 -0400
62535 +++ linux-2.6.32.46/include/linux/random.h 2011-08-07 19:48:09.000000000 -0400
62536 @@ -63,6 +63,11 @@ unsigned long randomize_range(unsigned l
62537 u32 random32(void);
62538 void srandom32(u32 seed);
62539
62540 +static inline unsigned long pax_get_random_long(void)
62541 +{
62542 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
62543 +}
62544 +
62545 #endif /* __KERNEL___ */
62546
62547 #endif /* _LINUX_RANDOM_H */
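Review bot: pax_get_random_long() builds its result only from random32(), which this header declares next to `srandom32(u32 seed)`, i.e. the seedable general-purpose PRNG rather than the entropy-pool interface. If the value feeds address-space randomisation offsets, as the pax_ prefix suggests (the callers are outside this hunk), its unpredictability is bounded by that generator's state, and the function should say so. I would add a comment such as `/* built from random32(); not cryptographically strong, do not use for keys or tokens */`, or take the bits from get_random_bytes() if every caller can tolerate that path.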
62548 diff -urNp linux-2.6.32.46/include/linux/reboot.h linux-2.6.32.46/include/linux/reboot.h
62549 --- linux-2.6.32.46/include/linux/reboot.h 2011-03-27 14:31:47.000000000 -0400
62550 +++ linux-2.6.32.46/include/linux/reboot.h 2011-05-22 23:02:06.000000000 -0400
62551 @@ -47,9 +47,9 @@ extern int unregister_reboot_notifier(st
62552 * Architecture-specific implementations of sys_reboot commands.
62553 */
62554
62555 -extern void machine_restart(char *cmd);
62556 -extern void machine_halt(void);
62557 -extern void machine_power_off(void);
62558 +extern void machine_restart(char *cmd) __noreturn;
62559 +extern void machine_halt(void) __noreturn;
62560 +extern void machine_power_off(void) __noreturn;
62561
62562 extern void machine_shutdown(void);
62563 struct pt_regs;
62564 @@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struc
62565 */
62566
62567 extern void kernel_restart_prepare(char *cmd);
62568 -extern void kernel_restart(char *cmd);
62569 -extern void kernel_halt(void);
62570 -extern void kernel_power_off(void);
62571 +extern void kernel_restart(char *cmd) __noreturn;
62572 +extern void kernel_halt(void) __noreturn;
62573 +extern void kernel_power_off(void) __noreturn;
62574
62575 void ctrl_alt_del(void);
62576
62577 @@ -75,7 +75,7 @@ extern int orderly_poweroff(bool force);
62578 * Emergency restart, callable from an interrupt handler.
62579 */
62580
62581 -extern void emergency_restart(void);
62582 +extern void emergency_restart(void) __noreturn;
62583 #include <asm/emergency-restart.h>
62584
62585 #endif
62586 diff -urNp linux-2.6.32.46/include/linux/reiserfs_fs.h linux-2.6.32.46/include/linux/reiserfs_fs.h
62587 --- linux-2.6.32.46/include/linux/reiserfs_fs.h 2011-03-27 14:31:47.000000000 -0400
62588 +++ linux-2.6.32.46/include/linux/reiserfs_fs.h 2011-04-17 15:56:46.000000000 -0400
62589 @@ -1326,7 +1326,7 @@ static inline loff_t max_reiserfs_offset
62590 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
62591
62592 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
62593 -#define get_generation(s) atomic_read (&fs_generation(s))
62594 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
62595 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
62596 #define __fs_changed(gen,s) (gen != get_generation (s))
62597 #define fs_changed(gen,s) ({cond_resched(); __fs_changed(gen, s);})
62598 @@ -1534,24 +1534,24 @@ static inline struct super_block *sb_fro
62599 */
62600
62601 struct item_operations {
62602 - int (*bytes_number) (struct item_head * ih, int block_size);
62603 - void (*decrement_key) (struct cpu_key *);
62604 - int (*is_left_mergeable) (struct reiserfs_key * ih,
62605 + int (* const bytes_number) (struct item_head * ih, int block_size);
62606 + void (* const decrement_key) (struct cpu_key *);
62607 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
62608 unsigned long bsize);
62609 - void (*print_item) (struct item_head *, char *item);
62610 - void (*check_item) (struct item_head *, char *item);
62611 + void (* const print_item) (struct item_head *, char *item);
62612 + void (* const check_item) (struct item_head *, char *item);
62613
62614 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
62615 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
62616 int is_affected, int insert_size);
62617 - int (*check_left) (struct virtual_item * vi, int free,
62618 + int (* const check_left) (struct virtual_item * vi, int free,
62619 int start_skip, int end_skip);
62620 - int (*check_right) (struct virtual_item * vi, int free);
62621 - int (*part_size) (struct virtual_item * vi, int from, int to);
62622 - int (*unit_num) (struct virtual_item * vi);
62623 - void (*print_vi) (struct virtual_item * vi);
62624 + int (* const check_right) (struct virtual_item * vi, int free);
62625 + int (* const part_size) (struct virtual_item * vi, int from, int to);
62626 + int (* const unit_num) (struct virtual_item * vi);
62627 + void (* const print_vi) (struct virtual_item * vi);
62628 };
62629
62630 -extern struct item_operations *item_ops[TYPE_ANY + 1];
62631 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
62632
62633 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
62634 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
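Review bot: Qualifying every member of `struct item_operations` as `(* const fn)` makes the struct itself non-assignable, which is a stronger and noisier constraint than the `const struct item_operations * const item_ops[TYPE_ANY + 1]` declaration at the end of this hunk already expresses. Declaring the instances `const` would presumably give the same read-only placement without touching each member, and would not break code that fills such a struct in at run time (none is visible here). If the per-member form is intentional, a comment above the struct such as `/* members are const: instances may only be built by static initializers */` would say so. The same pattern is repeated in `struct platform_suspend_ops`, `struct platform_hibernation_ops` and `struct sysfs_ops` further down.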
62635 diff -urNp linux-2.6.32.46/include/linux/reiserfs_fs_sb.h linux-2.6.32.46/include/linux/reiserfs_fs_sb.h
62636 --- linux-2.6.32.46/include/linux/reiserfs_fs_sb.h 2011-03-27 14:31:47.000000000 -0400
62637 +++ linux-2.6.32.46/include/linux/reiserfs_fs_sb.h 2011-04-17 15:56:46.000000000 -0400
62638 @@ -377,7 +377,7 @@ struct reiserfs_sb_info {
62639 /* Comment? -Hans */
62640 wait_queue_head_t s_wait;
62641 /* To be obsoleted soon by per buffer seals.. -Hans */
62642 - atomic_t s_generation_counter; // increased by one every time the
62643 + atomic_unchecked_t s_generation_counter; // increased by one every time the
62644 // tree gets re-balanced
62645 unsigned long s_properties; /* File system properties. Currently holds
62646 on-disk FS format */
62647 diff -urNp linux-2.6.32.46/include/linux/relay.h linux-2.6.32.46/include/linux/relay.h
62648 --- linux-2.6.32.46/include/linux/relay.h 2011-03-27 14:31:47.000000000 -0400
62649 +++ linux-2.6.32.46/include/linux/relay.h 2011-08-05 20:33:55.000000000 -0400
62650 @@ -159,7 +159,7 @@ struct rchan_callbacks
62651 * The callback should return 0 if successful, negative if not.
62652 */
62653 int (*remove_buf_file)(struct dentry *dentry);
62654 -};
62655 +} __no_const;
62656
62657 /*
62658 * CONFIG_RELAY kernel API, kernel/relay.c
62659 diff -urNp linux-2.6.32.46/include/linux/rfkill.h linux-2.6.32.46/include/linux/rfkill.h
62660 --- linux-2.6.32.46/include/linux/rfkill.h 2011-03-27 14:31:47.000000000 -0400
62661 +++ linux-2.6.32.46/include/linux/rfkill.h 2011-08-23 21:22:38.000000000 -0400
62662 @@ -144,6 +144,7 @@ struct rfkill_ops {
62663 void (*query)(struct rfkill *rfkill, void *data);
62664 int (*set_block)(void *data, bool blocked);
62665 };
62666 +typedef struct rfkill_ops __no_const rfkill_ops_no_const;
62667
62668 #if defined(CONFIG_RFKILL) || defined(CONFIG_RFKILL_MODULE)
62669 /**
62670 diff -urNp linux-2.6.32.46/include/linux/sched.h linux-2.6.32.46/include/linux/sched.h
62671 --- linux-2.6.32.46/include/linux/sched.h 2011-03-27 14:31:47.000000000 -0400
62672 +++ linux-2.6.32.46/include/linux/sched.h 2011-08-11 19:48:55.000000000 -0400
62673 @@ -101,6 +101,7 @@ struct bio;
62674 struct fs_struct;
62675 struct bts_context;
62676 struct perf_event_context;
62677 +struct linux_binprm;
62678
62679 /*
62680 * List of flags we want to share for kernel threads,
62681 @@ -350,7 +351,7 @@ extern signed long schedule_timeout_kill
62682 extern signed long schedule_timeout_uninterruptible(signed long timeout);
62683 asmlinkage void __schedule(void);
62684 asmlinkage void schedule(void);
62685 -extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
62686 +extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
62687
62688 struct nsproxy;
62689 struct user_namespace;
62690 @@ -371,9 +372,12 @@ struct user_namespace;
62691 #define DEFAULT_MAX_MAP_COUNT (USHORT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
62692
62693 extern int sysctl_max_map_count;
62694 +extern unsigned long sysctl_heap_stack_gap;
62695
62696 #include <linux/aio.h>
62697
62698 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
62699 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
62700 extern unsigned long
62701 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
62702 unsigned long, unsigned long);
62703 @@ -666,6 +670,16 @@ struct signal_struct {
62704 struct tty_audit_buf *tty_audit_buf;
62705 #endif
62706
62707 +#ifdef CONFIG_GRKERNSEC
62708 + u32 curr_ip;
62709 + u32 saved_ip;
62710 + u32 gr_saddr;
62711 + u32 gr_daddr;
62712 + u16 gr_sport;
62713 + u16 gr_dport;
62714 + u8 used_accept:1;
62715 +#endif
62716 +
62717 int oom_adj; /* OOM kill score adjustment (bit shift) */
62718 };
62719
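Review bot: The new `CONFIG_GRKERNSEC` fields in `struct signal_struct` carry no comments, and their types leave two things open. `curr_ip`, `saved_ip`, `gr_saddr` and `gr_daddr` are plain `u32`, so they can only hold IPv4 addresses, and nothing says whether they and the `u16` ports are kept in network or host byte order. If they are stored in network order, `__be32`/`__be16` would let sparse check the conversions; either way each field deserves a short comment saying what it records and what `used_accept` marks. `struct signal_struct` starts outside the hunk.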
62720 @@ -723,6 +737,11 @@ struct user_struct {
62721 struct key *session_keyring; /* UID's default session keyring */
62722 #endif
62723
62724 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
62725 + unsigned int banned;
62726 + unsigned long ban_expires;
62727 +#endif
62728 +
62729 /* Hash table maintenance information */
62730 struct hlist_node uidhash_node;
62731 uid_t uid;
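Review bot: `banned` and `ban_expires` are added to `struct user_struct` without saying what they mean or how they are protected. From the hunk alone a reader cannot tell whether `ban_expires` is in jiffies or seconds, whether `banned` is a flag or a counter, or which lock covers the pair when both are updated. A comment on each field stating the unit and the locking rule would close that gap. The struct starts outside the hunk.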
62732 @@ -1328,8 +1347,8 @@ struct task_struct {
62733 struct list_head thread_group;
62734
62735 struct completion *vfork_done; /* for vfork() */
62736 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
62737 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
62738 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
62739 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
62740
62741 cputime_t utime, stime, utimescaled, stimescaled;
62742 cputime_t gtime;
62743 @@ -1343,16 +1362,6 @@ struct task_struct {
62744 struct task_cputime cputime_expires;
62745 struct list_head cpu_timers[3];
62746
62747 -/* process credentials */
62748 - const struct cred *real_cred; /* objective and real subjective task
62749 - * credentials (COW) */
62750 - const struct cred *cred; /* effective (overridable) subjective task
62751 - * credentials (COW) */
62752 - struct mutex cred_guard_mutex; /* guard against foreign influences on
62753 - * credential calculations
62754 - * (notably. ptrace) */
62755 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
62756 -
62757 char comm[TASK_COMM_LEN]; /* executable name excluding path
62758 - access with [gs]et_task_comm (which lock
62759 it with task_lock())
62760 @@ -1369,6 +1378,10 @@ struct task_struct {
62761 #endif
62762 /* CPU-specific state of this task */
62763 struct thread_struct thread;
62764 +/* thread_info moved to task_struct */
62765 +#ifdef CONFIG_X86
62766 + struct thread_info tinfo;
62767 +#endif
62768 /* filesystem information */
62769 struct fs_struct *fs;
62770 /* open file information */
62771 @@ -1436,6 +1449,15 @@ struct task_struct {
62772 int hardirq_context;
62773 int softirq_context;
62774 #endif
62775 +
62776 +/* process credentials */
62777 + const struct cred *real_cred; /* objective and real subjective task
62778 + * credentials (COW) */
62779 + struct mutex cred_guard_mutex; /* guard against foreign influences on
62780 + * credential calculations
62781 + * (notably. ptrace) */
62782 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
62783 +
62784 #ifdef CONFIG_LOCKDEP
62785 # define MAX_LOCK_DEPTH 48UL
62786 u64 curr_chain_key;
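Review bot: Nothing records why the credential fields are placed here rather than where an earlier hunk removed them, or why `cred` is split off into the following hunk after `backing_dev_info`. Without a comment, the next cleanup is likely to regroup `real_cred` and `cred` under the original `/* process credentials */` heading and undo the layout. A sentence above this block should state the reason for the placement and that `cred` deliberately lives elsewhere in the struct. `struct task_struct` starts and ends outside the hunk.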
62787 @@ -1456,6 +1478,9 @@ struct task_struct {
62788
62789 struct backing_dev_info *backing_dev_info;
62790
62791 + const struct cred *cred; /* effective (overridable) subjective task
62792 + * credentials (COW) */
62793 +
62794 struct io_context *io_context;
62795
62796 unsigned long ptrace_message;
62797 @@ -1519,6 +1544,21 @@ struct task_struct {
62798 unsigned long default_timer_slack_ns;
62799
62800 struct list_head *scm_work_list;
62801 +
62802 +#ifdef CONFIG_GRKERNSEC
62803 + /* grsecurity */
62804 + struct dentry *gr_chroot_dentry;
62805 + struct acl_subject_label *acl;
62806 + struct acl_role_label *role;
62807 + struct file *exec_file;
62808 + u16 acl_role_id;
62809 + /* is this the task that authenticated to the special role */
62810 + u8 acl_sp_role;
62811 + u8 is_writable;
62812 + u8 brute;
62813 + u8 gr_is_chrooted;
62814 +#endif
62815 +
62816 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
62817 /* Index of current stored adress in ret_stack */
62818 int curr_ret_stack;
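Review bot: `gr_chroot_dentry` and `exec_file` are raw pointers added to `struct task_struct`, and the hunk does not say whether the task holds a reference on them or where they are copied on fork and dropped on exit. A stale `struct dentry *` or `struct file *` in a long-lived task is a use-after-free hazard, so the ownership rule belongs next to the fields, for example `/* holds a reference; released when the task exits */` if that is what the rest of the patch does. The `u8` flags `is_writable`, `brute` and `gr_is_chrooted` would also read better with a one-line meaning each. `struct task_struct` starts and ends outside the hunk.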
62819 @@ -1542,6 +1582,57 @@ struct task_struct {
62820 #endif /* CONFIG_TRACING */
62821 };
62822
62823 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
62824 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
62825 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
62826 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
62827 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
62828 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
62829 +
62830 +#ifdef CONFIG_PAX_SOFTMODE
62831 +extern int pax_softmode;
62832 +#endif
62833 +
62834 +extern int pax_check_flags(unsigned long *);
62835 +
62836 +/* if tsk != current then task_lock must be held on it */
62837 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
62838 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
62839 +{
62840 + if (likely(tsk->mm))
62841 + return tsk->mm->pax_flags;
62842 + else
62843 + return 0UL;
62844 +}
62845 +
62846 +/* if tsk != current then task_lock must be held on it */
62847 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
62848 +{
62849 + if (likely(tsk->mm)) {
62850 + tsk->mm->pax_flags = flags;
62851 + return 0;
62852 + }
62853 + return -EINVAL;
62854 +}
62855 +#endif
62856 +
62857 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
62858 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
62859 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
62860 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
62861 +#endif
62862 +
62863 +extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
62864 +extern void pax_report_insns(void *pc, void *sp);
62865 +extern void pax_report_refcount_overflow(struct pt_regs *regs);
62866 +extern NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) ATTRIB_NORET;
62867 +
62868 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
62869 +extern void pax_track_stack(void);
62870 +#else
62871 +static inline void pax_track_stack(void) {}
62872 +#endif
62873 +
62874 /* Future-safe accessor for struct task_struct's cpus_allowed. */
62875 #define tsk_cpumask(tsk) (&(tsk)->cpus_allowed)
62876
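Review bot: `pax_get_flags()` returns `0UL` for a task with no `mm`, which a caller cannot tell apart from a task whose flags are all clear, while `pax_set_flags()` reports the same condition as `-EINVAL`; neither convention is documented. The locking comment for the getter also sits above the `#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)` line, so it reads as if it described the guard. I would move it inside the guard and extend it, e.g. `/* returns 0 when tsk has no mm; if tsk != current, task_lock must be held on it */`. Since `pax_get_flags()` only reads through `tsk`, its parameter could be `const struct task_struct *tsk`.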
62877 @@ -1740,7 +1831,7 @@ extern void thread_group_times(struct ta
62878 #define PF_DUMPCORE 0x00000200 /* dumped core */
62879 #define PF_SIGNALED 0x00000400 /* killed by a signal */
62880 #define PF_MEMALLOC 0x00000800 /* Allocating memory */
62881 -#define PF_FLUSHER 0x00001000 /* responsible for disk writeback */
62882 +#define PF_NPROC_EXCEEDED 0x00001000 /* set_user noticed that RLIMIT_NPROC was exceeded */
62883 #define PF_USED_MATH 0x00002000 /* if unset the fpu must be initialized before use */
62884 #define PF_FREEZING 0x00004000 /* freeze in progress. do not account to load */
62885 #define PF_NOFREEZE 0x00008000 /* this thread should not be frozen */
62886 @@ -1978,7 +2069,9 @@ void yield(void);
62887 extern struct exec_domain default_exec_domain;
62888
62889 union thread_union {
62890 +#ifndef CONFIG_X86
62891 struct thread_info thread_info;
62892 +#endif
62893 unsigned long stack[THREAD_SIZE/sizeof(long)];
62894 };
62895
62896 @@ -2011,6 +2104,7 @@ extern struct pid_namespace init_pid_ns;
62897 */
62898
62899 extern struct task_struct *find_task_by_vpid(pid_t nr);
62900 +extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
62901 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
62902 struct pid_namespace *ns);
62903
62904 @@ -2155,7 +2249,7 @@ extern void __cleanup_sighand(struct sig
62905 extern void exit_itimers(struct signal_struct *);
62906 extern void flush_itimer_signals(void);
62907
62908 -extern NORET_TYPE void do_group_exit(int);
62909 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
62910
62911 extern void daemonize(const char *, ...);
62912 extern int allow_signal(int);
62913 @@ -2284,13 +2378,17 @@ static inline unsigned long *end_of_stac
62914
62915 #endif
62916
62917 -static inline int object_is_on_stack(void *obj)
62918 +static inline int object_starts_on_stack(void *obj)
62919 {
62920 - void *stack = task_stack_page(current);
62921 + const void *stack = task_stack_page(current);
62922
62923 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
62924 }
62925
62926 +#ifdef CONFIG_PAX_USERCOPY
62927 +extern int object_is_on_stack(const void *obj, unsigned long len);
62928 +#endif
62929 +
62930 extern void thread_info_cache_init(void);
62931
62932 #ifdef CONFIG_DEBUG_STACK_USAGE
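Review bot: After the rename, `object_is_on_stack` exists only under `CONFIG_PAX_USERCOPY`, with a different signature `(const void *obj, unsigned long len)` and undocumented return values. An `int` here could be a boolean or a multi-state result, and callers need to know which, so a comment above the declaration should list the return values. A one-line comment on `object_starts_on_stack()` should say that it tests only the object's start address, not its extent. For consistency with the new declaration, the inline helper could take `const void *obj`.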
62933 diff -urNp linux-2.6.32.46/include/linux/screen_info.h linux-2.6.32.46/include/linux/screen_info.h
62934 --- linux-2.6.32.46/include/linux/screen_info.h 2011-03-27 14:31:47.000000000 -0400
62935 +++ linux-2.6.32.46/include/linux/screen_info.h 2011-04-17 15:56:46.000000000 -0400
62936 @@ -42,7 +42,8 @@ struct screen_info {
62937 __u16 pages; /* 0x32 */
62938 __u16 vesa_attributes; /* 0x34 */
62939 __u32 capabilities; /* 0x36 */
62940 - __u8 _reserved[6]; /* 0x3a */
62941 + __u16 vesapm_size; /* 0x3a */
62942 + __u8 _reserved[4]; /* 0x3c */
62943 } __attribute__((packed));
62944
62945 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
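Review bot: Nothing in the hunk says who fills `vesapm_size` or what unit it is in; the offset comments add up and the packed size is unchanged, but the field now occupies two bytes that were `_reserved`. A producer unaware of this patch may leave those bytes uninitialised, so the consumer should treat the value as untrusted and bound it before using it as a size. Reserved bytes in a shared layout may also be assigned a different meaning upstream later, which is worth noting for anyone rebasing. A comment on the field stating the unit and which code sets it would record this.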
62946 diff -urNp linux-2.6.32.46/include/linux/security.h linux-2.6.32.46/include/linux/security.h
62947 --- linux-2.6.32.46/include/linux/security.h 2011-03-27 14:31:47.000000000 -0400
62948 +++ linux-2.6.32.46/include/linux/security.h 2011-04-17 15:56:46.000000000 -0400
62949 @@ -34,6 +34,7 @@
62950 #include <linux/key.h>
62951 #include <linux/xfrm.h>
62952 #include <linux/gfp.h>
62953 +#include <linux/grsecurity.h>
62954 #include <net/flow.h>
62955
62956 /* Maximum number of letters for an LSM name string */
62957 diff -urNp linux-2.6.32.46/include/linux/seq_file.h linux-2.6.32.46/include/linux/seq_file.h
62958 --- linux-2.6.32.46/include/linux/seq_file.h 2011-03-27 14:31:47.000000000 -0400
62959 +++ linux-2.6.32.46/include/linux/seq_file.h 2011-08-23 21:22:38.000000000 -0400
62960 @@ -32,6 +32,7 @@ struct seq_operations {
62961 void * (*next) (struct seq_file *m, void *v, loff_t *pos);
62962 int (*show) (struct seq_file *m, void *v);
62963 };
62964 +typedef struct seq_operations __no_const seq_operations_no_const;
62965
62966 #define SEQ_SKIP 1
62967
62968 diff -urNp linux-2.6.32.46/include/linux/shm.h linux-2.6.32.46/include/linux/shm.h
62969 --- linux-2.6.32.46/include/linux/shm.h 2011-03-27 14:31:47.000000000 -0400
62970 +++ linux-2.6.32.46/include/linux/shm.h 2011-04-17 15:56:46.000000000 -0400
62971 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
62972 pid_t shm_cprid;
62973 pid_t shm_lprid;
62974 struct user_struct *mlock_user;
62975 +#ifdef CONFIG_GRKERNSEC
62976 + time_t shm_createtime;
62977 + pid_t shm_lapid;
62978 +#endif
62979 };
62980
62981 /* shm_mode upper byte flags */
62982 diff -urNp linux-2.6.32.46/include/linux/skbuff.h linux-2.6.32.46/include/linux/skbuff.h
62983 --- linux-2.6.32.46/include/linux/skbuff.h 2011-03-27 14:31:47.000000000 -0400
62984 +++ linux-2.6.32.46/include/linux/skbuff.h 2011-08-21 15:27:56.000000000 -0400
62985 @@ -14,6 +14,7 @@
62986 #ifndef _LINUX_SKBUFF_H
62987 #define _LINUX_SKBUFF_H
62988
62989 +#include <linux/const.h>
62990 #include <linux/kernel.h>
62991 #include <linux/kmemcheck.h>
62992 #include <linux/compiler.h>
62993 @@ -544,7 +545,7 @@ static inline union skb_shared_tx *skb_t
62994 */
62995 static inline int skb_queue_empty(const struct sk_buff_head *list)
62996 {
62997 - return list->next == (struct sk_buff *)list;
62998 + return list->next == (const struct sk_buff *)list;
62999 }
63000
63001 /**
63002 @@ -557,7 +558,7 @@ static inline int skb_queue_empty(const
63003 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
63004 const struct sk_buff *skb)
63005 {
63006 - return (skb->next == (struct sk_buff *) list);
63007 + return (skb->next == (const struct sk_buff *) list);
63008 }
63009
63010 /**
63011 @@ -570,7 +571,7 @@ static inline bool skb_queue_is_last(con
63012 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
63013 const struct sk_buff *skb)
63014 {
63015 - return (skb->prev == (struct sk_buff *) list);
63016 + return (skb->prev == (const struct sk_buff *) list);
63017 }
63018
63019 /**
63020 @@ -1367,7 +1368,7 @@ static inline int skb_network_offset(con
63021 * headroom, you should not reduce this.
63022 */
63023 #ifndef NET_SKB_PAD
63024 -#define NET_SKB_PAD 32
63025 +#define NET_SKB_PAD (_AC(32,UL))
63026 #endif
63027
63028 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
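Review bot: Changing `NET_SKB_PAD` from `32` to `(_AC(32,UL))` changes its type from `int` to `unsigned long`, which silently changes every expression that mixes it with signed values. A subtraction that used to go negative now wraps, and comparisons are done unsigned. The hunk gives no reason for the wider type, and an architecture that predefines `NET_SKB_PAD` (the `#ifndef` allows it) would keep a different type from this default. A comment beside the define explaining why it must be `unsigned long`, plus a check of users that do signed arithmetic with it, would make the change safer to carry.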
63029 diff -urNp linux-2.6.32.46/include/linux/slab_def.h linux-2.6.32.46/include/linux/slab_def.h
63030 --- linux-2.6.32.46/include/linux/slab_def.h 2011-03-27 14:31:47.000000000 -0400
63031 +++ linux-2.6.32.46/include/linux/slab_def.h 2011-05-04 17:56:28.000000000 -0400
63032 @@ -69,10 +69,10 @@ struct kmem_cache {
63033 unsigned long node_allocs;
63034 unsigned long node_frees;
63035 unsigned long node_overflow;
63036 - atomic_t allochit;
63037 - atomic_t allocmiss;
63038 - atomic_t freehit;
63039 - atomic_t freemiss;
63040 + atomic_unchecked_t allochit;
63041 + atomic_unchecked_t allocmiss;
63042 + atomic_unchecked_t freehit;
63043 + atomic_unchecked_t freemiss;
63044
63045 /*
63046 * If debugging is enabled, then the allocator can add additional
63047 diff -urNp linux-2.6.32.46/include/linux/slab.h linux-2.6.32.46/include/linux/slab.h
63048 --- linux-2.6.32.46/include/linux/slab.h 2011-03-27 14:31:47.000000000 -0400
63049 +++ linux-2.6.32.46/include/linux/slab.h 2011-04-17 15:56:46.000000000 -0400
63050 @@ -11,12 +11,20 @@
63051
63052 #include <linux/gfp.h>
63053 #include <linux/types.h>
63054 +#include <linux/err.h>
63055
63056 /*
63057 * Flags to pass to kmem_cache_create().
63058 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
63059 */
63060 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
63061 +
63062 +#ifdef CONFIG_PAX_USERCOPY
63063 +#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
63064 +#else
63065 +#define SLAB_USERCOPY 0x00000000UL
63066 +#endif
63067 +
63068 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
63069 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
63070 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
63071 @@ -82,10 +90,13 @@
63072 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
63073 * Both make kfree a no-op.
63074 */
63075 -#define ZERO_SIZE_PTR ((void *)16)
63076 +#define ZERO_SIZE_PTR \
63077 +({ \
63078 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
63079 + (void *)(-MAX_ERRNO-1L); \
63080 +})
63081
63082 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
63083 - (unsigned long)ZERO_SIZE_PTR)
63084 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
63085
63086 /*
63087 * struct kmem_cache related prototypes
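Review bot: The rewritten `ZERO_OR_NULL_PTR(x)` depends on unsigned wrap-around (`NULL - 1` becomes `ULONG_MAX`) and is now true for every value at or above `ZERO_SIZE_PTR`, which includes the whole `ERR_PTR` range above `-MAX_ERRNO-1`, not only NULL and the zero-size marker. That is a behaviour change for any caller that passes an error pointer, and none of it is stated. I would add a comment above the macro, e.g. `/* true for NULL (0 - 1 wraps) and for any value >= ZERO_SIZE_PTR, which includes ERR_PTR() values */`. `ZERO_SIZE_PTR` is also now a statement expression, so it can no longer appear in a static initializer or a `case` label, which is worth checking against existing users.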
63088 @@ -138,6 +149,7 @@ void * __must_check krealloc(const void
63089 void kfree(const void *);
63090 void kzfree(const void *);
63091 size_t ksize(const void *);
63092 +void check_object_size(const void *ptr, unsigned long n, bool to);
63093
63094 /*
63095 * Allocator specific definitions. These are mainly used to establish optimized
63096 @@ -328,4 +340,37 @@ static inline void *kzalloc_node(size_t
63097
63098 void __init kmem_cache_init_late(void);
63099
63100 +#define kmalloc(x, y) \
63101 +({ \
63102 + void *___retval; \
63103 + intoverflow_t ___x = (intoverflow_t)x; \
63104 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
63105 + ___retval = NULL; \
63106 + else \
63107 + ___retval = kmalloc((size_t)___x, (y)); \
63108 + ___retval; \
63109 +})
63110 +
63111 +#define kmalloc_node(x, y, z) \
63112 +({ \
63113 + void *___retval; \
63114 + intoverflow_t ___x = (intoverflow_t)x; \
63115 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
63116 + ___retval = NULL; \
63117 + else \
63118 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
63119 + ___retval; \
63120 +})
63121 +
63122 +#define kzalloc(x, y) \
63123 +({ \
63124 + void *___retval; \
63125 + intoverflow_t ___x = (intoverflow_t)x; \
63126 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
63127 + ___retval = NULL; \
63128 + else \
63129 + ___retval = kzalloc((size_t)___x, (y)); \
63130 + ___retval; \
63131 +})
63132 +
63133 #endif /* _LINUX_SLAB_H */
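Review bot: In the `kmalloc`, `kmalloc_node` and `kzalloc` wrappers the size argument is cast as `(intoverflow_t)x` with no parentheses around `x`, so for an argument like `a + n * size` only `a` is widened. `n * size` is still evaluated in its original type and can still wrap before the `WARN` check sees it. If leaving `x` bare is deliberate, so that a leading multiplication is carried out in the wide type, it needs a comment, because it looks like an ordinary macro-hygiene slip that someone will later "fix": `/* x is intentionally unparenthesised: the cast must bind to the first operand so the arithmetic is done in intoverflow_t */`. The comment should also say that the check is only meaningful where `intoverflow_t` is wider than `unsigned long`, which this hunk does not show.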
63134 diff -urNp linux-2.6.32.46/include/linux/slub_def.h linux-2.6.32.46/include/linux/slub_def.h
63135 --- linux-2.6.32.46/include/linux/slub_def.h 2011-03-27 14:31:47.000000000 -0400
63136 +++ linux-2.6.32.46/include/linux/slub_def.h 2011-08-05 20:33:55.000000000 -0400
63137 @@ -86,7 +86,7 @@ struct kmem_cache {
63138 struct kmem_cache_order_objects max;
63139 struct kmem_cache_order_objects min;
63140 gfp_t allocflags; /* gfp flags to use on each alloc */
63141 - int refcount; /* Refcount for slab cache destroy */
63142 + atomic_t refcount; /* Refcount for slab cache destroy */
63143 void (*ctor)(void *);
63144 int inuse; /* Offset to metadata */
63145 int align; /* Alignment */
63146 @@ -215,7 +215,7 @@ static __always_inline struct kmem_cache
63147 #endif
63148
63149 void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
63150 -void *__kmalloc(size_t size, gfp_t flags);
63151 +void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1);
63152
63153 #ifdef CONFIG_KMEMTRACE
63154 extern void *kmem_cache_alloc_notrace(struct kmem_cache *s, gfp_t gfpflags);
63155 diff -urNp linux-2.6.32.46/include/linux/sonet.h linux-2.6.32.46/include/linux/sonet.h
63156 --- linux-2.6.32.46/include/linux/sonet.h 2011-03-27 14:31:47.000000000 -0400
63157 +++ linux-2.6.32.46/include/linux/sonet.h 2011-04-17 15:56:46.000000000 -0400
63158 @@ -61,7 +61,7 @@ struct sonet_stats {
63159 #include <asm/atomic.h>
63160
63161 struct k_sonet_stats {
63162 -#define __HANDLE_ITEM(i) atomic_t i
63163 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
63164 __SONET_ITEMS
63165 #undef __HANDLE_ITEM
63166 };
63167 diff -urNp linux-2.6.32.46/include/linux/sunrpc/cache.h linux-2.6.32.46/include/linux/sunrpc/cache.h
63168 --- linux-2.6.32.46/include/linux/sunrpc/cache.h 2011-03-27 14:31:47.000000000 -0400
63169 +++ linux-2.6.32.46/include/linux/sunrpc/cache.h 2011-08-05 20:33:55.000000000 -0400
63170 @@ -125,7 +125,7 @@ struct cache_detail {
63171 */
63172 struct cache_req {
63173 struct cache_deferred_req *(*defer)(struct cache_req *req);
63174 -};
63175 +} __no_const;
63176 /* this must be embedded in a deferred_request that is being
63177 * delayed awaiting cache-fill
63178 */
63179 diff -urNp linux-2.6.32.46/include/linux/sunrpc/clnt.h linux-2.6.32.46/include/linux/sunrpc/clnt.h
63180 --- linux-2.6.32.46/include/linux/sunrpc/clnt.h 2011-03-27 14:31:47.000000000 -0400
63181 +++ linux-2.6.32.46/include/linux/sunrpc/clnt.h 2011-04-17 15:56:46.000000000 -0400
63182 @@ -167,9 +167,9 @@ static inline unsigned short rpc_get_por
63183 {
63184 switch (sap->sa_family) {
63185 case AF_INET:
63186 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
63187 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
63188 case AF_INET6:
63189 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
63190 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
63191 }
63192 return 0;
63193 }
63194 @@ -202,7 +202,7 @@ static inline bool __rpc_cmp_addr4(const
63195 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
63196 const struct sockaddr *src)
63197 {
63198 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
63199 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
63200 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
63201
63202 dsin->sin_family = ssin->sin_family;
63203 @@ -299,7 +299,7 @@ static inline u32 rpc_get_scope_id(const
63204 if (sa->sa_family != AF_INET6)
63205 return 0;
63206
63207 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
63208 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
63209 }
63210
63211 #endif /* __KERNEL__ */
63212 diff -urNp linux-2.6.32.46/include/linux/sunrpc/svc_rdma.h linux-2.6.32.46/include/linux/sunrpc/svc_rdma.h
63213 --- linux-2.6.32.46/include/linux/sunrpc/svc_rdma.h 2011-03-27 14:31:47.000000000 -0400
63214 +++ linux-2.6.32.46/include/linux/sunrpc/svc_rdma.h 2011-05-04 17:56:28.000000000 -0400
63215 @@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
63216 extern unsigned int svcrdma_max_requests;
63217 extern unsigned int svcrdma_max_req_size;
63218
63219 -extern atomic_t rdma_stat_recv;
63220 -extern atomic_t rdma_stat_read;
63221 -extern atomic_t rdma_stat_write;
63222 -extern atomic_t rdma_stat_sq_starve;
63223 -extern atomic_t rdma_stat_rq_starve;
63224 -extern atomic_t rdma_stat_rq_poll;
63225 -extern atomic_t rdma_stat_rq_prod;
63226 -extern atomic_t rdma_stat_sq_poll;
63227 -extern atomic_t rdma_stat_sq_prod;
63228 +extern atomic_unchecked_t rdma_stat_recv;
63229 +extern atomic_unchecked_t rdma_stat_read;
63230 +extern atomic_unchecked_t rdma_stat_write;
63231 +extern atomic_unchecked_t rdma_stat_sq_starve;
63232 +extern atomic_unchecked_t rdma_stat_rq_starve;
63233 +extern atomic_unchecked_t rdma_stat_rq_poll;
63234 +extern atomic_unchecked_t rdma_stat_rq_prod;
63235 +extern atomic_unchecked_t rdma_stat_sq_poll;
63236 +extern atomic_unchecked_t rdma_stat_sq_prod;
63237
63238 #define RPCRDMA_VERSION 1
63239
63240 diff -urNp linux-2.6.32.46/include/linux/suspend.h linux-2.6.32.46/include/linux/suspend.h
63241 --- linux-2.6.32.46/include/linux/suspend.h 2011-03-27 14:31:47.000000000 -0400
63242 +++ linux-2.6.32.46/include/linux/suspend.h 2011-04-17 15:56:46.000000000 -0400
63243 @@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
63244 * which require special recovery actions in that situation.
63245 */
63246 struct platform_suspend_ops {
63247 - int (*valid)(suspend_state_t state);
63248 - int (*begin)(suspend_state_t state);
63249 - int (*prepare)(void);
63250 - int (*prepare_late)(void);
63251 - int (*enter)(suspend_state_t state);
63252 - void (*wake)(void);
63253 - void (*finish)(void);
63254 - void (*end)(void);
63255 - void (*recover)(void);
63256 + int (* const valid)(suspend_state_t state);
63257 + int (* const begin)(suspend_state_t state);
63258 + int (* const prepare)(void);
63259 + int (* const prepare_late)(void);
63260 + int (* const enter)(suspend_state_t state);
63261 + void (* const wake)(void);
63262 + void (* const finish)(void);
63263 + void (* const end)(void);
63264 + void (* const recover)(void);
63265 };
63266
63267 #ifdef CONFIG_SUSPEND
63268 @@ -120,7 +120,7 @@ struct platform_suspend_ops {
63269 * suspend_set_ops - set platform dependent suspend operations
63270 * @ops: The new suspend operations to set.
63271 */
63272 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
63273 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
63274 extern int suspend_valid_only_mem(suspend_state_t state);
63275
63276 /**
63277 @@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
63278 #else /* !CONFIG_SUSPEND */
63279 #define suspend_valid_only_mem NULL
63280
63281 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
63282 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
63283 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
63284 #endif /* !CONFIG_SUSPEND */
63285
63286 @@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
63287 * platforms which require special recovery actions in that situation.
63288 */
63289 struct platform_hibernation_ops {
63290 - int (*begin)(void);
63291 - void (*end)(void);
63292 - int (*pre_snapshot)(void);
63293 - void (*finish)(void);
63294 - int (*prepare)(void);
63295 - int (*enter)(void);
63296 - void (*leave)(void);
63297 - int (*pre_restore)(void);
63298 - void (*restore_cleanup)(void);
63299 - void (*recover)(void);
63300 + int (* const begin)(void);
63301 + void (* const end)(void);
63302 + int (* const pre_snapshot)(void);
63303 + void (* const finish)(void);
63304 + int (* const prepare)(void);
63305 + int (* const enter)(void);
63306 + void (* const leave)(void);
63307 + int (* const pre_restore)(void);
63308 + void (* const restore_cleanup)(void);
63309 + void (* const recover)(void);
63310 };
63311
63312 #ifdef CONFIG_HIBERNATION
63313 @@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
63314 extern void swsusp_unset_page_free(struct page *);
63315 extern unsigned long get_safe_page(gfp_t gfp_mask);
63316
63317 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
63318 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
63319 extern int hibernate(void);
63320 extern bool system_entering_hibernation(void);
63321 #else /* CONFIG_HIBERNATION */
63322 @@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
63323 static inline void swsusp_set_page_free(struct page *p) {}
63324 static inline void swsusp_unset_page_free(struct page *p) {}
63325
63326 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
63327 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
63328 static inline int hibernate(void) { return -ENOSYS; }
63329 static inline bool system_entering_hibernation(void) { return false; }
63330 #endif /* CONFIG_HIBERNATION */
63331 diff -urNp linux-2.6.32.46/include/linux/sysctl.h linux-2.6.32.46/include/linux/sysctl.h
63332 --- linux-2.6.32.46/include/linux/sysctl.h 2011-03-27 14:31:47.000000000 -0400
63333 +++ linux-2.6.32.46/include/linux/sysctl.h 2011-04-17 15:56:46.000000000 -0400
63334 @@ -164,7 +164,11 @@ enum
63335 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
63336 };
63337
63338 -
63339 +#ifdef CONFIG_PAX_SOFTMODE
63340 +enum {
63341 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
63342 +};
63343 +#endif
63344
63345 /* CTL_VM names: */
63346 enum
63347 @@ -982,6 +986,8 @@ typedef int proc_handler (struct ctl_tab
63348
63349 extern int proc_dostring(struct ctl_table *, int,
63350 void __user *, size_t *, loff_t *);
63351 +extern int proc_dostring_modpriv(struct ctl_table *, int,
63352 + void __user *, size_t *, loff_t *);
63353 extern int proc_dointvec(struct ctl_table *, int,
63354 void __user *, size_t *, loff_t *);
63355 extern int proc_dointvec_minmax(struct ctl_table *, int,
63356 @@ -1003,6 +1009,7 @@ extern int do_sysctl (int __user *name,
63357
63358 extern ctl_handler sysctl_data;
63359 extern ctl_handler sysctl_string;
63360 +extern ctl_handler sysctl_string_modpriv;
63361 extern ctl_handler sysctl_intvec;
63362 extern ctl_handler sysctl_jiffies;
63363 extern ctl_handler sysctl_ms_jiffies;
63364 diff -urNp linux-2.6.32.46/include/linux/sysfs.h linux-2.6.32.46/include/linux/sysfs.h
63365 --- linux-2.6.32.46/include/linux/sysfs.h 2011-03-27 14:31:47.000000000 -0400
63366 +++ linux-2.6.32.46/include/linux/sysfs.h 2011-04-17 15:56:46.000000000 -0400
63367 @@ -75,8 +75,8 @@ struct bin_attribute {
63368 };
63369
63370 struct sysfs_ops {
63371 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
63372 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
63373 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
63374 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
63375 };
63376
63377 struct sysfs_dirent;
63378 diff -urNp linux-2.6.32.46/include/linux/thread_info.h linux-2.6.32.46/include/linux/thread_info.h
63379 --- linux-2.6.32.46/include/linux/thread_info.h 2011-03-27 14:31:47.000000000 -0400
63380 +++ linux-2.6.32.46/include/linux/thread_info.h 2011-04-17 15:56:46.000000000 -0400
63381 @@ -23,7 +23,7 @@ struct restart_block {
63382 };
63383 /* For futex_wait and futex_wait_requeue_pi */
63384 struct {
63385 - u32 *uaddr;
63386 + u32 __user *uaddr;
63387 u32 val;
63388 u32 flags;
63389 u32 bitset;
63390 diff -urNp linux-2.6.32.46/include/linux/tty.h linux-2.6.32.46/include/linux/tty.h
63391 --- linux-2.6.32.46/include/linux/tty.h 2011-03-27 14:31:47.000000000 -0400
63392 +++ linux-2.6.32.46/include/linux/tty.h 2011-08-05 20:33:55.000000000 -0400
63393 @@ -493,7 +493,6 @@ extern void tty_ldisc_begin(void);
63394 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
63395 extern void tty_ldisc_enable(struct tty_struct *tty);
63396
63397 -
63398 /* n_tty.c */
63399 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
63400
63401 diff -urNp linux-2.6.32.46/include/linux/tty_ldisc.h linux-2.6.32.46/include/linux/tty_ldisc.h
63402 --- linux-2.6.32.46/include/linux/tty_ldisc.h 2011-03-27 14:31:47.000000000 -0400
63403 +++ linux-2.6.32.46/include/linux/tty_ldisc.h 2011-04-17 15:56:46.000000000 -0400
63404 @@ -139,7 +139,7 @@ struct tty_ldisc_ops {
63405
63406 struct module *owner;
63407
63408 - int refcount;
63409 + atomic_t refcount;
63410 };
63411
63412 struct tty_ldisc {
63413 diff -urNp linux-2.6.32.46/include/linux/types.h linux-2.6.32.46/include/linux/types.h
63414 --- linux-2.6.32.46/include/linux/types.h 2011-03-27 14:31:47.000000000 -0400
63415 +++ linux-2.6.32.46/include/linux/types.h 2011-04-17 15:56:46.000000000 -0400
63416 @@ -191,10 +191,26 @@ typedef struct {
63417 volatile int counter;
63418 } atomic_t;
63419
63420 +#ifdef CONFIG_PAX_REFCOUNT
63421 +typedef struct {
63422 + volatile int counter;
63423 +} atomic_unchecked_t;
63424 +#else
63425 +typedef atomic_t atomic_unchecked_t;
63426 +#endif
63427 +
63428 #ifdef CONFIG_64BIT
63429 typedef struct {
63430 volatile long counter;
63431 } atomic64_t;
63432 +
63433 +#ifdef CONFIG_PAX_REFCOUNT
63434 +typedef struct {
63435 + volatile long counter;
63436 +} atomic64_unchecked_t;
63437 +#else
63438 +typedef atomic64_t atomic64_unchecked_t;
63439 +#endif
63440 #endif
63441
63442 struct ustat {
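Review bot: In the `#else` branches `atomic_unchecked_t` and `atomic64_unchecked_t` are plain aliases of `atomic_t` and `atomic64_t`, so code that mixes the checked and unchecked types or accessors compiles cleanly without `CONFIG_PAX_REFCOUNT` and fails only when the option is on. A build with the option enabled is therefore the only place such mix-ups are caught, and the hunk has no comment telling a driver author which type to pick. I would add above the first `#ifdef CONFIG_PAX_REFCOUNT` something like `/* atomic_unchecked_t: for counters that may legitimately wrap (statistics, generation ids); not for reference counts */`. That wording is inferred from how the two types are used in the other hunks of this patch, so confirm it against the option's help text.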
63443 diff -urNp linux-2.6.32.46/include/linux/uaccess.h linux-2.6.32.46/include/linux/uaccess.h
63444 --- linux-2.6.32.46/include/linux/uaccess.h 2011-03-27 14:31:47.000000000 -0400
63445 +++ linux-2.6.32.46/include/linux/uaccess.h 2011-04-17 15:56:46.000000000 -0400
63446 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
63447 long ret; \
63448 mm_segment_t old_fs = get_fs(); \
63449 \
63450 - set_fs(KERNEL_DS); \
63451 pagefault_disable(); \
63452 + set_fs(KERNEL_DS); \
63453 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
63454 - pagefault_enable(); \
63455 set_fs(old_fs); \
63456 + pagefault_enable(); \
63457 ret; \
63458 })
63459
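Review bot: The new ordering in this macro (`pagefault_disable()` before `set_fs(KERNEL_DS)`, and `set_fs(old_fs)` before `pagefault_enable()`) has no comment saying why the address-limit change must sit inside the pagefault-disabled region, so a later cleanup could swap the calls back unnoticed. The reason is not visible in this hunk; presumably `set_fs()` does more than store a limit under some of this patch's options. I would state the constraint in the comment that precedes the macro, for example `/* set_fs() must stay nested inside pagefault_disable()/pagefault_enable() */` followed by the actual reason. The macro definition starts above the hunk.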
63460 @@ -93,7 +93,7 @@ static inline unsigned long __copy_from_
63461 * Safely read from address @src to the buffer at @dst. If a kernel fault
63462 * happens, handle that and return -EFAULT.
63463 */
63464 -extern long probe_kernel_read(void *dst, void *src, size_t size);
63465 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
63466
63467 /*
63468 * probe_kernel_write(): safely attempt to write to a location
63469 @@ -104,6 +104,6 @@ extern long probe_kernel_read(void *dst,
63470 * Safely write to address @dst from the buffer at @src. If a kernel fault
63471 * happens, handle that and return -EFAULT.
63472 */
63473 -extern long probe_kernel_write(void *dst, void *src, size_t size);
63474 +extern long probe_kernel_write(void *dst, const void *src, size_t size);
63475
63476 #endif /* __LINUX_UACCESS_H__ */
63477 diff -urNp linux-2.6.32.46/include/linux/unaligned/access_ok.h linux-2.6.32.46/include/linux/unaligned/access_ok.h
63478 --- linux-2.6.32.46/include/linux/unaligned/access_ok.h 2011-03-27 14:31:47.000000000 -0400
63479 +++ linux-2.6.32.46/include/linux/unaligned/access_ok.h 2011-04-17 15:56:46.000000000 -0400
63480 @@ -6,32 +6,32 @@
63481
63482 static inline u16 get_unaligned_le16(const void *p)
63483 {
63484 - return le16_to_cpup((__le16 *)p);
63485 + return le16_to_cpup((const __le16 *)p);
63486 }
63487
63488 static inline u32 get_unaligned_le32(const void *p)
63489 {
63490 - return le32_to_cpup((__le32 *)p);
63491 + return le32_to_cpup((const __le32 *)p);
63492 }
63493
63494 static inline u64 get_unaligned_le64(const void *p)
63495 {
63496 - return le64_to_cpup((__le64 *)p);
63497 + return le64_to_cpup((const __le64 *)p);
63498 }
63499
63500 static inline u16 get_unaligned_be16(const void *p)
63501 {
63502 - return be16_to_cpup((__be16 *)p);
63503 + return be16_to_cpup((const __be16 *)p);
63504 }
63505
63506 static inline u32 get_unaligned_be32(const void *p)
63507 {
63508 - return be32_to_cpup((__be32 *)p);
63509 + return be32_to_cpup((const __be32 *)p);
63510 }
63511
63512 static inline u64 get_unaligned_be64(const void *p)
63513 {
63514 - return be64_to_cpup((__be64 *)p);
63515 + return be64_to_cpup((const __be64 *)p);
63516 }
63517
63518 static inline void put_unaligned_le16(u16 val, void *p)
63519 diff -urNp linux-2.6.32.46/include/linux/vmalloc.h linux-2.6.32.46/include/linux/vmalloc.h
63520 --- linux-2.6.32.46/include/linux/vmalloc.h 2011-03-27 14:31:47.000000000 -0400
63521 +++ linux-2.6.32.46/include/linux/vmalloc.h 2011-04-17 15:56:46.000000000 -0400
63522 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
63523 #define VM_MAP 0x00000004 /* vmap()ed pages */
63524 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
63525 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
63526 +
63527 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
63528 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
63529 +#endif
63530 +
63531 /* bits [20..32] reserved for arch specific ioremap internals */
63532
63533 /*
63534 @@ -123,4 +128,81 @@ struct vm_struct **pcpu_get_vm_areas(con
63535
63536 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
63537
63538 +#define vmalloc(x) \
63539 +({ \
63540 + void *___retval; \
63541 + intoverflow_t ___x = (intoverflow_t)x; \
63542 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
63543 + ___retval = NULL; \
63544 + else \
63545 + ___retval = vmalloc((unsigned long)___x); \
63546 + ___retval; \
63547 +})
63548 +
63549 +#define __vmalloc(x, y, z) \
63550 +({ \
63551 + void *___retval; \
63552 + intoverflow_t ___x = (intoverflow_t)x; \
63553 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
63554 + ___retval = NULL; \
63555 + else \
63556 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
63557 + ___retval; \
63558 +})
63559 +
63560 +#define vmalloc_user(x) \
63561 +({ \
63562 + void *___retval; \
63563 + intoverflow_t ___x = (intoverflow_t)x; \
63564 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
63565 + ___retval = NULL; \
63566 + else \
63567 + ___retval = vmalloc_user((unsigned long)___x); \
63568 + ___retval; \
63569 +})
63570 +
63571 +#define vmalloc_exec(x) \
63572 +({ \
63573 + void *___retval; \
63574 + intoverflow_t ___x = (intoverflow_t)x; \
63575 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
63576 + ___retval = NULL; \
63577 + else \
63578 + ___retval = vmalloc_exec((unsigned long)___x); \
63579 + ___retval; \
63580 +})
63581 +
63582 +#define vmalloc_node(x, y) \
63583 +({ \
63584 + void *___retval; \
63585 + intoverflow_t ___x = (intoverflow_t)x; \
63586 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
63587 + ___retval = NULL; \
63588 + else \
63589 + ___retval = vmalloc_node((unsigned long)___x, (y));\
63590 + ___retval; \
63591 +})
63592 +
63593 +#define vmalloc_32(x) \
63594 +({ \
63595 + void *___retval; \
63596 + intoverflow_t ___x = (intoverflow_t)x; \
63597 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
63598 + ___retval = NULL; \
63599 + else \
63600 + ___retval = vmalloc_32((unsigned long)___x); \
63601 + ___retval; \
63602 +})
63603 +
63604 +#define vmalloc_32_user(x) \
63605 +({ \
63606 + void *___retval; \
63607 + intoverflow_t ___x = (intoverflow_t)x; \
63608 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
63609 + ___retval = NULL; \
63610 + else \
63611 + ___retval = vmalloc_32_user((unsigned long)___x);\
63612 + ___retval; \
63613 +})
63614 +
63615 #endif /* _LINUX_VMALLOC_H */
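Review bot: In each of the seven wrappers added here the cast is written `(intoverflow_t)x` with no parentheses around `x`, and nothing says whether that is deliberate. With an argument such as `n * size` the cast binds to `n` alone, so the multiplication is carried out in `intoverflow_t` and the `___x > ULONG_MAX` test can see a product that would have wrapped in `unsigned long`. With `a + n * size` only `a` is widened and the product can still wrap before the check. The definition of `intoverflow_t` is not in this hunk, so on a configuration where it is no wider than `unsigned long` the test presumably never fires. I would add above `#define vmalloc(x)` a comment such as `/* x is deliberately not parenthesized: the cast must bind to the first operand so the size arithmetic is done in intoverflow_t */`.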
63616 diff -urNp linux-2.6.32.46/include/linux/vmstat.h linux-2.6.32.46/include/linux/vmstat.h
63617 --- linux-2.6.32.46/include/linux/vmstat.h 2011-03-27 14:31:47.000000000 -0400
63618 +++ linux-2.6.32.46/include/linux/vmstat.h 2011-04-17 15:56:46.000000000 -0400
63619 @@ -136,18 +136,18 @@ static inline void vm_events_fold_cpu(in
63620 /*
63621 * Zone based page accounting with per cpu differentials.
63622 */
63623 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
63624 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
63625
63626 static inline void zone_page_state_add(long x, struct zone *zone,
63627 enum zone_stat_item item)
63628 {
63629 - atomic_long_add(x, &zone->vm_stat[item]);
63630 - atomic_long_add(x, &vm_stat[item]);
63631 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
63632 + atomic_long_add_unchecked(x, &vm_stat[item]);
63633 }
63634
63635 static inline unsigned long global_page_state(enum zone_stat_item item)
63636 {
63637 - long x = atomic_long_read(&vm_stat[item]);
63638 + long x = atomic_long_read_unchecked(&vm_stat[item]);
63639 #ifdef CONFIG_SMP
63640 if (x < 0)
63641 x = 0;
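Review bot: The switch to the `_unchecked` accessors for `vm_stat` has no comment giving the reason, although the context lines supply one: `global_page_state()` clamps `x < 0` to 0 under `CONFIG_SMP`, so these counters can be observed with negative values. The same applies to the later hunks in this file (`zone_page_state`, `zone_page_state_snapshot`, `__inc_zone_state`, `__dec_zone_state`). I would add above the `extern atomic_long_unchecked_t vm_stat[...]` declaration `/* statistics only, may transiently go negative: deliberately not overflow-checked */`. `global_page_state()` continues past the end of the hunk.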
63642 @@ -158,7 +158,7 @@ static inline unsigned long global_page_
63643 static inline unsigned long zone_page_state(struct zone *zone,
63644 enum zone_stat_item item)
63645 {
63646 - long x = atomic_long_read(&zone->vm_stat[item]);
63647 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
63648 #ifdef CONFIG_SMP
63649 if (x < 0)
63650 x = 0;
63651 @@ -175,7 +175,7 @@ static inline unsigned long zone_page_st
63652 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
63653 enum zone_stat_item item)
63654 {
63655 - long x = atomic_long_read(&zone->vm_stat[item]);
63656 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
63657
63658 #ifdef CONFIG_SMP
63659 int cpu;
63660 @@ -264,8 +264,8 @@ static inline void __mod_zone_page_state
63661
63662 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
63663 {
63664 - atomic_long_inc(&zone->vm_stat[item]);
63665 - atomic_long_inc(&vm_stat[item]);
63666 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
63667 + atomic_long_inc_unchecked(&vm_stat[item]);
63668 }
63669
63670 static inline void __inc_zone_page_state(struct page *page,
63671 @@ -276,8 +276,8 @@ static inline void __inc_zone_page_state
63672
63673 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
63674 {
63675 - atomic_long_dec(&zone->vm_stat[item]);
63676 - atomic_long_dec(&vm_stat[item]);
63677 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
63678 + atomic_long_dec_unchecked(&vm_stat[item]);
63679 }
63680
63681 static inline void __dec_zone_page_state(struct page *page,
63682 diff -urNp linux-2.6.32.46/include/media/saa7146_vv.h linux-2.6.32.46/include/media/saa7146_vv.h
63683 --- linux-2.6.32.46/include/media/saa7146_vv.h 2011-03-27 14:31:47.000000000 -0400
63684 +++ linux-2.6.32.46/include/media/saa7146_vv.h 2011-08-23 21:22:38.000000000 -0400
63685 @@ -167,7 +167,7 @@ struct saa7146_ext_vv
63686 int (*std_callback)(struct saa7146_dev*, struct saa7146_standard *);
63687
63688 /* the extension can override this */
63689 - struct v4l2_ioctl_ops ops;
63690 + v4l2_ioctl_ops_no_const ops;
63691 /* pointer to the saa7146 core ops */
63692 const struct v4l2_ioctl_ops *core_ops;
63693
63694 diff -urNp linux-2.6.32.46/include/media/v4l2-dev.h linux-2.6.32.46/include/media/v4l2-dev.h
63695 --- linux-2.6.32.46/include/media/v4l2-dev.h 2011-03-27 14:31:47.000000000 -0400
63696 +++ linux-2.6.32.46/include/media/v4l2-dev.h 2011-08-05 20:33:55.000000000 -0400
63697 @@ -34,7 +34,7 @@ struct v4l2_device;
63698 #define V4L2_FL_UNREGISTERED (0)
63699
63700 struct v4l2_file_operations {
63701 - struct module *owner;
63702 + struct module * const owner;
63703 ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
63704 ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
63705 unsigned int (*poll) (struct file *, struct poll_table_struct *);
63706 diff -urNp linux-2.6.32.46/include/media/v4l2-device.h linux-2.6.32.46/include/media/v4l2-device.h
63707 --- linux-2.6.32.46/include/media/v4l2-device.h 2011-03-27 14:31:47.000000000 -0400
63708 +++ linux-2.6.32.46/include/media/v4l2-device.h 2011-05-04 17:56:28.000000000 -0400
63709 @@ -71,7 +71,7 @@ int __must_check v4l2_device_register(st
63710 this function returns 0. If the name ends with a digit (e.g. cx18),
63711 then the name will be set to cx18-0 since cx180 looks really odd. */
63712 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
63713 - atomic_t *instance);
63714 + atomic_unchecked_t *instance);
63715
63716 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
63717 Since the parent disappears this ensures that v4l2_dev doesn't have an
63718 diff -urNp linux-2.6.32.46/include/media/v4l2-ioctl.h linux-2.6.32.46/include/media/v4l2-ioctl.h
63719 --- linux-2.6.32.46/include/media/v4l2-ioctl.h 2011-03-27 14:31:47.000000000 -0400
63720 +++ linux-2.6.32.46/include/media/v4l2-ioctl.h 2011-08-23 21:22:38.000000000 -0400
63721 @@ -243,6 +243,7 @@ struct v4l2_ioctl_ops {
63722 long (*vidioc_default) (struct file *file, void *fh,
63723 int cmd, void *arg);
63724 };
63725 +typedef struct v4l2_ioctl_ops __no_const v4l2_ioctl_ops_no_const;
63726
63727
63728 /* v4l debugging and diagnostics */
63729 diff -urNp linux-2.6.32.46/include/net/flow.h linux-2.6.32.46/include/net/flow.h
63730 --- linux-2.6.32.46/include/net/flow.h 2011-03-27 14:31:47.000000000 -0400
63731 +++ linux-2.6.32.46/include/net/flow.h 2011-05-04 17:56:28.000000000 -0400
63732 @@ -92,7 +92,7 @@ typedef int (*flow_resolve_t)(struct net
63733 extern void *flow_cache_lookup(struct net *net, struct flowi *key, u16 family,
63734 u8 dir, flow_resolve_t resolver);
63735 extern void flow_cache_flush(void);
63736 -extern atomic_t flow_cache_genid;
63737 +extern atomic_unchecked_t flow_cache_genid;
63738
63739 static inline int flow_cache_uli_match(struct flowi *fl1, struct flowi *fl2)
63740 {
63741 diff -urNp linux-2.6.32.46/include/net/inetpeer.h linux-2.6.32.46/include/net/inetpeer.h
63742 --- linux-2.6.32.46/include/net/inetpeer.h 2011-03-27 14:31:47.000000000 -0400
63743 +++ linux-2.6.32.46/include/net/inetpeer.h 2011-04-17 15:56:46.000000000 -0400
63744 @@ -24,7 +24,7 @@ struct inet_peer
63745 __u32 dtime; /* the time of last use of not
63746 * referenced entries */
63747 atomic_t refcnt;
63748 - atomic_t rid; /* Frag reception counter */
63749 + atomic_unchecked_t rid; /* Frag reception counter */
63750 __u32 tcp_ts;
63751 unsigned long tcp_ts_stamp;
63752 };
63753 diff -urNp linux-2.6.32.46/include/net/ip_vs.h linux-2.6.32.46/include/net/ip_vs.h
63754 --- linux-2.6.32.46/include/net/ip_vs.h 2011-03-27 14:31:47.000000000 -0400
63755 +++ linux-2.6.32.46/include/net/ip_vs.h 2011-05-04 17:56:28.000000000 -0400
63756 @@ -365,7 +365,7 @@ struct ip_vs_conn {
63757 struct ip_vs_conn *control; /* Master control connection */
63758 atomic_t n_control; /* Number of controlled ones */
63759 struct ip_vs_dest *dest; /* real server */
63760 - atomic_t in_pkts; /* incoming packet counter */
63761 + atomic_unchecked_t in_pkts; /* incoming packet counter */
63762
63763 /* packet transmitter for different forwarding methods. If it
63764 mangles the packet, it must return NF_DROP or better NF_STOLEN,
63765 @@ -466,7 +466,7 @@ struct ip_vs_dest {
63766 union nf_inet_addr addr; /* IP address of the server */
63767 __be16 port; /* port number of the server */
63768 volatile unsigned flags; /* dest status flags */
63769 - atomic_t conn_flags; /* flags to copy to conn */
63770 + atomic_unchecked_t conn_flags; /* flags to copy to conn */
63771 atomic_t weight; /* server weight */
63772
63773 atomic_t refcnt; /* reference counter */
63774 diff -urNp linux-2.6.32.46/include/net/irda/ircomm_core.h linux-2.6.32.46/include/net/irda/ircomm_core.h
63775 --- linux-2.6.32.46/include/net/irda/ircomm_core.h 2011-03-27 14:31:47.000000000 -0400
63776 +++ linux-2.6.32.46/include/net/irda/ircomm_core.h 2011-08-05 20:33:55.000000000 -0400
63777 @@ -51,7 +51,7 @@ typedef struct {
63778 int (*connect_response)(struct ircomm_cb *, struct sk_buff *);
63779 int (*disconnect_request)(struct ircomm_cb *, struct sk_buff *,
63780 struct ircomm_info *);
63781 -} call_t;
63782 +} __no_const call_t;
63783
63784 struct ircomm_cb {
63785 irda_queue_t queue;
63786 diff -urNp linux-2.6.32.46/include/net/irda/ircomm_tty.h linux-2.6.32.46/include/net/irda/ircomm_tty.h
63787 --- linux-2.6.32.46/include/net/irda/ircomm_tty.h 2011-03-27 14:31:47.000000000 -0400
63788 +++ linux-2.6.32.46/include/net/irda/ircomm_tty.h 2011-04-17 15:56:46.000000000 -0400
63789 @@ -35,6 +35,7 @@
63790 #include <linux/termios.h>
63791 #include <linux/timer.h>
63792 #include <linux/tty.h> /* struct tty_struct */
63793 +#include <asm/local.h>
63794
63795 #include <net/irda/irias_object.h>
63796 #include <net/irda/ircomm_core.h>
63797 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
63798 unsigned short close_delay;
63799 unsigned short closing_wait; /* time to wait before closing */
63800
63801 - int open_count;
63802 - int blocked_open; /* # of blocked opens */
63803 + local_t open_count;
63804 + local_t blocked_open; /* # of blocked opens */
63805
63806 /* Protect concurent access to :
63807 * o self->open_count
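Review bot: `local_t` operations are atomic only with respect to the CPU they run on, so changing `open_count` and `blocked_open` from `int` to `local_t` does not by itself make them safe against updates from another CPU. The lock described in the comment that follows (`Protect concurent access to : o self->open_count`) is still what serialises them, and the hunk does not say so. The reason for choosing `local_t` is not visible here. I would add next to the fields `/* local_t does not replace the lock below; updates still need it */`. The comment block and the struct continue outside the hunk.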
63808 diff -urNp linux-2.6.32.46/include/net/iucv/af_iucv.h linux-2.6.32.46/include/net/iucv/af_iucv.h
63809 --- linux-2.6.32.46/include/net/iucv/af_iucv.h 2011-03-27 14:31:47.000000000 -0400
63810 +++ linux-2.6.32.46/include/net/iucv/af_iucv.h 2011-05-04 17:56:28.000000000 -0400
63811 @@ -87,7 +87,7 @@ struct iucv_sock {
63812 struct iucv_sock_list {
63813 struct hlist_head head;
63814 rwlock_t lock;
63815 - atomic_t autobind_name;
63816 + atomic_unchecked_t autobind_name;
63817 };
63818
63819 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
63820 diff -urNp linux-2.6.32.46/include/net/lapb.h linux-2.6.32.46/include/net/lapb.h
63821 --- linux-2.6.32.46/include/net/lapb.h 2011-03-27 14:31:47.000000000 -0400
63822 +++ linux-2.6.32.46/include/net/lapb.h 2011-08-05 20:33:55.000000000 -0400
63823 @@ -95,7 +95,7 @@ struct lapb_cb {
63824 struct sk_buff_head write_queue;
63825 struct sk_buff_head ack_queue;
63826 unsigned char window;
63827 - struct lapb_register_struct callbacks;
63828 + struct lapb_register_struct *callbacks;
63829
63830 /* FRMR control information */
63831 struct lapb_frame frmr_data;
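Review bot: Turning `callbacks` from an embedded `struct lapb_register_struct` into a pointer changes who owns the callback table: `struct lapb_cb` no longer has its own copy, so whatever the registration code stores here must stay valid for the lifetime of the control block. The code that assigns the field is not in this hunk; if it keeps the caller's pointer, a caller that passes a stack object or releases its table early leaves stale function pointers behind. I would declare the field `const struct lapb_register_struct *callbacks;` if nothing writes through it, and add `/* borrowed from the registrant; must outlive this lapb_cb */`.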
63832 diff -urNp linux-2.6.32.46/include/net/neighbour.h linux-2.6.32.46/include/net/neighbour.h
63833 --- linux-2.6.32.46/include/net/neighbour.h 2011-03-27 14:31:47.000000000 -0400
63834 +++ linux-2.6.32.46/include/net/neighbour.h 2011-08-26 20:29:08.000000000 -0400
63835 @@ -131,7 +131,7 @@ struct neigh_ops
63836 int (*connected_output)(struct sk_buff*);
63837 int (*hh_output)(struct sk_buff*);
63838 int (*queue_xmit)(struct sk_buff*);
63839 -};
63840 +} __do_const;
63841
63842 struct pneigh_entry
63843 {
63844 diff -urNp linux-2.6.32.46/include/net/netlink.h linux-2.6.32.46/include/net/netlink.h
63845 --- linux-2.6.32.46/include/net/netlink.h 2011-07-13 17:23:04.000000000 -0400
63846 +++ linux-2.6.32.46/include/net/netlink.h 2011-08-21 18:08:11.000000000 -0400
63847 @@ -335,7 +335,7 @@ static inline int nlmsg_ok(const struct
63848 {
63849 return (remaining >= (int) sizeof(struct nlmsghdr) &&
63850 nlh->nlmsg_len >= sizeof(struct nlmsghdr) &&
63851 - nlh->nlmsg_len <= remaining);
63852 + nlh->nlmsg_len <= (unsigned int)remaining);
63853 }
63854
63855 /**
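Review bot: The added `(unsigned int)remaining` cast in `nlmsg_ok()` is safe only because the first clause, `remaining >= (int) sizeof(struct nlmsghdr)`, has already rejected negative values and `&&` short-circuits; that dependency is not written down. If `nlmsg_len` is an unsigned 32-bit field (its declaration is outside the hunk), the comparison was already done in unsigned arithmetic, so the cast silences a sign-compare warning and does not change the result. A one-line comment would keep a later reordering of the clauses from turning a negative `remaining` into a very large bound: `/* remaining is known non-negative here, see the first clause */`. The function signature is above the hunk.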
63856 @@ -558,7 +558,7 @@ static inline void *nlmsg_get_pos(struct
63857 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
63858 {
63859 if (mark)
63860 - skb_trim(skb, (unsigned char *) mark - skb->data);
63861 + skb_trim(skb, (const unsigned char *) mark - skb->data);
63862 }
63863
63864 /**
63865 diff -urNp linux-2.6.32.46/include/net/netns/ipv4.h linux-2.6.32.46/include/net/netns/ipv4.h
63866 --- linux-2.6.32.46/include/net/netns/ipv4.h 2011-03-27 14:31:47.000000000 -0400
63867 +++ linux-2.6.32.46/include/net/netns/ipv4.h 2011-05-04 17:56:28.000000000 -0400
63868 @@ -54,7 +54,7 @@ struct netns_ipv4 {
63869 int current_rt_cache_rebuild_count;
63870
63871 struct timer_list rt_secret_timer;
63872 - atomic_t rt_genid;
63873 + atomic_unchecked_t rt_genid;
63874
63875 #ifdef CONFIG_IP_MROUTE
63876 struct sock *mroute_sk;
63877 diff -urNp linux-2.6.32.46/include/net/sctp/sctp.h linux-2.6.32.46/include/net/sctp/sctp.h
63878 --- linux-2.6.32.46/include/net/sctp/sctp.h 2011-03-27 14:31:47.000000000 -0400
63879 +++ linux-2.6.32.46/include/net/sctp/sctp.h 2011-04-17 15:56:46.000000000 -0400
63880 @@ -305,8 +305,8 @@ extern int sctp_debug_flag;
63881
63882 #else /* SCTP_DEBUG */
63883
63884 -#define SCTP_DEBUG_PRINTK(whatever...)
63885 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
63886 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
63887 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
63888 #define SCTP_ENABLE_DEBUG
63889 #define SCTP_DISABLE_DEBUG
63890 #define SCTP_ASSERT(expr, str, func)
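Review bot: Only `SCTP_DEBUG_PRINTK` and `SCTP_DEBUG_PRINTK_IPADDR` get a `do {} while (0)` body; `SCTP_ENABLE_DEBUG`, `SCTP_DISABLE_DEBUG` and `SCTP_ASSERT(expr, str, func)` on the following lines still expand to nothing in the non-debug build. An `if (...) SCTP_ASSERT(...);` then leaves an empty `if` body, which is the same pattern this change removes for the two printk macros. For consistency I would give them the same body, for example `#define SCTP_ASSERT(expr, str, func) do {} while (0)`.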
63891 diff -urNp linux-2.6.32.46/include/net/secure_seq.h linux-2.6.32.46/include/net/secure_seq.h
63892 --- linux-2.6.32.46/include/net/secure_seq.h 2011-08-16 20:37:25.000000000 -0400
63893 +++ linux-2.6.32.46/include/net/secure_seq.h 2011-08-07 19:48:09.000000000 -0400
63894 @@ -7,14 +7,14 @@ extern __u32 secure_ip_id(__be32 daddr);
63895 extern __u32 secure_ipv6_id(const __be32 daddr[4]);
63896 extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
63897 extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
63898 - __be16 dport);
63899 + __be16 dport);
63900 extern __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
63901 __be16 sport, __be16 dport);
63902 extern __u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
63903 - __be16 sport, __be16 dport);
63904 + __be16 sport, __be16 dport);
63905 extern u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
63906 - __be16 sport, __be16 dport);
63907 + __be16 sport, __be16 dport);
63908 extern u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
63909 - __be16 sport, __be16 dport);
63910 + __be16 sport, __be16 dport);
63911
63912 #endif /* _NET_SECURE_SEQ */
63913 diff -urNp linux-2.6.32.46/include/net/sock.h linux-2.6.32.46/include/net/sock.h
63914 --- linux-2.6.32.46/include/net/sock.h 2011-03-27 14:31:47.000000000 -0400
63915 +++ linux-2.6.32.46/include/net/sock.h 2011-08-21 17:24:37.000000000 -0400
63916 @@ -272,7 +272,7 @@ struct sock {
63917 rwlock_t sk_callback_lock;
63918 int sk_err,
63919 sk_err_soft;
63920 - atomic_t sk_drops;
63921 + atomic_unchecked_t sk_drops;
63922 unsigned short sk_ack_backlog;
63923 unsigned short sk_max_ack_backlog;
63924 __u32 sk_priority;
63925 @@ -737,7 +737,7 @@ static inline void sk_refcnt_debug_relea
63926 extern void sock_prot_inuse_add(struct net *net, struct proto *prot, int inc);
63927 extern int sock_prot_inuse_get(struct net *net, struct proto *proto);
63928 #else
63929 -static void inline sock_prot_inuse_add(struct net *net, struct proto *prot,
63930 +static inline void sock_prot_inuse_add(struct net *net, struct proto *prot,
63931 int inc)
63932 {
63933 }
63934 diff -urNp linux-2.6.32.46/include/net/tcp.h linux-2.6.32.46/include/net/tcp.h
63935 --- linux-2.6.32.46/include/net/tcp.h 2011-03-27 14:31:47.000000000 -0400
63936 +++ linux-2.6.32.46/include/net/tcp.h 2011-08-23 21:29:10.000000000 -0400
63937 @@ -1444,8 +1444,8 @@ enum tcp_seq_states {
63938 struct tcp_seq_afinfo {
63939 char *name;
63940 sa_family_t family;
63941 - struct file_operations seq_fops;
63942 - struct seq_operations seq_ops;
63943 + file_operations_no_const seq_fops;
63944 + seq_operations_no_const seq_ops;
63945 };
63946
63947 struct tcp_iter_state {
63948 diff -urNp linux-2.6.32.46/include/net/udp.h linux-2.6.32.46/include/net/udp.h
63949 --- linux-2.6.32.46/include/net/udp.h 2011-03-27 14:31:47.000000000 -0400
63950 +++ linux-2.6.32.46/include/net/udp.h 2011-08-23 21:29:34.000000000 -0400
63951 @@ -187,8 +187,8 @@ struct udp_seq_afinfo {
63952 char *name;
63953 sa_family_t family;
63954 struct udp_table *udp_table;
63955 - struct file_operations seq_fops;
63956 - struct seq_operations seq_ops;
63957 + file_operations_no_const seq_fops;
63958 + seq_operations_no_const seq_ops;
63959 };
63960
63961 struct udp_iter_state {
63962 diff -urNp linux-2.6.32.46/include/rdma/iw_cm.h linux-2.6.32.46/include/rdma/iw_cm.h
63963 --- linux-2.6.32.46/include/rdma/iw_cm.h 2011-03-27 14:31:47.000000000 -0400
63964 +++ linux-2.6.32.46/include/rdma/iw_cm.h 2011-08-05 20:33:55.000000000 -0400
63965 @@ -129,7 +129,7 @@ struct iw_cm_verbs {
63966 int backlog);
63967
63968 int (*destroy_listen)(struct iw_cm_id *cm_id);
63969 -};
63970 +} __no_const;
63971
63972 /**
63973 * iw_create_cm_id - Create an IW CM identifier.
63974 diff -urNp linux-2.6.32.46/include/scsi/libfc.h linux-2.6.32.46/include/scsi/libfc.h
63975 --- linux-2.6.32.46/include/scsi/libfc.h 2011-03-27 14:31:47.000000000 -0400
63976 +++ linux-2.6.32.46/include/scsi/libfc.h 2011-08-23 21:22:38.000000000 -0400
63977 @@ -675,6 +675,7 @@ struct libfc_function_template {
63978 */
63979 void (*disc_stop_final) (struct fc_lport *);
63980 };
63981 +typedef struct libfc_function_template __no_const libfc_function_template_no_const;
63982
63983 /* information used by the discovery layer */
63984 struct fc_disc {
63985 @@ -707,7 +708,7 @@ struct fc_lport {
63986 struct fc_disc disc;
63987
63988 /* Operational Information */
63989 - struct libfc_function_template tt;
63990 + libfc_function_template_no_const tt;
63991 u8 link_up;
63992 u8 qfull;
63993 enum fc_lport_state state;
63994 diff -urNp linux-2.6.32.46/include/scsi/scsi_device.h linux-2.6.32.46/include/scsi/scsi_device.h
63995 --- linux-2.6.32.46/include/scsi/scsi_device.h 2011-04-17 17:00:52.000000000 -0400
63996 +++ linux-2.6.32.46/include/scsi/scsi_device.h 2011-05-04 17:56:28.000000000 -0400
63997 @@ -156,9 +156,9 @@ struct scsi_device {
63998 unsigned int max_device_blocked; /* what device_blocked counts down from */
63999 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
64000
64001 - atomic_t iorequest_cnt;
64002 - atomic_t iodone_cnt;
64003 - atomic_t ioerr_cnt;
64004 + atomic_unchecked_t iorequest_cnt;
64005 + atomic_unchecked_t iodone_cnt;
64006 + atomic_unchecked_t ioerr_cnt;
64007
64008 struct device sdev_gendev,
64009 sdev_dev;
64010 diff -urNp linux-2.6.32.46/include/scsi/scsi_transport_fc.h linux-2.6.32.46/include/scsi/scsi_transport_fc.h
64011 --- linux-2.6.32.46/include/scsi/scsi_transport_fc.h 2011-03-27 14:31:47.000000000 -0400
64012 +++ linux-2.6.32.46/include/scsi/scsi_transport_fc.h 2011-08-26 20:19:09.000000000 -0400
64013 @@ -708,7 +708,7 @@ struct fc_function_template {
64014 unsigned long show_host_system_hostname:1;
64015
64016 unsigned long disable_target_scan:1;
64017 -};
64018 +} __do_const;
64019
64020
64021 /**
64022 diff -urNp linux-2.6.32.46/include/sound/ac97_codec.h linux-2.6.32.46/include/sound/ac97_codec.h
64023 --- linux-2.6.32.46/include/sound/ac97_codec.h 2011-03-27 14:31:47.000000000 -0400
64024 +++ linux-2.6.32.46/include/sound/ac97_codec.h 2011-04-17 15:56:46.000000000 -0400
64025 @@ -419,15 +419,15 @@
64026 struct snd_ac97;
64027
64028 struct snd_ac97_build_ops {
64029 - int (*build_3d) (struct snd_ac97 *ac97);
64030 - int (*build_specific) (struct snd_ac97 *ac97);
64031 - int (*build_spdif) (struct snd_ac97 *ac97);
64032 - int (*build_post_spdif) (struct snd_ac97 *ac97);
64033 + int (* const build_3d) (struct snd_ac97 *ac97);
64034 + int (* const build_specific) (struct snd_ac97 *ac97);
64035 + int (* const build_spdif) (struct snd_ac97 *ac97);
64036 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
64037 #ifdef CONFIG_PM
64038 - void (*suspend) (struct snd_ac97 *ac97);
64039 - void (*resume) (struct snd_ac97 *ac97);
64040 + void (* const suspend) (struct snd_ac97 *ac97);
64041 + void (* const resume) (struct snd_ac97 *ac97);
64042 #endif
64043 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
64044 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
64045 };
64046
64047 struct snd_ac97_bus_ops {
64048 @@ -477,7 +477,7 @@ struct snd_ac97_template {
64049
64050 struct snd_ac97 {
64051 /* -- lowlevel (hardware) driver specific -- */
64052 - struct snd_ac97_build_ops * build_ops;
64053 + const struct snd_ac97_build_ops * build_ops;
64054 void *private_data;
64055 void (*private_free) (struct snd_ac97 *ac97);
64056 /* --- */
64057 diff -urNp linux-2.6.32.46/include/sound/ak4xxx-adda.h linux-2.6.32.46/include/sound/ak4xxx-adda.h
64058 --- linux-2.6.32.46/include/sound/ak4xxx-adda.h 2011-03-27 14:31:47.000000000 -0400
64059 +++ linux-2.6.32.46/include/sound/ak4xxx-adda.h 2011-08-05 20:33:55.000000000 -0400
64060 @@ -35,7 +35,7 @@ struct snd_ak4xxx_ops {
64061 void (*write)(struct snd_akm4xxx *ak, int chip, unsigned char reg,
64062 unsigned char val);
64063 void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
64064 -};
64065 +} __no_const;
64066
64067 #define AK4XXX_IMAGE_SIZE (AK4XXX_MAX_CHIPS * 16) /* 64 bytes */
64068
64069 diff -urNp linux-2.6.32.46/include/sound/hwdep.h linux-2.6.32.46/include/sound/hwdep.h
64070 --- linux-2.6.32.46/include/sound/hwdep.h 2011-03-27 14:31:47.000000000 -0400
64071 +++ linux-2.6.32.46/include/sound/hwdep.h 2011-08-05 20:33:55.000000000 -0400
64072 @@ -49,7 +49,7 @@ struct snd_hwdep_ops {
64073 struct snd_hwdep_dsp_status *status);
64074 int (*dsp_load)(struct snd_hwdep *hw,
64075 struct snd_hwdep_dsp_image *image);
64076 -};
64077 +} __no_const;
64078
64079 struct snd_hwdep {
64080 struct snd_card *card;
64081 diff -urNp linux-2.6.32.46/include/sound/info.h linux-2.6.32.46/include/sound/info.h
64082 --- linux-2.6.32.46/include/sound/info.h 2011-03-27 14:31:47.000000000 -0400
64083 +++ linux-2.6.32.46/include/sound/info.h 2011-08-05 20:33:55.000000000 -0400
64084 @@ -44,7 +44,7 @@ struct snd_info_entry_text {
64085 struct snd_info_buffer *buffer);
64086 void (*write)(struct snd_info_entry *entry,
64087 struct snd_info_buffer *buffer);
64088 -};
64089 +} __no_const;
64090
64091 struct snd_info_entry_ops {
64092 int (*open)(struct snd_info_entry *entry,
64093 diff -urNp linux-2.6.32.46/include/sound/pcm.h linux-2.6.32.46/include/sound/pcm.h
64094 --- linux-2.6.32.46/include/sound/pcm.h 2011-03-27 14:31:47.000000000 -0400
64095 +++ linux-2.6.32.46/include/sound/pcm.h 2011-08-23 21:22:38.000000000 -0400
64096 @@ -80,6 +80,7 @@ struct snd_pcm_ops {
64097 int (*mmap)(struct snd_pcm_substream *substream, struct vm_area_struct *vma);
64098 int (*ack)(struct snd_pcm_substream *substream);
64099 };
64100 +typedef struct snd_pcm_ops __no_const snd_pcm_ops_no_const;
64101
64102 /*
64103 *
64104 diff -urNp linux-2.6.32.46/include/sound/sb16_csp.h linux-2.6.32.46/include/sound/sb16_csp.h
64105 --- linux-2.6.32.46/include/sound/sb16_csp.h 2011-03-27 14:31:47.000000000 -0400
64106 +++ linux-2.6.32.46/include/sound/sb16_csp.h 2011-08-05 20:33:55.000000000 -0400
64107 @@ -139,7 +139,7 @@ struct snd_sb_csp_ops {
64108 int (*csp_start) (struct snd_sb_csp * p, int sample_width, int channels);
64109 int (*csp_stop) (struct snd_sb_csp * p);
64110 int (*csp_qsound_transfer) (struct snd_sb_csp * p);
64111 -};
64112 +} __no_const;
64113
64114 /*
64115 * CSP private data
64116 diff -urNp linux-2.6.32.46/include/sound/ymfpci.h linux-2.6.32.46/include/sound/ymfpci.h
64117 --- linux-2.6.32.46/include/sound/ymfpci.h 2011-03-27 14:31:47.000000000 -0400
64118 +++ linux-2.6.32.46/include/sound/ymfpci.h 2011-05-04 17:56:28.000000000 -0400
64119 @@ -358,7 +358,7 @@ struct snd_ymfpci {
64120 spinlock_t reg_lock;
64121 spinlock_t voice_lock;
64122 wait_queue_head_t interrupt_sleep;
64123 - atomic_t interrupt_sleep_count;
64124 + atomic_unchecked_t interrupt_sleep_count;
64125 struct snd_info_entry *proc_entry;
64126 const struct firmware *dsp_microcode;
64127 const struct firmware *controller_microcode;
64128 diff -urNp linux-2.6.32.46/include/trace/events/irq.h linux-2.6.32.46/include/trace/events/irq.h
64129 --- linux-2.6.32.46/include/trace/events/irq.h 2011-03-27 14:31:47.000000000 -0400
64130 +++ linux-2.6.32.46/include/trace/events/irq.h 2011-04-17 15:56:46.000000000 -0400
64131 @@ -34,7 +34,7 @@
64132 */
64133 TRACE_EVENT(irq_handler_entry,
64134
64135 - TP_PROTO(int irq, struct irqaction *action),
64136 + TP_PROTO(int irq, const struct irqaction *action),
64137
64138 TP_ARGS(irq, action),
64139
64140 @@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
64141 */
64142 TRACE_EVENT(irq_handler_exit,
64143
64144 - TP_PROTO(int irq, struct irqaction *action, int ret),
64145 + TP_PROTO(int irq, const struct irqaction *action, int ret),
64146
64147 TP_ARGS(irq, action, ret),
64148
64149 @@ -95,7 +95,7 @@ TRACE_EVENT(irq_handler_exit,
64150 */
64151 TRACE_EVENT(softirq_entry,
64152
64153 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
64154 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
64155
64156 TP_ARGS(h, vec),
64157
64158 @@ -124,7 +124,7 @@ TRACE_EVENT(softirq_entry,
64159 */
64160 TRACE_EVENT(softirq_exit,
64161
64162 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
64163 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
64164
64165 TP_ARGS(h, vec),
64166
64167 diff -urNp linux-2.6.32.46/include/video/uvesafb.h linux-2.6.32.46/include/video/uvesafb.h
64168 --- linux-2.6.32.46/include/video/uvesafb.h 2011-03-27 14:31:47.000000000 -0400
64169 +++ linux-2.6.32.46/include/video/uvesafb.h 2011-04-17 15:56:46.000000000 -0400
64170 @@ -177,6 +177,7 @@ struct uvesafb_par {
64171 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
64172 u8 pmi_setpal; /* PMI for palette changes */
64173 u16 *pmi_base; /* protected mode interface location */
64174 + u8 *pmi_code; /* protected mode code location */
64175 void *pmi_start;
64176 void *pmi_pal;
64177 u8 *vbe_state_orig; /*
64178 diff -urNp linux-2.6.32.46/init/do_mounts.c linux-2.6.32.46/init/do_mounts.c
64179 --- linux-2.6.32.46/init/do_mounts.c 2011-03-27 14:31:47.000000000 -0400
64180 +++ linux-2.6.32.46/init/do_mounts.c 2011-04-17 15:56:46.000000000 -0400
64181 @@ -216,11 +216,11 @@ static void __init get_fs_names(char *pa
64182
64183 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
64184 {
64185 - int err = sys_mount(name, "/root", fs, flags, data);
64186 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
64187 if (err)
64188 return err;
64189
64190 - sys_chdir("/root");
64191 + sys_chdir((__force const char __user *)"/root");
64192 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
64193 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
64194 current->fs->pwd.mnt->mnt_sb->s_type->name,
64195 @@ -311,18 +311,18 @@ void __init change_floppy(char *fmt, ...
64196 va_start(args, fmt);
64197 vsprintf(buf, fmt, args);
64198 va_end(args);
64199 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
64200 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
64201 if (fd >= 0) {
64202 sys_ioctl(fd, FDEJECT, 0);
64203 sys_close(fd);
64204 }
64205 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
64206 - fd = sys_open("/dev/console", O_RDWR, 0);
64207 + fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
64208 if (fd >= 0) {
64209 sys_ioctl(fd, TCGETS, (long)&termios);
64210 termios.c_lflag &= ~ICANON;
64211 sys_ioctl(fd, TCSETSF, (long)&termios);
64212 - sys_read(fd, &c, 1);
64213 + sys_read(fd, (char __user *)&c, 1);
64214 termios.c_lflag |= ICANON;
64215 sys_ioctl(fd, TCSETSF, (long)&termios);
64216 sys_close(fd);
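Review bot: The three casts added in change_floppy(), on both `sys_open` path arguments and on the `sys_read` buffer, use `(char __user *)` without `__force`, unlike every other kernel-to-user cast this patch adds in init/do_mounts.c. Writing them as `(__force char __user *)"/dev/root"`, `(__force char __user *)"/dev/console"` and `(__force char __user *)&c` keeps the annotation that marks the address-space conversion as deliberate. The two `sys_mkdir` casts in the init/noinitramfs.c hunks, `(const char __user *)"/dev"` and `(const char __user *)"/root"`, omit it as well. change_floppy() starts and ends outside this hunk.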
64217 @@ -416,6 +416,6 @@ void __init prepare_namespace(void)
64218 mount_root();
64219 out:
64220 devtmpfs_mount("dev");
64221 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
64222 - sys_chroot(".");
64223 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
64224 + sys_chroot((__force char __user *)".");
64225 }
64226 diff -urNp linux-2.6.32.46/init/do_mounts.h linux-2.6.32.46/init/do_mounts.h
64227 --- linux-2.6.32.46/init/do_mounts.h 2011-03-27 14:31:47.000000000 -0400
64228 +++ linux-2.6.32.46/init/do_mounts.h 2011-04-17 15:56:46.000000000 -0400
64229 @@ -15,15 +15,15 @@ extern int root_mountflags;
64230
64231 static inline int create_dev(char *name, dev_t dev)
64232 {
64233 - sys_unlink(name);
64234 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
64235 + sys_unlink((__force char __user *)name);
64236 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
64237 }
64238
64239 #if BITS_PER_LONG == 32
64240 static inline u32 bstat(char *name)
64241 {
64242 struct stat64 stat;
64243 - if (sys_stat64(name, &stat) != 0)
64244 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
64245 return 0;
64246 if (!S_ISBLK(stat.st_mode))
64247 return 0;
64248 diff -urNp linux-2.6.32.46/init/do_mounts_initrd.c linux-2.6.32.46/init/do_mounts_initrd.c
64249 --- linux-2.6.32.46/init/do_mounts_initrd.c 2011-03-27 14:31:47.000000000 -0400
64250 +++ linux-2.6.32.46/init/do_mounts_initrd.c 2011-04-17 15:56:46.000000000 -0400
64251 @@ -32,7 +32,7 @@ static int __init do_linuxrc(void * shel
64252 sys_close(old_fd);sys_close(root_fd);
64253 sys_close(0);sys_close(1);sys_close(2);
64254 sys_setsid();
64255 - (void) sys_open("/dev/console",O_RDWR,0);
64256 + (void) sys_open((__force const char __user *)"/dev/console",O_RDWR,0);
64257 (void) sys_dup(0);
64258 (void) sys_dup(0);
64259 return kernel_execve(shell, argv, envp_init);
64260 @@ -47,13 +47,13 @@ static void __init handle_initrd(void)
64261 create_dev("/dev/root.old", Root_RAM0);
64262 /* mount initrd on rootfs' /root */
64263 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
64264 - sys_mkdir("/old", 0700);
64265 - root_fd = sys_open("/", 0, 0);
64266 - old_fd = sys_open("/old", 0, 0);
64267 + sys_mkdir((__force const char __user *)"/old", 0700);
64268 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
64269 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
64270 /* move initrd over / and chdir/chroot in initrd root */
64271 - sys_chdir("/root");
64272 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
64273 - sys_chroot(".");
64274 + sys_chdir((__force const char __user *)"/root");
64275 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
64276 + sys_chroot((__force const char __user *)".");
64277
64278 /*
64279 * In case that a resume from disk is carried out by linuxrc or one of
64280 @@ -70,15 +70,15 @@ static void __init handle_initrd(void)
64281
64282 /* move initrd to rootfs' /old */
64283 sys_fchdir(old_fd);
64284 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
64285 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
64286 /* switch root and cwd back to / of rootfs */
64287 sys_fchdir(root_fd);
64288 - sys_chroot(".");
64289 + sys_chroot((__force const char __user *)".");
64290 sys_close(old_fd);
64291 sys_close(root_fd);
64292
64293 if (new_decode_dev(real_root_dev) == Root_RAM0) {
64294 - sys_chdir("/old");
64295 + sys_chdir((__force const char __user *)"/old");
64296 return;
64297 }
64298
64299 @@ -86,17 +86,17 @@ static void __init handle_initrd(void)
64300 mount_root();
64301
64302 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
64303 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
64304 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
64305 if (!error)
64306 printk("okay\n");
64307 else {
64308 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
64309 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
64310 if (error == -ENOENT)
64311 printk("/initrd does not exist. Ignored.\n");
64312 else
64313 printk("failed\n");
64314 printk(KERN_NOTICE "Unmounting old root\n");
64315 - sys_umount("/old", MNT_DETACH);
64316 + sys_umount((__force char __user *)"/old", MNT_DETACH);
64317 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
64318 if (fd < 0) {
64319 error = fd;
64320 @@ -119,11 +119,11 @@ int __init initrd_load(void)
64321 * mounted in the normal path.
64322 */
64323 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
64324 - sys_unlink("/initrd.image");
64325 + sys_unlink((__force const char __user *)"/initrd.image");
64326 handle_initrd();
64327 return 1;
64328 }
64329 }
64330 - sys_unlink("/initrd.image");
64331 + sys_unlink((__force const char __user *)"/initrd.image");
64332 return 0;
64333 }
64334 diff -urNp linux-2.6.32.46/init/do_mounts_md.c linux-2.6.32.46/init/do_mounts_md.c
64335 --- linux-2.6.32.46/init/do_mounts_md.c 2011-03-27 14:31:47.000000000 -0400
64336 +++ linux-2.6.32.46/init/do_mounts_md.c 2011-04-17 15:56:46.000000000 -0400
64337 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
64338 partitioned ? "_d" : "", minor,
64339 md_setup_args[ent].device_names);
64340
64341 - fd = sys_open(name, 0, 0);
64342 + fd = sys_open((__force char __user *)name, 0, 0);
64343 if (fd < 0) {
64344 printk(KERN_ERR "md: open failed - cannot start "
64345 "array %s\n", name);
64346 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
64347 * array without it
64348 */
64349 sys_close(fd);
64350 - fd = sys_open(name, 0, 0);
64351 + fd = sys_open((__force char __user *)name, 0, 0);
64352 sys_ioctl(fd, BLKRRPART, 0);
64353 }
64354 sys_close(fd);
64355 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
64356
64357 wait_for_device_probe();
64358
64359 - fd = sys_open("/dev/md0", 0, 0);
64360 + fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
64361 if (fd >= 0) {
64362 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
64363 sys_close(fd);
64364 diff -urNp linux-2.6.32.46/init/initramfs.c linux-2.6.32.46/init/initramfs.c
64365 --- linux-2.6.32.46/init/initramfs.c 2011-03-27 14:31:47.000000000 -0400
64366 +++ linux-2.6.32.46/init/initramfs.c 2011-04-17 15:56:46.000000000 -0400
64367 @@ -74,7 +74,7 @@ static void __init free_hash(void)
64368 }
64369 }
64370
64371 -static long __init do_utime(char __user *filename, time_t mtime)
64372 +static long __init do_utime(__force char __user *filename, time_t mtime)
64373 {
64374 struct timespec t[2];
64375
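Review bot: `__force` is placed in the parameter declaration of do_utime() (`__force char __user *filename`), where nothing is being cast, while the callers changed in this file already apply `(__force char __user *)` themselves. Keeping the prototype as `static long __init do_utime(char __user *filename, time_t mtime)` and leaving the forced conversion at the call sites would match how the other init/ changes are written. How the checker treats the attribute in a declaration is not visible from this hunk, so this is a style point. The body of do_utime() continues outside the hunk.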
64376 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
64377 struct dir_entry *de, *tmp;
64378 list_for_each_entry_safe(de, tmp, &dir_list, list) {
64379 list_del(&de->list);
64380 - do_utime(de->name, de->mtime);
64381 + do_utime((__force char __user *)de->name, de->mtime);
64382 kfree(de->name);
64383 kfree(de);
64384 }
64385 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
64386 if (nlink >= 2) {
64387 char *old = find_link(major, minor, ino, mode, collected);
64388 if (old)
64389 - return (sys_link(old, collected) < 0) ? -1 : 1;
64390 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
64391 }
64392 return 0;
64393 }
64394 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
64395 {
64396 struct stat st;
64397
64398 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
64399 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
64400 if (S_ISDIR(st.st_mode))
64401 - sys_rmdir(path);
64402 + sys_rmdir((__force char __user *)path);
64403 else
64404 - sys_unlink(path);
64405 + sys_unlink((__force char __user *)path);
64406 }
64407 }
64408
64409 @@ -305,7 +305,7 @@ static int __init do_name(void)
64410 int openflags = O_WRONLY|O_CREAT;
64411 if (ml != 1)
64412 openflags |= O_TRUNC;
64413 - wfd = sys_open(collected, openflags, mode);
64414 + wfd = sys_open((__force char __user *)collected, openflags, mode);
64415
64416 if (wfd >= 0) {
64417 sys_fchown(wfd, uid, gid);
64418 @@ -317,17 +317,17 @@ static int __init do_name(void)
64419 }
64420 }
64421 } else if (S_ISDIR(mode)) {
64422 - sys_mkdir(collected, mode);
64423 - sys_chown(collected, uid, gid);
64424 - sys_chmod(collected, mode);
64425 + sys_mkdir((__force char __user *)collected, mode);
64426 + sys_chown((__force char __user *)collected, uid, gid);
64427 + sys_chmod((__force char __user *)collected, mode);
64428 dir_add(collected, mtime);
64429 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
64430 S_ISFIFO(mode) || S_ISSOCK(mode)) {
64431 if (maybe_link() == 0) {
64432 - sys_mknod(collected, mode, rdev);
64433 - sys_chown(collected, uid, gid);
64434 - sys_chmod(collected, mode);
64435 - do_utime(collected, mtime);
64436 + sys_mknod((__force char __user *)collected, mode, rdev);
64437 + sys_chown((__force char __user *)collected, uid, gid);
64438 + sys_chmod((__force char __user *)collected, mode);
64439 + do_utime((__force char __user *)collected, mtime);
64440 }
64441 }
64442 return 0;
64443 @@ -336,15 +336,15 @@ static int __init do_name(void)
64444 static int __init do_copy(void)
64445 {
64446 if (count >= body_len) {
64447 - sys_write(wfd, victim, body_len);
64448 + sys_write(wfd, (__force char __user *)victim, body_len);
64449 sys_close(wfd);
64450 - do_utime(vcollected, mtime);
64451 + do_utime((__force char __user *)vcollected, mtime);
64452 kfree(vcollected);
64453 eat(body_len);
64454 state = SkipIt;
64455 return 0;
64456 } else {
64457 - sys_write(wfd, victim, count);
64458 + sys_write(wfd, (__force char __user *)victim, count);
64459 body_len -= count;
64460 eat(count);
64461 return 1;
64462 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
64463 {
64464 collected[N_ALIGN(name_len) + body_len] = '\0';
64465 clean_path(collected, 0);
64466 - sys_symlink(collected + N_ALIGN(name_len), collected);
64467 - sys_lchown(collected, uid, gid);
64468 - do_utime(collected, mtime);
64469 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
64470 + sys_lchown((__force char __user *)collected, uid, gid);
64471 + do_utime((__force char __user *)collected, mtime);
64472 state = SkipIt;
64473 next_state = Reset;
64474 return 0;
64475 diff -urNp linux-2.6.32.46/init/Kconfig linux-2.6.32.46/init/Kconfig
64476 --- linux-2.6.32.46/init/Kconfig 2011-05-10 22:12:01.000000000 -0400
64477 +++ linux-2.6.32.46/init/Kconfig 2011-05-10 22:12:34.000000000 -0400
64478 @@ -1004,7 +1004,7 @@ config SLUB_DEBUG
64479
64480 config COMPAT_BRK
64481 bool "Disable heap randomization"
64482 - default y
64483 + default n
64484 help
64485 Randomizing heap placement makes heap exploits harder, but it
64486 also breaks ancient binaries (including anything libc5 based).
64487 diff -urNp linux-2.6.32.46/init/main.c linux-2.6.32.46/init/main.c
64488 --- linux-2.6.32.46/init/main.c 2011-05-10 22:12:01.000000000 -0400
64489 +++ linux-2.6.32.46/init/main.c 2011-08-05 20:33:55.000000000 -0400
64490 @@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void)
64491 #ifdef CONFIG_TC
64492 extern void tc_init(void);
64493 #endif
64494 +extern void grsecurity_init(void);
64495
64496 enum system_states system_state __read_mostly;
64497 EXPORT_SYMBOL(system_state);
64498 @@ -183,6 +184,49 @@ static int __init set_reset_devices(char
64499
64500 __setup("reset_devices", set_reset_devices);
64501
64502 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
64503 +extern char pax_enter_kernel_user[];
64504 +extern char pax_exit_kernel_user[];
64505 +extern pgdval_t clone_pgd_mask;
64506 +#endif
64507 +
64508 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
64509 +static int __init setup_pax_nouderef(char *str)
64510 +{
64511 +#ifdef CONFIG_X86_32
64512 + unsigned int cpu;
64513 + struct desc_struct *gdt;
64514 +
64515 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
64516 + gdt = get_cpu_gdt_table(cpu);
64517 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
64518 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
64519 + gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
64520 + gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
64521 + }
64522 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
64523 +#else
64524 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
64525 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
64526 + clone_pgd_mask = ~(pgdval_t)0UL;
64527 +#endif
64528 +
64529 + return 0;
64530 +}
64531 +early_param("pax_nouderef", setup_pax_nouderef);
64532 +#endif
64533 +
64534 +#ifdef CONFIG_PAX_SOFTMODE
64535 +int pax_softmode;
64536 +
64537 +static int __init setup_pax_softmode(char *str)
64538 +{
64539 + get_option(&str, &pax_softmode);
64540 + return 1;
64541 +}
64542 +__setup("pax_softmode=", setup_pax_softmode);
64543 +#endif
64544 +
64545 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
64546 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
64547 static const char *panic_later, *panic_param;
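Review bot: setup_pax_nouderef() changes the segment limits or overwrites the enter/exit stubs with `0xc3` without printing anything, so a host booted with `pax_nouderef` (which by its name disables UDEREF) leaves no trace of that in the boot log. A line such as `printk(KERN_INFO "PAX: UDEREF disabled via pax_nouderef\n");` before `return 0;` would make the weakened state visible to anyone auditing the machine. setup_pax_softmode() also ignores the result of `get_option()`, so a malformed `pax_softmode=` value is accepted silently. Checking the return value and logging the resulting mode would help for the same reason.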
64548 @@ -705,52 +749,53 @@ int initcall_debug;
64549 core_param(initcall_debug, initcall_debug, bool, 0644);
64550
64551 static char msgbuf[64];
64552 -static struct boot_trace_call call;
64553 -static struct boot_trace_ret ret;
64554 +static struct boot_trace_call trace_call;
64555 +static struct boot_trace_ret trace_ret;
64556
64557 int do_one_initcall(initcall_t fn)
64558 {
64559 int count = preempt_count();
64560 ktime_t calltime, delta, rettime;
64561 + const char *msg1 = "", *msg2 = "";
64562
64563 if (initcall_debug) {
64564 - call.caller = task_pid_nr(current);
64565 - printk("calling %pF @ %i\n", fn, call.caller);
64566 + trace_call.caller = task_pid_nr(current);
64567 + printk("calling %pF @ %i\n", fn, trace_call.caller);
64568 calltime = ktime_get();
64569 - trace_boot_call(&call, fn);
64570 + trace_boot_call(&trace_call, fn);
64571 enable_boot_trace();
64572 }
64573
64574 - ret.result = fn();
64575 + trace_ret.result = fn();
64576
64577 if (initcall_debug) {
64578 disable_boot_trace();
64579 rettime = ktime_get();
64580 delta = ktime_sub(rettime, calltime);
64581 - ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
64582 - trace_boot_ret(&ret, fn);
64583 + trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
64584 + trace_boot_ret(&trace_ret, fn);
64585 printk("initcall %pF returned %d after %Ld usecs\n", fn,
64586 - ret.result, ret.duration);
64587 + trace_ret.result, trace_ret.duration);
64588 }
64589
64590 msgbuf[0] = 0;
64591
64592 - if (ret.result && ret.result != -ENODEV && initcall_debug)
64593 - sprintf(msgbuf, "error code %d ", ret.result);
64594 + if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
64595 + sprintf(msgbuf, "error code %d ", trace_ret.result);
64596
64597 if (preempt_count() != count) {
64598 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
64599 + msg1 = " preemption imbalance";
64600 preempt_count() = count;
64601 }
64602 if (irqs_disabled()) {
64603 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
64604 + msg2 = " disabled interrupts";
64605 local_irq_enable();
64606 }
64607 - if (msgbuf[0]) {
64608 - printk("initcall %pF returned with %s\n", fn, msgbuf);
64609 + if (msgbuf[0] || *msg1 || *msg2) {
64610 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
64611 }
64612
64613 - return ret.result;
64614 + return trace_ret.result;
64615 }
64616
64617
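Review bot: The new `msg1`/`msg2` strings begin with a space while the format already ends in `with ` and `msgbuf` ends in a space, so the printed line gets a doubled space (`returned with  preemption imbalance`, or `error code -5  preemption imbalance`). That differs from the text the removed `strlcat` calls produced and can break log patterns written against it. Using `msg1 = "preemption imbalance ";` and `msg2 = "disabled interrupts ";` restores the previous message exactly.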
64618 @@ -893,11 +938,13 @@ static int __init kernel_init(void * unu
64619 if (!ramdisk_execute_command)
64620 ramdisk_execute_command = "/init";
64621
64622 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
64623 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
64624 ramdisk_execute_command = NULL;
64625 prepare_namespace();
64626 }
64627
64628 + grsecurity_init();
64629 +
64630 /*
64631 * Ok, we have completed the initial bootup, and
64632 * we're essentially up and running. Get rid of the
64633 diff -urNp linux-2.6.32.46/init/noinitramfs.c linux-2.6.32.46/init/noinitramfs.c
64634 --- linux-2.6.32.46/init/noinitramfs.c 2011-03-27 14:31:47.000000000 -0400
64635 +++ linux-2.6.32.46/init/noinitramfs.c 2011-04-17 15:56:46.000000000 -0400
64636 @@ -29,7 +29,7 @@ static int __init default_rootfs(void)
64637 {
64638 int err;
64639
64640 - err = sys_mkdir("/dev", 0755);
64641 + err = sys_mkdir((const char __user *)"/dev", 0755);
64642 if (err < 0)
64643 goto out;
64644
64645 @@ -39,7 +39,7 @@ static int __init default_rootfs(void)
64646 if (err < 0)
64647 goto out;
64648
64649 - err = sys_mkdir("/root", 0700);
64650 + err = sys_mkdir((const char __user *)"/root", 0700);
64651 if (err < 0)
64652 goto out;
64653
64654 diff -urNp linux-2.6.32.46/ipc/mqueue.c linux-2.6.32.46/ipc/mqueue.c
64655 --- linux-2.6.32.46/ipc/mqueue.c 2011-03-27 14:31:47.000000000 -0400
64656 +++ linux-2.6.32.46/ipc/mqueue.c 2011-04-17 15:56:46.000000000 -0400
64657 @@ -150,6 +150,7 @@ static struct inode *mqueue_get_inode(st
64658 mq_bytes = (mq_msg_tblsz +
64659 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
64660
64661 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
64662 spin_lock(&mq_lock);
64663 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
64664 u->mq_bytes + mq_bytes >
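Review bot: The added `gr_learn_resource()` call reads `u->mq_bytes` before `spin_lock(&mq_lock)` is taken and before the wrap-around test `u->mq_bytes + mq_bytes < u->mq_bytes` on the following lines, so the value it is given can be stale or already wrapped. If the helper's semantics allow it (they are not visible here), computing the sum once under the lock and passing that would give it the same value the limit test uses. Otherwise a comment stating that the unlocked, possibly wrapped value is acceptable for learning would help. mqueue_get_inode() starts and ends outside this hunk.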
64665 diff -urNp linux-2.6.32.46/ipc/msg.c linux-2.6.32.46/ipc/msg.c
64666 --- linux-2.6.32.46/ipc/msg.c 2011-03-27 14:31:47.000000000 -0400
64667 +++ linux-2.6.32.46/ipc/msg.c 2011-08-05 20:33:55.000000000 -0400
64668 @@ -310,18 +310,19 @@ static inline int msg_security(struct ke
64669 return security_msg_queue_associate(msq, msgflg);
64670 }
64671
64672 +static struct ipc_ops msg_ops = {
64673 + .getnew = newque,
64674 + .associate = msg_security,
64675 + .more_checks = NULL
64676 +};
64677 +
64678 SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)
64679 {
64680 struct ipc_namespace *ns;
64681 - struct ipc_ops msg_ops;
64682 struct ipc_params msg_params;
64683
64684 ns = current->nsproxy->ipc_ns;
64685
64686 - msg_ops.getnew = newque;
64687 - msg_ops.associate = msg_security;
64688 - msg_ops.more_checks = NULL;
64689 -
64690 msg_params.key = key;
64691 msg_params.flg = msgflg;
64692
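Review bot: `msg_ops` is now a file-scope table of function pointers but is declared without `const`, so as written it sits in writable data for the lifetime of the kernel rather than on the stack for one call. If `ipcget()` accepts a const pointer (its prototype is not visible here), `static const struct ipc_ops msg_ops = {` would keep the table read-only without relying on any build-time constification. The same applies to `sem_ops` in the ipc/sem.c hunk and `shm_ops` in the ipc/shm.c hunk.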
64693 diff -urNp linux-2.6.32.46/ipc/sem.c linux-2.6.32.46/ipc/sem.c
64694 --- linux-2.6.32.46/ipc/sem.c 2011-03-27 14:31:47.000000000 -0400
64695 +++ linux-2.6.32.46/ipc/sem.c 2011-08-05 20:33:55.000000000 -0400
64696 @@ -309,10 +309,15 @@ static inline int sem_more_checks(struct
64697 return 0;
64698 }
64699
64700 +static struct ipc_ops sem_ops = {
64701 + .getnew = newary,
64702 + .associate = sem_security,
64703 + .more_checks = sem_more_checks
64704 +};
64705 +
64706 SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
64707 {
64708 struct ipc_namespace *ns;
64709 - struct ipc_ops sem_ops;
64710 struct ipc_params sem_params;
64711
64712 ns = current->nsproxy->ipc_ns;
64713 @@ -320,10 +325,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int,
64714 if (nsems < 0 || nsems > ns->sc_semmsl)
64715 return -EINVAL;
64716
64717 - sem_ops.getnew = newary;
64718 - sem_ops.associate = sem_security;
64719 - sem_ops.more_checks = sem_more_checks;
64720 -
64721 sem_params.key = key;
64722 sem_params.flg = semflg;
64723 sem_params.u.nsems = nsems;
64724 @@ -671,6 +672,8 @@ static int semctl_main(struct ipc_namesp
64725 ushort* sem_io = fast_sem_io;
64726 int nsems;
64727
64728 + pax_track_stack();
64729 +
64730 sma = sem_lock_check(ns, semid);
64731 if (IS_ERR(sma))
64732 return PTR_ERR(sma);
64733 @@ -1071,6 +1074,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
64734 unsigned long jiffies_left = 0;
64735 struct ipc_namespace *ns;
64736
64737 + pax_track_stack();
64738 +
64739 ns = current->nsproxy->ipc_ns;
64740
64741 if (nsops < 1 || semid < 0)
64742 diff -urNp linux-2.6.32.46/ipc/shm.c linux-2.6.32.46/ipc/shm.c
64743 --- linux-2.6.32.46/ipc/shm.c 2011-03-27 14:31:47.000000000 -0400
64744 +++ linux-2.6.32.46/ipc/shm.c 2011-08-05 20:33:55.000000000 -0400
64745 @@ -70,6 +70,14 @@ static void shm_destroy (struct ipc_name
64746 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
64747 #endif
64748
64749 +#ifdef CONFIG_GRKERNSEC
64750 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
64751 + const time_t shm_createtime, const uid_t cuid,
64752 + const int shmid);
64753 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
64754 + const time_t shm_createtime);
64755 +#endif
64756 +
64757 void shm_init_ns(struct ipc_namespace *ns)
64758 {
64759 ns->shm_ctlmax = SHMMAX;
64760 @@ -396,6 +404,14 @@ static int newseg(struct ipc_namespace *
64761 shp->shm_lprid = 0;
64762 shp->shm_atim = shp->shm_dtim = 0;
64763 shp->shm_ctim = get_seconds();
64764 +#ifdef CONFIG_GRKERNSEC
64765 + {
64766 + struct timespec timeval;
64767 + do_posix_clock_monotonic_gettime(&timeval);
64768 +
64769 + shp->shm_createtime = timeval.tv_sec;
64770 + }
64771 +#endif
64772 shp->shm_segsz = size;
64773 shp->shm_nattch = 0;
64774 shp->shm_file = file;
64775 @@ -446,18 +462,19 @@ static inline int shm_more_checks(struct
64776 return 0;
64777 }
64778
64779 +static struct ipc_ops shm_ops = {
64780 + .getnew = newseg,
64781 + .associate = shm_security,
64782 + .more_checks = shm_more_checks
64783 +};
64784 +
64785 SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)
64786 {
64787 struct ipc_namespace *ns;
64788 - struct ipc_ops shm_ops;
64789 struct ipc_params shm_params;
64790
64791 ns = current->nsproxy->ipc_ns;
64792
64793 - shm_ops.getnew = newseg;
64794 - shm_ops.associate = shm_security;
64795 - shm_ops.more_checks = shm_more_checks;
64796 -
64797 shm_params.key = key;
64798 shm_params.flg = shmflg;
64799 shm_params.u.size = size;
64800 @@ -880,9 +897,21 @@ long do_shmat(int shmid, char __user *sh
64801 if (err)
64802 goto out_unlock;
64803
64804 +#ifdef CONFIG_GRKERNSEC
64805 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
64806 + shp->shm_perm.cuid, shmid) ||
64807 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
64808 + err = -EACCES;
64809 + goto out_unlock;
64810 + }
64811 +#endif
64812 +
64813 path.dentry = dget(shp->shm_file->f_path.dentry);
64814 path.mnt = shp->shm_file->f_path.mnt;
64815 shp->shm_nattch++;
64816 +#ifdef CONFIG_GRKERNSEC
64817 + shp->shm_lapid = current->pid;
64818 +#endif
64819 size = i_size_read(path.dentry->d_inode);
64820 shm_unlock(shp);
64821
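Review bot: The new check in do_shmat() denies the attach with `-EACCES` when either `gr_handle_shmat()` or `gr_chroot_shmat()` returns 0, but neither the call site nor the `extern` declarations added at the top of ipc/shm.c says that nonzero means the attach is allowed. A short comment above the `if`, for example `/* both helpers return nonzero when the attach is permitted */`, would spare the reader from inferring the convention from the negation. do_shmat() starts and ends outside this hunk.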
64822 diff -urNp linux-2.6.32.46/kernel/acct.c linux-2.6.32.46/kernel/acct.c
64823 --- linux-2.6.32.46/kernel/acct.c 2011-03-27 14:31:47.000000000 -0400
64824 +++ linux-2.6.32.46/kernel/acct.c 2011-04-17 15:56:46.000000000 -0400
64825 @@ -579,7 +579,7 @@ static void do_acct_process(struct bsd_a
64826 */
64827 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
64828 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
64829 - file->f_op->write(file, (char *)&ac,
64830 + file->f_op->write(file, (__force char __user *)&ac,
64831 sizeof(acct_t), &file->f_pos);
64832 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
64833 set_fs(fs);
64834 diff -urNp linux-2.6.32.46/kernel/audit.c linux-2.6.32.46/kernel/audit.c
64835 --- linux-2.6.32.46/kernel/audit.c 2011-03-27 14:31:47.000000000 -0400
64836 +++ linux-2.6.32.46/kernel/audit.c 2011-05-04 17:56:28.000000000 -0400
64837 @@ -110,7 +110,7 @@ u32 audit_sig_sid = 0;
64838 3) suppressed due to audit_rate_limit
64839 4) suppressed due to audit_backlog_limit
64840 */
64841 -static atomic_t audit_lost = ATOMIC_INIT(0);
64842 +static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
64843
64844 /* The netlink socket. */
64845 static struct sock *audit_sock;
64846 @@ -232,7 +232,7 @@ void audit_log_lost(const char *message)
64847 unsigned long now;
64848 int print;
64849
64850 - atomic_inc(&audit_lost);
64851 + atomic_inc_unchecked(&audit_lost);
64852
64853 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
64854
64855 @@ -251,7 +251,7 @@ void audit_log_lost(const char *message)
64856 printk(KERN_WARNING
64857 "audit: audit_lost=%d audit_rate_limit=%d "
64858 "audit_backlog_limit=%d\n",
64859 - atomic_read(&audit_lost),
64860 + atomic_read_unchecked(&audit_lost),
64861 audit_rate_limit,
64862 audit_backlog_limit);
64863 audit_panic(message);
64864 @@ -691,7 +691,7 @@ static int audit_receive_msg(struct sk_b
64865 status_set.pid = audit_pid;
64866 status_set.rate_limit = audit_rate_limit;
64867 status_set.backlog_limit = audit_backlog_limit;
64868 - status_set.lost = atomic_read(&audit_lost);
64869 + status_set.lost = atomic_read_unchecked(&audit_lost);
64870 status_set.backlog = skb_queue_len(&audit_skb_queue);
64871 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
64872 &status_set, sizeof(status_set));
64873 @@ -891,8 +891,10 @@ static int audit_receive_msg(struct sk_b
64874 spin_unlock_irq(&tsk->sighand->siglock);
64875 }
64876 read_unlock(&tasklist_lock);
64877 - audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_TTY_GET, 0, 0,
64878 - &s, sizeof(s));
64879 +
64880 + if (!err)
64881 + audit_send_reply(NETLINK_CB(skb).pid, seq,
64882 + AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
64883 break;
64884 }
64885 case AUDIT_TTY_SET: {
64886 diff -urNp linux-2.6.32.46/kernel/auditsc.c linux-2.6.32.46/kernel/auditsc.c
64887 --- linux-2.6.32.46/kernel/auditsc.c 2011-03-27 14:31:47.000000000 -0400
64888 +++ linux-2.6.32.46/kernel/auditsc.c 2011-05-04 17:56:28.000000000 -0400
64889 @@ -2113,7 +2113,7 @@ int auditsc_get_stamp(struct audit_conte
64890 }
64891
64892 /* global counter which is incremented every time something logs in */
64893 -static atomic_t session_id = ATOMIC_INIT(0);
64894 +static atomic_unchecked_t session_id = ATOMIC_INIT(0);
64895
64896 /**
64897 * audit_set_loginuid - set a task's audit_context loginuid
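Review bot: Changing `session_id` to `atomic_unchecked_t` appears, going by the `_unchecked` naming, to opt this counter out of overflow detection, and the existing comment above it does not say that wrapping is intended. The value from `atomic_inc_return_unchecked()` in audit_set_loginuid() is stored in `sessionid`, presumably the audit session id, so after a wrap the ids repeat in audit records. A comment such as `/* allowed to wrap: session ids are not guaranteed unique over the uptime */` would document that for anyone correlating logs.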
64898 @@ -2126,7 +2126,7 @@ static atomic_t session_id = ATOMIC_INIT
64899 */
64900 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
64901 {
64902 - unsigned int sessionid = atomic_inc_return(&session_id);
64903 + unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
64904 struct audit_context *context = task->audit_context;
64905
64906 if (context && context->in_syscall) {
64907 diff -urNp linux-2.6.32.46/kernel/capability.c linux-2.6.32.46/kernel/capability.c
64908 --- linux-2.6.32.46/kernel/capability.c 2011-03-27 14:31:47.000000000 -0400
64909 +++ linux-2.6.32.46/kernel/capability.c 2011-04-17 15:56:46.000000000 -0400
64910 @@ -305,10 +305,26 @@ int capable(int cap)
64911 BUG();
64912 }
64913
64914 - if (security_capable(cap) == 0) {
64915 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
64916 current->flags |= PF_SUPERPRIV;
64917 return 1;
64918 }
64919 return 0;
64920 }
64921 +
64922 +int capable_nolog(int cap)
64923 +{
64924 + if (unlikely(!cap_valid(cap))) {
64925 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
64926 + BUG();
64927 + }
64928 +
64929 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
64930 + current->flags |= PF_SUPERPRIV;
64931 + return 1;
64932 + }
64933 + return 0;
64934 +}
64935 +
64936 EXPORT_SYMBOL(capable);
64937 +EXPORT_SYMBOL(capable_nolog);
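Review bot: capable_nolog() copies the body of capable() and its BUG message still reads `capable() called with invalid cap=%u`, so a crash log would name the wrong function. Changing the string to `"capable_nolog() called with invalid cap=%u\n"` fixes the attribution. Moving the `cap_valid()` check and the `PF_SUPERPRIV` update into one static helper that both entry points call would keep the two copies from drifting apart. No prototype for capable_nolog() appears in this hunk, so callers depend on a declaration added elsewhere in the patch.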
64938 diff -urNp linux-2.6.32.46/kernel/cgroup.c linux-2.6.32.46/kernel/cgroup.c
64939 --- linux-2.6.32.46/kernel/cgroup.c 2011-03-27 14:31:47.000000000 -0400
64940 +++ linux-2.6.32.46/kernel/cgroup.c 2011-05-16 21:46:57.000000000 -0400
64941 @@ -536,6 +536,8 @@ static struct css_set *find_css_set(
64942 struct hlist_head *hhead;
64943 struct cg_cgroup_link *link;
64944
64945 + pax_track_stack();
64946 +
64947 /* First see if we already have a cgroup group that matches
64948 * the desired set */
64949 read_lock(&css_set_lock);
64950 diff -urNp linux-2.6.32.46/kernel/configs.c linux-2.6.32.46/kernel/configs.c
64951 --- linux-2.6.32.46/kernel/configs.c 2011-03-27 14:31:47.000000000 -0400
64952 +++ linux-2.6.32.46/kernel/configs.c 2011-04-17 15:56:46.000000000 -0400
64953 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
64954 struct proc_dir_entry *entry;
64955
64956 /* create the current config file */
64957 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
64958 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
64959 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
64960 + &ikconfig_file_ops);
64961 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64962 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
64963 + &ikconfig_file_ops);
64964 +#endif
64965 +#else
64966 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
64967 &ikconfig_file_ops);
64968 +#endif
64969 +
64970 if (!entry)
64971 return -ENOMEM;
64972
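Review bot: `entry` is never assigned when `CONFIG_GRKERNSEC_PROC_ADD` is set but none of `CONFIG_GRKERNSEC_PROC_USER`, `CONFIG_GRKERNSEC_HIDESYM` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is, because the inner `#if`/`#elif` has no `#else`; the `if (!entry)` test that follows would then read an uninitialised pointer. Kconfig dependencies may rule that combination out, but nothing in this hunk shows it. An inner `#else` that falls back to the most restrictive call, `entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL, &ikconfig_file_ops);`, or an `#error` there, would make the assumption explicit at build time. ikconfig_init's body continues outside the hunk.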
64973 diff -urNp linux-2.6.32.46/kernel/cpu.c linux-2.6.32.46/kernel/cpu.c
64974 --- linux-2.6.32.46/kernel/cpu.c 2011-03-27 14:31:47.000000000 -0400
64975 +++ linux-2.6.32.46/kernel/cpu.c 2011-04-17 15:56:46.000000000 -0400
64976 @@ -19,7 +19,7 @@
64977 /* Serializes the updates to cpu_online_mask, cpu_present_mask */
64978 static DEFINE_MUTEX(cpu_add_remove_lock);
64979
64980 -static __cpuinitdata RAW_NOTIFIER_HEAD(cpu_chain);
64981 +static RAW_NOTIFIER_HEAD(cpu_chain);
64982
64983 /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
64984 * Should always be manipulated under cpu_add_remove_lock
64985 diff -urNp linux-2.6.32.46/kernel/cred.c linux-2.6.32.46/kernel/cred.c
64986 --- linux-2.6.32.46/kernel/cred.c 2011-03-27 14:31:47.000000000 -0400
64987 +++ linux-2.6.32.46/kernel/cred.c 2011-08-11 19:49:38.000000000 -0400
64988 @@ -160,6 +160,8 @@ static void put_cred_rcu(struct rcu_head
64989 */
64990 void __put_cred(struct cred *cred)
64991 {
64992 + pax_track_stack();
64993 +
64994 kdebug("__put_cred(%p{%d,%d})", cred,
64995 atomic_read(&cred->usage),
64996 read_cred_subscribers(cred));
64997 @@ -184,6 +186,8 @@ void exit_creds(struct task_struct *tsk)
64998 {
64999 struct cred *cred;
65000
65001 + pax_track_stack();
65002 +
65003 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
65004 atomic_read(&tsk->cred->usage),
65005 read_cred_subscribers(tsk->cred));
65006 @@ -222,6 +226,8 @@ const struct cred *get_task_cred(struct
65007 {
65008 const struct cred *cred;
65009
65010 + pax_track_stack();
65011 +
65012 rcu_read_lock();
65013
65014 do {
65015 @@ -241,6 +247,8 @@ struct cred *cred_alloc_blank(void)
65016 {
65017 struct cred *new;
65018
65019 + pax_track_stack();
65020 +
65021 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
65022 if (!new)
65023 return NULL;
65024 @@ -289,6 +297,8 @@ struct cred *prepare_creds(void)
65025 const struct cred *old;
65026 struct cred *new;
65027
65028 + pax_track_stack();
65029 +
65030 validate_process_creds();
65031
65032 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
65033 @@ -335,6 +345,8 @@ struct cred *prepare_exec_creds(void)
65034 struct thread_group_cred *tgcred = NULL;
65035 struct cred *new;
65036
65037 + pax_track_stack();
65038 +
65039 #ifdef CONFIG_KEYS
65040 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
65041 if (!tgcred)
65042 @@ -441,6 +453,8 @@ int copy_creds(struct task_struct *p, un
65043 struct cred *new;
65044 int ret;
65045
65046 + pax_track_stack();
65047 +
65048 mutex_init(&p->cred_guard_mutex);
65049
65050 if (
65051 @@ -528,6 +542,8 @@ int commit_creds(struct cred *new)
65052 struct task_struct *task = current;
65053 const struct cred *old = task->real_cred;
65054
65055 + pax_track_stack();
65056 +
65057 kdebug("commit_creds(%p{%d,%d})", new,
65058 atomic_read(&new->usage),
65059 read_cred_subscribers(new));
65060 @@ -544,6 +560,8 @@ int commit_creds(struct cred *new)
65061
65062 get_cred(new); /* we will require a ref for the subj creds too */
65063
65064 + gr_set_role_label(task, new->uid, new->gid);
65065 +
65066 /* dumpability changes */
65067 if (old->euid != new->euid ||
65068 old->egid != new->egid ||
65069 @@ -563,10 +581,8 @@ int commit_creds(struct cred *new)
65070 key_fsgid_changed(task);
65071
65072 /* do it
65073 - * - What if a process setreuid()'s and this brings the
65074 - * new uid over his NPROC rlimit? We can check this now
65075 - * cheaply with the new uid cache, so if it matters
65076 - * we should be checking for it. -DaveM
65077 + * RLIMIT_NPROC limits on user->processes have already been checked
65078 + * in set_user().
65079 */
65080 alter_cred_subscribers(new, 2);
65081 if (new->user != old->user)
65082 @@ -606,6 +622,8 @@ EXPORT_SYMBOL(commit_creds);
65083 */
65084 void abort_creds(struct cred *new)
65085 {
65086 + pax_track_stack();
65087 +
65088 kdebug("abort_creds(%p{%d,%d})", new,
65089 atomic_read(&new->usage),
65090 read_cred_subscribers(new));
65091 @@ -629,6 +647,8 @@ const struct cred *override_creds(const
65092 {
65093 const struct cred *old = current->cred;
65094
65095 + pax_track_stack();
65096 +
65097 kdebug("override_creds(%p{%d,%d})", new,
65098 atomic_read(&new->usage),
65099 read_cred_subscribers(new));
65100 @@ -658,6 +678,8 @@ void revert_creds(const struct cred *old
65101 {
65102 const struct cred *override = current->cred;
65103
65104 + pax_track_stack();
65105 +
65106 kdebug("revert_creds(%p{%d,%d})", old,
65107 atomic_read(&old->usage),
65108 read_cred_subscribers(old));
65109 @@ -704,6 +726,8 @@ struct cred *prepare_kernel_cred(struct
65110 const struct cred *old;
65111 struct cred *new;
65112
65113 + pax_track_stack();
65114 +
65115 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
65116 if (!new)
65117 return NULL;
65118 @@ -758,6 +782,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
65119 */
65120 int set_security_override(struct cred *new, u32 secid)
65121 {
65122 + pax_track_stack();
65123 +
65124 return security_kernel_act_as(new, secid);
65125 }
65126 EXPORT_SYMBOL(set_security_override);
65127 @@ -777,6 +803,8 @@ int set_security_override_from_ctx(struc
65128 u32 secid;
65129 int ret;
65130
65131 + pax_track_stack();
65132 +
65133 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
65134 if (ret < 0)
65135 return ret;
65136 diff -urNp linux-2.6.32.46/kernel/exit.c linux-2.6.32.46/kernel/exit.c
65137 --- linux-2.6.32.46/kernel/exit.c 2011-03-27 14:31:47.000000000 -0400
65138 +++ linux-2.6.32.46/kernel/exit.c 2011-08-17 19:19:50.000000000 -0400
65139 @@ -55,6 +55,10 @@
65140 #include <asm/pgtable.h>
65141 #include <asm/mmu_context.h>
65142
65143 +#ifdef CONFIG_GRKERNSEC
65144 +extern rwlock_t grsec_exec_file_lock;
65145 +#endif
65146 +
65147 static void exit_mm(struct task_struct * tsk);
65148
65149 static void __unhash_process(struct task_struct *p)
65150 @@ -174,6 +178,10 @@ void release_task(struct task_struct * p
65151 struct task_struct *leader;
65152 int zap_leader;
65153 repeat:
65154 +#ifdef CONFIG_NET
65155 + gr_del_task_from_ip_table(p);
65156 +#endif
65157 +
65158 tracehook_prepare_release_task(p);
65159 /* don't need to get the RCU readlock here - the process is dead and
65160 * can't be modifying its own credentials */
65161 @@ -341,11 +349,22 @@ static void reparent_to_kthreadd(void)
65162 {
65163 write_lock_irq(&tasklist_lock);
65164
65165 +#ifdef CONFIG_GRKERNSEC
65166 + write_lock(&grsec_exec_file_lock);
65167 + if (current->exec_file) {
65168 + fput(current->exec_file);
65169 + current->exec_file = NULL;
65170 + }
65171 + write_unlock(&grsec_exec_file_lock);
65172 +#endif
65173 +
65174 ptrace_unlink(current);
65175 /* Reparent to init */
65176 current->real_parent = current->parent = kthreadd_task;
65177 list_move_tail(&current->sibling, &current->real_parent->children);
65178
65179 + gr_set_kernel_label(current);
65180 +
65181 /* Set the exit signal to SIGCHLD so we signal init on exit */
65182 current->exit_signal = SIGCHLD;
65183
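Review bot: `fput()` is called here with `tasklist_lock` write-held and interrupts disabled, and inside the `grsec_exec_file_lock` write section; if this drops the last reference to the file, the release path can sleep, which is not allowed in that context. The same block is repeated in the daemonize() hunk further down, where it runs under `grsec_exec_file_lock` alone. I would detach the pointer under the lock and drop the reference only after every spinning lock has been released, ideally through one shared helper for both call sites. The unlock of `tasklist_lock` is outside this hunk, so the fence only marks where the `fput()` should end up.

```c
#ifdef CONFIG_GRKERNSEC
	struct file *exec_file;	/* declared with the function's other locals */
#endif
	write_lock_irq(&tasklist_lock);

#ifdef CONFIG_GRKERNSEC
	write_lock(&grsec_exec_file_lock);
	exec_file = current->exec_file;
	current->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
#endif

	/* … unchanged: ptrace_unlink, reparenting, gr_set_kernel_label … */

	/* after tasklist_lock has been released (outside this hunk) */
#ifdef CONFIG_GRKERNSEC
	if (exec_file)
		fput(exec_file);
#endif
```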
65184 @@ -397,7 +416,7 @@ int allow_signal(int sig)
65185 * know it'll be handled, so that they don't get converted to
65186 * SIGKILL or just silently dropped.
65187 */
65188 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
65189 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
65190 recalc_sigpending();
65191 spin_unlock_irq(&current->sighand->siglock);
65192 return 0;
65193 @@ -433,6 +452,17 @@ void daemonize(const char *name, ...)
65194 vsnprintf(current->comm, sizeof(current->comm), name, args);
65195 va_end(args);
65196
65197 +#ifdef CONFIG_GRKERNSEC
65198 + write_lock(&grsec_exec_file_lock);
65199 + if (current->exec_file) {
65200 + fput(current->exec_file);
65201 + current->exec_file = NULL;
65202 + }
65203 + write_unlock(&grsec_exec_file_lock);
65204 +#endif
65205 +
65206 + gr_set_kernel_label(current);
65207 +
65208 /*
65209 * If we were started as result of loading a module, close all of the
65210 * user space pages. We don't need them, and if we didn't close them
65211 @@ -897,17 +927,17 @@ NORET_TYPE void do_exit(long code)
65212 struct task_struct *tsk = current;
65213 int group_dead;
65214
65215 - profile_task_exit(tsk);
65216 -
65217 - WARN_ON(atomic_read(&tsk->fs_excl));
65218 -
65219 + /*
65220 + * Check this first since set_fs() below depends on
65221 + * current_thread_info(), which we better not access when we're in
65222 + * interrupt context. Other than that, we want to do the set_fs()
65223 + * as early as possible.
65224 + */
65225 if (unlikely(in_interrupt()))
65226 panic("Aiee, killing interrupt handler!");
65227 - if (unlikely(!tsk->pid))
65228 - panic("Attempted to kill the idle task!");
65229
65230 /*
65231 - * If do_exit is called because this processes oopsed, it's possible
65232 + * If do_exit is called because this processes Oops'ed, it's possible
65233 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
65234 * continuing. Amongst other possible reasons, this is to prevent
65235 * mm_release()->clear_child_tid() from writing to a user-controlled
65236 @@ -915,6 +945,13 @@ NORET_TYPE void do_exit(long code)
65237 */
65238 set_fs(USER_DS);
65239
65240 + profile_task_exit(tsk);
65241 +
65242 + WARN_ON(atomic_read(&tsk->fs_excl));
65243 +
65244 + if (unlikely(!tsk->pid))
65245 + panic("Attempted to kill the idle task!");
65246 +
65247 tracehook_report_exit(&code);
65248
65249 validate_creds_for_do_exit(tsk);
65250 @@ -973,6 +1010,9 @@ NORET_TYPE void do_exit(long code)
65251 tsk->exit_code = code;
65252 taskstats_exit(tsk, group_dead);
65253
65254 + gr_acl_handle_psacct(tsk, code);
65255 + gr_acl_handle_exit();
65256 +
65257 exit_mm(tsk);
65258
65259 if (group_dead)
65260 @@ -1188,7 +1228,7 @@ static int wait_task_zombie(struct wait_
65261
65262 if (unlikely(wo->wo_flags & WNOWAIT)) {
65263 int exit_code = p->exit_code;
65264 - int why, status;
65265 + int why;
65266
65267 get_task_struct(p);
65268 read_unlock(&tasklist_lock);
65269 diff -urNp linux-2.6.32.46/kernel/fork.c linux-2.6.32.46/kernel/fork.c
65270 --- linux-2.6.32.46/kernel/fork.c 2011-03-27 14:31:47.000000000 -0400
65271 +++ linux-2.6.32.46/kernel/fork.c 2011-08-11 19:50:07.000000000 -0400
65272 @@ -253,7 +253,7 @@ static struct task_struct *dup_task_stru
65273 *stackend = STACK_END_MAGIC; /* for overflow detection */
65274
65275 #ifdef CONFIG_CC_STACKPROTECTOR
65276 - tsk->stack_canary = get_random_int();
65277 + tsk->stack_canary = pax_get_random_long();
65278 #endif
65279
65280 /* One for us, one for whoever does the "release_task()" (usually parent) */
65281 @@ -293,8 +293,8 @@ static int dup_mmap(struct mm_struct *mm
65282 mm->locked_vm = 0;
65283 mm->mmap = NULL;
65284 mm->mmap_cache = NULL;
65285 - mm->free_area_cache = oldmm->mmap_base;
65286 - mm->cached_hole_size = ~0UL;
65287 + mm->free_area_cache = oldmm->free_area_cache;
65288 + mm->cached_hole_size = oldmm->cached_hole_size;
65289 mm->map_count = 0;
65290 cpumask_clear(mm_cpumask(mm));
65291 mm->mm_rb = RB_ROOT;
65292 @@ -335,6 +335,7 @@ static int dup_mmap(struct mm_struct *mm
65293 tmp->vm_flags &= ~VM_LOCKED;
65294 tmp->vm_mm = mm;
65295 tmp->vm_next = tmp->vm_prev = NULL;
65296 + tmp->vm_mirror = NULL;
65297 anon_vma_link(tmp);
65298 file = tmp->vm_file;
65299 if (file) {
65300 @@ -384,6 +385,31 @@ static int dup_mmap(struct mm_struct *mm
65301 if (retval)
65302 goto out;
65303 }
65304 +
65305 +#ifdef CONFIG_PAX_SEGMEXEC
65306 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
65307 + struct vm_area_struct *mpnt_m;
65308 +
65309 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
65310 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
65311 +
65312 + if (!mpnt->vm_mirror)
65313 + continue;
65314 +
65315 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
65316 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
65317 + mpnt->vm_mirror = mpnt_m;
65318 + } else {
65319 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
65320 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
65321 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
65322 + mpnt->vm_mirror->vm_mirror = mpnt;
65323 + }
65324 + }
65325 + BUG_ON(mpnt_m);
65326 + }
65327 +#endif
65328 +
65329 /* a new mm has just been created */
65330 arch_dup_mmap(oldmm, mm);
65331 retval = 0;
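Review bot: This mirror fix-up walks `oldmm->mmap` and `mm->mmap` in lockstep without a comment stating the invariants it depends on: that the copy loop earlier in dup_mmap (outside this hunk) produced one new vma per old vma in the same order, and that a vma below `SEGMEXEC_TASK_SIZE` is always visited before its mirror above it. The `BUG_ON`s enforce part of this at run time, but a reader cannot tell from the code why the first branch temporarily points the old vma's `vm_mirror` at the new vma and the `else` branch restores it. I would add a block comment above the loop describing those two steps and the ordering assumption. It is also worth confirming that no path in the copy loop skips a vma for a SEGMEXEC task, since a skipped vma would make the pairing go out of step.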
65332 @@ -734,13 +760,14 @@ static int copy_fs(unsigned long clone_f
65333 write_unlock(&fs->lock);
65334 return -EAGAIN;
65335 }
65336 - fs->users++;
65337 + atomic_inc(&fs->users);
65338 write_unlock(&fs->lock);
65339 return 0;
65340 }
65341 tsk->fs = copy_fs_struct(fs);
65342 if (!tsk->fs)
65343 return -ENOMEM;
65344 + gr_set_chroot_entries(tsk, &tsk->fs->root);
65345 return 0;
65346 }
65347
65348 @@ -1033,12 +1060,16 @@ static struct task_struct *copy_process(
65349 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
65350 #endif
65351 retval = -EAGAIN;
65352 +
65353 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
65354 +
65355 if (atomic_read(&p->real_cred->user->processes) >=
65356 p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
65357 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
65358 - p->real_cred->user != INIT_USER)
65359 + if (p->real_cred->user != INIT_USER &&
65360 + !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
65361 goto bad_fork_free;
65362 }
65363 + current->flags &= ~PF_NPROC_EXCEEDED;
65364
65365 retval = copy_creds(p, clone_flags);
65366 if (retval < 0)
65367 @@ -1183,6 +1214,8 @@ static struct task_struct *copy_process(
65368 goto bad_fork_free_pid;
65369 }
65370
65371 + gr_copy_label(p);
65372 +
65373 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
65374 /*
65375 * Clear TID on mm_release()?
65376 @@ -1333,6 +1366,8 @@ bad_fork_cleanup_count:
65377 bad_fork_free:
65378 free_task(p);
65379 fork_out:
65380 + gr_log_forkfail(retval);
65381 +
65382 return ERR_PTR(retval);
65383 }
65384
65385 @@ -1426,6 +1461,8 @@ long do_fork(unsigned long clone_flags,
65386 if (clone_flags & CLONE_PARENT_SETTID)
65387 put_user(nr, parent_tidptr);
65388
65389 + gr_handle_brute_check();
65390 +
65391 if (clone_flags & CLONE_VFORK) {
65392 p->vfork_done = &vfork;
65393 init_completion(&vfork);
65394 @@ -1558,7 +1595,7 @@ static int unshare_fs(unsigned long unsh
65395 return 0;
65396
65397 /* don't need lock here; in the worst case we'll do useless copy */
65398 - if (fs->users == 1)
65399 + if (atomic_read(&fs->users) == 1)
65400 return 0;
65401
65402 *new_fsp = copy_fs_struct(fs);
65403 @@ -1681,7 +1718,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
65404 fs = current->fs;
65405 write_lock(&fs->lock);
65406 current->fs = new_fs;
65407 - if (--fs->users)
65408 + gr_set_chroot_entries(current, &current->fs->root);
65409 + if (atomic_dec_return(&fs->users))
65410 new_fs = NULL;
65411 else
65412 new_fs = fs;
65413 diff -urNp linux-2.6.32.46/kernel/futex.c linux-2.6.32.46/kernel/futex.c
65414 --- linux-2.6.32.46/kernel/futex.c 2011-08-29 22:24:44.000000000 -0400
65415 +++ linux-2.6.32.46/kernel/futex.c 2011-08-29 22:25:07.000000000 -0400
65416 @@ -54,6 +54,7 @@
65417 #include <linux/mount.h>
65418 #include <linux/pagemap.h>
65419 #include <linux/syscalls.h>
65420 +#include <linux/ptrace.h>
65421 #include <linux/signal.h>
65422 #include <linux/module.h>
65423 #include <linux/magic.h>
65424 @@ -223,6 +224,11 @@ get_futex_key(u32 __user *uaddr, int fsh
65425 struct page *page;
65426 int err, ro = 0;
65427
65428 +#ifdef CONFIG_PAX_SEGMEXEC
65429 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
65430 + return -EFAULT;
65431 +#endif
65432 +
65433 /*
65434 * The futex address must be "naturally" aligned.
65435 */
65436 @@ -1819,6 +1825,8 @@ static int futex_wait(u32 __user *uaddr,
65437 struct futex_q q;
65438 int ret;
65439
65440 + pax_track_stack();
65441 +
65442 if (!bitset)
65443 return -EINVAL;
65444
65445 @@ -1871,7 +1879,7 @@ retry:
65446
65447 restart = &current_thread_info()->restart_block;
65448 restart->fn = futex_wait_restart;
65449 - restart->futex.uaddr = (u32 *)uaddr;
65450 + restart->futex.uaddr = uaddr;
65451 restart->futex.val = val;
65452 restart->futex.time = abs_time->tv64;
65453 restart->futex.bitset = bitset;
65454 @@ -2233,6 +2241,8 @@ static int futex_wait_requeue_pi(u32 __u
65455 struct futex_q q;
65456 int res, ret;
65457
65458 + pax_track_stack();
65459 +
65460 if (!bitset)
65461 return -EINVAL;
65462
65463 @@ -2407,7 +2417,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
65464 {
65465 struct robust_list_head __user *head;
65466 unsigned long ret;
65467 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
65468 const struct cred *cred = current_cred(), *pcred;
65469 +#endif
65470
65471 if (!futex_cmpxchg_enabled)
65472 return -ENOSYS;
65473 @@ -2423,11 +2435,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
65474 if (!p)
65475 goto err_unlock;
65476 ret = -EPERM;
65477 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
65478 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
65479 + goto err_unlock;
65480 +#else
65481 pcred = __task_cred(p);
65482 if (cred->euid != pcred->euid &&
65483 cred->euid != pcred->uid &&
65484 !capable(CAP_SYS_PTRACE))
65485 goto err_unlock;
65486 +#endif
65487 head = p->robust_list;
65488 rcu_read_unlock();
65489 }
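Review bot: The stricter `ptrace_may_access(p, PTRACE_MODE_READ)` check is compiled in only under `CONFIG_GRKERNSEC_PROC_MEMMAP`, so a build without that option keeps the euid/uid comparison before `head = p->robust_list` is read and returned. Since that pointer discloses address-space layout of the target task, either the ptrace check could be made unconditional or the `#ifdef` deserves a one-line comment explaining why the check is tied to this option. The compat_sys_get_robust_list hunks in kernel/futex_compat.c carry the same pattern. The function body starts and ends outside this hunk.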
65490 @@ -2489,7 +2506,7 @@ retry:
65491 */
65492 static inline int fetch_robust_entry(struct robust_list __user **entry,
65493 struct robust_list __user * __user *head,
65494 - int *pi)
65495 + unsigned int *pi)
65496 {
65497 unsigned long uentry;
65498
65499 @@ -2670,6 +2687,7 @@ static int __init futex_init(void)
65500 {
65501 u32 curval;
65502 int i;
65503 + mm_segment_t oldfs;
65504
65505 /*
65506 * This will fail and we want it. Some arch implementations do
65507 @@ -2681,7 +2699,10 @@ static int __init futex_init(void)
65508 * implementation, the non functional ones will return
65509 * -ENOSYS.
65510 */
65511 + oldfs = get_fs();
65512 + set_fs(USER_DS);
65513 curval = cmpxchg_futex_value_locked(NULL, 0, 0);
65514 + set_fs(oldfs);
65515 if (curval == -EFAULT)
65516 futex_cmpxchg_enabled = 1;
65517
65518 diff -urNp linux-2.6.32.46/kernel/futex_compat.c linux-2.6.32.46/kernel/futex_compat.c
65519 --- linux-2.6.32.46/kernel/futex_compat.c 2011-03-27 14:31:47.000000000 -0400
65520 +++ linux-2.6.32.46/kernel/futex_compat.c 2011-04-17 15:56:46.000000000 -0400
65521 @@ -10,6 +10,7 @@
65522 #include <linux/compat.h>
65523 #include <linux/nsproxy.h>
65524 #include <linux/futex.h>
65525 +#include <linux/ptrace.h>
65526
65527 #include <asm/uaccess.h>
65528
65529 @@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
65530 {
65531 struct compat_robust_list_head __user *head;
65532 unsigned long ret;
65533 - const struct cred *cred = current_cred(), *pcred;
65534 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
65535 + const struct cred *cred = current_cred();
65536 + const struct cred *pcred;
65537 +#endif
65538
65539 if (!futex_cmpxchg_enabled)
65540 return -ENOSYS;
65541 @@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
65542 if (!p)
65543 goto err_unlock;
65544 ret = -EPERM;
65545 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
65546 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
65547 + goto err_unlock;
65548 +#else
65549 pcred = __task_cred(p);
65550 if (cred->euid != pcred->euid &&
65551 cred->euid != pcred->uid &&
65552 !capable(CAP_SYS_PTRACE))
65553 goto err_unlock;
65554 +#endif
65555 head = p->compat_robust_list;
65556 read_unlock(&tasklist_lock);
65557 }
65558 diff -urNp linux-2.6.32.46/kernel/gcov/base.c linux-2.6.32.46/kernel/gcov/base.c
65559 --- linux-2.6.32.46/kernel/gcov/base.c 2011-03-27 14:31:47.000000000 -0400
65560 +++ linux-2.6.32.46/kernel/gcov/base.c 2011-04-17 15:56:46.000000000 -0400
65561 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
65562 }
65563
65564 #ifdef CONFIG_MODULES
65565 -static inline int within(void *addr, void *start, unsigned long size)
65566 -{
65567 - return ((addr >= start) && (addr < start + size));
65568 -}
65569 -
65570 /* Update list and generate events when modules are unloaded. */
65571 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
65572 void *data)
65573 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
65574 prev = NULL;
65575 /* Remove entries located in module from linked list. */
65576 for (info = gcov_info_head; info; info = info->next) {
65577 - if (within(info, mod->module_core, mod->core_size)) {
65578 + if (within_module_core_rw((unsigned long)info, mod)) {
65579 if (prev)
65580 prev->next = info->next;
65581 else
65582 diff -urNp linux-2.6.32.46/kernel/hrtimer.c linux-2.6.32.46/kernel/hrtimer.c
65583 --- linux-2.6.32.46/kernel/hrtimer.c 2011-03-27 14:31:47.000000000 -0400
65584 +++ linux-2.6.32.46/kernel/hrtimer.c 2011-04-17 15:56:46.000000000 -0400
65585 @@ -1391,7 +1391,7 @@ void hrtimer_peek_ahead_timers(void)
65586 local_irq_restore(flags);
65587 }
65588
65589 -static void run_hrtimer_softirq(struct softirq_action *h)
65590 +static void run_hrtimer_softirq(void)
65591 {
65592 hrtimer_peek_ahead_timers();
65593 }
65594 diff -urNp linux-2.6.32.46/kernel/kallsyms.c linux-2.6.32.46/kernel/kallsyms.c
65595 --- linux-2.6.32.46/kernel/kallsyms.c 2011-03-27 14:31:47.000000000 -0400
65596 +++ linux-2.6.32.46/kernel/kallsyms.c 2011-04-17 15:56:46.000000000 -0400
65597 @@ -11,6 +11,9 @@
65598 * Changed the compression method from stem compression to "table lookup"
65599 * compression (see scripts/kallsyms.c for a more complete description)
65600 */
65601 +#ifdef CONFIG_GRKERNSEC_HIDESYM
65602 +#define __INCLUDED_BY_HIDESYM 1
65603 +#endif
65604 #include <linux/kallsyms.h>
65605 #include <linux/module.h>
65606 #include <linux/init.h>
65607 @@ -51,12 +54,33 @@ extern const unsigned long kallsyms_mark
65608
65609 static inline int is_kernel_inittext(unsigned long addr)
65610 {
65611 + if (system_state != SYSTEM_BOOTING)
65612 + return 0;
65613 +
65614 if (addr >= (unsigned long)_sinittext
65615 && addr <= (unsigned long)_einittext)
65616 return 1;
65617 return 0;
65618 }
65619
65620 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
65621 +#ifdef CONFIG_MODULES
65622 +static inline int is_module_text(unsigned long addr)
65623 +{
65624 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
65625 + return 1;
65626 +
65627 + addr = ktla_ktva(addr);
65628 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
65629 +}
65630 +#else
65631 +static inline int is_module_text(unsigned long addr)
65632 +{
65633 + return 0;
65634 +}
65635 +#endif
65636 +#endif
65637 +
65638 static inline int is_kernel_text(unsigned long addr)
65639 {
65640 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
65641 @@ -67,13 +91,28 @@ static inline int is_kernel_text(unsigne
65642
65643 static inline int is_kernel(unsigned long addr)
65644 {
65645 +
65646 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
65647 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
65648 + return 1;
65649 +
65650 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
65651 +#else
65652 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
65653 +#endif
65654 +
65655 return 1;
65656 return in_gate_area_no_task(addr);
65657 }
65658
65659 static int is_ksym_addr(unsigned long addr)
65660 {
65661 +
65662 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
65663 + if (is_module_text(addr))
65664 + return 0;
65665 +#endif
65666 +
65667 if (all_var)
65668 return is_kernel(addr);
65669
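Review bot: In `is_kernel()` the `if` condition is selected by `#if`/`#else` while its body, `return 1;`, sits after the `#endif` and a blank line, so the statement reads as unconditional at a glance. The two range tests also differ in their upper bound (`addr < (unsigned long)_end` in the KERNEXEC branch, `addr <= (unsigned long)_end` in the other) without explanation. I would put the complete `if (...) return 1;` inside each preprocessor branch and add a comment saying why the KERNEXEC variant uses an exclusive bound. `is_ksym_addr()` continues outside the hunk.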
65670 @@ -413,7 +452,6 @@ static unsigned long get_ksymbol_core(st
65671
65672 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
65673 {
65674 - iter->name[0] = '\0';
65675 iter->nameoff = get_symbol_offset(new_pos);
65676 iter->pos = new_pos;
65677 }
65678 @@ -461,6 +499,11 @@ static int s_show(struct seq_file *m, vo
65679 {
65680 struct kallsym_iter *iter = m->private;
65681
65682 +#ifdef CONFIG_GRKERNSEC_HIDESYM
65683 + if (current_uid())
65684 + return 0;
65685 +#endif
65686 +
65687 /* Some debugging symbols have no name. Ignore them. */
65688 if (!iter->name[0])
65689 return 0;
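Review bot: The HIDESYM check in `s_show()` is evaluated on every read against `current_uid()`, that is the task calling read() and not the task that opened the file, so the outcome depends on who ends up holding the descriptor. Deciding once in `kallsyms_open()` (the next hunk, whose body is only partly visible) and returning an error there would tie the decision to the opener and avoid handing out an apparently valid but empty file. If the silent empty output is intentional, a comment such as `/* HIDESYM: non-root readers get an empty file rather than -EPERM */` would record that.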
65690 @@ -501,7 +544,7 @@ static int kallsyms_open(struct inode *i
65691 struct kallsym_iter *iter;
65692 int ret;
65693
65694 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
65695 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
65696 if (!iter)
65697 return -ENOMEM;
65698 reset_iter(iter, 0);
65699 diff -urNp linux-2.6.32.46/kernel/kgdb.c linux-2.6.32.46/kernel/kgdb.c
65700 --- linux-2.6.32.46/kernel/kgdb.c 2011-04-17 17:00:52.000000000 -0400
65701 +++ linux-2.6.32.46/kernel/kgdb.c 2011-05-04 17:56:20.000000000 -0400
65702 @@ -86,7 +86,7 @@ static int kgdb_io_module_registered;
65703 /* Guard for recursive entry */
65704 static int exception_level;
65705
65706 -static struct kgdb_io *kgdb_io_ops;
65707 +static const struct kgdb_io *kgdb_io_ops;
65708 static DEFINE_SPINLOCK(kgdb_registration_lock);
65709
65710 /* kgdb console driver is loaded */
65711 @@ -123,7 +123,7 @@ atomic_t kgdb_active = ATOMIC_INIT(-1)
65712 */
65713 static atomic_t passive_cpu_wait[NR_CPUS];
65714 static atomic_t cpu_in_kgdb[NR_CPUS];
65715 -atomic_t kgdb_setting_breakpoint;
65716 +atomic_unchecked_t kgdb_setting_breakpoint;
65717
65718 struct task_struct *kgdb_usethread;
65719 struct task_struct *kgdb_contthread;
65720 @@ -140,7 +140,7 @@ static unsigned long gdb_regs[(NUMREGBY
65721 sizeof(unsigned long)];
65722
65723 /* to keep track of the CPU which is doing the single stepping*/
65724 -atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
65725 +atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
65726
65727 /*
65728 * If you are debugging a problem where roundup (the collection of
65729 @@ -815,7 +815,7 @@ static int kgdb_io_ready(int print_wait)
65730 return 0;
65731 if (kgdb_connected)
65732 return 1;
65733 - if (atomic_read(&kgdb_setting_breakpoint))
65734 + if (atomic_read_unchecked(&kgdb_setting_breakpoint))
65735 return 1;
65736 if (print_wait)
65737 printk(KERN_CRIT "KGDB: Waiting for remote debugger\n");
65738 @@ -1426,8 +1426,8 @@ acquirelock:
65739 * instance of the exception handler wanted to come into the
65740 * debugger on a different CPU via a single step
65741 */
65742 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
65743 - atomic_read(&kgdb_cpu_doing_single_step) != cpu) {
65744 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
65745 + atomic_read_unchecked(&kgdb_cpu_doing_single_step) != cpu) {
65746
65747 atomic_set(&kgdb_active, -1);
65748 touch_softlockup_watchdog();
65749 @@ -1634,7 +1634,7 @@ static void kgdb_initial_breakpoint(void
65750 *
65751 * Register it with the KGDB core.
65752 */
65753 -int kgdb_register_io_module(struct kgdb_io *new_kgdb_io_ops)
65754 +int kgdb_register_io_module(const struct kgdb_io *new_kgdb_io_ops)
65755 {
65756 int err;
65757
65758 @@ -1679,7 +1679,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
65759 *
65760 * Unregister it with the KGDB core.
65761 */
65762 -void kgdb_unregister_io_module(struct kgdb_io *old_kgdb_io_ops)
65763 +void kgdb_unregister_io_module(const struct kgdb_io *old_kgdb_io_ops)
65764 {
65765 BUG_ON(kgdb_connected);
65766
65767 @@ -1712,11 +1712,11 @@ EXPORT_SYMBOL_GPL(kgdb_unregister_io_mod
65768 */
65769 void kgdb_breakpoint(void)
65770 {
65771 - atomic_set(&kgdb_setting_breakpoint, 1);
65772 + atomic_set_unchecked(&kgdb_setting_breakpoint, 1);
65773 wmb(); /* Sync point before breakpoint */
65774 arch_kgdb_breakpoint();
65775 wmb(); /* Sync point after breakpoint */
65776 - atomic_set(&kgdb_setting_breakpoint, 0);
65777 + atomic_set_unchecked(&kgdb_setting_breakpoint, 0);
65778 }
65779 EXPORT_SYMBOL_GPL(kgdb_breakpoint);
65780
65781 diff -urNp linux-2.6.32.46/kernel/kmod.c linux-2.6.32.46/kernel/kmod.c
65782 --- linux-2.6.32.46/kernel/kmod.c 2011-03-27 14:31:47.000000000 -0400
65783 +++ linux-2.6.32.46/kernel/kmod.c 2011-04-17 15:56:46.000000000 -0400
65784 @@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
65785 * If module auto-loading support is disabled then this function
65786 * becomes a no-operation.
65787 */
65788 -int __request_module(bool wait, const char *fmt, ...)
65789 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
65790 {
65791 - va_list args;
65792 char module_name[MODULE_NAME_LEN];
65793 unsigned int max_modprobes;
65794 int ret;
65795 - char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
65796 + char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
65797 static char *envp[] = { "HOME=/",
65798 "TERM=linux",
65799 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
65800 @@ -84,12 +83,24 @@ int __request_module(bool wait, const ch
65801 if (ret)
65802 return ret;
65803
65804 - va_start(args, fmt);
65805 - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
65806 - va_end(args);
65807 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
65808 if (ret >= MODULE_NAME_LEN)
65809 return -ENAMETOOLONG;
65810
65811 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
65812 + if (!current_uid()) {
65813 + /* hack to workaround consolekit/udisks stupidity */
65814 + read_lock(&tasklist_lock);
65815 + if (!strcmp(current->comm, "mount") &&
65816 + current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
65817 + read_unlock(&tasklist_lock);
65818 + printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
65819 + return -EPERM;
65820 + }
65821 + read_unlock(&tasklist_lock);
65822 + }
65823 +#endif
65824 +
65825 /* If modprobe needs a service that is in a module, we get a recursive
65826 * loop. Limit the number of running kmod threads to max_threads/2 or
65827 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
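Review bot: The MODHARDEN exception identifies the caller by `current->comm` and the parent's `comm`, which are names a task can set for itself, so this test is a compatibility heuristic and not something the rest of the policy should rely on. The existing comment only calls it a hack; I would extend it to say so, e.g. `/* comm is task-controlled: heuristic for udisks only, not an access check */`. The length in `strncmp(current->real_parent->comm, "udisk", 5)` could be `sizeof("udisk") - 1` so it cannot drift from the literal. ____request_module continues outside the hunk.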
65828 @@ -121,6 +132,48 @@ int __request_module(bool wait, const ch
65829 atomic_dec(&kmod_concurrent);
65830 return ret;
65831 }
65832 +
65833 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
65834 +{
65835 + va_list args;
65836 + int ret;
65837 +
65838 + va_start(args, fmt);
65839 + ret = ____request_module(wait, module_param, fmt, args);
65840 + va_end(args);
65841 +
65842 + return ret;
65843 +}
65844 +
65845 +int __request_module(bool wait, const char *fmt, ...)
65846 +{
65847 + va_list args;
65848 + int ret;
65849 +
65850 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
65851 + if (current_uid()) {
65852 + char module_param[MODULE_NAME_LEN];
65853 +
65854 + memset(module_param, 0, sizeof(module_param));
65855 +
65856 + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
65857 +
65858 + va_start(args, fmt);
65859 + ret = ____request_module(wait, module_param, fmt, args);
65860 + va_end(args);
65861 +
65862 + return ret;
65863 + }
65864 +#endif
65865 +
65866 + va_start(args, fmt);
65867 + ret = ____request_module(wait, NULL, fmt, args);
65868 + va_end(args);
65869 +
65870 + return ret;
65871 +}
65872 +
65873 +
65874 EXPORT_SYMBOL(__request_module);
65875 #endif /* CONFIG_MODULES */
65876
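Review bot: The three entry points now differ only in the number of leading underscores (`__request_module`, `___request_module`, `____request_module`), which is easy to misread at call sites, and the kernel-doc block that described `__request_module` in the first hunk of this file now sits above the static helper instead. I would give the helper and the parameterised variant descriptive names and move the kernel-doc to the exported function, adding a line on what `module_param` carries. `___request_module` is non-static but only `__request_module` is exported in this hunk; if modules are meant to call it, it needs its own `EXPORT_SYMBOL`. In the MODHARDEN branch the `memset` together with `sizeof(module_param) - 1` is redundant, because `snprintf` always NUL-terminates within the size it is given.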
65877 diff -urNp linux-2.6.32.46/kernel/kprobes.c linux-2.6.32.46/kernel/kprobes.c
65878 --- linux-2.6.32.46/kernel/kprobes.c 2011-03-27 14:31:47.000000000 -0400
65879 +++ linux-2.6.32.46/kernel/kprobes.c 2011-04-17 15:56:46.000000000 -0400
65880 @@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
65881 * kernel image and loaded module images reside. This is required
65882 * so x86_64 can correctly handle the %rip-relative fixups.
65883 */
65884 - kip->insns = module_alloc(PAGE_SIZE);
65885 + kip->insns = module_alloc_exec(PAGE_SIZE);
65886 if (!kip->insns) {
65887 kfree(kip);
65888 return NULL;
65889 @@ -220,7 +220,7 @@ static int __kprobes collect_one_slot(st
65890 */
65891 if (!list_is_singular(&kprobe_insn_pages)) {
65892 list_del(&kip->list);
65893 - module_free(NULL, kip->insns);
65894 + module_free_exec(NULL, kip->insns);
65895 kfree(kip);
65896 }
65897 return 1;
65898 @@ -1189,7 +1189,7 @@ static int __init init_kprobes(void)
65899 {
65900 int i, err = 0;
65901 unsigned long offset = 0, size = 0;
65902 - char *modname, namebuf[128];
65903 + char *modname, namebuf[KSYM_NAME_LEN];
65904 const char *symbol_name;
65905 void *addr;
65906 struct kprobe_blackpoint *kb;
65907 @@ -1304,7 +1304,7 @@ static int __kprobes show_kprobe_addr(st
65908 const char *sym = NULL;
65909 unsigned int i = *(loff_t *) v;
65910 unsigned long offset = 0;
65911 - char *modname, namebuf[128];
65912 + char *modname, namebuf[KSYM_NAME_LEN];
65913
65914 head = &kprobe_table[i];
65915 preempt_disable();
65916 diff -urNp linux-2.6.32.46/kernel/lockdep.c linux-2.6.32.46/kernel/lockdep.c
65917 --- linux-2.6.32.46/kernel/lockdep.c 2011-06-25 12:55:35.000000000 -0400
65918 +++ linux-2.6.32.46/kernel/lockdep.c 2011-06-25 12:56:37.000000000 -0400
65919 @@ -421,20 +421,20 @@ static struct stack_trace lockdep_init_t
65920 /*
65921 * Various lockdep statistics:
65922 */
65923 -atomic_t chain_lookup_hits;
65924 -atomic_t chain_lookup_misses;
65925 -atomic_t hardirqs_on_events;
65926 -atomic_t hardirqs_off_events;
65927 -atomic_t redundant_hardirqs_on;
65928 -atomic_t redundant_hardirqs_off;
65929 -atomic_t softirqs_on_events;
65930 -atomic_t softirqs_off_events;
65931 -atomic_t redundant_softirqs_on;
65932 -atomic_t redundant_softirqs_off;
65933 -atomic_t nr_unused_locks;
65934 -atomic_t nr_cyclic_checks;
65935 -atomic_t nr_find_usage_forwards_checks;
65936 -atomic_t nr_find_usage_backwards_checks;
65937 +atomic_unchecked_t chain_lookup_hits;
65938 +atomic_unchecked_t chain_lookup_misses;
65939 +atomic_unchecked_t hardirqs_on_events;
65940 +atomic_unchecked_t hardirqs_off_events;
65941 +atomic_unchecked_t redundant_hardirqs_on;
65942 +atomic_unchecked_t redundant_hardirqs_off;
65943 +atomic_unchecked_t softirqs_on_events;
65944 +atomic_unchecked_t softirqs_off_events;
65945 +atomic_unchecked_t redundant_softirqs_on;
65946 +atomic_unchecked_t redundant_softirqs_off;
65947 +atomic_unchecked_t nr_unused_locks;
65948 +atomic_unchecked_t nr_cyclic_checks;
65949 +atomic_unchecked_t nr_find_usage_forwards_checks;
65950 +atomic_unchecked_t nr_find_usage_backwards_checks;
65951 #endif
65952
65953 /*
65954 @@ -577,6 +577,10 @@ static int static_obj(void *obj)
65955 int i;
65956 #endif
65957
65958 +#ifdef CONFIG_PAX_KERNEXEC
65959 + start = ktla_ktva(start);
65960 +#endif
65961 +
65962 /*
65963 * static variable?
65964 */
65965 @@ -592,8 +596,7 @@ static int static_obj(void *obj)
65966 */
65967 for_each_possible_cpu(i) {
65968 start = (unsigned long) &__per_cpu_start + per_cpu_offset(i);
65969 - end = (unsigned long) &__per_cpu_start + PERCPU_ENOUGH_ROOM
65970 - + per_cpu_offset(i);
65971 + end = start + PERCPU_ENOUGH_ROOM;
65972
65973 if ((addr >= start) && (addr < end))
65974 return 1;
65975 @@ -710,6 +713,7 @@ register_lock_class(struct lockdep_map *
65976 if (!static_obj(lock->key)) {
65977 debug_locks_off();
65978 printk("INFO: trying to register non-static key.\n");
65979 + printk("lock:%pS key:%pS.\n", lock, lock->key);
65980 printk("the code is fine but needs lockdep annotation.\n");
65981 printk("turning off the locking correctness validator.\n");
65982 dump_stack();
65983 @@ -2751,7 +2755,7 @@ static int __lock_acquire(struct lockdep
65984 if (!class)
65985 return 0;
65986 }
65987 - debug_atomic_inc((atomic_t *)&class->ops);
65988 + debug_atomic_inc((atomic_unchecked_t *)&class->ops);
65989 if (very_verbose(class)) {
65990 printk("\nacquire class [%p] %s", class->key, class->name);
65991 if (class->name_version > 1)
65992 diff -urNp linux-2.6.32.46/kernel/lockdep_internals.h linux-2.6.32.46/kernel/lockdep_internals.h
65993 --- linux-2.6.32.46/kernel/lockdep_internals.h 2011-03-27 14:31:47.000000000 -0400
65994 +++ linux-2.6.32.46/kernel/lockdep_internals.h 2011-04-17 15:56:46.000000000 -0400
65995 @@ -113,26 +113,26 @@ lockdep_count_backward_deps(struct lock_
65996 /*
65997 * Various lockdep statistics:
65998 */
65999 -extern atomic_t chain_lookup_hits;
66000 -extern atomic_t chain_lookup_misses;
66001 -extern atomic_t hardirqs_on_events;
66002 -extern atomic_t hardirqs_off_events;
66003 -extern atomic_t redundant_hardirqs_on;
66004 -extern atomic_t redundant_hardirqs_off;
66005 -extern atomic_t softirqs_on_events;
66006 -extern atomic_t softirqs_off_events;
66007 -extern atomic_t redundant_softirqs_on;
66008 -extern atomic_t redundant_softirqs_off;
66009 -extern atomic_t nr_unused_locks;
66010 -extern atomic_t nr_cyclic_checks;
66011 -extern atomic_t nr_cyclic_check_recursions;
66012 -extern atomic_t nr_find_usage_forwards_checks;
66013 -extern atomic_t nr_find_usage_forwards_recursions;
66014 -extern atomic_t nr_find_usage_backwards_checks;
66015 -extern atomic_t nr_find_usage_backwards_recursions;
66016 -# define debug_atomic_inc(ptr) atomic_inc(ptr)
66017 -# define debug_atomic_dec(ptr) atomic_dec(ptr)
66018 -# define debug_atomic_read(ptr) atomic_read(ptr)
66019 +extern atomic_unchecked_t chain_lookup_hits;
66020 +extern atomic_unchecked_t chain_lookup_misses;
66021 +extern atomic_unchecked_t hardirqs_on_events;
66022 +extern atomic_unchecked_t hardirqs_off_events;
66023 +extern atomic_unchecked_t redundant_hardirqs_on;
66024 +extern atomic_unchecked_t redundant_hardirqs_off;
66025 +extern atomic_unchecked_t softirqs_on_events;
66026 +extern atomic_unchecked_t softirqs_off_events;
66027 +extern atomic_unchecked_t redundant_softirqs_on;
66028 +extern atomic_unchecked_t redundant_softirqs_off;
66029 +extern atomic_unchecked_t nr_unused_locks;
66030 +extern atomic_unchecked_t nr_cyclic_checks;
66031 +extern atomic_unchecked_t nr_cyclic_check_recursions;
66032 +extern atomic_unchecked_t nr_find_usage_forwards_checks;
66033 +extern atomic_unchecked_t nr_find_usage_forwards_recursions;
66034 +extern atomic_unchecked_t nr_find_usage_backwards_checks;
66035 +extern atomic_unchecked_t nr_find_usage_backwards_recursions;
66036 +# define debug_atomic_inc(ptr) atomic_inc_unchecked(ptr)
66037 +# define debug_atomic_dec(ptr) atomic_dec_unchecked(ptr)
66038 +# define debug_atomic_read(ptr) atomic_read_unchecked(ptr)
66039 #else
66040 # define debug_atomic_inc(ptr) do { } while (0)
66041 # define debug_atomic_dec(ptr) do { } while (0)
66042 diff -urNp linux-2.6.32.46/kernel/lockdep_proc.c linux-2.6.32.46/kernel/lockdep_proc.c
66043 --- linux-2.6.32.46/kernel/lockdep_proc.c 2011-03-27 14:31:47.000000000 -0400
66044 +++ linux-2.6.32.46/kernel/lockdep_proc.c 2011-04-17 15:56:46.000000000 -0400
66045 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
66046
66047 static void print_name(struct seq_file *m, struct lock_class *class)
66048 {
66049 - char str[128];
66050 + char str[KSYM_NAME_LEN];
66051 const char *name = class->name;
66052
66053 if (!name) {
66054 diff -urNp linux-2.6.32.46/kernel/module.c linux-2.6.32.46/kernel/module.c
66055 --- linux-2.6.32.46/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
66056 +++ linux-2.6.32.46/kernel/module.c 2011-04-29 18:52:40.000000000 -0400
66057 @@ -55,6 +55,7 @@
66058 #include <linux/async.h>
66059 #include <linux/percpu.h>
66060 #include <linux/kmemleak.h>
66061 +#include <linux/grsecurity.h>
66062
66063 #define CREATE_TRACE_POINTS
66064 #include <trace/events/module.h>
66065 @@ -89,7 +90,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq
66066 static BLOCKING_NOTIFIER_HEAD(module_notify_list);
66067
66068 /* Bounds of module allocation, for speeding __module_address */
66069 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
66070 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
66071 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
66072
66073 int register_module_notifier(struct notifier_block * nb)
66074 {
66075 @@ -245,7 +247,7 @@ bool each_symbol(bool (*fn)(const struct
66076 return true;
66077
66078 list_for_each_entry_rcu(mod, &modules, list) {
66079 - struct symsearch arr[] = {
66080 + struct symsearch modarr[] = {
66081 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
66082 NOT_GPL_ONLY, false },
66083 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
66084 @@ -267,7 +269,7 @@ bool each_symbol(bool (*fn)(const struct
66085 #endif
66086 };
66087
66088 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
66089 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
66090 return true;
66091 }
66092 return false;
66093 @@ -442,7 +444,7 @@ static void *percpu_modalloc(unsigned lo
66094 void *ptr;
66095 int cpu;
66096
66097 - if (align > PAGE_SIZE) {
66098 + if (align-1 >= PAGE_SIZE) {
66099 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
66100 name, align, PAGE_SIZE);
66101 align = PAGE_SIZE;
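Review bot: The new test `align-1 >= PAGE_SIZE` also catches `align == 0`, assuming `align` is unsigned as the truncated signature suggests, but the warning below it then prints "per-cpu alignment 0 > PAGE_SIZE", which is misleading for that case. A short comment such as `/* align - 1 wraps for 0, so a zero alignment is clamped to PAGE_SIZE as well */` would make the idiom explicit. The message could say "invalid" rather than ">" so that it covers both cases. The body of `percpu_modalloc` continues outside the hunk.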
66102 @@ -1158,7 +1160,7 @@ static const struct kernel_symbol *resol
66103 * /sys/module/foo/sections stuff
66104 * J. Corbet <corbet@lwn.net>
66105 */
66106 -#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS)
66107 +#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
66108
66109 static inline bool sect_empty(const Elf_Shdr *sect)
66110 {
66111 @@ -1545,7 +1547,8 @@ static void free_module(struct module *m
66112 destroy_params(mod->kp, mod->num_kp);
66113
66114 /* This may be NULL, but that's OK */
66115 - module_free(mod, mod->module_init);
66116 + module_free(mod, mod->module_init_rw);
66117 + module_free_exec(mod, mod->module_init_rx);
66118 kfree(mod->args);
66119 if (mod->percpu)
66120 percpu_modfree(mod->percpu);
66121 @@ -1554,10 +1557,12 @@ static void free_module(struct module *m
66122 percpu_modfree(mod->refptr);
66123 #endif
66124 /* Free lock-classes: */
66125 - lockdep_free_key_range(mod->module_core, mod->core_size);
66126 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
66127 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
66128
66129 /* Finally, free the core (containing the module structure) */
66130 - module_free(mod, mod->module_core);
66131 + module_free_exec(mod, mod->module_core_rx);
66132 + module_free(mod, mod->module_core_rw);
66133
66134 #ifdef CONFIG_MPU
66135 update_protections(current->mm);
66136 @@ -1628,8 +1633,32 @@ static int simplify_symbols(Elf_Shdr *se
66137 unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
66138 int ret = 0;
66139 const struct kernel_symbol *ksym;
66140 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
66141 + int is_fs_load = 0;
66142 + int register_filesystem_found = 0;
66143 + char *p;
66144 +
66145 + p = strstr(mod->args, "grsec_modharden_fs");
66146 +
66147 + if (p) {
66148 + char *endptr = p + strlen("grsec_modharden_fs");
66149 + /* copy \0 as well */
66150 + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
66151 + is_fs_load = 1;
66152 + }
66153 +#endif
66154 +
66155
66156 for (i = 1; i < n; i++) {
66157 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
66158 + const char *name = strtab + sym[i].st_name;
66159 +
66160 + /* it's a real shame this will never get ripped and copied
66161 + upstream! ;(
66162 + */
66163 + if (is_fs_load && !strcmp(name, "register_filesystem"))
66164 + register_filesystem_found = 1;
66165 +#endif
66166 switch (sym[i].st_shndx) {
66167 case SHN_COMMON:
66168 /* We compiled with -fno-common. These are not
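Review bot: The `register_filesystem` name comparison runs for every symbol-table entry before the `switch`, so an entry that the module defines itself under that name sets `register_filesystem_found` just as an import does. Moving the comparison into the branch that resolves undefined symbols (the `ksym` lookup in the next hunk) would tie the check to an actual import of the kernel symbol. The comment above the comparison says nothing about what the check is for; something like `/* a module auto-loaded via mount must import register_filesystem */` would serve the next reader better. The denial itself sits after the loop in the third hunk of this function, and `strstr(mod->args, ...)` relies on `mod->args` already being set, which the `load_module` hunk below arranges.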
66169 @@ -1651,7 +1680,9 @@ static int simplify_symbols(Elf_Shdr *se
66170 strtab + sym[i].st_name, mod);
66171 /* Ok if resolved. */
66172 if (ksym) {
66173 + pax_open_kernel();
66174 sym[i].st_value = ksym->value;
66175 + pax_close_kernel();
66176 break;
66177 }
66178
66179 @@ -1670,11 +1701,20 @@ static int simplify_symbols(Elf_Shdr *se
66180 secbase = (unsigned long)mod->percpu;
66181 else
66182 secbase = sechdrs[sym[i].st_shndx].sh_addr;
66183 + pax_open_kernel();
66184 sym[i].st_value += secbase;
66185 + pax_close_kernel();
66186 break;
66187 }
66188 }
66189
66190 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
66191 + if (is_fs_load && !register_filesystem_found) {
66192 + printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
66193 + ret = -EPERM;
66194 + }
66195 +#endif
66196 +
66197 return ret;
66198 }
66199
66200 @@ -1731,11 +1771,12 @@ static void layout_sections(struct modul
66201 || s->sh_entsize != ~0UL
66202 || strstarts(secstrings + s->sh_name, ".init"))
66203 continue;
66204 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
66205 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
66206 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
66207 + else
66208 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
66209 DEBUGP("\t%s\n", secstrings + s->sh_name);
66210 }
66211 - if (m == 0)
66212 - mod->core_text_size = mod->core_size;
66213 }
66214
66215 DEBUGP("Init section allocation order:\n");
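Review bot: The placement rule `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` is written out here, again in the init loop of the next hunk, and twice more in the copy loop of `load_module`; layout and copy must agree or a section is copied into the wrong region. A single helper, for example `static inline bool sect_is_rw(const Elf_Shdr *s)` returning that expression, would keep the four sites in step. In the `load_module` copy loop the `!SHF_ALLOC` half can never be true, because sections without SHF_ALLOC are skipped by the `continue` just above it. The body of `layout_sections` starts outside this hunk.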
66216 @@ -1748,12 +1789,13 @@ static void layout_sections(struct modul
66217 || s->sh_entsize != ~0UL
66218 || !strstarts(secstrings + s->sh_name, ".init"))
66219 continue;
66220 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
66221 - | INIT_OFFSET_MASK);
66222 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
66223 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
66224 + else
66225 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
66226 + s->sh_entsize |= INIT_OFFSET_MASK;
66227 DEBUGP("\t%s\n", secstrings + s->sh_name);
66228 }
66229 - if (m == 0)
66230 - mod->init_text_size = mod->init_size;
66231 }
66232 }
66233
66234 @@ -1857,9 +1899,8 @@ static int is_exported(const char *name,
66235
66236 /* As per nm */
66237 static char elf_type(const Elf_Sym *sym,
66238 - Elf_Shdr *sechdrs,
66239 - const char *secstrings,
66240 - struct module *mod)
66241 + const Elf_Shdr *sechdrs,
66242 + const char *secstrings)
66243 {
66244 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
66245 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
66246 @@ -1934,7 +1975,7 @@ static unsigned long layout_symtab(struc
66247
66248 /* Put symbol section at end of init part of module. */
66249 symsect->sh_flags |= SHF_ALLOC;
66250 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
66251 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
66252 symindex) | INIT_OFFSET_MASK;
66253 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
66254
66255 @@ -1951,19 +1992,19 @@ static unsigned long layout_symtab(struc
66256 }
66257
66258 /* Append room for core symbols at end of core part. */
66259 - symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
66260 - mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
66261 + symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
66262 + mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
66263
66264 /* Put string table section at end of init part of module. */
66265 strsect->sh_flags |= SHF_ALLOC;
66266 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
66267 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
66268 strindex) | INIT_OFFSET_MASK;
66269 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
66270
66271 /* Append room for core symbols' strings at end of core part. */
66272 - *pstroffs = mod->core_size;
66273 + *pstroffs = mod->core_size_rx;
66274 __set_bit(0, strmap);
66275 - mod->core_size += bitmap_weight(strmap, strsect->sh_size);
66276 + mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
66277
66278 return symoffs;
66279 }
66280 @@ -1987,12 +2028,14 @@ static void add_kallsyms(struct module *
66281 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
66282 mod->strtab = (void *)sechdrs[strindex].sh_addr;
66283
66284 + pax_open_kernel();
66285 +
66286 /* Set types up while we still have access to sections. */
66287 for (i = 0; i < mod->num_symtab; i++)
66288 mod->symtab[i].st_info
66289 - = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
66290 + = elf_type(&mod->symtab[i], sechdrs, secstrings);
66291
66292 - mod->core_symtab = dst = mod->module_core + symoffs;
66293 + mod->core_symtab = dst = mod->module_core_rx + symoffs;
66294 src = mod->symtab;
66295 *dst = *src;
66296 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
66297 @@ -2004,10 +2047,12 @@ static void add_kallsyms(struct module *
66298 }
66299 mod->core_num_syms = ndst;
66300
66301 - mod->core_strtab = s = mod->module_core + stroffs;
66302 + mod->core_strtab = s = mod->module_core_rx + stroffs;
66303 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
66304 if (test_bit(i, strmap))
66305 *++s = mod->strtab[i];
66306 +
66307 + pax_close_kernel();
66308 }
66309 #else
66310 static inline unsigned long layout_symtab(struct module *mod,
66311 @@ -2044,16 +2089,30 @@ static void dynamic_debug_setup(struct _
66312 #endif
66313 }
66314
66315 -static void *module_alloc_update_bounds(unsigned long size)
66316 +static void *module_alloc_update_bounds_rw(unsigned long size)
66317 {
66318 void *ret = module_alloc(size);
66319
66320 if (ret) {
66321 /* Update module bounds. */
66322 - if ((unsigned long)ret < module_addr_min)
66323 - module_addr_min = (unsigned long)ret;
66324 - if ((unsigned long)ret + size > module_addr_max)
66325 - module_addr_max = (unsigned long)ret + size;
66326 + if ((unsigned long)ret < module_addr_min_rw)
66327 + module_addr_min_rw = (unsigned long)ret;
66328 + if ((unsigned long)ret + size > module_addr_max_rw)
66329 + module_addr_max_rw = (unsigned long)ret + size;
66330 + }
66331 + return ret;
66332 +}
66333 +
66334 +static void *module_alloc_update_bounds_rx(unsigned long size)
66335 +{
66336 + void *ret = module_alloc_exec(size);
66337 +
66338 + if (ret) {
66339 + /* Update module bounds. */
66340 + if ((unsigned long)ret < module_addr_min_rx)
66341 + module_addr_min_rx = (unsigned long)ret;
66342 + if ((unsigned long)ret + size > module_addr_max_rx)
66343 + module_addr_max_rx = (unsigned long)ret + size;
66344 }
66345 return ret;
66346 }
66347 @@ -2065,8 +2124,8 @@ static void kmemleak_load_module(struct
66348 unsigned int i;
66349
66350 /* only scan the sections containing data */
66351 - kmemleak_scan_area(mod->module_core, (unsigned long)mod -
66352 - (unsigned long)mod->module_core,
66353 + kmemleak_scan_area(mod->module_core_rw, (unsigned long)mod -
66354 + (unsigned long)mod->module_core_rw,
66355 sizeof(struct module), GFP_KERNEL);
66356
66357 for (i = 1; i < hdr->e_shnum; i++) {
66358 @@ -2076,8 +2135,8 @@ static void kmemleak_load_module(struct
66359 && strncmp(secstrings + sechdrs[i].sh_name, ".bss", 4) != 0)
66360 continue;
66361
66362 - kmemleak_scan_area(mod->module_core, sechdrs[i].sh_addr -
66363 - (unsigned long)mod->module_core,
66364 + kmemleak_scan_area(mod->module_core_rw, sechdrs[i].sh_addr -
66365 + (unsigned long)mod->module_core_rw,
66366 sechdrs[i].sh_size, GFP_KERNEL);
66367 }
66368 }
66369 @@ -2263,7 +2322,7 @@ static noinline struct module *load_modu
66370 secstrings, &stroffs, strmap);
66371
66372 /* Do the allocs. */
66373 - ptr = module_alloc_update_bounds(mod->core_size);
66374 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
66375 /*
66376 * The pointer to this block is stored in the module structure
66377 * which is inside the block. Just mark it as not being a
66378 @@ -2274,23 +2333,47 @@ static noinline struct module *load_modu
66379 err = -ENOMEM;
66380 goto free_percpu;
66381 }
66382 - memset(ptr, 0, mod->core_size);
66383 - mod->module_core = ptr;
66384 + memset(ptr, 0, mod->core_size_rw);
66385 + mod->module_core_rw = ptr;
66386
66387 - ptr = module_alloc_update_bounds(mod->init_size);
66388 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
66389 /*
66390 * The pointer to this block is stored in the module structure
66391 * which is inside the block. This block doesn't need to be
66392 * scanned as it contains data and code that will be freed
66393 * after the module is initialized.
66394 */
66395 - kmemleak_ignore(ptr);
66396 - if (!ptr && mod->init_size) {
66397 + kmemleak_not_leak(ptr);
66398 + if (!ptr && mod->init_size_rw) {
66399 + err = -ENOMEM;
66400 + goto free_core_rw;
66401 + }
66402 + memset(ptr, 0, mod->init_size_rw);
66403 + mod->module_init_rw = ptr;
66404 +
66405 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
66406 + kmemleak_not_leak(ptr);
66407 + if (!ptr) {
66408 err = -ENOMEM;
66409 - goto free_core;
66410 + goto free_init_rw;
66411 }
66412 - memset(ptr, 0, mod->init_size);
66413 - mod->module_init = ptr;
66414 +
66415 + pax_open_kernel();
66416 + memset(ptr, 0, mod->core_size_rx);
66417 + pax_close_kernel();
66418 + mod->module_core_rx = ptr;
66419 +
66420 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
66421 + kmemleak_not_leak(ptr);
66422 + if (!ptr && mod->init_size_rx) {
66423 + err = -ENOMEM;
66424 + goto free_core_rx;
66425 + }
66426 +
66427 + pax_open_kernel();
66428 + memset(ptr, 0, mod->init_size_rx);
66429 + pax_close_kernel();
66430 + mod->module_init_rx = ptr;
66431
66432 /* Transfer each section which specifies SHF_ALLOC */
66433 DEBUGP("final section addresses:\n");
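Review bot: The core RX allocation is checked with a bare `if (!ptr)`, while both init allocations tolerate a zero size (`!ptr && mod->init_size_rw`, `!ptr && mod->init_size_rx`). If a module can end up with `core_size_rx == 0` and the allocator returns NULL for a zero size, the load fails with -ENOMEM although nothing went wrong; whether that can happen depends on layout code outside this hunk. Either write `if (!ptr && mod->core_size_rx)` or add a comment stating why the RX core size is never zero. The two RX allocations also lack a comment explaining the `kmemleak_not_leak(ptr)` calls, unlike the RW ones above them.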
66434 @@ -2300,17 +2383,45 @@ static noinline struct module *load_modu
66435 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
66436 continue;
66437
66438 - if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
66439 - dest = mod->module_init
66440 - + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
66441 - else
66442 - dest = mod->module_core + sechdrs[i].sh_entsize;
66443 + if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
66444 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
66445 + dest = mod->module_init_rw
66446 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
66447 + else
66448 + dest = mod->module_init_rx
66449 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
66450 + } else {
66451 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
66452 + dest = mod->module_core_rw + sechdrs[i].sh_entsize;
66453 + else
66454 + dest = mod->module_core_rx + sechdrs[i].sh_entsize;
66455 + }
66456 +
66457 + if (sechdrs[i].sh_type != SHT_NOBITS) {
66458
66459 - if (sechdrs[i].sh_type != SHT_NOBITS)
66460 - memcpy(dest, (void *)sechdrs[i].sh_addr,
66461 - sechdrs[i].sh_size);
66462 +#ifdef CONFIG_PAX_KERNEXEC
66463 +#ifdef CONFIG_X86_64
66464 + if ((sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_EXECINSTR))
66465 + set_memory_x((unsigned long)dest, (sechdrs[i].sh_size + PAGE_SIZE) >> PAGE_SHIFT);
66466 +#endif
66467 + if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
66468 + pax_open_kernel();
66469 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
66470 + pax_close_kernel();
66471 + } else
66472 +#endif
66473 +
66474 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
66475 + }
66476 /* Update sh_addr to point to copy in image. */
66477 - sechdrs[i].sh_addr = (unsigned long)dest;
66478 +
66479 +#ifdef CONFIG_PAX_KERNEXEC
66480 + if (sechdrs[i].sh_flags & SHF_EXECINSTR)
66481 + sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
66482 + else
66483 +#endif
66484 +
66485 + sechdrs[i].sh_addr = (unsigned long)dest;
66486 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
66487 }
66488 /* Module has been moved. */
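Review bot: On x86_64 a section flagged both SHF_WRITE and SHF_EXECINSTR is placed in the RW region and then made executable with `set_memory_x`, which leaves writable and executable memory inside the region that the rw/rx split is meant to keep non-executable. A log line naming the module and section (or a refusal) would make that visible to an administrator. The page count `(sechdrs[i].sh_size + PAGE_SIZE) >> PAGE_SHIFT` starts from `dest`, which is an offset into the region and not necessarily page-aligned, so the range may extend over neighbouring writable data; this should be confirmed against how `set_memory_x` treats unaligned addresses. The `} else` that straddles `#endif` in front of the plain `memcpy` is easy to break in a later edit; bracing both branches would be safer.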
66489 @@ -2322,7 +2433,7 @@ static noinline struct module *load_modu
66490 mod->name);
66491 if (!mod->refptr) {
66492 err = -ENOMEM;
66493 - goto free_init;
66494 + goto free_init_rx;
66495 }
66496 #endif
66497 /* Now we've moved module, initialize linked lists, etc. */
66498 @@ -2351,6 +2462,31 @@ static noinline struct module *load_modu
66499 /* Set up MODINFO_ATTR fields */
66500 setup_modinfo(mod, sechdrs, infoindex);
66501
66502 + mod->args = args;
66503 +
66504 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
66505 + {
66506 + char *p, *p2;
66507 +
66508 + if (strstr(mod->args, "grsec_modharden_netdev")) {
66509 + printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
66510 + err = -EPERM;
66511 + goto cleanup;
66512 + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
66513 + p += strlen("grsec_modharden_normal");
66514 + p2 = strstr(p, "_");
66515 + if (p2) {
66516 + *p2 = '\0';
66517 + printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
66518 + *p2 = '_';
66519 + }
66520 + err = -EPERM;
66521 + goto cleanup;
66522 + }
66523 + }
66524 +#endif
66525 +
66526 +
66527 /* Fix up syms, so that st_value is a pointer to location. */
66528 err = simplify_symbols(sechdrs, symindex, strtab, versindex, pcpuindex,
66529 mod);
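Review bot: The netdev denial message has no trailing newline, unlike the other grsec alert in this hunk, so the next kernel message may be appended to it in the log; the format should end with `instead.\n`. In the uid message `%.9s` cuts a ten-digit uid (the marker is written with `%u` in kernel/kmod.c), so the logged uid can be wrong for large ids; `%.10s` covers the full 32-bit range. Both `strstr` calls search the whole of `mod->args`, so a comment stating that these marker strings are reserved and not valid module parameters would help. `load_module` starts and ends outside this hunk.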
66530 @@ -2431,8 +2567,8 @@ static noinline struct module *load_modu
66531
66532 /* Now do relocations. */
66533 for (i = 1; i < hdr->e_shnum; i++) {
66534 - const char *strtab = (char *)sechdrs[strindex].sh_addr;
66535 unsigned int info = sechdrs[i].sh_info;
66536 + strtab = (char *)sechdrs[strindex].sh_addr;
66537
66538 /* Not a valid relocation section? */
66539 if (info >= hdr->e_shnum)
66540 @@ -2493,16 +2629,15 @@ static noinline struct module *load_modu
66541 * Do it before processing of module parameters, so the module
66542 * can provide parameter accessor functions of its own.
66543 */
66544 - if (mod->module_init)
66545 - flush_icache_range((unsigned long)mod->module_init,
66546 - (unsigned long)mod->module_init
66547 - + mod->init_size);
66548 - flush_icache_range((unsigned long)mod->module_core,
66549 - (unsigned long)mod->module_core + mod->core_size);
66550 + if (mod->module_init_rx)
66551 + flush_icache_range((unsigned long)mod->module_init_rx,
66552 + (unsigned long)mod->module_init_rx
66553 + + mod->init_size_rx);
66554 + flush_icache_range((unsigned long)mod->module_core_rx,
66555 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
66556
66557 set_fs(old_fs);
66558
66559 - mod->args = args;
66560 if (section_addr(hdr, sechdrs, secstrings, "__obsparm"))
66561 printk(KERN_WARNING "%s: Ignoring obsolete parameters\n",
66562 mod->name);
66563 @@ -2546,12 +2681,16 @@ static noinline struct module *load_modu
66564 free_unload:
66565 module_unload_free(mod);
66566 #if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
66567 + free_init_rx:
66568 percpu_modfree(mod->refptr);
66569 - free_init:
66570 #endif
66571 - module_free(mod, mod->module_init);
66572 - free_core:
66573 - module_free(mod, mod->module_core);
66574 + module_free_exec(mod, mod->module_init_rx);
66575 + free_core_rx:
66576 + module_free_exec(mod, mod->module_core_rx);
66577 + free_init_rw:
66578 + module_free(mod, mod->module_init_rw);
66579 + free_core_rw:
66580 + module_free(mod, mod->module_core_rw);
66581 /* mod will be freed with core. Don't access it beyond this line! */
66582 free_percpu:
66583 if (percpu)
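Review bot: `free_init_rx:` now sits in front of `percpu_modfree(mod->refptr)`, whereas the old `free_init:` label came after it, so the `!mod->refptr` failure path (`goto free_init_rx` in the earlier hunk) now calls `percpu_modfree` with a NULL pointer. Unless `percpu_modfree` is known to accept NULL on every configuration, which this page does not show, the label should stay below the call: `percpu_modfree(mod->refptr);` followed by `free_init_rx:`. The order of the four frees is otherwise consistent with the comment that `mod` lives in the core RW block, which is freed last.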
66584 @@ -2653,10 +2792,12 @@ SYSCALL_DEFINE3(init_module, void __user
66585 mod->symtab = mod->core_symtab;
66586 mod->strtab = mod->core_strtab;
66587 #endif
66588 - module_free(mod, mod->module_init);
66589 - mod->module_init = NULL;
66590 - mod->init_size = 0;
66591 - mod->init_text_size = 0;
66592 + module_free(mod, mod->module_init_rw);
66593 + module_free_exec(mod, mod->module_init_rx);
66594 + mod->module_init_rw = NULL;
66595 + mod->module_init_rx = NULL;
66596 + mod->init_size_rw = 0;
66597 + mod->init_size_rx = 0;
66598 mutex_unlock(&module_mutex);
66599
66600 return 0;
66601 @@ -2687,10 +2828,16 @@ static const char *get_ksymbol(struct mo
66602 unsigned long nextval;
66603
66604 /* At worse, next value is at end of module */
66605 - if (within_module_init(addr, mod))
66606 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
66607 + if (within_module_init_rx(addr, mod))
66608 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
66609 + else if (within_module_init_rw(addr, mod))
66610 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
66611 + else if (within_module_core_rx(addr, mod))
66612 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
66613 + else if (within_module_core_rw(addr, mod))
66614 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
66615 else
66616 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
66617 + return NULL;
66618
66619 /* Scan for closest preceeding symbol, and next symbol. (ELF
66620 starts real symbols at 1). */
66621 @@ -2936,7 +3083,7 @@ static int m_show(struct seq_file *m, vo
66622 char buf[8];
66623
66624 seq_printf(m, "%s %u",
66625 - mod->name, mod->init_size + mod->core_size);
66626 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
66627 print_unload_info(m, mod);
66628
66629 /* Informative for users. */
66630 @@ -2945,7 +3092,7 @@ static int m_show(struct seq_file *m, vo
66631 mod->state == MODULE_STATE_COMING ? "Loading":
66632 "Live");
66633 /* Used by oprofile and other similar tools. */
66634 - seq_printf(m, " 0x%p", mod->module_core);
66635 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
66636
66637 /* Taints info */
66638 if (mod->taints)
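Review bot: Printing two addresses with `" 0x%p 0x%p"` adds a column to /proc/modules in front of the taint flags, and the comment above the call says this field is read by oprofile and similar tools; a parser that expects a single address there may misread the rest of the line. If the extra column is intended, the comment should say which address is which, for example `/* core_rx (text), then core_rw (data); read by oprofile and similar tools */`. `m_show` continues outside the hunk.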
66639 @@ -2981,7 +3128,17 @@ static const struct file_operations proc
66640
66641 static int __init proc_modules_init(void)
66642 {
66643 +#ifndef CONFIG_GRKERNSEC_HIDESYM
66644 +#ifdef CONFIG_GRKERNSEC_PROC_USER
66645 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
66646 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
66647 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
66648 +#else
66649 proc_create("modules", 0, NULL, &proc_modules_operations);
66650 +#endif
66651 +#else
66652 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
66653 +#endif
66654 return 0;
66655 }
66656 module_init(proc_modules_init);
66657 @@ -3040,12 +3197,12 @@ struct module *__module_address(unsigned
66658 {
66659 struct module *mod;
66660
66661 - if (addr < module_addr_min || addr > module_addr_max)
66662 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
66663 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
66664 return NULL;
66665
66666 list_for_each_entry_rcu(mod, &modules, list)
66667 - if (within_module_core(addr, mod)
66668 - || within_module_init(addr, mod))
66669 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
66670 return mod;
66671 return NULL;
66672 }
66673 @@ -3079,11 +3236,20 @@ bool is_module_text_address(unsigned lon
66674 */
66675 struct module *__module_text_address(unsigned long addr)
66676 {
66677 - struct module *mod = __module_address(addr);
66678 + struct module *mod;
66679 +
66680 +#ifdef CONFIG_X86_32
66681 + addr = ktla_ktva(addr);
66682 +#endif
66683 +
66684 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
66685 + return NULL;
66686 +
66687 + mod = __module_address(addr);
66688 +
66689 if (mod) {
66690 /* Make sure it's within the text section. */
66691 - if (!within(addr, mod->module_init, mod->init_text_size)
66692 - && !within(addr, mod->module_core, mod->core_text_size))
66693 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
66694 mod = NULL;
66695 }
66696 return mod;
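Review bot: The address translation in `__module_text_address` is guarded by `CONFIG_X86_32`, while the same `ktla_ktva()` call added to `static_obj` in kernel/lockdep.c is guarded by `CONFIG_PAX_KERNEXEC`. The definition of `ktla_ktva` is not on this page, so it cannot be confirmed here that it is an identity on x86_32 when KERNEXEC is disabled. Using the same guard at both sites, or adding a comment such as `/* text addresses are offset from their linear alias on x86_32 KERNEXEC only */`, would settle the question for the reader. The range test against `module_addr_min_rx`/`module_addr_max_rx` also repeats part of what `__module_address` does immediately afterwards, which a comment could justify as a fast path.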
66697 diff -urNp linux-2.6.32.46/kernel/mutex.c linux-2.6.32.46/kernel/mutex.c
66698 --- linux-2.6.32.46/kernel/mutex.c 2011-03-27 14:31:47.000000000 -0400
66699 +++ linux-2.6.32.46/kernel/mutex.c 2011-04-17 15:56:46.000000000 -0400
66700 @@ -169,7 +169,7 @@ __mutex_lock_common(struct mutex *lock,
66701 */
66702
66703 for (;;) {
66704 - struct thread_info *owner;
66705 + struct task_struct *owner;
66706
66707 /*
66708 * If we own the BKL, then don't spin. The owner of
66709 @@ -214,7 +214,7 @@ __mutex_lock_common(struct mutex *lock,
66710 spin_lock_mutex(&lock->wait_lock, flags);
66711
66712 debug_mutex_lock_common(lock, &waiter);
66713 - debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
66714 + debug_mutex_add_waiter(lock, &waiter, task);
66715
66716 /* add waiting tasks to the end of the waitqueue (FIFO): */
66717 list_add_tail(&waiter.list, &lock->wait_list);
66718 @@ -243,8 +243,7 @@ __mutex_lock_common(struct mutex *lock,
66719 * TASK_UNINTERRUPTIBLE case.)
66720 */
66721 if (unlikely(signal_pending_state(state, task))) {
66722 - mutex_remove_waiter(lock, &waiter,
66723 - task_thread_info(task));
66724 + mutex_remove_waiter(lock, &waiter, task);
66725 mutex_release(&lock->dep_map, 1, ip);
66726 spin_unlock_mutex(&lock->wait_lock, flags);
66727
66728 @@ -265,7 +264,7 @@ __mutex_lock_common(struct mutex *lock,
66729 done:
66730 lock_acquired(&lock->dep_map, ip);
66731 /* got the lock - rejoice! */
66732 - mutex_remove_waiter(lock, &waiter, current_thread_info());
66733 + mutex_remove_waiter(lock, &waiter, task);
66734 mutex_set_owner(lock);
66735
66736 /* set it to 0 if there are no waiters left: */
66737 diff -urNp linux-2.6.32.46/kernel/mutex-debug.c linux-2.6.32.46/kernel/mutex-debug.c
66738 --- linux-2.6.32.46/kernel/mutex-debug.c 2011-03-27 14:31:47.000000000 -0400
66739 +++ linux-2.6.32.46/kernel/mutex-debug.c 2011-04-17 15:56:46.000000000 -0400
66740 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
66741 }
66742
66743 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
66744 - struct thread_info *ti)
66745 + struct task_struct *task)
66746 {
66747 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
66748
66749 /* Mark the current thread as blocked on the lock: */
66750 - ti->task->blocked_on = waiter;
66751 + task->blocked_on = waiter;
66752 }
66753
66754 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
66755 - struct thread_info *ti)
66756 + struct task_struct *task)
66757 {
66758 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
66759 - DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
66760 - DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
66761 - ti->task->blocked_on = NULL;
66762 + DEBUG_LOCKS_WARN_ON(waiter->task != task);
66763 + DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
66764 + task->blocked_on = NULL;
66765
66766 list_del_init(&waiter->list);
66767 waiter->task = NULL;
66768 @@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
66769 return;
66770
66771 DEBUG_LOCKS_WARN_ON(lock->magic != lock);
66772 - DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
66773 + DEBUG_LOCKS_WARN_ON(lock->owner != current);
66774 DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
66775 mutex_clear_owner(lock);
66776 }
66777 diff -urNp linux-2.6.32.46/kernel/mutex-debug.h linux-2.6.32.46/kernel/mutex-debug.h
66778 --- linux-2.6.32.46/kernel/mutex-debug.h 2011-03-27 14:31:47.000000000 -0400
66779 +++ linux-2.6.32.46/kernel/mutex-debug.h 2011-04-17 15:56:46.000000000 -0400
66780 @@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
66781 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
66782 extern void debug_mutex_add_waiter(struct mutex *lock,
66783 struct mutex_waiter *waiter,
66784 - struct thread_info *ti);
66785 + struct task_struct *task);
66786 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
66787 - struct thread_info *ti);
66788 + struct task_struct *task);
66789 extern void debug_mutex_unlock(struct mutex *lock);
66790 extern void debug_mutex_init(struct mutex *lock, const char *name,
66791 struct lock_class_key *key);
66792
66793 static inline void mutex_set_owner(struct mutex *lock)
66794 {
66795 - lock->owner = current_thread_info();
66796 + lock->owner = current;
66797 }
66798
66799 static inline void mutex_clear_owner(struct mutex *lock)
66800 diff -urNp linux-2.6.32.46/kernel/mutex.h linux-2.6.32.46/kernel/mutex.h
66801 --- linux-2.6.32.46/kernel/mutex.h 2011-03-27 14:31:47.000000000 -0400
66802 +++ linux-2.6.32.46/kernel/mutex.h 2011-04-17 15:56:46.000000000 -0400
66803 @@ -19,7 +19,7 @@
66804 #ifdef CONFIG_SMP
66805 static inline void mutex_set_owner(struct mutex *lock)
66806 {
66807 - lock->owner = current_thread_info();
66808 + lock->owner = current;
66809 }
66810
66811 static inline void mutex_clear_owner(struct mutex *lock)
66812 diff -urNp linux-2.6.32.46/kernel/panic.c linux-2.6.32.46/kernel/panic.c
66813 --- linux-2.6.32.46/kernel/panic.c 2011-03-27 14:31:47.000000000 -0400
66814 +++ linux-2.6.32.46/kernel/panic.c 2011-04-17 15:56:46.000000000 -0400
66815 @@ -352,7 +352,7 @@ static void warn_slowpath_common(const c
66816 const char *board;
66817
66818 printk(KERN_WARNING "------------[ cut here ]------------\n");
66819 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
66820 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
66821 board = dmi_get_system_info(DMI_PRODUCT_NAME);
66822 if (board)
66823 printk(KERN_WARNING "Hardware name: %s\n", board);
66824 @@ -392,7 +392,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
66825 */
66826 void __stack_chk_fail(void)
66827 {
66828 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
66829 + dump_stack();
66830 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
66831 __builtin_return_address(0));
66832 }
66833 EXPORT_SYMBOL(__stack_chk_fail);
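Review bot: `dump_stack()` is now called in `__stack_chk_fail` on a stack that the canary check has just found corrupted, and nothing tells the reader that the resulting trace is best-effort. If `panic()` in this tree already prints a stack trace under its own debug option (not visible here), the trace will also appear twice in the log. I would add `/* canary is clobbered: the trace below may be unreliable */` above the call and check for the duplicate against `panic()`.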
66834 diff -urNp linux-2.6.32.46/kernel/params.c linux-2.6.32.46/kernel/params.c
66835 --- linux-2.6.32.46/kernel/params.c 2011-03-27 14:31:47.000000000 -0400
66836 +++ linux-2.6.32.46/kernel/params.c 2011-04-17 15:56:46.000000000 -0400
66837 @@ -725,7 +725,7 @@ static ssize_t module_attr_store(struct
66838 return ret;
66839 }
66840
66841 -static struct sysfs_ops module_sysfs_ops = {
66842 +static const struct sysfs_ops module_sysfs_ops = {
66843 .show = module_attr_show,
66844 .store = module_attr_store,
66845 };
66846 @@ -739,7 +739,7 @@ static int uevent_filter(struct kset *ks
66847 return 0;
66848 }
66849
66850 -static struct kset_uevent_ops module_uevent_ops = {
66851 +static const struct kset_uevent_ops module_uevent_ops = {
66852 .filter = uevent_filter,
66853 };
66854
66855 diff -urNp linux-2.6.32.46/kernel/perf_event.c linux-2.6.32.46/kernel/perf_event.c
66856 --- linux-2.6.32.46/kernel/perf_event.c 2011-08-09 18:35:30.000000000 -0400
66857 +++ linux-2.6.32.46/kernel/perf_event.c 2011-08-09 18:34:01.000000000 -0400
66858 @@ -77,7 +77,7 @@ int sysctl_perf_event_mlock __read_mostl
66859 */
66860 int sysctl_perf_event_sample_rate __read_mostly = 100000;
66861
66862 -static atomic64_t perf_event_id;
66863 +static atomic64_unchecked_t perf_event_id;
66864
66865 /*
66866 * Lock for (sysadmin-configurable) event reservations:
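Review bot: `perf_event_id` is switched to `atomic64_unchecked_t` with no comment saying why this counter is exempt from the overflow detection that the checked atomic types presumably carry under PAX_REFCOUNT. The exemption looks right for an id allocator and for the event counters converted in the later hunks of this file (`event->count`, `hw.prev_count`, `child_total_time_*`), since none of them is a reference count. Each opt-out is still a place where a real refcount could later be misclassified by copy and paste. I would add `/* id allocator, not a refcount: wrap is harmless, so overflow checking is skipped */` here; the same one-line rationale applies to `prof_buffer` in kernel/profile.c.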
66867 @@ -1094,9 +1094,9 @@ static void __perf_event_sync_stat(struc
66868 * In order to keep per-task stats reliable we need to flip the event
66869 * values when we flip the contexts.
66870 */
66871 - value = atomic64_read(&next_event->count);
66872 - value = atomic64_xchg(&event->count, value);
66873 - atomic64_set(&next_event->count, value);
66874 + value = atomic64_read_unchecked(&next_event->count);
66875 + value = atomic64_xchg_unchecked(&event->count, value);
66876 + atomic64_set_unchecked(&next_event->count, value);
66877
66878 swap(event->total_time_enabled, next_event->total_time_enabled);
66879 swap(event->total_time_running, next_event->total_time_running);
66880 @@ -1552,7 +1552,7 @@ static u64 perf_event_read(struct perf_e
66881 update_event_times(event);
66882 }
66883
66884 - return atomic64_read(&event->count);
66885 + return atomic64_read_unchecked(&event->count);
66886 }
66887
66888 /*
66889 @@ -1790,11 +1790,11 @@ static int perf_event_read_group(struct
66890 values[n++] = 1 + leader->nr_siblings;
66891 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
66892 values[n++] = leader->total_time_enabled +
66893 - atomic64_read(&leader->child_total_time_enabled);
66894 + atomic64_read_unchecked(&leader->child_total_time_enabled);
66895 }
66896 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
66897 values[n++] = leader->total_time_running +
66898 - atomic64_read(&leader->child_total_time_running);
66899 + atomic64_read_unchecked(&leader->child_total_time_running);
66900 }
66901
66902 size = n * sizeof(u64);
66903 @@ -1829,11 +1829,11 @@ static int perf_event_read_one(struct pe
66904 values[n++] = perf_event_read_value(event);
66905 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
66906 values[n++] = event->total_time_enabled +
66907 - atomic64_read(&event->child_total_time_enabled);
66908 + atomic64_read_unchecked(&event->child_total_time_enabled);
66909 }
66910 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
66911 values[n++] = event->total_time_running +
66912 - atomic64_read(&event->child_total_time_running);
66913 + atomic64_read_unchecked(&event->child_total_time_running);
66914 }
66915 if (read_format & PERF_FORMAT_ID)
66916 values[n++] = primary_event_id(event);
66917 @@ -1903,7 +1903,7 @@ static unsigned int perf_poll(struct fil
66918 static void perf_event_reset(struct perf_event *event)
66919 {
66920 (void)perf_event_read(event);
66921 - atomic64_set(&event->count, 0);
66922 + atomic64_set_unchecked(&event->count, 0);
66923 perf_event_update_userpage(event);
66924 }
66925
66926 @@ -2079,15 +2079,15 @@ void perf_event_update_userpage(struct p
66927 ++userpg->lock;
66928 barrier();
66929 userpg->index = perf_event_index(event);
66930 - userpg->offset = atomic64_read(&event->count);
66931 + userpg->offset = atomic64_read_unchecked(&event->count);
66932 if (event->state == PERF_EVENT_STATE_ACTIVE)
66933 - userpg->offset -= atomic64_read(&event->hw.prev_count);
66934 + userpg->offset -= atomic64_read_unchecked(&event->hw.prev_count);
66935
66936 userpg->time_enabled = event->total_time_enabled +
66937 - atomic64_read(&event->child_total_time_enabled);
66938 + atomic64_read_unchecked(&event->child_total_time_enabled);
66939
66940 userpg->time_running = event->total_time_running +
66941 - atomic64_read(&event->child_total_time_running);
66942 + atomic64_read_unchecked(&event->child_total_time_running);
66943
66944 barrier();
66945 ++userpg->lock;
66946 @@ -2903,14 +2903,14 @@ static void perf_output_read_one(struct
66947 u64 values[4];
66948 int n = 0;
66949
66950 - values[n++] = atomic64_read(&event->count);
66951 + values[n++] = atomic64_read_unchecked(&event->count);
66952 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
66953 values[n++] = event->total_time_enabled +
66954 - atomic64_read(&event->child_total_time_enabled);
66955 + atomic64_read_unchecked(&event->child_total_time_enabled);
66956 }
66957 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
66958 values[n++] = event->total_time_running +
66959 - atomic64_read(&event->child_total_time_running);
66960 + atomic64_read_unchecked(&event->child_total_time_running);
66961 }
66962 if (read_format & PERF_FORMAT_ID)
66963 values[n++] = primary_event_id(event);
66964 @@ -2940,7 +2940,7 @@ static void perf_output_read_group(struc
66965 if (leader != event)
66966 leader->pmu->read(leader);
66967
66968 - values[n++] = atomic64_read(&leader->count);
66969 + values[n++] = atomic64_read_unchecked(&leader->count);
66970 if (read_format & PERF_FORMAT_ID)
66971 values[n++] = primary_event_id(leader);
66972
66973 @@ -2952,7 +2952,7 @@ static void perf_output_read_group(struc
66974 if (sub != event)
66975 sub->pmu->read(sub);
66976
66977 - values[n++] = atomic64_read(&sub->count);
66978 + values[n++] = atomic64_read_unchecked(&sub->count);
66979 if (read_format & PERF_FORMAT_ID)
66980 values[n++] = primary_event_id(sub);
66981
66982 @@ -3783,7 +3783,7 @@ static void perf_swevent_add(struct perf
66983 {
66984 struct hw_perf_event *hwc = &event->hw;
66985
66986 - atomic64_add(nr, &event->count);
66987 + atomic64_add_unchecked(nr, &event->count);
66988
66989 if (!hwc->sample_period)
66990 return;
66991 @@ -4040,9 +4040,9 @@ static void cpu_clock_perf_event_update(
66992 u64 now;
66993
66994 now = cpu_clock(cpu);
66995 - prev = atomic64_read(&event->hw.prev_count);
66996 - atomic64_set(&event->hw.prev_count, now);
66997 - atomic64_add(now - prev, &event->count);
66998 + prev = atomic64_read_unchecked(&event->hw.prev_count);
66999 + atomic64_set_unchecked(&event->hw.prev_count, now);
67000 + atomic64_add_unchecked(now - prev, &event->count);
67001 }
67002
67003 static int cpu_clock_perf_event_enable(struct perf_event *event)
67004 @@ -4050,7 +4050,7 @@ static int cpu_clock_perf_event_enable(s
67005 struct hw_perf_event *hwc = &event->hw;
67006 int cpu = raw_smp_processor_id();
67007
67008 - atomic64_set(&hwc->prev_count, cpu_clock(cpu));
67009 + atomic64_set_unchecked(&hwc->prev_count, cpu_clock(cpu));
67010 perf_swevent_start_hrtimer(event);
67011
67012 return 0;
67013 @@ -4082,9 +4082,9 @@ static void task_clock_perf_event_update
67014 u64 prev;
67015 s64 delta;
67016
67017 - prev = atomic64_xchg(&event->hw.prev_count, now);
67018 + prev = atomic64_xchg_unchecked(&event->hw.prev_count, now);
67019 delta = now - prev;
67020 - atomic64_add(delta, &event->count);
67021 + atomic64_add_unchecked(delta, &event->count);
67022 }
67023
67024 static int task_clock_perf_event_enable(struct perf_event *event)
67025 @@ -4094,7 +4094,7 @@ static int task_clock_perf_event_enable(
67026
67027 now = event->ctx->time;
67028
67029 - atomic64_set(&hwc->prev_count, now);
67030 + atomic64_set_unchecked(&hwc->prev_count, now);
67031
67032 perf_swevent_start_hrtimer(event);
67033
67034 @@ -4289,7 +4289,7 @@ perf_event_alloc(struct perf_event_attr
67035 event->parent = parent_event;
67036
67037 event->ns = get_pid_ns(current->nsproxy->pid_ns);
67038 - event->id = atomic64_inc_return(&perf_event_id);
67039 + event->id = atomic64_inc_return_unchecked(&perf_event_id);
67040
67041 event->state = PERF_EVENT_STATE_INACTIVE;
67042
67043 @@ -4720,15 +4720,15 @@ static void sync_child_event(struct perf
67044 if (child_event->attr.inherit_stat)
67045 perf_event_read_event(child_event, child);
67046
67047 - child_val = atomic64_read(&child_event->count);
67048 + child_val = atomic64_read_unchecked(&child_event->count);
67049
67050 /*
67051 * Add back the child's count to the parent's count:
67052 */
67053 - atomic64_add(child_val, &parent_event->count);
67054 - atomic64_add(child_event->total_time_enabled,
67055 + atomic64_add_unchecked(child_val, &parent_event->count);
67056 + atomic64_add_unchecked(child_event->total_time_enabled,
67057 &parent_event->child_total_time_enabled);
67058 - atomic64_add(child_event->total_time_running,
67059 + atomic64_add_unchecked(child_event->total_time_running,
67060 &parent_event->child_total_time_running);
67061
67062 /*
67063 diff -urNp linux-2.6.32.46/kernel/pid.c linux-2.6.32.46/kernel/pid.c
67064 --- linux-2.6.32.46/kernel/pid.c 2011-04-22 19:16:29.000000000 -0400
67065 +++ linux-2.6.32.46/kernel/pid.c 2011-08-21 19:11:29.000000000 -0400
67066 @@ -33,6 +33,7 @@
67067 #include <linux/rculist.h>
67068 #include <linux/bootmem.h>
67069 #include <linux/hash.h>
67070 +#include <linux/security.h>
67071 #include <linux/pid_namespace.h>
67072 #include <linux/init_task.h>
67073 #include <linux/syscalls.h>
67074 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
67075
67076 int pid_max = PID_MAX_DEFAULT;
67077
67078 -#define RESERVED_PIDS 300
67079 +#define RESERVED_PIDS 500
67080
67081 int pid_max_min = RESERVED_PIDS + 1;
67082 int pid_max_max = PID_MAX_LIMIT;
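Review bot: `RESERVED_PIDS` goes from 300 to 500 with no comment, and because `pid_max_min` on the context line below is `RESERVED_PIDS + 1`, the smallest accepted `pid_max` rises to 501 as a side effect. A short comment above the define stating what the reserved range protects and why the larger value was chosen would let someone who tunes `pid_max` downward understand the new floor.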
67083 @@ -383,7 +384,14 @@ EXPORT_SYMBOL(pid_task);
67084 */
67085 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
67086 {
67087 - return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
67088 + struct task_struct *task;
67089 +
67090 + task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
67091 +
67092 + if (gr_pid_is_chrooted(task))
67093 + return NULL;
67094 +
67095 + return task;
67096 }
67097
67098 struct task_struct *find_task_by_vpid(pid_t vnr)
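Review bot: `gr_pid_is_chrooted(task)` receives the raw result of `pid_task()`, which is NULL when no task has that pid, so the hook has to tolerate a NULL argument at this call site. Its definition is outside this hunk; if it does not check, a lookup of a nonexistent pid would dereference NULL inside the hook. Making the guard explicit costs nothing and documents the contract: `if (task && gr_pid_is_chrooted(task))`.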
67099 @@ -391,6 +399,11 @@ struct task_struct *find_task_by_vpid(pi
67100 return find_task_by_pid_ns(vnr, current->nsproxy->pid_ns);
67101 }
67102
67103 +struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
67104 +{
67105 + return pid_task(find_pid_ns(vnr, current->nsproxy->pid_ns), PIDTYPE_PID);
67106 +}
67107 +
67108 struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
67109 {
67110 struct pid *pid;
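Review bot: `find_task_by_vpid_unrestricted()` skips the chroot filter that this patch adds to `find_task_by_pid_ns()`, yet it carries no comment saying which callers may use it. Without that, a later change can reach for the unrestricted variant and quietly restore the task visibility the filter was meant to remove. I would add a header comment such as `/* Bypasses the gr_pid_is_chrooted() filter; use only where <intended callers>, never for lookups driven by a pid supplied from a chrooted task. */` and keep the symbol unexported.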
67111 diff -urNp linux-2.6.32.46/kernel/posix-cpu-timers.c linux-2.6.32.46/kernel/posix-cpu-timers.c
67112 --- linux-2.6.32.46/kernel/posix-cpu-timers.c 2011-03-27 14:31:47.000000000 -0400
67113 +++ linux-2.6.32.46/kernel/posix-cpu-timers.c 2011-08-06 09:33:44.000000000 -0400
67114 @@ -6,6 +6,7 @@
67115 #include <linux/posix-timers.h>
67116 #include <linux/errno.h>
67117 #include <linux/math64.h>
67118 +#include <linux/security.h>
67119 #include <asm/uaccess.h>
67120 #include <linux/kernel_stat.h>
67121 #include <trace/events/timer.h>
67122 @@ -1697,7 +1698,7 @@ static long thread_cpu_nsleep_restart(st
67123
67124 static __init int init_posix_cpu_timers(void)
67125 {
67126 - struct k_clock process = {
67127 + static struct k_clock process = {
67128 .clock_getres = process_cpu_clock_getres,
67129 .clock_get = process_cpu_clock_get,
67130 .clock_set = do_posix_clock_nosettime,
67131 @@ -1705,7 +1706,7 @@ static __init int init_posix_cpu_timers(
67132 .nsleep = process_cpu_nsleep,
67133 .nsleep_restart = process_cpu_nsleep_restart,
67134 };
67135 - struct k_clock thread = {
67136 + static struct k_clock thread = {
67137 .clock_getres = thread_cpu_clock_getres,
67138 .clock_get = thread_cpu_clock_get,
67139 .clock_set = do_posix_clock_nosettime,
67140 diff -urNp linux-2.6.32.46/kernel/posix-timers.c linux-2.6.32.46/kernel/posix-timers.c
67141 --- linux-2.6.32.46/kernel/posix-timers.c 2011-03-27 14:31:47.000000000 -0400
67142 +++ linux-2.6.32.46/kernel/posix-timers.c 2011-08-23 20:22:38.000000000 -0400
67143 @@ -42,6 +42,7 @@
67144 #include <linux/compiler.h>
67145 #include <linux/idr.h>
67146 #include <linux/posix-timers.h>
67147 +#include <linux/grsecurity.h>
67148 #include <linux/syscalls.h>
67149 #include <linux/wait.h>
67150 #include <linux/workqueue.h>
67151 @@ -131,7 +132,7 @@ static DEFINE_SPINLOCK(idr_lock);
67152 * which we beg off on and pass to do_sys_settimeofday().
67153 */
67154
67155 -static struct k_clock posix_clocks[MAX_CLOCKS];
67156 +static struct k_clock *posix_clocks[MAX_CLOCKS];
67157
67158 /*
67159 * These ones are defined below.
67160 @@ -157,8 +158,8 @@ static inline void unlock_timer(struct k
67161 */
67162 #define CLOCK_DISPATCH(clock, call, arglist) \
67163 ((clock) < 0 ? posix_cpu_##call arglist : \
67164 - (posix_clocks[clock].call != NULL \
67165 - ? (*posix_clocks[clock].call) arglist : common_##call arglist))
67166 + (posix_clocks[clock]->call != NULL \
67167 + ? (*posix_clocks[clock]->call) arglist : common_##call arglist))
67168
67169 /*
67170 * Default clock hook functions when the struct k_clock passed
67171 @@ -172,7 +173,7 @@ static inline int common_clock_getres(co
67172 struct timespec *tp)
67173 {
67174 tp->tv_sec = 0;
67175 - tp->tv_nsec = posix_clocks[which_clock].res;
67176 + tp->tv_nsec = posix_clocks[which_clock]->res;
67177 return 0;
67178 }
67179
67180 @@ -217,9 +218,11 @@ static inline int invalid_clockid(const
67181 return 0;
67182 if ((unsigned) which_clock >= MAX_CLOCKS)
67183 return 1;
67184 - if (posix_clocks[which_clock].clock_getres != NULL)
67185 + if (posix_clocks[which_clock] == NULL)
67186 return 0;
67187 - if (posix_clocks[which_clock].res != 0)
67188 + if (posix_clocks[which_clock]->clock_getres != NULL)
67189 + return 0;
67190 + if (posix_clocks[which_clock]->res != 0)
67191 return 0;
67192 return 1;
67193 }
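Review bot: The new NULL test in `invalid_clockid` returns 0, which in this function means the id is acceptable (the `>= MAX_CLOCKS` test just above returns 1 for a bad id), so an id below `MAX_CLOCKS` that was never registered now passes validation. Because `posix_clocks[]` holds pointers after this patch, such an id then reaches `posix_clocks[clock]->call` in the `CLOCK_DISPATCH` hunk and `posix_clocks[which_clock]->res` in `common_clock_getres`, both of which dereference the slot without a check. The line after the test should be `return 1;` so that an empty slot is rejected before any dispatch. The start of `invalid_clockid` is outside the hunk.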
67194 @@ -266,29 +269,29 @@ int posix_get_coarse_res(const clockid_t
67195 */
67196 static __init int init_posix_timers(void)
67197 {
67198 - struct k_clock clock_realtime = {
67199 + static struct k_clock clock_realtime = {
67200 .clock_getres = hrtimer_get_res,
67201 };
67202 - struct k_clock clock_monotonic = {
67203 + static struct k_clock clock_monotonic = {
67204 .clock_getres = hrtimer_get_res,
67205 .clock_get = posix_ktime_get_ts,
67206 .clock_set = do_posix_clock_nosettime,
67207 };
67208 - struct k_clock clock_monotonic_raw = {
67209 + static struct k_clock clock_monotonic_raw = {
67210 .clock_getres = hrtimer_get_res,
67211 .clock_get = posix_get_monotonic_raw,
67212 .clock_set = do_posix_clock_nosettime,
67213 .timer_create = no_timer_create,
67214 .nsleep = no_nsleep,
67215 };
67216 - struct k_clock clock_realtime_coarse = {
67217 + static struct k_clock clock_realtime_coarse = {
67218 .clock_getres = posix_get_coarse_res,
67219 .clock_get = posix_get_realtime_coarse,
67220 .clock_set = do_posix_clock_nosettime,
67221 .timer_create = no_timer_create,
67222 .nsleep = no_nsleep,
67223 };
67224 - struct k_clock clock_monotonic_coarse = {
67225 + static struct k_clock clock_monotonic_coarse = {
67226 .clock_getres = posix_get_coarse_res,
67227 .clock_get = posix_get_monotonic_coarse,
67228 .clock_set = do_posix_clock_nosettime,
67229 @@ -296,6 +299,8 @@ static __init int init_posix_timers(void
67230 .nsleep = no_nsleep,
67231 };
67232
67233 + pax_track_stack();
67234 +
67235 register_posix_clock(CLOCK_REALTIME, &clock_realtime);
67236 register_posix_clock(CLOCK_MONOTONIC, &clock_monotonic);
67237 register_posix_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
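Review bot: `pax_track_stack()` is added to `init_posix_timers` by the same patch that moves its `struct k_clock` locals to static storage, which removes the large stack frame the call would presumably be there to account for. If the call predates the move to `static`, it is now dead weight in an `__init` function. If it is still wanted, a comment should name the large local that remains. The rest of the function body is outside this hunk, so this needs confirming against the full function.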
67238 @@ -484,7 +489,7 @@ void register_posix_clock(const clockid_
67239 return;
67240 }
67241
67242 - posix_clocks[clock_id] = *new_clock;
67243 + posix_clocks[clock_id] = new_clock;
67244 }
67245 EXPORT_SYMBOL_GPL(register_posix_clock);
67246
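Review bot: `posix_clocks[clock_id] = new_clock;` makes `register_posix_clock()` keep the caller's pointer instead of copying the structure, which changes the lifetime contract of an exported function without documenting it. The callers touched by this patch were converted to `static struct k_clock`, but any other caller that still passes a stack object would leave a dangling pointer in the table that `CLOCK_DISPATCH` later calls through. I would state the requirement in the function's header comment, e.g. `/* @new_clock is stored by reference and must stay valid for the lifetime of the kernel */`, and audit the remaining callers. The function's opening lines are outside the hunk.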
67247 @@ -948,6 +953,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
67248 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
67249 return -EFAULT;
67250
67251 + /* only the CLOCK_REALTIME clock can be set, all other clocks
67252 + have their clock_set fptr set to a nosettime dummy function
67253 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
67254 + call common_clock_set, which calls do_sys_settimeofday, which
67255 + we hook
67256 + */
67257 +
67258 return CLOCK_DISPATCH(which_clock, clock_set, (which_clock, &new_tp));
67259 }
67260
67261 diff -urNp linux-2.6.32.46/kernel/power/hibernate.c linux-2.6.32.46/kernel/power/hibernate.c
67262 --- linux-2.6.32.46/kernel/power/hibernate.c 2011-03-27 14:31:47.000000000 -0400
67263 +++ linux-2.6.32.46/kernel/power/hibernate.c 2011-04-17 15:56:46.000000000 -0400
67264 @@ -48,14 +48,14 @@ enum {
67265
67266 static int hibernation_mode = HIBERNATION_SHUTDOWN;
67267
67268 -static struct platform_hibernation_ops *hibernation_ops;
67269 +static const struct platform_hibernation_ops *hibernation_ops;
67270
67271 /**
67272 * hibernation_set_ops - set the global hibernate operations
67273 * @ops: the hibernation operations to use in subsequent hibernation transitions
67274 */
67275
67276 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
67277 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
67278 {
67279 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
67280 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
67281 diff -urNp linux-2.6.32.46/kernel/power/poweroff.c linux-2.6.32.46/kernel/power/poweroff.c
67282 --- linux-2.6.32.46/kernel/power/poweroff.c 2011-03-27 14:31:47.000000000 -0400
67283 +++ linux-2.6.32.46/kernel/power/poweroff.c 2011-04-17 15:56:46.000000000 -0400
67284 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
67285 .enable_mask = SYSRQ_ENABLE_BOOT,
67286 };
67287
67288 -static int pm_sysrq_init(void)
67289 +static int __init pm_sysrq_init(void)
67290 {
67291 register_sysrq_key('o', &sysrq_poweroff_op);
67292 return 0;
67293 diff -urNp linux-2.6.32.46/kernel/power/process.c linux-2.6.32.46/kernel/power/process.c
67294 --- linux-2.6.32.46/kernel/power/process.c 2011-03-27 14:31:47.000000000 -0400
67295 +++ linux-2.6.32.46/kernel/power/process.c 2011-04-17 15:56:46.000000000 -0400
67296 @@ -37,12 +37,15 @@ static int try_to_freeze_tasks(bool sig_
67297 struct timeval start, end;
67298 u64 elapsed_csecs64;
67299 unsigned int elapsed_csecs;
67300 + bool timedout = false;
67301
67302 do_gettimeofday(&start);
67303
67304 end_time = jiffies + TIMEOUT;
67305 do {
67306 todo = 0;
67307 + if (time_after(jiffies, end_time))
67308 + timedout = true;
67309 read_lock(&tasklist_lock);
67310 do_each_thread(g, p) {
67311 if (frozen(p) || !freezeable(p))
67312 @@ -57,15 +60,17 @@ static int try_to_freeze_tasks(bool sig_
67313 * It is "frozen enough". If the task does wake
67314 * up, it will immediately call try_to_freeze.
67315 */
67316 - if (!task_is_stopped_or_traced(p) &&
67317 - !freezer_should_skip(p))
67318 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
67319 todo++;
67320 + if (timedout) {
67321 + printk(KERN_ERR "Task refusing to freeze:\n");
67322 + sched_show_task(p);
67323 + }
67324 + }
67325 } while_each_thread(g, p);
67326 read_unlock(&tasklist_lock);
67327 yield(); /* Yield is okay here */
67328 - if (time_after(jiffies, end_time))
67329 - break;
67330 - } while (todo);
67331 + } while (todo && !timedout);
67332
67333 do_gettimeofday(&end);
67334 elapsed_csecs64 = timeval_to_ns(&end) - timeval_to_ns(&start);
67335 diff -urNp linux-2.6.32.46/kernel/power/suspend.c linux-2.6.32.46/kernel/power/suspend.c
67336 --- linux-2.6.32.46/kernel/power/suspend.c 2011-03-27 14:31:47.000000000 -0400
67337 +++ linux-2.6.32.46/kernel/power/suspend.c 2011-04-17 15:56:46.000000000 -0400
67338 @@ -23,13 +23,13 @@ const char *const pm_states[PM_SUSPEND_M
67339 [PM_SUSPEND_MEM] = "mem",
67340 };
67341
67342 -static struct platform_suspend_ops *suspend_ops;
67343 +static const struct platform_suspend_ops *suspend_ops;
67344
67345 /**
67346 * suspend_set_ops - Set the global suspend method table.
67347 * @ops: Pointer to ops structure.
67348 */
67349 -void suspend_set_ops(struct platform_suspend_ops *ops)
67350 +void suspend_set_ops(const struct platform_suspend_ops *ops)
67351 {
67352 mutex_lock(&pm_mutex);
67353 suspend_ops = ops;
67354 diff -urNp linux-2.6.32.46/kernel/printk.c linux-2.6.32.46/kernel/printk.c
67355 --- linux-2.6.32.46/kernel/printk.c 2011-03-27 14:31:47.000000000 -0400
67356 +++ linux-2.6.32.46/kernel/printk.c 2011-04-17 15:56:46.000000000 -0400
67357 @@ -278,6 +278,11 @@ int do_syslog(int type, char __user *buf
67358 char c;
67359 int error = 0;
67360
67361 +#ifdef CONFIG_GRKERNSEC_DMESG
67362 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
67363 + return -EPERM;
67364 +#endif
67365 +
67366 error = security_syslog(type);
67367 if (error)
67368 return error;
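Review bot: The `CONFIG_GRKERNSEC_DMESG` check applies to every `type` on every call of `do_syslog`, so the privilege is tested at read time rather than when the log source was opened. If reads of `/proc/kmsg` are routed through this function (its callers are outside the hunk), a logging daemon that opens the file privileged and then drops `CAP_SYS_ADMIN` would get `-EPERM` on each read once `grsec_enable_dmesg` is set. A comment stating the intended scope, such as `/* deny all syslog actions without CAP_SYS_ADMIN, including reads on an already-open /proc/kmsg */`, would make that behaviour deliberate rather than incidental.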
67369 diff -urNp linux-2.6.32.46/kernel/profile.c linux-2.6.32.46/kernel/profile.c
67370 --- linux-2.6.32.46/kernel/profile.c 2011-03-27 14:31:47.000000000 -0400
67371 +++ linux-2.6.32.46/kernel/profile.c 2011-05-04 17:56:28.000000000 -0400
67372 @@ -39,7 +39,7 @@ struct profile_hit {
67373 /* Oprofile timer tick hook */
67374 static int (*timer_hook)(struct pt_regs *) __read_mostly;
67375
67376 -static atomic_t *prof_buffer;
67377 +static atomic_unchecked_t *prof_buffer;
67378 static unsigned long prof_len, prof_shift;
67379
67380 int prof_on __read_mostly;
67381 @@ -283,7 +283,7 @@ static void profile_flip_buffers(void)
67382 hits[i].pc = 0;
67383 continue;
67384 }
67385 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
67386 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
67387 hits[i].hits = hits[i].pc = 0;
67388 }
67389 }
67390 @@ -346,9 +346,9 @@ void profile_hits(int type, void *__pc,
67391 * Add the current hit(s) and flush the write-queue out
67392 * to the global buffer:
67393 */
67394 - atomic_add(nr_hits, &prof_buffer[pc]);
67395 + atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
67396 for (i = 0; i < NR_PROFILE_HIT; ++i) {
67397 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
67398 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
67399 hits[i].pc = hits[i].hits = 0;
67400 }
67401 out:
67402 @@ -426,7 +426,7 @@ void profile_hits(int type, void *__pc,
67403 if (prof_on != type || !prof_buffer)
67404 return;
67405 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
67406 - atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
67407 + atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
67408 }
67409 #endif /* !CONFIG_SMP */
67410 EXPORT_SYMBOL_GPL(profile_hits);
67411 @@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
67412 return -EFAULT;
67413 buf++; p++; count--; read++;
67414 }
67415 - pnt = (char *)prof_buffer + p - sizeof(atomic_t);
67416 + pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
67417 if (copy_to_user(buf, (void *)pnt, count))
67418 return -EFAULT;
67419 read += count;
67420 @@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
67421 }
67422 #endif
67423 profile_discard_flip_buffers();
67424 - memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
67425 + memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
67426 return count;
67427 }
67428
67429 diff -urNp linux-2.6.32.46/kernel/ptrace.c linux-2.6.32.46/kernel/ptrace.c
67430 --- linux-2.6.32.46/kernel/ptrace.c 2011-03-27 14:31:47.000000000 -0400
67431 +++ linux-2.6.32.46/kernel/ptrace.c 2011-05-22 23:02:06.000000000 -0400
67432 @@ -117,7 +117,8 @@ int ptrace_check_attach(struct task_stru
67433 return ret;
67434 }
67435
67436 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
67437 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
67438 + unsigned int log)
67439 {
67440 const struct cred *cred = current_cred(), *tcred;
67441
67442 @@ -141,7 +142,9 @@ int __ptrace_may_access(struct task_stru
67443 cred->gid != tcred->egid ||
67444 cred->gid != tcred->sgid ||
67445 cred->gid != tcred->gid) &&
67446 - !capable(CAP_SYS_PTRACE)) {
67447 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
67448 + (log && !capable(CAP_SYS_PTRACE)))
67449 + ) {
67450 rcu_read_unlock();
67451 return -EPERM;
67452 }
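Review bot: The capability test `((!log && !capable_nolog(CAP_SYS_PTRACE)) || (log && !capable(CAP_SYS_PTRACE)))` is written out twice, here and in the `dumpable` check of the next hunk, and its double negation is easy to break when only one copy is edited. A small static helper that returns whether the caller holds the capability, picking the logging or non-logging variant from `log`, would reduce both sites to `!ptrace_has_cap(log)`. `log` is used purely as a flag and would read better as `bool`. Both conditions sit inside `__ptrace_may_access`, whose start and end are outside these hunks.

```c
/* true if current holds CAP_SYS_PTRACE; @log selects the logging variant */
static bool ptrace_has_cap(unsigned int log)
{
	return log ? capable(CAP_SYS_PTRACE) : capable_nolog(CAP_SYS_PTRACE);
}

/* … unchanged: uid/gid comparisons in __ptrace_may_access … */
	     cred->gid != tcred->gid) &&
	    !ptrace_has_cap(log)) {
/* … unchanged: rcu_read_unlock(), return -EPERM, dumpable lookup … */
	if (!dumpable && !ptrace_has_cap(log))
		return -EPERM;
```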
67453 @@ -149,7 +152,9 @@ int __ptrace_may_access(struct task_stru
67454 smp_rmb();
67455 if (task->mm)
67456 dumpable = get_dumpable(task->mm);
67457 - if (!dumpable && !capable(CAP_SYS_PTRACE))
67458 + if (!dumpable &&
67459 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
67460 + (log && !capable(CAP_SYS_PTRACE))))
67461 return -EPERM;
67462
67463 return security_ptrace_access_check(task, mode);
67464 @@ -159,7 +164,16 @@ bool ptrace_may_access(struct task_struc
67465 {
67466 int err;
67467 task_lock(task);
67468 - err = __ptrace_may_access(task, mode);
67469 + err = __ptrace_may_access(task, mode, 0);
67470 + task_unlock(task);
67471 + return !err;
67472 +}
67473 +
67474 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
67475 +{
67476 + int err;
67477 + task_lock(task);
67478 + err = __ptrace_may_access(task, mode, 1);
67479 task_unlock(task);
67480 return !err;
67481 }
67482 @@ -186,7 +200,7 @@ int ptrace_attach(struct task_struct *ta
67483 goto out;
67484
67485 task_lock(task);
67486 - retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
67487 + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
67488 task_unlock(task);
67489 if (retval)
67490 goto unlock_creds;
67491 @@ -199,7 +213,7 @@ int ptrace_attach(struct task_struct *ta
67492 goto unlock_tasklist;
67493
67494 task->ptrace = PT_PTRACED;
67495 - if (capable(CAP_SYS_PTRACE))
67496 + if (capable_nolog(CAP_SYS_PTRACE))
67497 task->ptrace |= PT_PTRACE_CAP;
67498
67499 __ptrace_link(task, current);
67500 @@ -351,6 +365,8 @@ int ptrace_readdata(struct task_struct *
67501 {
67502 int copied = 0;
67503
67504 + pax_track_stack();
67505 +
67506 while (len > 0) {
67507 char buf[128];
67508 int this_len, retval;
67509 @@ -376,6 +392,8 @@ int ptrace_writedata(struct task_struct
67510 {
67511 int copied = 0;
67512
67513 + pax_track_stack();
67514 +
67515 while (len > 0) {
67516 char buf[128];
67517 int this_len, retval;
67518 @@ -517,6 +535,8 @@ int ptrace_request(struct task_struct *c
67519 int ret = -EIO;
67520 siginfo_t siginfo;
67521
67522 + pax_track_stack();
67523 +
67524 switch (request) {
67525 case PTRACE_PEEKTEXT:
67526 case PTRACE_PEEKDATA:
67527 @@ -532,18 +552,18 @@ int ptrace_request(struct task_struct *c
67528 ret = ptrace_setoptions(child, data);
67529 break;
67530 case PTRACE_GETEVENTMSG:
67531 - ret = put_user(child->ptrace_message, (unsigned long __user *) data);
67532 + ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
67533 break;
67534
67535 case PTRACE_GETSIGINFO:
67536 ret = ptrace_getsiginfo(child, &siginfo);
67537 if (!ret)
67538 - ret = copy_siginfo_to_user((siginfo_t __user *) data,
67539 + ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
67540 &siginfo);
67541 break;
67542
67543 case PTRACE_SETSIGINFO:
67544 - if (copy_from_user(&siginfo, (siginfo_t __user *) data,
67545 + if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
67546 sizeof siginfo))
67547 ret = -EFAULT;
67548 else
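Review bot: Each `(__force ... __user *) data` cast in `ptrace_request` switches off the address-space check for that one expression. There are three in this hunk and another in the `generic_ptrace_peekdata` hunk further down. Converting once at the top of the function, e.g. `void __user *datap = (__force void __user *) data;`, and deriving the typed pointers from `datap` leaves a single annotated conversion to audit. `ptrace_request` begins and ends outside this hunk, so other uses of `data` may need the same treatment.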
67549 @@ -621,14 +641,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
67550 goto out;
67551 }
67552
67553 + if (gr_handle_ptrace(child, request)) {
67554 + ret = -EPERM;
67555 + goto out_put_task_struct;
67556 + }
67557 +
67558 if (request == PTRACE_ATTACH) {
67559 ret = ptrace_attach(child);
67560 /*
67561 * Some architectures need to do book-keeping after
67562 * a ptrace attach.
67563 */
67564 - if (!ret)
67565 + if (!ret) {
67566 arch_ptrace_attach(child);
67567 + gr_audit_ptrace(child);
67568 + }
67569 goto out_put_task_struct;
67570 }
67571
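Review bot: `gr_audit_ptrace(child)` runs only when `ptrace_attach` returns 0. A failed attach, or a request rejected by `gr_handle_ptrace` with -EPERM, leaves a record only if those callees log it themselves, which is not visible here. If denied attempts are meant to be auditable, say so next to the check, for example `/* gr_handle_ptrace() logs its own denials */` if that is the case. The same block is added again in the `compat_sys_ptrace` hunk, and a comment in each naming the other would help keep the two entry points in step. The syscall body starts and ends outside this hunk.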
67572 @@ -653,7 +680,7 @@ int generic_ptrace_peekdata(struct task_
67573 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
67574 if (copied != sizeof(tmp))
67575 return -EIO;
67576 - return put_user(tmp, (unsigned long __user *)data);
67577 + return put_user(tmp, (__force unsigned long __user *)data);
67578 }
67579
67580 int generic_ptrace_pokedata(struct task_struct *tsk, long addr, long data)
67581 @@ -675,6 +702,8 @@ int compat_ptrace_request(struct task_st
67582 siginfo_t siginfo;
67583 int ret;
67584
67585 + pax_track_stack();
67586 +
67587 switch (request) {
67588 case PTRACE_PEEKTEXT:
67589 case PTRACE_PEEKDATA:
67590 @@ -740,14 +769,21 @@ asmlinkage long compat_sys_ptrace(compat
67591 goto out;
67592 }
67593
67594 + if (gr_handle_ptrace(child, request)) {
67595 + ret = -EPERM;
67596 + goto out_put_task_struct;
67597 + }
67598 +
67599 if (request == PTRACE_ATTACH) {
67600 ret = ptrace_attach(child);
67601 /*
67602 * Some architectures need to do book-keeping after
67603 * a ptrace attach.
67604 */
67605 - if (!ret)
67606 + if (!ret) {
67607 arch_ptrace_attach(child);
67608 + gr_audit_ptrace(child);
67609 + }
67610 goto out_put_task_struct;
67611 }
67612
67613 diff -urNp linux-2.6.32.46/kernel/rcutorture.c linux-2.6.32.46/kernel/rcutorture.c
67614 --- linux-2.6.32.46/kernel/rcutorture.c 2011-03-27 14:31:47.000000000 -0400
67615 +++ linux-2.6.32.46/kernel/rcutorture.c 2011-05-04 17:56:28.000000000 -0400
67616 @@ -118,12 +118,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
67617 { 0 };
67618 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
67619 { 0 };
67620 -static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
67621 -static atomic_t n_rcu_torture_alloc;
67622 -static atomic_t n_rcu_torture_alloc_fail;
67623 -static atomic_t n_rcu_torture_free;
67624 -static atomic_t n_rcu_torture_mberror;
67625 -static atomic_t n_rcu_torture_error;
67626 +static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
67627 +static atomic_unchecked_t n_rcu_torture_alloc;
67628 +static atomic_unchecked_t n_rcu_torture_alloc_fail;
67629 +static atomic_unchecked_t n_rcu_torture_free;
67630 +static atomic_unchecked_t n_rcu_torture_mberror;
67631 +static atomic_unchecked_t n_rcu_torture_error;
67632 static long n_rcu_torture_timers;
67633 static struct list_head rcu_torture_removed;
67634 static cpumask_var_t shuffle_tmp_mask;
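Review bot: Nothing records why these six counters move to `atomic_unchecked_t`. In the hunks below they are only incremented, reset and read for reporting in `rcu_torture_printk` and `rcu_torture_cleanup`, so they look like statistics where wraparound is harmless, but that is an inference. A comment above the declarations, e.g. `/* statistics only; wraparound is harmless, hence the _unchecked variants */`, would show that the choice is deliberate and should not be copied to reference counts.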
67635 @@ -187,11 +187,11 @@ rcu_torture_alloc(void)
67636
67637 spin_lock_bh(&rcu_torture_lock);
67638 if (list_empty(&rcu_torture_freelist)) {
67639 - atomic_inc(&n_rcu_torture_alloc_fail);
67640 + atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
67641 spin_unlock_bh(&rcu_torture_lock);
67642 return NULL;
67643 }
67644 - atomic_inc(&n_rcu_torture_alloc);
67645 + atomic_inc_unchecked(&n_rcu_torture_alloc);
67646 p = rcu_torture_freelist.next;
67647 list_del_init(p);
67648 spin_unlock_bh(&rcu_torture_lock);
67649 @@ -204,7 +204,7 @@ rcu_torture_alloc(void)
67650 static void
67651 rcu_torture_free(struct rcu_torture *p)
67652 {
67653 - atomic_inc(&n_rcu_torture_free);
67654 + atomic_inc_unchecked(&n_rcu_torture_free);
67655 spin_lock_bh(&rcu_torture_lock);
67656 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
67657 spin_unlock_bh(&rcu_torture_lock);
67658 @@ -319,7 +319,7 @@ rcu_torture_cb(struct rcu_head *p)
67659 i = rp->rtort_pipe_count;
67660 if (i > RCU_TORTURE_PIPE_LEN)
67661 i = RCU_TORTURE_PIPE_LEN;
67662 - atomic_inc(&rcu_torture_wcount[i]);
67663 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
67664 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
67665 rp->rtort_mbtest = 0;
67666 rcu_torture_free(rp);
67667 @@ -359,7 +359,7 @@ static void rcu_sync_torture_deferred_fr
67668 i = rp->rtort_pipe_count;
67669 if (i > RCU_TORTURE_PIPE_LEN)
67670 i = RCU_TORTURE_PIPE_LEN;
67671 - atomic_inc(&rcu_torture_wcount[i]);
67672 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
67673 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
67674 rp->rtort_mbtest = 0;
67675 list_del(&rp->rtort_free);
67676 @@ -653,7 +653,7 @@ rcu_torture_writer(void *arg)
67677 i = old_rp->rtort_pipe_count;
67678 if (i > RCU_TORTURE_PIPE_LEN)
67679 i = RCU_TORTURE_PIPE_LEN;
67680 - atomic_inc(&rcu_torture_wcount[i]);
67681 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
67682 old_rp->rtort_pipe_count++;
67683 cur_ops->deferred_free(old_rp);
67684 }
67685 @@ -718,7 +718,7 @@ static void rcu_torture_timer(unsigned l
67686 return;
67687 }
67688 if (p->rtort_mbtest == 0)
67689 - atomic_inc(&n_rcu_torture_mberror);
67690 + atomic_inc_unchecked(&n_rcu_torture_mberror);
67691 spin_lock(&rand_lock);
67692 cur_ops->read_delay(&rand);
67693 n_rcu_torture_timers++;
67694 @@ -776,7 +776,7 @@ rcu_torture_reader(void *arg)
67695 continue;
67696 }
67697 if (p->rtort_mbtest == 0)
67698 - atomic_inc(&n_rcu_torture_mberror);
67699 + atomic_inc_unchecked(&n_rcu_torture_mberror);
67700 cur_ops->read_delay(&rand);
67701 preempt_disable();
67702 pipe_count = p->rtort_pipe_count;
67703 @@ -834,17 +834,17 @@ rcu_torture_printk(char *page)
67704 rcu_torture_current,
67705 rcu_torture_current_version,
67706 list_empty(&rcu_torture_freelist),
67707 - atomic_read(&n_rcu_torture_alloc),
67708 - atomic_read(&n_rcu_torture_alloc_fail),
67709 - atomic_read(&n_rcu_torture_free),
67710 - atomic_read(&n_rcu_torture_mberror),
67711 + atomic_read_unchecked(&n_rcu_torture_alloc),
67712 + atomic_read_unchecked(&n_rcu_torture_alloc_fail),
67713 + atomic_read_unchecked(&n_rcu_torture_free),
67714 + atomic_read_unchecked(&n_rcu_torture_mberror),
67715 n_rcu_torture_timers);
67716 - if (atomic_read(&n_rcu_torture_mberror) != 0)
67717 + if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0)
67718 cnt += sprintf(&page[cnt], " !!!");
67719 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
67720 if (i > 1) {
67721 cnt += sprintf(&page[cnt], "!!! ");
67722 - atomic_inc(&n_rcu_torture_error);
67723 + atomic_inc_unchecked(&n_rcu_torture_error);
67724 WARN_ON_ONCE(1);
67725 }
67726 cnt += sprintf(&page[cnt], "Reader Pipe: ");
67727 @@ -858,7 +858,7 @@ rcu_torture_printk(char *page)
67728 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
67729 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
67730 cnt += sprintf(&page[cnt], " %d",
67731 - atomic_read(&rcu_torture_wcount[i]));
67732 + atomic_read_unchecked(&rcu_torture_wcount[i]));
67733 }
67734 cnt += sprintf(&page[cnt], "\n");
67735 if (cur_ops->stats)
67736 @@ -1084,7 +1084,7 @@ rcu_torture_cleanup(void)
67737
67738 if (cur_ops->cleanup)
67739 cur_ops->cleanup();
67740 - if (atomic_read(&n_rcu_torture_error))
67741 + if (atomic_read_unchecked(&n_rcu_torture_error))
67742 rcu_torture_print_module_parms("End of test: FAILURE");
67743 else
67744 rcu_torture_print_module_parms("End of test: SUCCESS");
67745 @@ -1138,13 +1138,13 @@ rcu_torture_init(void)
67746
67747 rcu_torture_current = NULL;
67748 rcu_torture_current_version = 0;
67749 - atomic_set(&n_rcu_torture_alloc, 0);
67750 - atomic_set(&n_rcu_torture_alloc_fail, 0);
67751 - atomic_set(&n_rcu_torture_free, 0);
67752 - atomic_set(&n_rcu_torture_mberror, 0);
67753 - atomic_set(&n_rcu_torture_error, 0);
67754 + atomic_set_unchecked(&n_rcu_torture_alloc, 0);
67755 + atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
67756 + atomic_set_unchecked(&n_rcu_torture_free, 0);
67757 + atomic_set_unchecked(&n_rcu_torture_mberror, 0);
67758 + atomic_set_unchecked(&n_rcu_torture_error, 0);
67759 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
67760 - atomic_set(&rcu_torture_wcount[i], 0);
67761 + atomic_set_unchecked(&rcu_torture_wcount[i], 0);
67762 for_each_possible_cpu(cpu) {
67763 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
67764 per_cpu(rcu_torture_count, cpu)[i] = 0;
67765 diff -urNp linux-2.6.32.46/kernel/rcutree.c linux-2.6.32.46/kernel/rcutree.c
67766 --- linux-2.6.32.46/kernel/rcutree.c 2011-03-27 14:31:47.000000000 -0400
67767 +++ linux-2.6.32.46/kernel/rcutree.c 2011-04-17 15:56:46.000000000 -0400
67768 @@ -1303,7 +1303,7 @@ __rcu_process_callbacks(struct rcu_state
67769 /*
67770 * Do softirq processing for the current CPU.
67771 */
67772 -static void rcu_process_callbacks(struct softirq_action *unused)
67773 +static void rcu_process_callbacks(void)
67774 {
67775 /*
67776 * Memory references from any prior RCU read-side critical sections
67777 diff -urNp linux-2.6.32.46/kernel/rcutree_plugin.h linux-2.6.32.46/kernel/rcutree_plugin.h
67778 --- linux-2.6.32.46/kernel/rcutree_plugin.h 2011-03-27 14:31:47.000000000 -0400
67779 +++ linux-2.6.32.46/kernel/rcutree_plugin.h 2011-04-17 15:56:46.000000000 -0400
67780 @@ -145,7 +145,7 @@ static void rcu_preempt_note_context_swi
67781 */
67782 void __rcu_read_lock(void)
67783 {
67784 - ACCESS_ONCE(current->rcu_read_lock_nesting)++;
67785 + ACCESS_ONCE_RW(current->rcu_read_lock_nesting)++;
67786 barrier(); /* needed if we ever invoke rcu_read_lock in rcutree.c */
67787 }
67788 EXPORT_SYMBOL_GPL(__rcu_read_lock);
67789 @@ -251,7 +251,7 @@ void __rcu_read_unlock(void)
67790 struct task_struct *t = current;
67791
67792 barrier(); /* needed if we ever invoke rcu_read_unlock in rcutree.c */
67793 - if (--ACCESS_ONCE(t->rcu_read_lock_nesting) == 0 &&
67794 + if (--ACCESS_ONCE_RW(t->rcu_read_lock_nesting) == 0 &&
67795 unlikely(ACCESS_ONCE(t->rcu_read_unlock_special)))
67796 rcu_read_unlock_special(t);
67797 }
67798 diff -urNp linux-2.6.32.46/kernel/relay.c linux-2.6.32.46/kernel/relay.c
67799 --- linux-2.6.32.46/kernel/relay.c 2011-03-27 14:31:47.000000000 -0400
67800 +++ linux-2.6.32.46/kernel/relay.c 2011-05-16 21:46:57.000000000 -0400
67801 @@ -1222,7 +1222,7 @@ static int subbuf_splice_actor(struct fi
67802 unsigned int flags,
67803 int *nonpad_ret)
67804 {
67805 - unsigned int pidx, poff, total_len, subbuf_pages, nr_pages, ret;
67806 + unsigned int pidx, poff, total_len, subbuf_pages, nr_pages;
67807 struct rchan_buf *rbuf = in->private_data;
67808 unsigned int subbuf_size = rbuf->chan->subbuf_size;
67809 uint64_t pos = (uint64_t) *ppos;
67810 @@ -1241,6 +1241,9 @@ static int subbuf_splice_actor(struct fi
67811 .ops = &relay_pipe_buf_ops,
67812 .spd_release = relay_page_release,
67813 };
67814 + ssize_t ret;
67815 +
67816 + pax_track_stack();
67817
67818 if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
67819 return 0;
67820 diff -urNp linux-2.6.32.46/kernel/resource.c linux-2.6.32.46/kernel/resource.c
67821 --- linux-2.6.32.46/kernel/resource.c 2011-03-27 14:31:47.000000000 -0400
67822 +++ linux-2.6.32.46/kernel/resource.c 2011-04-17 15:56:46.000000000 -0400
67823 @@ -132,8 +132,18 @@ static const struct file_operations proc
67824
67825 static int __init ioresources_init(void)
67826 {
67827 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
67828 +#ifdef CONFIG_GRKERNSEC_PROC_USER
67829 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
67830 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
67831 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
67832 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
67833 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
67834 +#endif
67835 +#else
67836 proc_create("ioports", 0, NULL, &proc_ioports_operations);
67837 proc_create("iomem", 0, NULL, &proc_iomem_operations);
67838 +#endif
67839 return 0;
67840 }
67841 __initcall(ioresources_init);
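Review bot: With `CONFIG_GRKERNSEC_PROC_ADD` set and neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` defined, the inner `#ifdef`/`#elif` has no arm that compiles, so `ioresources_init` creates neither `ioports` nor `iomem`. Kconfig may rule that combination out, but nothing in this file says so. Either add an inner `#else` arm that repeats the `S_IRUSR` pair, so the fallback is the most restrictive mode, or document the dependency in a comment at the outer `#ifdef`.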
67842 diff -urNp linux-2.6.32.46/kernel/rtmutex.c linux-2.6.32.46/kernel/rtmutex.c
67843 --- linux-2.6.32.46/kernel/rtmutex.c 2011-03-27 14:31:47.000000000 -0400
67844 +++ linux-2.6.32.46/kernel/rtmutex.c 2011-04-17 15:56:46.000000000 -0400
67845 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
67846 */
67847 spin_lock_irqsave(&pendowner->pi_lock, flags);
67848
67849 - WARN_ON(!pendowner->pi_blocked_on);
67850 + BUG_ON(!pendowner->pi_blocked_on);
67851 WARN_ON(pendowner->pi_blocked_on != waiter);
67852 WARN_ON(pendowner->pi_blocked_on->lock != lock);
67853
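Review bot: Only the first of the three assertions becomes `BUG_ON`, and no comment says why a NULL `pendowner->pi_blocked_on` is fatal while the two `WARN_ON`s below stay warnings. The likely reason is that `WARN_ON(pendowner->pi_blocked_on->lock != lock)` dereferences the pointer two lines later; a comment such as `/* fatal: pi_blocked_on is dereferenced below */` would record that. The `BUG_ON` fires with `pendowner->pi_lock` held and interrupts disabled by the `spin_lock_irqsave` above, which is worth stating as an accepted cost. The `init_sched_groups_power` hunk in kernel/sched.c makes the same `WARN_ON` to `BUG_ON` change without explanation.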
67854 diff -urNp linux-2.6.32.46/kernel/rtmutex-tester.c linux-2.6.32.46/kernel/rtmutex-tester.c
67855 --- linux-2.6.32.46/kernel/rtmutex-tester.c 2011-03-27 14:31:47.000000000 -0400
67856 +++ linux-2.6.32.46/kernel/rtmutex-tester.c 2011-05-04 17:56:28.000000000 -0400
67857 @@ -21,7 +21,7 @@
67858 #define MAX_RT_TEST_MUTEXES 8
67859
67860 static spinlock_t rttest_lock;
67861 -static atomic_t rttest_event;
67862 +static atomic_unchecked_t rttest_event;
67863
67864 struct test_thread_data {
67865 int opcode;
67866 @@ -64,7 +64,7 @@ static int handle_op(struct test_thread_
67867
67868 case RTTEST_LOCKCONT:
67869 td->mutexes[td->opdata] = 1;
67870 - td->event = atomic_add_return(1, &rttest_event);
67871 + td->event = atomic_add_return_unchecked(1, &rttest_event);
67872 return 0;
67873
67874 case RTTEST_RESET:
67875 @@ -82,7 +82,7 @@ static int handle_op(struct test_thread_
67876 return 0;
67877
67878 case RTTEST_RESETEVENT:
67879 - atomic_set(&rttest_event, 0);
67880 + atomic_set_unchecked(&rttest_event, 0);
67881 return 0;
67882
67883 default:
67884 @@ -99,9 +99,9 @@ static int handle_op(struct test_thread_
67885 return ret;
67886
67887 td->mutexes[id] = 1;
67888 - td->event = atomic_add_return(1, &rttest_event);
67889 + td->event = atomic_add_return_unchecked(1, &rttest_event);
67890 rt_mutex_lock(&mutexes[id]);
67891 - td->event = atomic_add_return(1, &rttest_event);
67892 + td->event = atomic_add_return_unchecked(1, &rttest_event);
67893 td->mutexes[id] = 4;
67894 return 0;
67895
67896 @@ -112,9 +112,9 @@ static int handle_op(struct test_thread_
67897 return ret;
67898
67899 td->mutexes[id] = 1;
67900 - td->event = atomic_add_return(1, &rttest_event);
67901 + td->event = atomic_add_return_unchecked(1, &rttest_event);
67902 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
67903 - td->event = atomic_add_return(1, &rttest_event);
67904 + td->event = atomic_add_return_unchecked(1, &rttest_event);
67905 td->mutexes[id] = ret ? 0 : 4;
67906 return ret ? -EINTR : 0;
67907
67908 @@ -123,9 +123,9 @@ static int handle_op(struct test_thread_
67909 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
67910 return ret;
67911
67912 - td->event = atomic_add_return(1, &rttest_event);
67913 + td->event = atomic_add_return_unchecked(1, &rttest_event);
67914 rt_mutex_unlock(&mutexes[id]);
67915 - td->event = atomic_add_return(1, &rttest_event);
67916 + td->event = atomic_add_return_unchecked(1, &rttest_event);
67917 td->mutexes[id] = 0;
67918 return 0;
67919
67920 @@ -187,7 +187,7 @@ void schedule_rt_mutex_test(struct rt_mu
67921 break;
67922
67923 td->mutexes[dat] = 2;
67924 - td->event = atomic_add_return(1, &rttest_event);
67925 + td->event = atomic_add_return_unchecked(1, &rttest_event);
67926 break;
67927
67928 case RTTEST_LOCKBKL:
67929 @@ -208,7 +208,7 @@ void schedule_rt_mutex_test(struct rt_mu
67930 return;
67931
67932 td->mutexes[dat] = 3;
67933 - td->event = atomic_add_return(1, &rttest_event);
67934 + td->event = atomic_add_return_unchecked(1, &rttest_event);
67935 break;
67936
67937 case RTTEST_LOCKNOWAIT:
67938 @@ -220,7 +220,7 @@ void schedule_rt_mutex_test(struct rt_mu
67939 return;
67940
67941 td->mutexes[dat] = 1;
67942 - td->event = atomic_add_return(1, &rttest_event);
67943 + td->event = atomic_add_return_unchecked(1, &rttest_event);
67944 return;
67945
67946 case RTTEST_LOCKBKL:
67947 diff -urNp linux-2.6.32.46/kernel/sched.c linux-2.6.32.46/kernel/sched.c
67948 --- linux-2.6.32.46/kernel/sched.c 2011-03-27 14:31:47.000000000 -0400
67949 +++ linux-2.6.32.46/kernel/sched.c 2011-08-21 19:29:25.000000000 -0400
67950 @@ -2764,9 +2764,10 @@ void wake_up_new_task(struct task_struct
67951 {
67952 unsigned long flags;
67953 struct rq *rq;
67954 - int cpu = get_cpu();
67955
67956 #ifdef CONFIG_SMP
67957 + int cpu = get_cpu();
67958 +
67959 rq = task_rq_lock(p, &flags);
67960 p->state = TASK_WAKING;
67961
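Review bot: Moving `int cpu = get_cpu();` under `#ifdef CONFIG_SMP` means a uniprocessor build no longer calls `get_cpu()` in `wake_up_new_task`. The matching `put_cpu()` is outside this hunk. If it is still unconditional, such builds would decrement the preemption count without the earlier increment. Either `put_cpu()` needs the same `#ifdef`, or the declaration should stay unconditional with the variable marked as possibly unused.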
67962 @@ -5043,7 +5044,7 @@ out:
67963 * In CONFIG_NO_HZ case, the idle load balance owner will do the
67964 * rebalancing for all the cpus for whom scheduler ticks are stopped.
67965 */
67966 -static void run_rebalance_domains(struct softirq_action *h)
67967 +static void run_rebalance_domains(void)
67968 {
67969 int this_cpu = smp_processor_id();
67970 struct rq *this_rq = cpu_rq(this_cpu);
67971 @@ -5700,6 +5701,8 @@ asmlinkage void __sched schedule(void)
67972 struct rq *rq;
67973 int cpu;
67974
67975 + pax_track_stack();
67976 +
67977 need_resched:
67978 preempt_disable();
67979 cpu = smp_processor_id();
67980 @@ -5770,7 +5773,7 @@ EXPORT_SYMBOL(schedule);
67981 * Look out! "owner" is an entirely speculative pointer
67982 * access and not reliable.
67983 */
67984 -int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
67985 +int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
67986 {
67987 unsigned int cpu;
67988 struct rq *rq;
67989 @@ -5784,10 +5787,10 @@ int mutex_spin_on_owner(struct mutex *lo
67990 * DEBUG_PAGEALLOC could have unmapped it if
67991 * the mutex owner just released it and exited.
67992 */
67993 - if (probe_kernel_address(&owner->cpu, cpu))
67994 + if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
67995 return 0;
67996 #else
67997 - cpu = owner->cpu;
67998 + cpu = task_thread_info(owner)->cpu;
67999 #endif
68000
68001 /*
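Review bot: In `probe_kernel_address(&task_thread_info(owner)->cpu, cpu)` the fault-tolerant read covers only the `cpu` field, while `task_thread_info(owner)` is evaluated first as an ordinary expression. The comment above the function calls `owner` an entirely speculative pointer. If `task_thread_info()` loads a field of `*owner` on a given architecture (its definition is not visible here), that load is unprotected in the `DEBUG_PAGEALLOC` case this branch exists for. The `#else` arm, `cpu = task_thread_info(owner)->cpu;`, may likewise dereference `owner` twice where it used to do so once. Probing the intermediate pointer as well, or a comment stating why the macro is safe on a stale `owner`, would close the gap.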
68002 @@ -5816,7 +5819,7 @@ int mutex_spin_on_owner(struct mutex *lo
68003 /*
68004 * Is that owner really running on that cpu?
68005 */
68006 - if (task_thread_info(rq->curr) != owner || need_resched())
68007 + if (rq->curr != owner || need_resched())
68008 return 0;
68009
68010 cpu_relax();
68011 @@ -6359,6 +6362,8 @@ int can_nice(const struct task_struct *p
68012 /* convert nice value [19,-20] to rlimit style value [1,40] */
68013 int nice_rlim = 20 - nice;
68014
68015 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
68016 +
68017 return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur ||
68018 capable(CAP_SYS_NICE));
68019 }
68020 @@ -6392,7 +6397,8 @@ SYSCALL_DEFINE1(nice, int, increment)
68021 if (nice > 19)
68022 nice = 19;
68023
68024 - if (increment < 0 && !can_nice(current, nice))
68025 + if (increment < 0 && (!can_nice(current, nice) ||
68026 + gr_handle_chroot_nice()))
68027 return -EPERM;
68028
68029 retval = security_task_setnice(current, nice);
68030 @@ -8774,7 +8780,7 @@ static void init_sched_groups_power(int
68031 long power;
68032 int weight;
68033
68034 - WARN_ON(!sd || !sd->groups);
68035 + BUG_ON(!sd || !sd->groups);
68036
68037 if (cpu != group_first_cpu(sd->groups))
68038 return;
68039 diff -urNp linux-2.6.32.46/kernel/signal.c linux-2.6.32.46/kernel/signal.c
68040 --- linux-2.6.32.46/kernel/signal.c 2011-04-17 17:00:52.000000000 -0400
68041 +++ linux-2.6.32.46/kernel/signal.c 2011-08-16 21:15:58.000000000 -0400
68042 @@ -41,12 +41,12 @@
68043
68044 static struct kmem_cache *sigqueue_cachep;
68045
68046 -static void __user *sig_handler(struct task_struct *t, int sig)
68047 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
68048 {
68049 return t->sighand->action[sig - 1].sa.sa_handler;
68050 }
68051
68052 -static int sig_handler_ignored(void __user *handler, int sig)
68053 +static int sig_handler_ignored(__sighandler_t handler, int sig)
68054 {
68055 /* Is it explicitly or implicitly ignored? */
68056 return handler == SIG_IGN ||
68057 @@ -56,7 +56,7 @@ static int sig_handler_ignored(void __us
68058 static int sig_task_ignored(struct task_struct *t, int sig,
68059 int from_ancestor_ns)
68060 {
68061 - void __user *handler;
68062 + __sighandler_t handler;
68063
68064 handler = sig_handler(t, sig);
68065
68066 @@ -207,6 +207,9 @@ static struct sigqueue *__sigqueue_alloc
68067 */
68068 user = get_uid(__task_cred(t)->user);
68069 atomic_inc(&user->sigpending);
68070 +
68071 + if (!override_rlimit)
68072 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
68073 if (override_rlimit ||
68074 atomic_read(&user->sigpending) <=
68075 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur)
68076 @@ -327,7 +330,7 @@ flush_signal_handlers(struct task_struct
68077
68078 int unhandled_signal(struct task_struct *tsk, int sig)
68079 {
68080 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
68081 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
68082 if (is_global_init(tsk))
68083 return 1;
68084 if (handler != SIG_IGN && handler != SIG_DFL)
68085 @@ -627,6 +630,13 @@ static int check_kill_permission(int sig
68086 }
68087 }
68088
68089 + /* allow glibc communication via tgkill to other threads in our
68090 + thread group */
68091 + if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
68092 + sig != (SIGRTMIN+1) || task_tgid_vnr(t) != info->si_pid)
68093 + && gr_handle_signal(t, sig))
68094 + return -EPERM;
68095 +
68096 return security_task_kill(t, info, sig, 0);
68097 }
68098
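Review bot: The exemption from `gr_handle_signal` is decided from `info->si_code` and `info->si_pid`, that is, from the contents of the siginfo rather than from the identity of the sender. Whether every path into `check_kill_permission` fills those fields in the kernel is not visible in this hunk; where a siginfo can originate from the caller, the exemption would rest on caller-supplied data. On paths where `current` is the sender, comparing thread groups directly with `same_thread_group(current, t)` in place of `task_tgid_vnr(t) != info->si_pid` would tie it to the actual sender. The `do_send_specific` hunk further down uses the same `si_code`/`si_pid` test to choose `find_task_by_vpid_unrestricted` and deserves the same review.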
68099 @@ -968,7 +978,7 @@ __group_send_sig_info(int sig, struct si
68100 return send_signal(sig, info, p, 1);
68101 }
68102
68103 -static int
68104 +int
68105 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
68106 {
68107 return send_signal(sig, info, t, 0);
68108 @@ -1005,6 +1015,7 @@ force_sig_info(int sig, struct siginfo *
68109 unsigned long int flags;
68110 int ret, blocked, ignored;
68111 struct k_sigaction *action;
68112 + int is_unhandled = 0;
68113
68114 spin_lock_irqsave(&t->sighand->siglock, flags);
68115 action = &t->sighand->action[sig-1];
68116 @@ -1019,9 +1030,18 @@ force_sig_info(int sig, struct siginfo *
68117 }
68118 if (action->sa.sa_handler == SIG_DFL)
68119 t->signal->flags &= ~SIGNAL_UNKILLABLE;
68120 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
68121 + is_unhandled = 1;
68122 ret = specific_send_sig_info(sig, info, t);
68123 spin_unlock_irqrestore(&t->sighand->siglock, flags);
68124
68125 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
68126 + normal operation */
68127 + if (is_unhandled) {
68128 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
68129 + gr_handle_crash(t, sig);
68130 + }
68131 +
68132 return ret;
68133 }
68134
68135 @@ -1081,8 +1101,11 @@ int group_send_sig_info(int sig, struct
68136 {
68137 int ret = check_kill_permission(sig, info, p);
68138
68139 - if (!ret && sig)
68140 + if (!ret && sig) {
68141 ret = do_send_sig_info(sig, info, p, true);
68142 + if (!ret)
68143 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
68144 + }
68145
68146 return ret;
68147 }
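Review bot: `gr_log_signal` receives `info->si_addr` for every non-special siginfo that reaches `group_send_sig_info`, but `si_addr` is only meaningful for fault-type signals. For a signal sent with kill() the same union bytes hold the sender's pid and uid. What `gr_log_signal` does with the value is not visible here, but if it records the address, entries for ordinary signals would carry a misleading value. Passing the address only for the signals that define it (SIGSEGV, SIGBUS, SIGILL, SIGFPE) and NULL otherwise keeps the log trustworthy. The `force_sig_info` hunk above uses the same expression.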
68148 @@ -1644,6 +1667,8 @@ void ptrace_notify(int exit_code)
68149 {
68150 siginfo_t info;
68151
68152 + pax_track_stack();
68153 +
68154 BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
68155
68156 memset(&info, 0, sizeof info);
68157 @@ -2275,7 +2300,15 @@ do_send_specific(pid_t tgid, pid_t pid,
68158 int error = -ESRCH;
68159
68160 rcu_read_lock();
68161 - p = find_task_by_vpid(pid);
68162 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
68163 + /* allow glibc communication via tgkill to other threads in our
68164 + thread group */
68165 + if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
68166 + sig == (SIGRTMIN+1) && tgid == info->si_pid)
68167 + p = find_task_by_vpid_unrestricted(pid);
68168 + else
68169 +#endif
68170 + p = find_task_by_vpid(pid);
68171 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
68172 error = check_kill_permission(sig, info, p);
68173 /*
68174 diff -urNp linux-2.6.32.46/kernel/smp.c linux-2.6.32.46/kernel/smp.c
68175 --- linux-2.6.32.46/kernel/smp.c 2011-03-27 14:31:47.000000000 -0400
68176 +++ linux-2.6.32.46/kernel/smp.c 2011-04-17 15:56:46.000000000 -0400
68177 @@ -522,22 +522,22 @@ int smp_call_function(void (*func)(void
68178 }
68179 EXPORT_SYMBOL(smp_call_function);
68180
68181 -void ipi_call_lock(void)
68182 +void ipi_call_lock(void) __acquires(call_function.lock)
68183 {
68184 spin_lock(&call_function.lock);
68185 }
68186
68187 -void ipi_call_unlock(void)
68188 +void ipi_call_unlock(void) __releases(call_function.lock)
68189 {
68190 spin_unlock(&call_function.lock);
68191 }
68192
68193 -void ipi_call_lock_irq(void)
68194 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
68195 {
68196 spin_lock_irq(&call_function.lock);
68197 }
68198
68199 -void ipi_call_unlock_irq(void)
68200 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
68201 {
68202 spin_unlock_irq(&call_function.lock);
68203 }
68204 diff -urNp linux-2.6.32.46/kernel/softirq.c linux-2.6.32.46/kernel/softirq.c
68205 --- linux-2.6.32.46/kernel/softirq.c 2011-03-27 14:31:47.000000000 -0400
68206 +++ linux-2.6.32.46/kernel/softirq.c 2011-08-05 20:33:55.000000000 -0400
68207 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
68208
68209 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
68210
68211 -char *softirq_to_name[NR_SOFTIRQS] = {
68212 +const char * const softirq_to_name[NR_SOFTIRQS] = {
68213 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
68214 "TASKLET", "SCHED", "HRTIMER", "RCU"
68215 };
68216 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
68217
68218 asmlinkage void __do_softirq(void)
68219 {
68220 - struct softirq_action *h;
68221 + const struct softirq_action *h;
68222 __u32 pending;
68223 int max_restart = MAX_SOFTIRQ_RESTART;
68224 int cpu;
68225 @@ -233,7 +233,7 @@ restart:
68226 kstat_incr_softirqs_this_cpu(h - softirq_vec);
68227
68228 trace_softirq_entry(h, softirq_vec);
68229 - h->action(h);
68230 + h->action();
68231 trace_softirq_exit(h, softirq_vec);
68232 if (unlikely(prev_count != preempt_count())) {
68233 printk(KERN_ERR "huh, entered softirq %td %s %p"
68234 @@ -363,9 +363,11 @@ void raise_softirq(unsigned int nr)
68235 local_irq_restore(flags);
68236 }
68237
68238 -void open_softirq(int nr, void (*action)(struct softirq_action *))
68239 +void open_softirq(int nr, void (*action)(void))
68240 {
68241 - softirq_vec[nr].action = action;
68242 + pax_open_kernel();
68243 + *(void **)&softirq_vec[nr].action = action;
68244 + pax_close_kernel();
68245 }
68246
68247 /*
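Review bot: `open_softirq` writes `softirq_vec[nr].action` between `pax_open_kernel()` and `pax_close_kernel()` without checking `nr`. The `*(void **)&` cast also removes the function-pointer type and any const qualifier from the destination. An out-of-range `nr` would therefore store a pointer outside the table while, presumably, write protection of kernel data is lifted. A guard before the window, `BUG_ON(nr < 0 || nr >= NR_SOFTIRQS);`, keeps the write inside the array. A short comment on why the cast is needed (the field is presumably made const elsewhere in the patch) would help too.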
68248 @@ -419,7 +421,7 @@ void __tasklet_hi_schedule_first(struct
68249
68250 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
68251
68252 -static void tasklet_action(struct softirq_action *a)
68253 +static void tasklet_action(void)
68254 {
68255 struct tasklet_struct *list;
68256
68257 @@ -454,7 +456,7 @@ static void tasklet_action(struct softir
68258 }
68259 }
68260
68261 -static void tasklet_hi_action(struct softirq_action *a)
68262 +static void tasklet_hi_action(void)
68263 {
68264 struct tasklet_struct *list;
68265
68266 diff -urNp linux-2.6.32.46/kernel/sys.c linux-2.6.32.46/kernel/sys.c
68267 --- linux-2.6.32.46/kernel/sys.c 2011-03-27 14:31:47.000000000 -0400
68268 +++ linux-2.6.32.46/kernel/sys.c 2011-08-11 19:51:54.000000000 -0400
68269 @@ -133,6 +133,12 @@ static int set_one_prio(struct task_stru
68270 error = -EACCES;
68271 goto out;
68272 }
68273 +
68274 + if (gr_handle_chroot_setpriority(p, niceval)) {
68275 + error = -EACCES;
68276 + goto out;
68277 + }
68278 +
68279 no_nice = security_task_setnice(p, niceval);
68280 if (no_nice) {
68281 error = no_nice;
68282 @@ -190,10 +196,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
68283 !(user = find_user(who)))
68284 goto out_unlock; /* No processes for this user */
68285
68286 - do_each_thread(g, p)
68287 + do_each_thread(g, p) {
68288 if (__task_cred(p)->uid == who)
68289 error = set_one_prio(p, niceval, error);
68290 - while_each_thread(g, p);
68291 + } while_each_thread(g, p);
68292 if (who != cred->uid)
68293 free_uid(user); /* For find_user() */
68294 break;
68295 @@ -253,13 +259,13 @@ SYSCALL_DEFINE2(getpriority, int, which,
68296 !(user = find_user(who)))
68297 goto out_unlock; /* No processes for this user */
68298
68299 - do_each_thread(g, p)
68300 + do_each_thread(g, p) {
68301 if (__task_cred(p)->uid == who) {
68302 niceval = 20 - task_nice(p);
68303 if (niceval > retval)
68304 retval = niceval;
68305 }
68306 - while_each_thread(g, p);
68307 + } while_each_thread(g, p);
68308 if (who != cred->uid)
68309 free_uid(user); /* for find_user() */
68310 break;
68311 @@ -509,6 +515,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
68312 goto error;
68313 }
68314
68315 + if (gr_check_group_change(new->gid, new->egid, -1))
68316 + goto error;
68317 +
68318 if (rgid != (gid_t) -1 ||
68319 (egid != (gid_t) -1 && egid != old->gid))
68320 new->sgid = new->egid;
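Review bot: The `-1` passed as the third argument of `gr_check_group_change` is undocumented, and the call sites are not uniform. Here and in the `setreuid` hunk the already-resolved `new->gid`/`new->egid` (or `new->uid`/`new->euid`) values are passed, while the `setresuid` and `setresgid` hunks pass the raw syscall arguments, where `(gid_t) -1` means "leave unchanged". Whether the check treats `-1` that way in all three positions is not visible here. A comment at the first call, e.g. `/* -1: this id is not being changed */` if that is the convention, would make the contract explicit. So would casting to the id type, as the surrounding code does with `(gid_t) -1`.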
68321 @@ -542,6 +551,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
68322 goto error;
68323
68324 retval = -EPERM;
68325 +
68326 + if (gr_check_group_change(gid, gid, gid))
68327 + goto error;
68328 +
68329 if (capable(CAP_SETGID))
68330 new->gid = new->egid = new->sgid = new->fsgid = gid;
68331 else if (gid == old->gid || gid == old->sgid)
68332 @@ -567,12 +580,19 @@ static int set_user(struct cred *new)
68333 if (!new_user)
68334 return -EAGAIN;
68335
68336 + /*
68337 + * We don't fail in case of NPROC limit excess here because too many
68338 + * poorly written programs don't check set*uid() return code, assuming
68339 + * it never fails if called by root. We may still enforce NPROC limit
68340 + * for programs doing set*uid()+execve() by harmlessly deferring the
68341 + * failure to the execve() stage.
68342 + */
68343 if (atomic_read(&new_user->processes) >=
68344 current->signal->rlim[RLIMIT_NPROC].rlim_cur &&
68345 - new_user != INIT_USER) {
68346 - free_uid(new_user);
68347 - return -EAGAIN;
68348 - }
68349 + new_user != INIT_USER)
68350 + current->flags |= PF_NPROC_EXCEEDED;
68351 + else
68352 + current->flags &= ~PF_NPROC_EXCEEDED;
68353
68354 free_uid(new->user);
68355 new->user = new_user;
68356 @@ -627,6 +647,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
68357 goto error;
68358 }
68359
68360 + if (gr_check_user_change(new->uid, new->euid, -1))
68361 + goto error;
68362 +
68363 if (new->uid != old->uid) {
68364 retval = set_user(new);
68365 if (retval < 0)
68366 @@ -675,6 +698,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
68367 goto error;
68368
68369 retval = -EPERM;
68370 +
68371 + if (gr_check_crash_uid(uid))
68372 + goto error;
68373 + if (gr_check_user_change(uid, uid, uid))
68374 + goto error;
68375 +
68376 if (capable(CAP_SETUID)) {
68377 new->suid = new->uid = uid;
68378 if (uid != old->uid) {
68379 @@ -732,6 +761,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
68380 goto error;
68381 }
68382
68383 + if (gr_check_user_change(ruid, euid, -1))
68384 + goto error;
68385 +
68386 if (ruid != (uid_t) -1) {
68387 new->uid = ruid;
68388 if (ruid != old->uid) {
68389 @@ -800,6 +832,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
68390 goto error;
68391 }
68392
68393 + if (gr_check_group_change(rgid, egid, -1))
68394 + goto error;
68395 +
68396 if (rgid != (gid_t) -1)
68397 new->gid = rgid;
68398 if (egid != (gid_t) -1)
68399 @@ -849,6 +884,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
68400 if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
68401 goto error;
68402
68403 + if (gr_check_user_change(-1, -1, uid))
68404 + goto error;
68405 +
68406 if (uid == old->uid || uid == old->euid ||
68407 uid == old->suid || uid == old->fsuid ||
68408 capable(CAP_SETUID)) {
68409 @@ -889,6 +927,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
68410 if (gid == old->gid || gid == old->egid ||
68411 gid == old->sgid || gid == old->fsgid ||
68412 capable(CAP_SETGID)) {
68413 + if (gr_check_group_change(-1, -1, gid))
68414 + goto error;
68415 +
68416 if (gid != old_fsgid) {
68417 new->fsgid = gid;
68418 goto change_okay;
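Review bot: The placement of `gr_check_group_change(-1, -1, gid)` differs from its setfsuid counterpart. In the setfsuid hunk above, `gr_check_user_change(-1, -1, uid)` runs before the `uid == old->uid || ... || capable(CAP_SETUID)` test, but here the check sits inside that branch, so `capable(CAP_SETGID)` has already been evaluated when the policy check runs. I would hoist it to match, placing `if (gr_check_group_change(-1, -1, gid)) goto error;` directly before `if (gid == old->gid || ...`. If the ordering is deliberate, a one-line comment saying why would do. The enclosing syscall body starts and ends outside the hunk.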
68419 @@ -1454,7 +1495,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
68420 error = get_dumpable(me->mm);
68421 break;
68422 case PR_SET_DUMPABLE:
68423 - if (arg2 < 0 || arg2 > 1) {
68424 + if (arg2 > 1) {
68425 error = -EINVAL;
68426 break;
68427 }
68428 diff -urNp linux-2.6.32.46/kernel/sysctl.c linux-2.6.32.46/kernel/sysctl.c
68429 --- linux-2.6.32.46/kernel/sysctl.c 2011-03-27 14:31:47.000000000 -0400
68430 +++ linux-2.6.32.46/kernel/sysctl.c 2011-04-17 15:56:46.000000000 -0400
68431 @@ -63,6 +63,13 @@
68432 static int deprecated_sysctl_warning(struct __sysctl_args *args);
68433
68434 #if defined(CONFIG_SYSCTL)
68435 +#include <linux/grsecurity.h>
68436 +#include <linux/grinternal.h>
68437 +
68438 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
68439 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
68440 + const int op);
68441 +extern int gr_handle_chroot_sysctl(const int op);
68442
68443 /* External variables not in a header file. */
68444 extern int C_A_D;
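Review bot: The three `extern` prototypes are written out in sysctl.c immediately after `<linux/grsecurity.h>` and `<linux/grinternal.h>` are included, so nothing visible ties them to the definitions. They would be safer in one of those headers, where the defining file and every caller see the same declaration. One consequence shows in the sysctl_perm() hunk further down: `gr_handle_sysctl` is declared as returning `__u32`, yet its result is stored in `int error` and returned as an error code. The taskstats.c hunk repeats the pattern with `extern int gr_is_taskstats_denied(int pid);`.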
68445 @@ -168,6 +175,7 @@ static int proc_do_cad_pid(struct ctl_ta
68446 static int proc_taint(struct ctl_table *table, int write,
68447 void __user *buffer, size_t *lenp, loff_t *ppos);
68448 #endif
68449 +extern ctl_table grsecurity_table[];
68450
68451 static struct ctl_table root_table[];
68452 static struct ctl_table_root sysctl_table_root;
68453 @@ -200,6 +208,21 @@ extern struct ctl_table epoll_table[];
68454 int sysctl_legacy_va_layout;
68455 #endif
68456
68457 +#ifdef CONFIG_PAX_SOFTMODE
68458 +static ctl_table pax_table[] = {
68459 + {
68460 + .ctl_name = CTL_UNNUMBERED,
68461 + .procname = "softmode",
68462 + .data = &pax_softmode,
68463 + .maxlen = sizeof(unsigned int),
68464 + .mode = 0600,
68465 + .proc_handler = &proc_dointvec,
68466 + },
68467 +
68468 + { .ctl_name = 0 }
68469 +};
68470 +#endif
68471 +
68472 extern int prove_locking;
68473 extern int lock_stat;
68474
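Review bot: The `softmode` entry sets `.maxlen = sizeof(unsigned int)` but uses `proc_dointvec`, which parses signed integers and applies no range. Writing `.maxlen = sizeof(pax_softmode)`, as the `heap_stack_gap` entry later in this file does with its own variable, keeps the length tied to the object. The declaration of `pax_softmode` is not visible here; if it is an on/off switch, `proc_dointvec_minmax` with `.extra1`/`.extra2` pointing at 0 and 1 would reject other values at the sysctl boundary.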
68475 @@ -251,6 +274,24 @@ static int max_wakeup_granularity_ns = N
68476 #endif
68477
68478 static struct ctl_table kern_table[] = {
68479 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
68480 + {
68481 + .ctl_name = CTL_UNNUMBERED,
68482 + .procname = "grsecurity",
68483 + .mode = 0500,
68484 + .child = grsecurity_table,
68485 + },
68486 +#endif
68487 +
68488 +#ifdef CONFIG_PAX_SOFTMODE
68489 + {
68490 + .ctl_name = CTL_UNNUMBERED,
68491 + .procname = "pax",
68492 + .mode = 0500,
68493 + .child = pax_table,
68494 + },
68495 +#endif
68496 +
68497 {
68498 .ctl_name = CTL_UNNUMBERED,
68499 .procname = "sched_child_runs_first",
68500 @@ -567,8 +608,8 @@ static struct ctl_table kern_table[] = {
68501 .data = &modprobe_path,
68502 .maxlen = KMOD_PATH_LEN,
68503 .mode = 0644,
68504 - .proc_handler = &proc_dostring,
68505 - .strategy = &sysctl_string,
68506 + .proc_handler = &proc_dostring_modpriv,
68507 + .strategy = &sysctl_string_modpriv,
68508 },
68509 {
68510 .ctl_name = CTL_UNNUMBERED,
68511 @@ -1247,6 +1288,13 @@ static struct ctl_table vm_table[] = {
68512 .mode = 0644,
68513 .proc_handler = &proc_dointvec
68514 },
68515 + {
68516 + .procname = "heap_stack_gap",
68517 + .data = &sysctl_heap_stack_gap,
68518 + .maxlen = sizeof(sysctl_heap_stack_gap),
68519 + .mode = 0644,
68520 + .proc_handler = proc_doulongvec_minmax,
68521 + },
68522 #else
68523 {
68524 .ctl_name = CTL_UNNUMBERED,
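Review bot: `heap_stack_gap` is registered with `proc_doulongvec_minmax` but without `.extra1` or `.extra2`, so no minimum or maximum is applied to what a privileged writer stores in `sysctl_heap_stack_gap`. If a non-zero gap is meant to be guaranteed, add a lower bound, for example `.extra1 = &heap_stack_gap_min,` (constructed name). Otherwise a short comment stating that any value is accepted would document the intent. The entry also omits `.ctl_name = CTL_UNNUMBERED` and the `&` on the handler that the neighbouring entries use; matching them keeps the table uniform. The `#if` that guards this part of vm_table is outside the hunk.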
68525 @@ -1803,6 +1851,8 @@ static int do_sysctl_strategy(struct ctl
68526 return 0;
68527 }
68528
68529 +static int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op);
68530 +
68531 static int parse_table(int __user *name, int nlen,
68532 void __user *oldval, size_t __user *oldlenp,
68533 void __user *newval, size_t newlen,
68534 @@ -1821,7 +1871,7 @@ repeat:
68535 if (n == table->ctl_name) {
68536 int error;
68537 if (table->child) {
68538 - if (sysctl_perm(root, table, MAY_EXEC))
68539 + if (sysctl_perm_nochk(root, table, MAY_EXEC))
68540 return -EPERM;
68541 name++;
68542 nlen--;
68543 @@ -1906,6 +1956,33 @@ int sysctl_perm(struct ctl_table_root *r
68544 int error;
68545 int mode;
68546
68547 + if (table->parent != NULL && table->parent->procname != NULL &&
68548 + table->procname != NULL &&
68549 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
68550 + return -EACCES;
68551 + if (gr_handle_chroot_sysctl(op))
68552 + return -EACCES;
68553 + error = gr_handle_sysctl(table, op);
68554 + if (error)
68555 + return error;
68556 +
68557 + error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
68558 + if (error)
68559 + return error;
68560 +
68561 + if (root->permissions)
68562 + mode = root->permissions(root, current->nsproxy, table);
68563 + else
68564 + mode = table->mode;
68565 +
68566 + return test_perm(mode, op);
68567 +}
68568 +
68569 +int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op)
68570 +{
68571 + int error;
68572 + int mode;
68573 +
68574 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
68575 if (error)
68576 return error;
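Review bot: The tail of the new `sysctl_perm()` (the `security_sysctl()` call, the `root->permissions` lookup and `test_perm()`) is copied line for line into `sysctl_perm_nochk()`, so the two permission paths can drift apart when one is edited. After the three `gr_handle_*` checks, `sysctl_perm()` could end with `return sysctl_perm_nochk(root, table, op);`. The definition is also written `int sysctl_perm_nochk(...)` although the forward declaration added earlier in this file is `static int`; repeating `static` on the definition makes the intended linkage explicit. The body of `sysctl_perm_nochk()` continues past the end of the hunk.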
68577 @@ -2335,6 +2412,16 @@ int proc_dostring(struct ctl_table *tabl
68578 buffer, lenp, ppos);
68579 }
68580
68581 +int proc_dostring_modpriv(struct ctl_table *table, int write,
68582 + void __user *buffer, size_t *lenp, loff_t *ppos)
68583 +{
68584 + if (write && !capable(CAP_SYS_MODULE))
68585 + return -EPERM;
68586 +
68587 + return _proc_do_string(table->data, table->maxlen, write,
68588 + buffer, lenp, ppos);
68589 +}
68590 +
68591
68592 static int do_proc_dointvec_conv(int *negp, unsigned long *lvalp,
68593 int *valp,
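Review bot: `proc_dostring_modpriv()` has no comment explaining why a string handler needs a capability check beyond the file mode. The kern_table hunk above installs it on `modprobe_path`, which stays at mode 0644. I would add above the function `/* modprobe_path names the helper the kernel executes with full privileges; require CAP_SYS_MODULE to change it, not only write access to the sysctl file. */`. The same comment applies to `sysctl_string_modpriv()` in the later hunk, which guards the binary sysctl path with `newval && newlen`.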
68594 @@ -2609,7 +2696,7 @@ static int __do_proc_doulongvec_minmax(v
68595 vleft = table->maxlen / sizeof(unsigned long);
68596 left = *lenp;
68597
68598 - for (; left && vleft--; i++, min++, max++, first=0) {
68599 + for (; left && vleft--; i++, first=0) {
68600 if (write) {
68601 while (left) {
68602 char c;
68603 @@ -2910,6 +2997,12 @@ int proc_dostring(struct ctl_table *tabl
68604 return -ENOSYS;
68605 }
68606
68607 +int proc_dostring_modpriv(struct ctl_table *table, int write,
68608 + void __user *buffer, size_t *lenp, loff_t *ppos)
68609 +{
68610 + return -ENOSYS;
68611 +}
68612 +
68613 int proc_dointvec(struct ctl_table *table, int write,
68614 void __user *buffer, size_t *lenp, loff_t *ppos)
68615 {
68616 @@ -3038,6 +3131,16 @@ int sysctl_string(struct ctl_table *tabl
68617 return 1;
68618 }
68619
68620 +int sysctl_string_modpriv(struct ctl_table *table,
68621 + void __user *oldval, size_t __user *oldlenp,
68622 + void __user *newval, size_t newlen)
68623 +{
68624 + if (newval && newlen && !capable(CAP_SYS_MODULE))
68625 + return -EPERM;
68626 +
68627 + return sysctl_string(table, oldval, oldlenp, newval, newlen);
68628 +}
68629 +
68630 /*
68631 * This function makes sure that all of the integers in the vector
68632 * are between the minimum and maximum values given in the arrays
68633 @@ -3182,6 +3285,13 @@ int sysctl_string(struct ctl_table *tabl
68634 return -ENOSYS;
68635 }
68636
68637 +int sysctl_string_modpriv(struct ctl_table *table,
68638 + void __user *oldval, size_t __user *oldlenp,
68639 + void __user *newval, size_t newlen)
68640 +{
68641 + return -ENOSYS;
68642 +}
68643 +
68644 int sysctl_intvec(struct ctl_table *table,
68645 void __user *oldval, size_t __user *oldlenp,
68646 void __user *newval, size_t newlen)
68647 @@ -3246,6 +3356,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
68648 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
68649 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
68650 EXPORT_SYMBOL(proc_dostring);
68651 +EXPORT_SYMBOL(proc_dostring_modpriv);
68652 EXPORT_SYMBOL(proc_doulongvec_minmax);
68653 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
68654 EXPORT_SYMBOL(register_sysctl_table);
68655 @@ -3254,5 +3365,6 @@ EXPORT_SYMBOL(sysctl_intvec);
68656 EXPORT_SYMBOL(sysctl_jiffies);
68657 EXPORT_SYMBOL(sysctl_ms_jiffies);
68658 EXPORT_SYMBOL(sysctl_string);
68659 +EXPORT_SYMBOL(sysctl_string_modpriv);
68660 EXPORT_SYMBOL(sysctl_data);
68661 EXPORT_SYMBOL(unregister_sysctl_table);
68662 diff -urNp linux-2.6.32.46/kernel/sysctl_check.c linux-2.6.32.46/kernel/sysctl_check.c
68663 --- linux-2.6.32.46/kernel/sysctl_check.c 2011-03-27 14:31:47.000000000 -0400
68664 +++ linux-2.6.32.46/kernel/sysctl_check.c 2011-04-17 15:56:46.000000000 -0400
68665 @@ -1489,10 +1489,12 @@ int sysctl_check_table(struct nsproxy *n
68666 } else {
68667 if ((table->strategy == sysctl_data) ||
68668 (table->strategy == sysctl_string) ||
68669 + (table->strategy == sysctl_string_modpriv) ||
68670 (table->strategy == sysctl_intvec) ||
68671 (table->strategy == sysctl_jiffies) ||
68672 (table->strategy == sysctl_ms_jiffies) ||
68673 (table->proc_handler == proc_dostring) ||
68674 + (table->proc_handler == proc_dostring_modpriv) ||
68675 (table->proc_handler == proc_dointvec) ||
68676 (table->proc_handler == proc_dointvec_minmax) ||
68677 (table->proc_handler == proc_dointvec_jiffies) ||
68678 diff -urNp linux-2.6.32.46/kernel/taskstats.c linux-2.6.32.46/kernel/taskstats.c
68679 --- linux-2.6.32.46/kernel/taskstats.c 2011-07-13 17:23:04.000000000 -0400
68680 +++ linux-2.6.32.46/kernel/taskstats.c 2011-07-13 17:23:19.000000000 -0400
68681 @@ -26,9 +26,12 @@
68682 #include <linux/cgroup.h>
68683 #include <linux/fs.h>
68684 #include <linux/file.h>
68685 +#include <linux/grsecurity.h>
68686 #include <net/genetlink.h>
68687 #include <asm/atomic.h>
68688
68689 +extern int gr_is_taskstats_denied(int pid);
68690 +
68691 /*
68692 * Maximum length of a cpumask that can be specified in
68693 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
68694 @@ -442,6 +445,9 @@ static int taskstats_user_cmd(struct sk_
68695 size_t size;
68696 cpumask_var_t mask;
68697
68698 + if (gr_is_taskstats_denied(current->pid))
68699 + return -EACCES;
68700 +
68701 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
68702 return -ENOMEM;
68703
68704 diff -urNp linux-2.6.32.46/kernel/time/tick-broadcast.c linux-2.6.32.46/kernel/time/tick-broadcast.c
68705 --- linux-2.6.32.46/kernel/time/tick-broadcast.c 2011-05-23 16:56:59.000000000 -0400
68706 +++ linux-2.6.32.46/kernel/time/tick-broadcast.c 2011-05-23 16:57:13.000000000 -0400
68707 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
68708 * then clear the broadcast bit.
68709 */
68710 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
68711 - int cpu = smp_processor_id();
68712 + cpu = smp_processor_id();
68713
68714 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
68715 tick_broadcast_clear_oneshot(cpu);
68716 diff -urNp linux-2.6.32.46/kernel/time/timekeeping.c linux-2.6.32.46/kernel/time/timekeeping.c
68717 --- linux-2.6.32.46/kernel/time/timekeeping.c 2011-06-25 12:55:35.000000000 -0400
68718 +++ linux-2.6.32.46/kernel/time/timekeeping.c 2011-06-25 12:56:37.000000000 -0400
68719 @@ -14,6 +14,7 @@
68720 #include <linux/init.h>
68721 #include <linux/mm.h>
68722 #include <linux/sched.h>
68723 +#include <linux/grsecurity.h>
68724 #include <linux/sysdev.h>
68725 #include <linux/clocksource.h>
68726 #include <linux/jiffies.h>
68727 @@ -180,7 +181,7 @@ void update_xtime_cache(u64 nsec)
68728 */
68729 struct timespec ts = xtime;
68730 timespec_add_ns(&ts, nsec);
68731 - ACCESS_ONCE(xtime_cache) = ts;
68732 + ACCESS_ONCE_RW(xtime_cache) = ts;
68733 }
68734
68735 /* must hold xtime_lock */
68736 @@ -333,6 +334,8 @@ int do_settimeofday(struct timespec *tv)
68737 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
68738 return -EINVAL;
68739
68740 + gr_log_timechange();
68741 +
68742 write_seqlock_irqsave(&xtime_lock, flags);
68743
68744 timekeeping_forward_now();
68745 diff -urNp linux-2.6.32.46/kernel/time/timer_list.c linux-2.6.32.46/kernel/time/timer_list.c
68746 --- linux-2.6.32.46/kernel/time/timer_list.c 2011-03-27 14:31:47.000000000 -0400
68747 +++ linux-2.6.32.46/kernel/time/timer_list.c 2011-04-17 15:56:46.000000000 -0400
68748 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
68749
68750 static void print_name_offset(struct seq_file *m, void *sym)
68751 {
68752 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68753 + SEQ_printf(m, "<%p>", NULL);
68754 +#else
68755 char symname[KSYM_NAME_LEN];
68756
68757 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
68758 SEQ_printf(m, "<%p>", sym);
68759 else
68760 SEQ_printf(m, "%s", symname);
68761 +#endif
68762 }
68763
68764 static void
68765 @@ -112,7 +116,11 @@ next_one:
68766 static void
68767 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
68768 {
68769 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68770 + SEQ_printf(m, " .base: %p\n", NULL);
68771 +#else
68772 SEQ_printf(m, " .base: %p\n", base);
68773 +#endif
68774 SEQ_printf(m, " .index: %d\n",
68775 base->index);
68776 SEQ_printf(m, " .resolution: %Lu nsecs\n",
68777 @@ -289,7 +297,11 @@ static int __init init_timer_list_procfs
68778 {
68779 struct proc_dir_entry *pe;
68780
68781 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
68782 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
68783 +#else
68784 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
68785 +#endif
68786 if (!pe)
68787 return -ENOMEM;
68788 return 0;
68789 diff -urNp linux-2.6.32.46/kernel/time/timer_stats.c linux-2.6.32.46/kernel/time/timer_stats.c
68790 --- linux-2.6.32.46/kernel/time/timer_stats.c 2011-03-27 14:31:47.000000000 -0400
68791 +++ linux-2.6.32.46/kernel/time/timer_stats.c 2011-05-04 17:56:28.000000000 -0400
68792 @@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
68793 static unsigned long nr_entries;
68794 static struct entry entries[MAX_ENTRIES];
68795
68796 -static atomic_t overflow_count;
68797 +static atomic_unchecked_t overflow_count;
68798
68799 /*
68800 * The entries are in a hash-table, for fast lookup:
68801 @@ -140,7 +140,7 @@ static void reset_entries(void)
68802 nr_entries = 0;
68803 memset(entries, 0, sizeof(entries));
68804 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
68805 - atomic_set(&overflow_count, 0);
68806 + atomic_set_unchecked(&overflow_count, 0);
68807 }
68808
68809 static struct entry *alloc_entry(void)
68810 @@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
68811 if (likely(entry))
68812 entry->count++;
68813 else
68814 - atomic_inc(&overflow_count);
68815 + atomic_inc_unchecked(&overflow_count);
68816
68817 out_unlock:
68818 spin_unlock_irqrestore(lock, flags);
68819 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
68820
68821 static void print_name_offset(struct seq_file *m, unsigned long addr)
68822 {
68823 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68824 + seq_printf(m, "<%p>", NULL);
68825 +#else
68826 char symname[KSYM_NAME_LEN];
68827
68828 if (lookup_symbol_name(addr, symname) < 0)
68829 seq_printf(m, "<%p>", (void *)addr);
68830 else
68831 seq_printf(m, "%s", symname);
68832 +#endif
68833 }
68834
68835 static int tstats_show(struct seq_file *m, void *v)
68836 @@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
68837
68838 seq_puts(m, "Timer Stats Version: v0.2\n");
68839 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
68840 - if (atomic_read(&overflow_count))
68841 + if (atomic_read_unchecked(&overflow_count))
68842 seq_printf(m, "Overflow: %d entries\n",
68843 - atomic_read(&overflow_count));
68844 + atomic_read_unchecked(&overflow_count));
68845
68846 for (i = 0; i < nr_entries; i++) {
68847 entry = entries + i;
68848 @@ -415,7 +419,11 @@ static int __init init_tstats_procfs(voi
68849 {
68850 struct proc_dir_entry *pe;
68851
68852 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
68853 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
68854 +#else
68855 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
68856 +#endif
68857 if (!pe)
68858 return -ENOMEM;
68859 return 0;
68860 diff -urNp linux-2.6.32.46/kernel/time.c linux-2.6.32.46/kernel/time.c
68861 --- linux-2.6.32.46/kernel/time.c 2011-03-27 14:31:47.000000000 -0400
68862 +++ linux-2.6.32.46/kernel/time.c 2011-04-17 15:56:46.000000000 -0400
68863 @@ -165,6 +165,11 @@ int do_sys_settimeofday(struct timespec
68864 return error;
68865
68866 if (tz) {
68867 + /* we log in do_settimeofday called below, so don't log twice
68868 + */
68869 + if (!tv)
68870 + gr_log_timechange();
68871 +
68872 /* SMP safe, global irq locking makes it work. */
68873 sys_tz = *tz;
68874 update_vsyscall_tz();
68875 @@ -240,7 +245,7 @@ EXPORT_SYMBOL(current_fs_time);
68876 * Avoid unnecessary multiplications/divisions in the
68877 * two most common HZ cases:
68878 */
68879 -unsigned int inline jiffies_to_msecs(const unsigned long j)
68880 +inline unsigned int jiffies_to_msecs(const unsigned long j)
68881 {
68882 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
68883 return (MSEC_PER_SEC / HZ) * j;
68884 @@ -256,7 +261,7 @@ unsigned int inline jiffies_to_msecs(con
68885 }
68886 EXPORT_SYMBOL(jiffies_to_msecs);
68887
68888 -unsigned int inline jiffies_to_usecs(const unsigned long j)
68889 +inline unsigned int jiffies_to_usecs(const unsigned long j)
68890 {
68891 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
68892 return (USEC_PER_SEC / HZ) * j;
68893 diff -urNp linux-2.6.32.46/kernel/timer.c linux-2.6.32.46/kernel/timer.c
68894 --- linux-2.6.32.46/kernel/timer.c 2011-03-27 14:31:47.000000000 -0400
68895 +++ linux-2.6.32.46/kernel/timer.c 2011-04-17 15:56:46.000000000 -0400
68896 @@ -1213,7 +1213,7 @@ void update_process_times(int user_tick)
68897 /*
68898 * This function runs timers and the timer-tq in bottom half context.
68899 */
68900 -static void run_timer_softirq(struct softirq_action *h)
68901 +static void run_timer_softirq(void)
68902 {
68903 struct tvec_base *base = __get_cpu_var(tvec_bases);
68904
68905 diff -urNp linux-2.6.32.46/kernel/trace/blktrace.c linux-2.6.32.46/kernel/trace/blktrace.c
68906 --- linux-2.6.32.46/kernel/trace/blktrace.c 2011-03-27 14:31:47.000000000 -0400
68907 +++ linux-2.6.32.46/kernel/trace/blktrace.c 2011-05-04 17:56:28.000000000 -0400
68908 @@ -313,7 +313,7 @@ static ssize_t blk_dropped_read(struct f
68909 struct blk_trace *bt = filp->private_data;
68910 char buf[16];
68911
68912 - snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
68913 + snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
68914
68915 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
68916 }
68917 @@ -376,7 +376,7 @@ static int blk_subbuf_start_callback(str
68918 return 1;
68919
68920 bt = buf->chan->private_data;
68921 - atomic_inc(&bt->dropped);
68922 + atomic_inc_unchecked(&bt->dropped);
68923 return 0;
68924 }
68925
68926 @@ -477,7 +477,7 @@ int do_blk_trace_setup(struct request_qu
68927
68928 bt->dir = dir;
68929 bt->dev = dev;
68930 - atomic_set(&bt->dropped, 0);
68931 + atomic_set_unchecked(&bt->dropped, 0);
68932
68933 ret = -EIO;
68934 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
68935 diff -urNp linux-2.6.32.46/kernel/trace/ftrace.c linux-2.6.32.46/kernel/trace/ftrace.c
68936 --- linux-2.6.32.46/kernel/trace/ftrace.c 2011-06-25 12:55:35.000000000 -0400
68937 +++ linux-2.6.32.46/kernel/trace/ftrace.c 2011-06-25 12:56:37.000000000 -0400
68938 @@ -1100,13 +1100,18 @@ ftrace_code_disable(struct module *mod,
68939
68940 ip = rec->ip;
68941
68942 + ret = ftrace_arch_code_modify_prepare();
68943 + FTRACE_WARN_ON(ret);
68944 + if (ret)
68945 + return 0;
68946 +
68947 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
68948 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
68949 if (ret) {
68950 ftrace_bug(ret, ip);
68951 rec->flags |= FTRACE_FL_FAILED;
68952 - return 0;
68953 }
68954 - return 1;
68955 + return ret ? 0 : 1;
68956 }
68957
68958 /*
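Review bot: When `ftrace_arch_code_modify_prepare()` fails, the added `return 0` leaves `rec->flags` untouched, whereas a failing `ftrace_make_nop()` a few lines later sets `FTRACE_FL_FAILED` and calls `ftrace_bug()`. If the record should be treated as failed in both cases, the early exit could read `if (ret) { rec->flags |= FTRACE_FL_FAILED; return 0; }`; if not, a comment should say why the two failures differ. Calling `ftrace_arch_code_modify_post_process()` inside the `FTRACE_WARN_ON(...)` argument also hides a required side effect in a macro operand; assigning the result to a local and warning on that is clearer. The function starts outside the hunk.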
68959 diff -urNp linux-2.6.32.46/kernel/trace/ring_buffer.c linux-2.6.32.46/kernel/trace/ring_buffer.c
68960 --- linux-2.6.32.46/kernel/trace/ring_buffer.c 2011-03-27 14:31:47.000000000 -0400
68961 +++ linux-2.6.32.46/kernel/trace/ring_buffer.c 2011-04-17 15:56:46.000000000 -0400
68962 @@ -606,7 +606,7 @@ static struct list_head *rb_list_head(st
68963 * the reader page). But if the next page is a header page,
68964 * its flags will be non zero.
68965 */
68966 -static int inline
68967 +static inline int
68968 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
68969 struct buffer_page *page, struct list_head *list)
68970 {
68971 diff -urNp linux-2.6.32.46/kernel/trace/trace.c linux-2.6.32.46/kernel/trace/trace.c
68972 --- linux-2.6.32.46/kernel/trace/trace.c 2011-03-27 14:31:47.000000000 -0400
68973 +++ linux-2.6.32.46/kernel/trace/trace.c 2011-05-16 21:46:57.000000000 -0400
68974 @@ -3193,6 +3193,8 @@ static ssize_t tracing_splice_read_pipe(
68975 size_t rem;
68976 unsigned int i;
68977
68978 + pax_track_stack();
68979 +
68980 /* copy the tracer to avoid using a global lock all around */
68981 mutex_lock(&trace_types_lock);
68982 if (unlikely(old_tracer != current_trace && current_trace)) {
68983 @@ -3659,6 +3661,8 @@ tracing_buffers_splice_read(struct file
68984 int entries, size, i;
68985 size_t ret;
68986
68987 + pax_track_stack();
68988 +
68989 if (*ppos & (PAGE_SIZE - 1)) {
68990 WARN_ONCE(1, "Ftrace: previous read must page-align\n");
68991 return -EINVAL;
68992 @@ -3816,10 +3820,9 @@ static const struct file_operations trac
68993 };
68994 #endif
68995
68996 -static struct dentry *d_tracer;
68997 -
68998 struct dentry *tracing_init_dentry(void)
68999 {
69000 + static struct dentry *d_tracer;
69001 static int once;
69002
69003 if (d_tracer)
69004 @@ -3839,10 +3842,9 @@ struct dentry *tracing_init_dentry(void)
69005 return d_tracer;
69006 }
69007
69008 -static struct dentry *d_percpu;
69009 -
69010 struct dentry *tracing_dentry_percpu(void)
69011 {
69012 + static struct dentry *d_percpu;
69013 static int once;
69014 struct dentry *d_tracer;
69015
69016 diff -urNp linux-2.6.32.46/kernel/trace/trace_events.c linux-2.6.32.46/kernel/trace/trace_events.c
69017 --- linux-2.6.32.46/kernel/trace/trace_events.c 2011-03-27 14:31:47.000000000 -0400
69018 +++ linux-2.6.32.46/kernel/trace/trace_events.c 2011-08-05 20:33:55.000000000 -0400
69019 @@ -951,13 +951,10 @@ static LIST_HEAD(ftrace_module_file_list
69020 * Modules must own their file_operations to keep up with
69021 * reference counting.
69022 */
69023 +
69024 struct ftrace_module_file_ops {
69025 struct list_head list;
69026 struct module *mod;
69027 - struct file_operations id;
69028 - struct file_operations enable;
69029 - struct file_operations format;
69030 - struct file_operations filter;
69031 };
69032
69033 static void remove_subsystem_dir(const char *name)
69034 @@ -1004,17 +1001,12 @@ trace_create_file_ops(struct module *mod
69035
69036 file_ops->mod = mod;
69037
69038 - file_ops->id = ftrace_event_id_fops;
69039 - file_ops->id.owner = mod;
69040 -
69041 - file_ops->enable = ftrace_enable_fops;
69042 - file_ops->enable.owner = mod;
69043 -
69044 - file_ops->filter = ftrace_event_filter_fops;
69045 - file_ops->filter.owner = mod;
69046 -
69047 - file_ops->format = ftrace_event_format_fops;
69048 - file_ops->format.owner = mod;
69049 + pax_open_kernel();
69050 + *(void **)&mod->trace_id.owner = mod;
69051 + *(void **)&mod->trace_enable.owner = mod;
69052 + *(void **)&mod->trace_filter.owner = mod;
69053 + *(void **)&mod->trace_format.owner = mod;
69054 + pax_close_kernel();
69055
69056 list_add(&file_ops->list, &ftrace_module_file_list);
69057
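Review bot: The removed lines copied the `ftrace_event_*_fops` templates into per-module storage before setting `.owner`; the replacement writes only `.owner` into `mod->trace_id`, `mod->trace_enable`, `mod->trace_filter` and `mod->trace_format`. Those four objects must therefore already hold the handlers from code outside this hunk, otherwise `event_create_dir()` in the next hunk receives file_operations with nothing but an owner. The `*(void **)&...owner = mod` stores also cast away both the field's type and, presumably, a const qualifier. A comment before `pax_open_kernel()` should name where the structures are initialised and state that the window is opened only for these four stores. `file_ops` now carries just `list` and `mod`, so confirm the allocation is still needed.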
69058 @@ -1063,8 +1055,8 @@ static void trace_module_add_events(stru
69059 call->mod = mod;
69060 list_add(&call->list, &ftrace_events);
69061 event_create_dir(call, d_events,
69062 - &file_ops->id, &file_ops->enable,
69063 - &file_ops->filter, &file_ops->format);
69064 + &mod->trace_id, &mod->trace_enable,
69065 + &mod->trace_filter, &mod->trace_format);
69066 }
69067 }
69068
69069 diff -urNp linux-2.6.32.46/kernel/trace/trace_mmiotrace.c linux-2.6.32.46/kernel/trace/trace_mmiotrace.c
69070 --- linux-2.6.32.46/kernel/trace/trace_mmiotrace.c 2011-03-27 14:31:47.000000000 -0400
69071 +++ linux-2.6.32.46/kernel/trace/trace_mmiotrace.c 2011-05-04 17:56:28.000000000 -0400
69072 @@ -23,7 +23,7 @@ struct header_iter {
69073 static struct trace_array *mmio_trace_array;
69074 static bool overrun_detected;
69075 static unsigned long prev_overruns;
69076 -static atomic_t dropped_count;
69077 +static atomic_unchecked_t dropped_count;
69078
69079 static void mmio_reset_data(struct trace_array *tr)
69080 {
69081 @@ -126,7 +126,7 @@ static void mmio_close(struct trace_iter
69082
69083 static unsigned long count_overruns(struct trace_iterator *iter)
69084 {
69085 - unsigned long cnt = atomic_xchg(&dropped_count, 0);
69086 + unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
69087 unsigned long over = ring_buffer_overruns(iter->tr->buffer);
69088
69089 if (over > prev_overruns)
69090 @@ -316,7 +316,7 @@ static void __trace_mmiotrace_rw(struct
69091 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
69092 sizeof(*entry), 0, pc);
69093 if (!event) {
69094 - atomic_inc(&dropped_count);
69095 + atomic_inc_unchecked(&dropped_count);
69096 return;
69097 }
69098 entry = ring_buffer_event_data(event);
69099 @@ -346,7 +346,7 @@ static void __trace_mmiotrace_map(struct
69100 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
69101 sizeof(*entry), 0, pc);
69102 if (!event) {
69103 - atomic_inc(&dropped_count);
69104 + atomic_inc_unchecked(&dropped_count);
69105 return;
69106 }
69107 entry = ring_buffer_event_data(event);
69108 diff -urNp linux-2.6.32.46/kernel/trace/trace_output.c linux-2.6.32.46/kernel/trace/trace_output.c
69109 --- linux-2.6.32.46/kernel/trace/trace_output.c 2011-03-27 14:31:47.000000000 -0400
69110 +++ linux-2.6.32.46/kernel/trace/trace_output.c 2011-04-17 15:56:46.000000000 -0400
69111 @@ -237,7 +237,7 @@ int trace_seq_path(struct trace_seq *s,
69112 return 0;
69113 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
69114 if (!IS_ERR(p)) {
69115 - p = mangle_path(s->buffer + s->len, p, "\n");
69116 + p = mangle_path(s->buffer + s->len, p, "\n\\");
69117 if (p) {
69118 s->len = p - s->buffer;
69119 return 1;
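Review bot: The escape set passed to `mangle_path()` grows from `"\n"` to `"\n\\"` with no comment, and the reason is not obvious at the call site. `mangle_path()` writes escaped characters as backslash-octal sequences, so leaving a literal backslash unescaped lets a path name produce text that looks like an escape in the trace output. I would add `/* escape '\\' as well, so a literal backslash in a path cannot be read as an octal escape */` above the call. `trace_seq_path()` starts and ends outside the hunk.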
69120 diff -urNp linux-2.6.32.46/kernel/trace/trace_stack.c linux-2.6.32.46/kernel/trace/trace_stack.c
69121 --- linux-2.6.32.46/kernel/trace/trace_stack.c 2011-03-27 14:31:47.000000000 -0400
69122 +++ linux-2.6.32.46/kernel/trace/trace_stack.c 2011-04-17 15:56:46.000000000 -0400
69123 @@ -50,7 +50,7 @@ static inline void check_stack(void)
69124 return;
69125
69126 /* we do not handle interrupt stacks yet */
69127 - if (!object_is_on_stack(&this_size))
69128 + if (!object_starts_on_stack(&this_size))
69129 return;
69130
69131 local_irq_save(flags);
69132 diff -urNp linux-2.6.32.46/kernel/trace/trace_workqueue.c linux-2.6.32.46/kernel/trace/trace_workqueue.c
69133 --- linux-2.6.32.46/kernel/trace/trace_workqueue.c 2011-03-27 14:31:47.000000000 -0400
69134 +++ linux-2.6.32.46/kernel/trace/trace_workqueue.c 2011-04-17 15:56:46.000000000 -0400
69135 @@ -21,7 +21,7 @@ struct cpu_workqueue_stats {
69136 int cpu;
69137 pid_t pid;
69138 /* Can be inserted from interrupt or user context, need to be atomic */
69139 - atomic_t inserted;
69140 + atomic_unchecked_t inserted;
69141 /*
69142 * Don't need to be atomic, works are serialized in a single workqueue thread
69143 * on a single CPU.
69144 @@ -58,7 +58,7 @@ probe_workqueue_insertion(struct task_st
69145 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
69146 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
69147 if (node->pid == wq_thread->pid) {
69148 - atomic_inc(&node->inserted);
69149 + atomic_inc_unchecked(&node->inserted);
69150 goto found;
69151 }
69152 }
69153 @@ -205,7 +205,7 @@ static int workqueue_stat_show(struct se
69154 tsk = get_pid_task(pid, PIDTYPE_PID);
69155 if (tsk) {
69156 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
69157 - atomic_read(&cws->inserted), cws->executed,
69158 + atomic_read_unchecked(&cws->inserted), cws->executed,
69159 tsk->comm);
69160 put_task_struct(tsk);
69161 }
69162 diff -urNp linux-2.6.32.46/kernel/user.c linux-2.6.32.46/kernel/user.c
69163 --- linux-2.6.32.46/kernel/user.c 2011-03-27 14:31:47.000000000 -0400
69164 +++ linux-2.6.32.46/kernel/user.c 2011-04-17 15:56:46.000000000 -0400
69165 @@ -159,6 +159,7 @@ struct user_struct *alloc_uid(struct use
69166 spin_lock_irq(&uidhash_lock);
69167 up = uid_hash_find(uid, hashent);
69168 if (up) {
69169 + put_user_ns(ns);
69170 key_put(new->uid_keyring);
69171 key_put(new->session_keyring);
69172 kmem_cache_free(uid_cachep, new);
69173 diff -urNp linux-2.6.32.46/lib/bug.c linux-2.6.32.46/lib/bug.c
69174 --- linux-2.6.32.46/lib/bug.c 2011-03-27 14:31:47.000000000 -0400
69175 +++ linux-2.6.32.46/lib/bug.c 2011-04-17 15:56:46.000000000 -0400
69176 @@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
69177 return BUG_TRAP_TYPE_NONE;
69178
69179 bug = find_bug(bugaddr);
69180 + if (!bug)
69181 + return BUG_TRAP_TYPE_NONE;
69182
69183 printk(KERN_EMERG "------------[ cut here ]------------\n");
69184
69185 diff -urNp linux-2.6.32.46/lib/debugobjects.c linux-2.6.32.46/lib/debugobjects.c
69186 --- linux-2.6.32.46/lib/debugobjects.c 2011-07-13 17:23:04.000000000 -0400
69187 +++ linux-2.6.32.46/lib/debugobjects.c 2011-07-13 17:23:19.000000000 -0400
69188 @@ -277,7 +277,7 @@ static void debug_object_is_on_stack(voi
69189 if (limit > 4)
69190 return;
69191
69192 - is_on_stack = object_is_on_stack(addr);
69193 + is_on_stack = object_starts_on_stack(addr);
69194 if (is_on_stack == onstack)
69195 return;
69196
69197 diff -urNp linux-2.6.32.46/lib/dma-debug.c linux-2.6.32.46/lib/dma-debug.c
69198 --- linux-2.6.32.46/lib/dma-debug.c 2011-03-27 14:31:47.000000000 -0400
69199 +++ linux-2.6.32.46/lib/dma-debug.c 2011-04-17 15:56:46.000000000 -0400
69200 @@ -861,7 +861,7 @@ out:
69201
69202 static void check_for_stack(struct device *dev, void *addr)
69203 {
69204 - if (object_is_on_stack(addr))
69205 + if (object_starts_on_stack(addr))
69206 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
69207 "stack [addr=%p]\n", addr);
69208 }
69209 diff -urNp linux-2.6.32.46/lib/idr.c linux-2.6.32.46/lib/idr.c
69210 --- linux-2.6.32.46/lib/idr.c 2011-03-27 14:31:47.000000000 -0400
69211 +++ linux-2.6.32.46/lib/idr.c 2011-04-17 15:56:46.000000000 -0400
69212 @@ -156,7 +156,7 @@ static int sub_alloc(struct idr *idp, in
69213 id = (id | ((1 << (IDR_BITS * l)) - 1)) + 1;
69214
69215 /* if already at the top layer, we need to grow */
69216 - if (id >= 1 << (idp->layers * IDR_BITS)) {
69217 + if (id >= (1 << (idp->layers * IDR_BITS))) {
69218 *starting_id = id;
69219 return IDR_NEED_TO_GROW;
69220 }
69221 diff -urNp linux-2.6.32.46/lib/inflate.c linux-2.6.32.46/lib/inflate.c
69222 --- linux-2.6.32.46/lib/inflate.c 2011-03-27 14:31:47.000000000 -0400
69223 +++ linux-2.6.32.46/lib/inflate.c 2011-04-17 15:56:46.000000000 -0400
69224 @@ -266,7 +266,7 @@ static void free(void *where)
69225 malloc_ptr = free_mem_ptr;
69226 }
69227 #else
69228 -#define malloc(a) kmalloc(a, GFP_KERNEL)
69229 +#define malloc(a) kmalloc((a), GFP_KERNEL)
69230 #define free(a) kfree(a)
69231 #endif
69232
69233 diff -urNp linux-2.6.32.46/lib/Kconfig.debug linux-2.6.32.46/lib/Kconfig.debug
69234 --- linux-2.6.32.46/lib/Kconfig.debug 2011-03-27 14:31:47.000000000 -0400
69235 +++ linux-2.6.32.46/lib/Kconfig.debug 2011-04-17 15:56:46.000000000 -0400
69236 @@ -905,7 +905,7 @@ config LATENCYTOP
69237 select STACKTRACE
69238 select SCHEDSTATS
69239 select SCHED_DEBUG
69240 - depends on HAVE_LATENCYTOP_SUPPORT
69241 + depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
69242 help
69243 Enable this option if you want to use the LatencyTOP tool
69244 to find out which userspace is blocking on what kernel operations.
69245 diff -urNp linux-2.6.32.46/lib/kobject.c linux-2.6.32.46/lib/kobject.c
69246 --- linux-2.6.32.46/lib/kobject.c 2011-03-27 14:31:47.000000000 -0400
69247 +++ linux-2.6.32.46/lib/kobject.c 2011-04-17 15:56:46.000000000 -0400
69248 @@ -700,7 +700,7 @@ static ssize_t kobj_attr_store(struct ko
69249 return ret;
69250 }
69251
69252 -struct sysfs_ops kobj_sysfs_ops = {
69253 +const struct sysfs_ops kobj_sysfs_ops = {
69254 .show = kobj_attr_show,
69255 .store = kobj_attr_store,
69256 };
69257 @@ -789,7 +789,7 @@ static struct kobj_type kset_ktype = {
69258 * If the kset was not able to be created, NULL will be returned.
69259 */
69260 static struct kset *kset_create(const char *name,
69261 - struct kset_uevent_ops *uevent_ops,
69262 + const struct kset_uevent_ops *uevent_ops,
69263 struct kobject *parent_kobj)
69264 {
69265 struct kset *kset;
69266 @@ -832,7 +832,7 @@ static struct kset *kset_create(const ch
69267 * If the kset was not able to be created, NULL will be returned.
69268 */
69269 struct kset *kset_create_and_add(const char *name,
69270 - struct kset_uevent_ops *uevent_ops,
69271 + const struct kset_uevent_ops *uevent_ops,
69272 struct kobject *parent_kobj)
69273 {
69274 struct kset *kset;
69275 diff -urNp linux-2.6.32.46/lib/kobject_uevent.c linux-2.6.32.46/lib/kobject_uevent.c
69276 --- linux-2.6.32.46/lib/kobject_uevent.c 2011-03-27 14:31:47.000000000 -0400
69277 +++ linux-2.6.32.46/lib/kobject_uevent.c 2011-04-17 15:56:46.000000000 -0400
69278 @@ -95,7 +95,7 @@ int kobject_uevent_env(struct kobject *k
69279 const char *subsystem;
69280 struct kobject *top_kobj;
69281 struct kset *kset;
69282 - struct kset_uevent_ops *uevent_ops;
69283 + const struct kset_uevent_ops *uevent_ops;
69284 u64 seq;
69285 int i = 0;
69286 int retval = 0;
69287 diff -urNp linux-2.6.32.46/lib/kref.c linux-2.6.32.46/lib/kref.c
69288 --- linux-2.6.32.46/lib/kref.c 2011-03-27 14:31:47.000000000 -0400
69289 +++ linux-2.6.32.46/lib/kref.c 2011-04-17 15:56:46.000000000 -0400
69290 @@ -61,7 +61,7 @@ void kref_get(struct kref *kref)
69291 */
69292 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
69293 {
69294 - WARN_ON(release == NULL);
69295 + BUG_ON(release == NULL);
69296 WARN_ON(release == (void (*)(struct kref *))kfree);
69297
69298 if (atomic_dec_and_test(&kref->refcount)) {
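Review bot: `BUG_ON(release == NULL)` carries no comment explaining why a NULL release callback is now fatal while the `kfree` case on the next line remains a warning. Presumably the callback is invoked once the count reaches zero, so a NULL value would become a call through a null pointer; that part of `kref_put` is outside the hunk. A line above the check would record this, for example `/* a NULL release would be called when the last reference is dropped; stop here instead of jumping to address 0 */`.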
69299 diff -urNp linux-2.6.32.46/lib/parser.c linux-2.6.32.46/lib/parser.c
69300 --- linux-2.6.32.46/lib/parser.c 2011-03-27 14:31:47.000000000 -0400
69301 +++ linux-2.6.32.46/lib/parser.c 2011-04-17 15:56:46.000000000 -0400
69302 @@ -126,7 +126,7 @@ static int match_number(substring_t *s,
69303 char *buf;
69304 int ret;
69305
69306 - buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
69307 + buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
69308 if (!buf)
69309 return -ENOMEM;
69310 memcpy(buf, s->from, s->to - s->from);
69311 diff -urNp linux-2.6.32.46/lib/radix-tree.c linux-2.6.32.46/lib/radix-tree.c
69312 --- linux-2.6.32.46/lib/radix-tree.c 2011-03-27 14:31:47.000000000 -0400
69313 +++ linux-2.6.32.46/lib/radix-tree.c 2011-04-17 15:56:46.000000000 -0400
69314 @@ -81,7 +81,7 @@ struct radix_tree_preload {
69315 int nr;
69316 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
69317 };
69318 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
69319 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
69320
69321 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
69322 {
69323 diff -urNp linux-2.6.32.46/lib/random32.c linux-2.6.32.46/lib/random32.c
69324 --- linux-2.6.32.46/lib/random32.c 2011-03-27 14:31:47.000000000 -0400
69325 +++ linux-2.6.32.46/lib/random32.c 2011-04-17 15:56:46.000000000 -0400
69326 @@ -61,7 +61,7 @@ static u32 __random32(struct rnd_state *
69327 */
69328 static inline u32 __seed(u32 x, u32 m)
69329 {
69330 - return (x < m) ? x + m : x;
69331 + return (x <= m) ? x + m + 1 : x;
69332 }
69333
69334 /**
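Review bot: `__seed` now returns a value strictly greater than `m` (`x <= m` maps to `x + m + 1`), but the comment above it, which starts outside the hunk, is not updated and may still describe the old `x < m` rule. It should state the new contract, for example `/* returns x if x > m, otherwise a value in (m, 2*m + 1] */`. The addition cannot wrap because it is only evaluated when `x <= m`, which holds as long as callers pass a small `m`; the call sites are not visible here.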
69335 diff -urNp linux-2.6.32.46/lib/vsprintf.c linux-2.6.32.46/lib/vsprintf.c
69336 --- linux-2.6.32.46/lib/vsprintf.c 2011-03-27 14:31:47.000000000 -0400
69337 +++ linux-2.6.32.46/lib/vsprintf.c 2011-04-17 15:56:46.000000000 -0400
69338 @@ -16,6 +16,9 @@
69339 * - scnprintf and vscnprintf
69340 */
69341
69342 +#ifdef CONFIG_GRKERNSEC_HIDESYM
69343 +#define __INCLUDED_BY_HIDESYM 1
69344 +#endif
69345 #include <stdarg.h>
69346 #include <linux/module.h>
69347 #include <linux/types.h>
69348 @@ -546,12 +549,12 @@ static char *number(char *buf, char *end
69349 return buf;
69350 }
69351
69352 -static char *string(char *buf, char *end, char *s, struct printf_spec spec)
69353 +static char *string(char *buf, char *end, const char *s, struct printf_spec spec)
69354 {
69355 int len, i;
69356
69357 if ((unsigned long)s < PAGE_SIZE)
69358 - s = "<NULL>";
69359 + s = "(null)";
69360
69361 len = strnlen(s, spec.precision);
69362
69363 @@ -581,7 +584,7 @@ static char *symbol_string(char *buf, ch
69364 unsigned long value = (unsigned long) ptr;
69365 #ifdef CONFIG_KALLSYMS
69366 char sym[KSYM_SYMBOL_LEN];
69367 - if (ext != 'f' && ext != 's')
69368 + if (ext != 'f' && ext != 's' && ext != 'a')
69369 sprint_symbol(sym, value);
69370 else
69371 kallsyms_lookup(value, NULL, NULL, NULL, sym);
69372 @@ -801,6 +804,8 @@ static char *ip4_addr_string(char *buf,
69373 * - 'f' For simple symbolic function names without offset
69374 * - 'S' For symbolic direct pointers with offset
69375 * - 's' For symbolic direct pointers without offset
69376 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
69377 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
69378 * - 'R' For a struct resource pointer, it prints the range of
69379 * addresses (not the name nor the flags)
69380 * - 'M' For a 6-byte MAC address, it prints the address in the
69381 @@ -822,7 +827,7 @@ static char *pointer(const char *fmt, ch
69382 struct printf_spec spec)
69383 {
69384 if (!ptr)
69385 - return string(buf, end, "(null)", spec);
69386 + return string(buf, end, "(nil)", spec);
69387
69388 switch (*fmt) {
69389 case 'F':
69390 @@ -831,6 +836,14 @@ static char *pointer(const char *fmt, ch
69391 case 's':
69392 /* Fallthrough */
69393 case 'S':
69394 +#ifdef CONFIG_GRKERNSEC_HIDESYM
69395 + break;
69396 +#else
69397 + return symbol_string(buf, end, ptr, spec, *fmt);
69398 +#endif
69399 + case 'a':
69400 + /* Fallthrough */
69401 + case 'A':
69402 return symbol_string(buf, end, ptr, spec, *fmt);
69403 case 'R':
69404 return resource_string(buf, end, ptr, spec);
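Review bot: Under `CONFIG_GRKERNSEC_HIDESYM` the `'F'`/`'f'`/`'s'`/`'S'` cases now `break` out of the switch, so their output is decided by code after the switch that this hunk does not show. If that code formats the numeric pointer value, these specifiers still emit a kernel address when HIDESYM is enabled, which is worth confirming against the option's intent. A comment at the `break` should say what is printed instead of the symbol, for example `/* HIDESYM: no symbol lookup; handled by the default pointer formatting below */`.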
69405 @@ -1445,7 +1458,7 @@ do { \
69406 size_t len;
69407 if ((unsigned long)save_str > (unsigned long)-PAGE_SIZE
69408 || (unsigned long)save_str < PAGE_SIZE)
69409 - save_str = "<NULL>";
69410 + save_str = "(null)";
69411 len = strlen(save_str);
69412 if (str + len + 1 < end)
69413 memcpy(str, save_str, len + 1);
69414 @@ -1555,11 +1568,11 @@ int bstr_printf(char *buf, size_t size,
69415 typeof(type) value; \
69416 if (sizeof(type) == 8) { \
69417 args = PTR_ALIGN(args, sizeof(u32)); \
69418 - *(u32 *)&value = *(u32 *)args; \
69419 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
69420 + *(u32 *)&value = *(const u32 *)args; \
69421 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
69422 } else { \
69423 args = PTR_ALIGN(args, sizeof(type)); \
69424 - value = *(typeof(type) *)args; \
69425 + value = *(const typeof(type) *)args; \
69426 } \
69427 args += sizeof(type); \
69428 value; \
69429 @@ -1622,7 +1635,7 @@ int bstr_printf(char *buf, size_t size,
69430 const char *str_arg = args;
69431 size_t len = strlen(str_arg);
69432 args += len + 1;
69433 - str = string(str, end, (char *)str_arg, spec);
69434 + str = string(str, end, str_arg, spec);
69435 break;
69436 }
69437
69438 diff -urNp linux-2.6.32.46/localversion-grsec linux-2.6.32.46/localversion-grsec
69439 --- linux-2.6.32.46/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
69440 +++ linux-2.6.32.46/localversion-grsec 2011-04-17 15:56:46.000000000 -0400
69441 @@ -0,0 +1 @@
69442 +-grsec
69443 diff -urNp linux-2.6.32.46/Makefile linux-2.6.32.46/Makefile
69444 --- linux-2.6.32.46/Makefile 2011-08-29 22:24:44.000000000 -0400
69445 +++ linux-2.6.32.46/Makefile 2011-08-29 22:25:07.000000000 -0400
69446 @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
69447
69448 HOSTCC = gcc
69449 HOSTCXX = g++
69450 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
69451 -HOSTCXXFLAGS = -O2
69452 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
69453 +HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
69454 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
69455
69456 # Decide whether to build built-in, modular, or both.
69457 # Normally, just do built-in.
69458 @@ -342,10 +343,12 @@ LINUXINCLUDE := -Iinclude \
69459 KBUILD_CPPFLAGS := -D__KERNEL__
69460
69461 KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
69462 + -W -Wno-unused-parameter -Wno-missing-field-initializers \
69463 -fno-strict-aliasing -fno-common \
69464 -Werror-implicit-function-declaration \
69465 -Wno-format-security \
69466 -fno-delete-null-pointer-checks
69467 +KBUILD_CFLAGS += $(call cc-option, -Wno-empty-body)
69468 KBUILD_AFLAGS := -D__ASSEMBLY__
69469
69470 # Read KERNELRELEASE from include/config/kernel.release (if it exists)
69471 @@ -376,9 +379,10 @@ export RCS_TAR_IGNORE := --exclude SCCS
69472 # Rules shared between *config targets and build targets
69473
69474 # Basic helpers built in scripts/
69475 -PHONY += scripts_basic
69476 -scripts_basic:
69477 +PHONY += scripts_basic0 scripts_basic gcc-plugins
69478 +scripts_basic0:
69479 $(Q)$(MAKE) $(build)=scripts/basic
69480 +scripts_basic: scripts_basic0 gcc-plugins
69481
69482 # To avoid any implicit rule to kick in, define an empty command.
69483 scripts/basic/%: scripts_basic ;
69484 @@ -403,7 +407,7 @@ endif
69485 # of make so .config is not included in this case either (for *config).
69486
69487 no-dot-config-targets := clean mrproper distclean \
69488 - cscope TAGS tags help %docs check% \
69489 + cscope gtags TAGS tags help %docs check% \
69490 include/linux/version.h headers_% \
69491 kernelrelease kernelversion
69492
69493 @@ -526,6 +530,24 @@ else
69494 KBUILD_CFLAGS += -O2
69495 endif
69496
69497 +ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh $(HOSTCC)), y)
69498 +CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
69499 +ifdef CONFIG_PAX_MEMORY_STACKLEAK
69500 +STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -fplugin-arg-stackleak_plugin-track-lowest-sp=100
69501 +endif
69502 +export CONSTIFY_PLUGIN STACKLEAK_PLUGIN
69503 +gcc-plugins:
69504 + $(Q)$(MAKE) $(build)=tools/gcc
69505 +else
69506 +gcc-plugins:
69507 +ifeq ($(call cc-ifversion, -ge, 0405, y), y)
69508 + $(error Your gcc installation does not support plugins. If the necessary headers for plugin support are missing, they should be installed. On Debian, apt-get install gcc-<ver>-plugin-dev.))
69509 +else
69510 + $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
69511 +endif
69512 + $(Q)echo "PAX_MEMORY_STACKLEAK and constification will be less secure"
69513 +endif
69514 +
69515 include $(srctree)/arch/$(SRCARCH)/Makefile
69516
69517 ifneq ($(CONFIG_FRAME_WARN),0)
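Review bot: In the `else` branch a compiler older than 4.5 only produces two `echo` lines, even when `CONFIG_PAX_MEMORY_STACKLEAK` is set, so a kernel configured for that feature builds without the plugin and the notice is easy to lose in build output. Consider failing closed in that case by guarding an `$(error ...)` with `ifdef CONFIG_PAX_MEMORY_STACKLEAK` inside the recipe. The probe runs `gcc-plugin.sh` against `$(HOSTCC)` while the recipe's `cc-ifversion` test appears to use the target compiler, so the message can be misleading when the two differ. The `$(error ...)` line also ends with a stray second `)`.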
69518 @@ -644,7 +666,7 @@ export mod_strip_cmd
69519
69520
69521 ifeq ($(KBUILD_EXTMOD),)
69522 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
69523 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
69524
69525 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
69526 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
69527 @@ -840,6 +862,7 @@ define rule_vmlinux-modpost
69528 endef
69529
69530 # vmlinux image - including updated kernel symbols
69531 +vmlinux: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
69532 vmlinux: $(vmlinux-lds) $(vmlinux-init) $(vmlinux-main) vmlinux.o $(kallsyms.o) FORCE
69533 ifdef CONFIG_HEADERS_CHECK
69534 $(Q)$(MAKE) -f $(srctree)/Makefile headers_check
69535 @@ -970,7 +993,7 @@ ifneq ($(KBUILD_SRC),)
69536 endif
69537
69538 # prepare2 creates a makefile if using a separate output directory
69539 -prepare2: prepare3 outputmakefile
69540 +prepare2: prepare3 outputmakefile gcc-plugins
69541
69542 prepare1: prepare2 include/linux/version.h include/linux/utsrelease.h \
69543 include/asm include/config/auto.conf
69544 @@ -1124,6 +1147,7 @@ all: modules
69545 # using awk while concatenating to the final file.
69546
69547 PHONY += modules
69548 +modules: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
69549 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux)
69550 $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
69551 @$(kecho) ' Building modules, stage 2.';
69552 @@ -1198,7 +1222,7 @@ MRPROPER_FILES += .config .config.old in
69553 include/linux/autoconf.h include/linux/version.h \
69554 include/linux/utsrelease.h \
69555 include/linux/bounds.h include/asm*/asm-offsets.h \
69556 - Module.symvers Module.markers tags TAGS cscope*
69557 + Module.symvers Module.markers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS
69558
69559 # clean - Delete most, but leave enough to build external modules
69560 #
69561 @@ -1214,7 +1238,7 @@ clean: archclean $(clean-dirs)
69562 $(call cmd,rmdirs)
69563 $(call cmd,rmfiles)
69564 @find . $(RCS_FIND_IGNORE) \
69565 - \( -name '*.[oas]' -o -name '*.ko' -o -name '.*.cmd' \
69566 + \( -name '*.[oas]' -o -name '*.[ks]o' -o -name '.*.cmd' \
69567 -o -name '.*.d' -o -name '.*.tmp' -o -name '*.mod.c' \
69568 -o -name '*.symtypes' -o -name 'modules.order' \
69569 -o -name 'Module.markers' -o -name '.tmp_*.o.*' \
69570 @@ -1289,6 +1313,7 @@ help:
69571 @echo ' modules_prepare - Set up for building external modules'
69572 @echo ' tags/TAGS - Generate tags file for editors'
69573 @echo ' cscope - Generate cscope index'
69574 + @echo ' gtags - Generate GNU GLOBAL index'
69575 @echo ' kernelrelease - Output the release version string'
69576 @echo ' kernelversion - Output the version stored in Makefile'
69577 @echo ' headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH'; \
69578 @@ -1390,6 +1415,7 @@ PHONY += $(module-dirs) modules
69579 $(module-dirs): crmodverdir $(objtree)/Module.symvers
69580 $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
69581
69582 +modules: KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN)
69583 modules: $(module-dirs)
69584 @$(kecho) ' Building modules, stage 2.';
69585 $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
69586 @@ -1445,7 +1471,7 @@ endif # KBUILD_EXTMOD
69587 quiet_cmd_tags = GEN $@
69588 cmd_tags = $(CONFIG_SHELL) $(srctree)/scripts/tags.sh $@
69589
69590 -tags TAGS cscope: FORCE
69591 +tags TAGS cscope gtags: FORCE
69592 $(call cmd,tags)
69593
69594 # Scripts to check various things for consistency
69595 diff -urNp linux-2.6.32.46/mm/backing-dev.c linux-2.6.32.46/mm/backing-dev.c
69596 --- linux-2.6.32.46/mm/backing-dev.c 2011-03-27 14:31:47.000000000 -0400
69597 +++ linux-2.6.32.46/mm/backing-dev.c 2011-08-11 19:48:17.000000000 -0400
69598 @@ -272,7 +272,7 @@ static void bdi_task_init(struct backing
69599 list_add_tail_rcu(&wb->list, &bdi->wb_list);
69600 spin_unlock(&bdi->wb_lock);
69601
69602 - tsk->flags |= PF_FLUSHER | PF_SWAPWRITE;
69603 + tsk->flags |= PF_SWAPWRITE;
69604 set_freezable();
69605
69606 /*
69607 @@ -484,7 +484,7 @@ static void bdi_add_to_pending(struct rc
69608 * Add the default flusher task that gets created for any bdi
69609 * that has dirty data pending writeout
69610 */
69611 -void static bdi_add_default_flusher_task(struct backing_dev_info *bdi)
69612 +static void bdi_add_default_flusher_task(struct backing_dev_info *bdi)
69613 {
69614 if (!bdi_cap_writeback_dirty(bdi))
69615 return;
69616 diff -urNp linux-2.6.32.46/mm/filemap.c linux-2.6.32.46/mm/filemap.c
69617 --- linux-2.6.32.46/mm/filemap.c 2011-03-27 14:31:47.000000000 -0400
69618 +++ linux-2.6.32.46/mm/filemap.c 2011-04-17 15:56:46.000000000 -0400
69619 @@ -1631,7 +1631,7 @@ int generic_file_mmap(struct file * file
69620 struct address_space *mapping = file->f_mapping;
69621
69622 if (!mapping->a_ops->readpage)
69623 - return -ENOEXEC;
69624 + return -ENODEV;
69625 file_accessed(file);
69626 vma->vm_ops = &generic_file_vm_ops;
69627 vma->vm_flags |= VM_CAN_NONLINEAR;
69628 @@ -2027,6 +2027,7 @@ inline int generic_write_checks(struct f
69629 *pos = i_size_read(inode);
69630
69631 if (limit != RLIM_INFINITY) {
69632 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
69633 if (*pos >= limit) {
69634 send_sig(SIGXFSZ, current, 0);
69635 return -EFBIG;
69636 diff -urNp linux-2.6.32.46/mm/fremap.c linux-2.6.32.46/mm/fremap.c
69637 --- linux-2.6.32.46/mm/fremap.c 2011-03-27 14:31:47.000000000 -0400
69638 +++ linux-2.6.32.46/mm/fremap.c 2011-04-17 15:56:46.000000000 -0400
69639 @@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
69640 retry:
69641 vma = find_vma(mm, start);
69642
69643 +#ifdef CONFIG_PAX_SEGMEXEC
69644 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
69645 + goto out;
69646 +#endif
69647 +
69648 /*
69649 * Make sure the vma is shared, that it supports prefaulting,
69650 * and that the remapped range is valid and fully within
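Review bot: The new SEGMEXEC check exits through `goto out` without setting an error code, so the value returned to userspace is whatever `err` holds at `retry:`, and that assignment lies outside the hunk. The reason for refusing `VM_MAYEXEC` mappings is not stated either. A comment above the check would cover both, for example `/* SEGMEXEC: nonlinear remapping of a possibly-executable vma is refused; err keeps its initial value */`, once that value is confirmed.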
69651 @@ -221,7 +226,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
69652 /*
69653 * drop PG_Mlocked flag for over-mapped range
69654 */
69655 - unsigned int saved_flags = vma->vm_flags;
69656 + unsigned long saved_flags = vma->vm_flags;
69657 munlock_vma_pages_range(vma, start, start + size);
69658 vma->vm_flags = saved_flags;
69659 }
69660 diff -urNp linux-2.6.32.46/mm/highmem.c linux-2.6.32.46/mm/highmem.c
69661 --- linux-2.6.32.46/mm/highmem.c 2011-03-27 14:31:47.000000000 -0400
69662 +++ linux-2.6.32.46/mm/highmem.c 2011-04-17 15:56:46.000000000 -0400
69663 @@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
69664 * So no dangers, even with speculative execution.
69665 */
69666 page = pte_page(pkmap_page_table[i]);
69667 + pax_open_kernel();
69668 pte_clear(&init_mm, (unsigned long)page_address(page),
69669 &pkmap_page_table[i]);
69670 -
69671 + pax_close_kernel();
69672 set_page_address(page, NULL);
69673 need_flush = 1;
69674 }
69675 @@ -177,9 +178,11 @@ start:
69676 }
69677 }
69678 vaddr = PKMAP_ADDR(last_pkmap_nr);
69679 +
69680 + pax_open_kernel();
69681 set_pte_at(&init_mm, vaddr,
69682 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
69683 -
69684 + pax_close_kernel();
69685 pkmap_count[last_pkmap_nr] = 1;
69686 set_page_address(page, (void *)vaddr);
69687
69688 diff -urNp linux-2.6.32.46/mm/hugetlb.c linux-2.6.32.46/mm/hugetlb.c
69689 --- linux-2.6.32.46/mm/hugetlb.c 2011-07-13 17:23:04.000000000 -0400
69690 +++ linux-2.6.32.46/mm/hugetlb.c 2011-07-13 17:23:19.000000000 -0400
69691 @@ -1933,6 +1933,26 @@ static int unmap_ref_private(struct mm_s
69692 return 1;
69693 }
69694
69695 +#ifdef CONFIG_PAX_SEGMEXEC
69696 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
69697 +{
69698 + struct mm_struct *mm = vma->vm_mm;
69699 + struct vm_area_struct *vma_m;
69700 + unsigned long address_m;
69701 + pte_t *ptep_m;
69702 +
69703 + vma_m = pax_find_mirror_vma(vma);
69704 + if (!vma_m)
69705 + return;
69706 +
69707 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
69708 + address_m = address + SEGMEXEC_TASK_SIZE;
69709 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
69710 + get_page(page_m);
69711 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
69712 +}
69713 +#endif
69714 +
69715 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
69716 unsigned long address, pte_t *ptep, pte_t pte,
69717 struct page *pagecache_page)
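Review bot: In `pax_mirror_huge_pte` the result of `huge_pte_offset()` is handed to `set_huge_pte_at()` without a check. The `hugetlb_fault` hunk later in this file calls `huge_pte_alloc(mm, address_m, ...)` first, which presumably guarantees the entry exists on that path, but the helper neither states nor enforces this precondition. Adding `BUG_ON(!ptep_m);` after the lookup would match the `BUG_ON(address >= SEGMEXEC_TASK_SIZE)` already used here. The lookup also masks the address with `HPAGE_MASK` while `set_huge_pte_at()` receives it unmasked; a one-line comment should say whether that is intentional.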
69718 @@ -2004,6 +2024,11 @@ retry_avoidcopy:
69719 huge_ptep_clear_flush(vma, address, ptep);
69720 set_huge_pte_at(mm, address, ptep,
69721 make_huge_pte(vma, new_page, 1));
69722 +
69723 +#ifdef CONFIG_PAX_SEGMEXEC
69724 + pax_mirror_huge_pte(vma, address, new_page);
69725 +#endif
69726 +
69727 /* Make the old page be freed below */
69728 new_page = old_page;
69729 }
69730 @@ -2135,6 +2160,10 @@ retry:
69731 && (vma->vm_flags & VM_SHARED)));
69732 set_huge_pte_at(mm, address, ptep, new_pte);
69733
69734 +#ifdef CONFIG_PAX_SEGMEXEC
69735 + pax_mirror_huge_pte(vma, address, page);
69736 +#endif
69737 +
69738 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
69739 /* Optimization, do the COW without a second fault */
69740 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
69741 @@ -2163,6 +2192,28 @@ int hugetlb_fault(struct mm_struct *mm,
69742 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
69743 struct hstate *h = hstate_vma(vma);
69744
69745 +#ifdef CONFIG_PAX_SEGMEXEC
69746 + struct vm_area_struct *vma_m;
69747 +
69748 + vma_m = pax_find_mirror_vma(vma);
69749 + if (vma_m) {
69750 + unsigned long address_m;
69751 +
69752 + if (vma->vm_start > vma_m->vm_start) {
69753 + address_m = address;
69754 + address -= SEGMEXEC_TASK_SIZE;
69755 + vma = vma_m;
69756 + h = hstate_vma(vma);
69757 + } else
69758 + address_m = address + SEGMEXEC_TASK_SIZE;
69759 +
69760 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
69761 + return VM_FAULT_OOM;
69762 + address_m &= HPAGE_MASK;
69763 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
69764 + }
69765 +#endif
69766 +
69767 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
69768 if (!ptep)
69769 return VM_FAULT_OOM;
69770 diff -urNp linux-2.6.32.46/mm/internal.h linux-2.6.32.46/mm/internal.h
69771 --- linux-2.6.32.46/mm/internal.h 2011-03-27 14:31:47.000000000 -0400
69772 +++ linux-2.6.32.46/mm/internal.h 2011-07-09 09:13:08.000000000 -0400
69773 @@ -49,6 +49,7 @@ extern void putback_lru_page(struct page
69774 * in mm/page_alloc.c
69775 */
69776 extern void __free_pages_bootmem(struct page *page, unsigned int order);
69777 +extern void free_compound_page(struct page *page);
69778 extern void prep_compound_page(struct page *page, unsigned long order);
69779
69780
69781 diff -urNp linux-2.6.32.46/mm/Kconfig linux-2.6.32.46/mm/Kconfig
69782 --- linux-2.6.32.46/mm/Kconfig 2011-03-27 14:31:47.000000000 -0400
69783 +++ linux-2.6.32.46/mm/Kconfig 2011-04-17 15:56:46.000000000 -0400
69784 @@ -228,7 +228,7 @@ config KSM
69785 config DEFAULT_MMAP_MIN_ADDR
69786 int "Low address space to protect from user allocation"
69787 depends on MMU
69788 - default 4096
69789 + default 65536
69790 help
69791 This is the portion of low virtual memory which should be protected
69792 from userspace allocation. Keeping a user from writing to low pages
69793 diff -urNp linux-2.6.32.46/mm/kmemleak.c linux-2.6.32.46/mm/kmemleak.c
69794 --- linux-2.6.32.46/mm/kmemleak.c 2011-06-25 12:55:35.000000000 -0400
69795 +++ linux-2.6.32.46/mm/kmemleak.c 2011-06-25 12:56:37.000000000 -0400
69796 @@ -358,7 +358,7 @@ static void print_unreferenced(struct se
69797
69798 for (i = 0; i < object->trace_len; i++) {
69799 void *ptr = (void *)object->trace[i];
69800 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
69801 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
69802 }
69803 }
69804
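Review bot: `%pA` is described in this patch's `lib/vsprintf.c` comment as the symbol format "approved for use with GRKERNSEC_HIDESYM", but nothing at this call site records why the kmemleak trace output qualifies. The same format string still prints the raw value with `%p`. A short comment would make the approval auditable, for example `/* %pA: symbolised output kept under HIDESYM; TODO state who can read this file */`.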
69805 diff -urNp linux-2.6.32.46/mm/maccess.c linux-2.6.32.46/mm/maccess.c
69806 --- linux-2.6.32.46/mm/maccess.c 2011-03-27 14:31:47.000000000 -0400
69807 +++ linux-2.6.32.46/mm/maccess.c 2011-04-17 15:56:46.000000000 -0400
69808 @@ -14,7 +14,7 @@
69809 * Safely read from address @src to the buffer at @dst. If a kernel fault
69810 * happens, handle that and return -EFAULT.
69811 */
69812 -long probe_kernel_read(void *dst, void *src, size_t size)
69813 +long probe_kernel_read(void *dst, const void *src, size_t size)
69814 {
69815 long ret;
69816 mm_segment_t old_fs = get_fs();
69817 @@ -39,7 +39,7 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
69818 * Safely write to address @dst from the buffer at @src. If a kernel fault
69819 * happens, handle that and return -EFAULT.
69820 */
69821 -long notrace __weak probe_kernel_write(void *dst, void *src, size_t size)
69822 +long notrace __weak probe_kernel_write(void *dst, const void *src, size_t size)
69823 {
69824 long ret;
69825 mm_segment_t old_fs = get_fs();
69826 diff -urNp linux-2.6.32.46/mm/madvise.c linux-2.6.32.46/mm/madvise.c
69827 --- linux-2.6.32.46/mm/madvise.c 2011-03-27 14:31:47.000000000 -0400
69828 +++ linux-2.6.32.46/mm/madvise.c 2011-04-17 15:56:46.000000000 -0400
69829 @@ -44,6 +44,10 @@ static long madvise_behavior(struct vm_a
69830 pgoff_t pgoff;
69831 unsigned long new_flags = vma->vm_flags;
69832
69833 +#ifdef CONFIG_PAX_SEGMEXEC
69834 + struct vm_area_struct *vma_m;
69835 +#endif
69836 +
69837 switch (behavior) {
69838 case MADV_NORMAL:
69839 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
69840 @@ -103,6 +107,13 @@ success:
69841 /*
69842 * vm_flags is protected by the mmap_sem held in write mode.
69843 */
69844 +
69845 +#ifdef CONFIG_PAX_SEGMEXEC
69846 + vma_m = pax_find_mirror_vma(vma);
69847 + if (vma_m)
69848 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
69849 +#endif
69850 +
69851 vma->vm_flags = new_flags;
69852
69853 out:
69854 @@ -161,6 +172,11 @@ static long madvise_dontneed(struct vm_a
69855 struct vm_area_struct ** prev,
69856 unsigned long start, unsigned long end)
69857 {
69858 +
69859 +#ifdef CONFIG_PAX_SEGMEXEC
69860 + struct vm_area_struct *vma_m;
69861 +#endif
69862 +
69863 *prev = vma;
69864 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
69865 return -EINVAL;
69866 @@ -173,6 +189,21 @@ static long madvise_dontneed(struct vm_a
69867 zap_page_range(vma, start, end - start, &details);
69868 } else
69869 zap_page_range(vma, start, end - start, NULL);
69870 +
69871 +#ifdef CONFIG_PAX_SEGMEXEC
69872 + vma_m = pax_find_mirror_vma(vma);
69873 + if (vma_m) {
69874 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
69875 + struct zap_details details = {
69876 + .nonlinear_vma = vma_m,
69877 + .last_index = ULONG_MAX,
69878 + };
69879 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
69880 + } else
69881 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
69882 + }
69883 +#endif
69884 +
69885 return 0;
69886 }
69887
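Review bot: Both added `zap_page_range()` calls pass `vma` together with a range shifted by `SEGMEXEC_TASK_SIZE`, which is the mirror's range, while `details.nonlinear_vma` is set to `vma_m`. If the mirror is the intended target, `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, ...)` says so directly. If starting from the lower vma is deliberate, a comment should explain why. How `zap_page_range()` treats a range outside the vma it is given is not visible in this hunk.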
69888 @@ -359,6 +390,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
69889 if (end < start)
69890 goto out;
69891
69892 +#ifdef CONFIG_PAX_SEGMEXEC
69893 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
69894 + if (end > SEGMEXEC_TASK_SIZE)
69895 + goto out;
69896 + } else
69897 +#endif
69898 +
69899 + if (end > TASK_SIZE)
69900 + goto out;
69901 +
69902 error = 0;
69903 if (end == start)
69904 goto out;
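Review bot: The `} else` that ends just before `#endif` takes the following `if (end > TASK_SIZE)` as its body only when `CONFIG_PAX_SEGMEXEC` is set, and the blank line between them hides that link. A later edit that inserts a statement there would silently change which branch the `TASK_SIZE` check belongs to. Drop the blank line and mark the dependency, for example `/* body of the SEGMEXEC else above when that option is enabled */` directly over `if (end > TASK_SIZE)`.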
69905 diff -urNp linux-2.6.32.46/mm/memory.c linux-2.6.32.46/mm/memory.c
69906 --- linux-2.6.32.46/mm/memory.c 2011-07-13 17:23:04.000000000 -0400
69907 +++ linux-2.6.32.46/mm/memory.c 2011-07-13 17:23:23.000000000 -0400
69908 @@ -187,8 +187,12 @@ static inline void free_pmd_range(struct
69909 return;
69910
69911 pmd = pmd_offset(pud, start);
69912 +
69913 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
69914 pud_clear(pud);
69915 pmd_free_tlb(tlb, pmd, start);
69916 +#endif
69917 +
69918 }
69919
69920 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
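Review bot: In `free_pmd_range` the assignment `pmd = pmd_offset(pud, start);` stays outside the new `#if`, so with `CONFIG_X86_32` and `CONFIG_PAX_PER_CPU_PGD` both set, `pmd` is assigned but never used. The next hunk, for `free_pud_range`, moves `pud = pud_offset(pgd, start);` inside its guard. Moving the `pmd` assignment inside the `#if` would make the two consistent. Neither guard says why the clear and free are skipped under `PAX_PER_CPU_PGD`; a one-line comment at each would help.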
69921 @@ -219,9 +223,12 @@ static inline void free_pud_range(struct
69922 if (end - 1 > ceiling - 1)
69923 return;
69924
69925 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
69926 pud = pud_offset(pgd, start);
69927 pgd_clear(pgd);
69928 pud_free_tlb(tlb, pud, start);
69929 +#endif
69930 +
69931 }
69932
69933 /*
69934 @@ -1251,10 +1258,10 @@ int __get_user_pages(struct task_struct
69935 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
69936 i = 0;
69937
69938 - do {
69939 + while (nr_pages) {
69940 struct vm_area_struct *vma;
69941
69942 - vma = find_extend_vma(mm, start);
69943 + vma = find_vma(mm, start);
69944 if (!vma && in_gate_area(tsk, start)) {
69945 unsigned long pg = start & PAGE_MASK;
69946 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
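Review bot: Replacing `find_extend_vma()` with `find_vma()` here, together with the `start < vma->vm_start` test added in the next hunk, means an address below the nearest vma now fails with `-EFAULT` instead of presumably extending a growable mapping, and nothing documents that change. A comment at the lookup would do, for example `/* find_vma() may return a vma above start; range-checked below, no expansion from this path */`. The third hunk completes the `do {} while` to `while (nr_pages)` conversion, which also changes what happens when `nr_pages` is 0 on entry. The body of `__get_user_pages` extends beyond these hunks.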
69947 @@ -1306,7 +1313,7 @@ int __get_user_pages(struct task_struct
69948 continue;
69949 }
69950
69951 - if (!vma ||
69952 + if (!vma || start < vma->vm_start ||
69953 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
69954 !(vm_flags & vma->vm_flags))
69955 return i ? : -EFAULT;
69956 @@ -1381,7 +1388,7 @@ int __get_user_pages(struct task_struct
69957 start += PAGE_SIZE;
69958 nr_pages--;
69959 } while (nr_pages && start < vma->vm_end);
69960 - } while (nr_pages);
69961 + }
69962 return i;
69963 }
69964
69965 @@ -1526,6 +1533,10 @@ static int insert_page(struct vm_area_st
69966 page_add_file_rmap(page);
69967 set_pte_at(mm, addr, pte, mk_pte(page, prot));
69968
69969 +#ifdef CONFIG_PAX_SEGMEXEC
69970 + pax_mirror_file_pte(vma, addr, page, ptl);
69971 +#endif
69972 +
69973 retval = 0;
69974 pte_unmap_unlock(pte, ptl);
69975 return retval;
69976 @@ -1560,10 +1571,22 @@ out:
69977 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
69978 struct page *page)
69979 {
69980 +
69981 +#ifdef CONFIG_PAX_SEGMEXEC
69982 + struct vm_area_struct *vma_m;
69983 +#endif
69984 +
69985 if (addr < vma->vm_start || addr >= vma->vm_end)
69986 return -EFAULT;
69987 if (!page_count(page))
69988 return -EINVAL;
69989 +
69990 +#ifdef CONFIG_PAX_SEGMEXEC
69991 + vma_m = pax_find_mirror_vma(vma);
69992 + if (vma_m)
69993 + vma_m->vm_flags |= VM_INSERTPAGE;
69994 +#endif
69995 +
69996 vma->vm_flags |= VM_INSERTPAGE;
69997 return insert_page(vma, addr, page, vma->vm_page_prot);
69998 }
69999 @@ -1649,6 +1672,7 @@ int vm_insert_mixed(struct vm_area_struc
70000 unsigned long pfn)
70001 {
70002 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
70003 + BUG_ON(vma->vm_mirror);
70004
70005 if (addr < vma->vm_start || addr >= vma->vm_end)
70006 return -EFAULT;
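Review bot: `BUG_ON(vma->vm_mirror);` is the only SEGMEXEC-related addition in this file that is not wrapped in `#ifdef CONFIG_PAX_SEGMEXEC`. It compiles only if `vm_mirror` is declared unconditionally in `struct vm_area_struct`, and that declaration is not visible here. Either guard it like the others or add a comment saying the field always exists, and note why mixed-map insertion into a mirrored vma is treated as a bug, for example `/* mirrored vmas are not expected to be VM_MIXEDMAP */`.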
70007 @@ -1977,6 +2001,186 @@ static inline void cow_user_page(struct
70008 copy_user_highpage(dst, src, va, vma);
70009 }
70010
70011 +#ifdef CONFIG_PAX_SEGMEXEC
70012 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
70013 +{
70014 + struct mm_struct *mm = vma->vm_mm;
70015 + spinlock_t *ptl;
70016 + pte_t *pte, entry;
70017 +
70018 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
70019 + entry = *pte;
70020 + if (!pte_present(entry)) {
70021 + if (!pte_none(entry)) {
70022 + BUG_ON(pte_file(entry));
70023 + free_swap_and_cache(pte_to_swp_entry(entry));
70024 + pte_clear_not_present_full(mm, address, pte, 0);
70025 + }
70026 + } else {
70027 + struct page *page;
70028 +
70029 + flush_cache_page(vma, address, pte_pfn(entry));
70030 + entry = ptep_clear_flush(vma, address, pte);
70031 + BUG_ON(pte_dirty(entry));
70032 + page = vm_normal_page(vma, address, entry);
70033 + if (page) {
70034 + update_hiwater_rss(mm);
70035 + if (PageAnon(page))
70036 + dec_mm_counter(mm, anon_rss);
70037 + else
70038 + dec_mm_counter(mm, file_rss);
70039 + page_remove_rmap(page);
70040 + page_cache_release(page);
70041 + }
70042 + }
70043 + pte_unmap_unlock(pte, ptl);
70044 +}
70045 +
70046 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
70047 + *
70048 + * the ptl of the lower mapped page is held on entry and is not released on exit
70049 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
70050 + */
70051 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
70052 +{
70053 + struct mm_struct *mm = vma->vm_mm;
70054 + unsigned long address_m;
70055 + spinlock_t *ptl_m;
70056 + struct vm_area_struct *vma_m;
70057 + pmd_t *pmd_m;
70058 + pte_t *pte_m, entry_m;
70059 +
70060 + BUG_ON(!page_m || !PageAnon(page_m));
70061 +
70062 + vma_m = pax_find_mirror_vma(vma);
70063 + if (!vma_m)
70064 + return;
70065 +
70066 + BUG_ON(!PageLocked(page_m));
70067 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
70068 + address_m = address + SEGMEXEC_TASK_SIZE;
70069 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
70070 + pte_m = pte_offset_map_nested(pmd_m, address_m);
70071 + ptl_m = pte_lockptr(mm, pmd_m);
70072 + if (ptl != ptl_m) {
70073 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
70074 + if (!pte_none(*pte_m))
70075 + goto out;
70076 + }
70077 +
70078 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
70079 + page_cache_get(page_m);
70080 + page_add_anon_rmap(page_m, vma_m, address_m);
70081 + inc_mm_counter(mm, anon_rss);
70082 + set_pte_at(mm, address_m, pte_m, entry_m);
70083 + update_mmu_cache(vma_m, address_m, entry_m);
70084 +out:
70085 + if (ptl != ptl_m)
70086 + spin_unlock(ptl_m);
70087 + pte_unmap_nested(pte_m);
70088 + unlock_page(page_m);
70089 +}
70090 +
70091 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
70092 +{
70093 + struct mm_struct *mm = vma->vm_mm;
70094 + unsigned long address_m;
70095 + spinlock_t *ptl_m;
70096 + struct vm_area_struct *vma_m;
70097 + pmd_t *pmd_m;
70098 + pte_t *pte_m, entry_m;
70099 +
70100 + BUG_ON(!page_m || PageAnon(page_m));
70101 +
70102 + vma_m = pax_find_mirror_vma(vma);
70103 + if (!vma_m)
70104 + return;
70105 +
70106 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
70107 + address_m = address + SEGMEXEC_TASK_SIZE;
70108 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
70109 + pte_m = pte_offset_map_nested(pmd_m, address_m);
70110 + ptl_m = pte_lockptr(mm, pmd_m);
70111 + if (ptl != ptl_m) {
70112 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
70113 + if (!pte_none(*pte_m))
70114 + goto out;
70115 + }
70116 +
70117 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
70118 + page_cache_get(page_m);
70119 + page_add_file_rmap(page_m);
70120 + inc_mm_counter(mm, file_rss);
70121 + set_pte_at(mm, address_m, pte_m, entry_m);
70122 + update_mmu_cache(vma_m, address_m, entry_m);
70123 +out:
70124 + if (ptl != ptl_m)
70125 + spin_unlock(ptl_m);
70126 + pte_unmap_nested(pte_m);
70127 +}
70128 +
70129 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
70130 +{
70131 + struct mm_struct *mm = vma->vm_mm;
70132 + unsigned long address_m;
70133 + spinlock_t *ptl_m;
70134 + struct vm_area_struct *vma_m;
70135 + pmd_t *pmd_m;
70136 + pte_t *pte_m, entry_m;
70137 +
70138 + vma_m = pax_find_mirror_vma(vma);
70139 + if (!vma_m)
70140 + return;
70141 +
70142 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
70143 + address_m = address + SEGMEXEC_TASK_SIZE;
70144 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
70145 + pte_m = pte_offset_map_nested(pmd_m, address_m);
70146 + ptl_m = pte_lockptr(mm, pmd_m);
70147 + if (ptl != ptl_m) {
70148 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
70149 + if (!pte_none(*pte_m))
70150 + goto out;
70151 + }
70152 +
70153 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
70154 + set_pte_at(mm, address_m, pte_m, entry_m);
70155 +out:
70156 + if (ptl != ptl_m)
70157 + spin_unlock(ptl_m);
70158 + pte_unmap_nested(pte_m);
70159 +}
70160 +
70161 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
70162 +{
70163 + struct page *page_m;
70164 + pte_t entry;
70165 +
70166 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
70167 + goto out;
70168 +
70169 + entry = *pte;
70170 + page_m = vm_normal_page(vma, address, entry);
70171 + if (!page_m)
70172 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
70173 + else if (PageAnon(page_m)) {
70174 + if (pax_find_mirror_vma(vma)) {
70175 + pte_unmap_unlock(pte, ptl);
70176 + lock_page(page_m);
70177 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
70178 + if (pte_same(entry, *pte))
70179 + pax_mirror_anon_pte(vma, address, page_m, ptl);
70180 + else
70181 + unlock_page(page_m);
70182 + }
70183 + } else
70184 + pax_mirror_file_pte(vma, address, page_m, ptl);
70185 +
70186 +out:
70187 + pte_unmap_unlock(pte, ptl);
70188 +}
70189 +#endif
70190 +
70191 /*
70192 * This routine handles present pages, when users try to write
70193 * to a shared page. It is done by copying the page to a new address
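Review bot: In pax_mirror_pte the anonymous branch drops the PTE lock with `pte_unmap_unlock(pte, ptl)` and then calls `lock_page(page_m)` without first taking a reference on the page, so nothing visible in this hunk keeps `page_m` alive across that window. Unless the page is pinned by something outside the hunk, I would add `page_cache_get(page_m);` before the unlock and `page_cache_release(page_m);` once the page has been unlocked again. Separately, the three pax_mirror_*_pte helpers re-check `pte_none(*pte_m)` only when the mirror uses a different lock, and a one-line comment saying why the shared-lock case can skip the check would help the next reader.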
70194 @@ -2156,6 +2360,12 @@ gotten:
70195 */
70196 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
70197 if (likely(pte_same(*page_table, orig_pte))) {
70198 +
70199 +#ifdef CONFIG_PAX_SEGMEXEC
70200 + if (pax_find_mirror_vma(vma))
70201 + BUG_ON(!trylock_page(new_page));
70202 +#endif
70203 +
70204 if (old_page) {
70205 if (!PageAnon(old_page)) {
70206 dec_mm_counter(mm, file_rss);
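Review bot: `BUG_ON(!trylock_page(new_page))` puts the lock acquisition itself inside an assertion macro, which makes it easy to miss that the page stays locked from here on; the same construct is added in the do_anonymous_page and __do_fault hunks below. I would write it as `if (!trylock_page(new_page)) BUG();` and add a comment such as `/* released by pax_mirror_anon_pte() */`, since the matching unlock_page() lives in that helper. The enclosing function starts and ends outside this hunk, so the pairing on its error paths could not be checked from here.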
70207 @@ -2207,6 +2417,10 @@ gotten:
70208 page_remove_rmap(old_page);
70209 }
70210
70211 +#ifdef CONFIG_PAX_SEGMEXEC
70212 + pax_mirror_anon_pte(vma, address, new_page, ptl);
70213 +#endif
70214 +
70215 /* Free the old page.. */
70216 new_page = old_page;
70217 ret |= VM_FAULT_WRITE;
70218 @@ -2606,6 +2820,11 @@ static int do_swap_page(struct mm_struct
70219 swap_free(entry);
70220 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
70221 try_to_free_swap(page);
70222 +
70223 +#ifdef CONFIG_PAX_SEGMEXEC
70224 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
70225 +#endif
70226 +
70227 unlock_page(page);
70228
70229 if (flags & FAULT_FLAG_WRITE) {
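Review bot: The `if` added under `#ifdef CONFIG_PAX_SEGMEXEC` has no statement of its own and silently takes the `unlock_page(page)` that follows the `#endif` and a blank line, so any statement later inserted between them changes which call is conditional. Spelling out both preprocessor branches (the guarded `unlock_page(page);` under `#ifdef`, the plain one under `#else`) would make the control flow visible. The do_mbind hunk in mm/mempolicy.c (`} else` just before `#endif`) and the MPROTECT block in do_mmap_pgoff (an `else` shared by both `#ifndef` branches) use the same construct. do_swap_page continues outside this hunk.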
70230 @@ -2617,6 +2836,11 @@ static int do_swap_page(struct mm_struct
70231
70232 /* No need to invalidate - it was non-present before */
70233 update_mmu_cache(vma, address, pte);
70234 +
70235 +#ifdef CONFIG_PAX_SEGMEXEC
70236 + pax_mirror_anon_pte(vma, address, page, ptl);
70237 +#endif
70238 +
70239 unlock:
70240 pte_unmap_unlock(page_table, ptl);
70241 out:
70242 @@ -2632,40 +2856,6 @@ out_release:
70243 }
70244
70245 /*
70246 - * This is like a special single-page "expand_{down|up}wards()",
70247 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
70248 - * doesn't hit another vma.
70249 - */
70250 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
70251 -{
70252 - address &= PAGE_MASK;
70253 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
70254 - struct vm_area_struct *prev = vma->vm_prev;
70255 -
70256 - /*
70257 - * Is there a mapping abutting this one below?
70258 - *
70259 - * That's only ok if it's the same stack mapping
70260 - * that has gotten split..
70261 - */
70262 - if (prev && prev->vm_end == address)
70263 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
70264 -
70265 - expand_stack(vma, address - PAGE_SIZE);
70266 - }
70267 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
70268 - struct vm_area_struct *next = vma->vm_next;
70269 -
70270 - /* As VM_GROWSDOWN but s/below/above/ */
70271 - if (next && next->vm_start == address + PAGE_SIZE)
70272 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
70273 -
70274 - expand_upwards(vma, address + PAGE_SIZE);
70275 - }
70276 - return 0;
70277 -}
70278 -
70279 -/*
70280 * We enter with non-exclusive mmap_sem (to exclude vma changes,
70281 * but allow concurrent faults), and pte mapped but not yet locked.
70282 * We return with mmap_sem still held, but pte unmapped and unlocked.
70283 @@ -2674,27 +2864,23 @@ static int do_anonymous_page(struct mm_s
70284 unsigned long address, pte_t *page_table, pmd_t *pmd,
70285 unsigned int flags)
70286 {
70287 - struct page *page;
70288 + struct page *page = NULL;
70289 spinlock_t *ptl;
70290 pte_t entry;
70291
70292 - pte_unmap(page_table);
70293 -
70294 - /* Check if we need to add a guard page to the stack */
70295 - if (check_stack_guard_page(vma, address) < 0)
70296 - return VM_FAULT_SIGBUS;
70297 -
70298 - /* Use the zero-page for reads */
70299 if (!(flags & FAULT_FLAG_WRITE)) {
70300 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
70301 vma->vm_page_prot));
70302 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
70303 + ptl = pte_lockptr(mm, pmd);
70304 + spin_lock(ptl);
70305 if (!pte_none(*page_table))
70306 goto unlock;
70307 goto setpte;
70308 }
70309
70310 /* Allocate our own private page. */
70311 + pte_unmap(page_table);
70312 +
70313 if (unlikely(anon_vma_prepare(vma)))
70314 goto oom;
70315 page = alloc_zeroed_user_highpage_movable(vma, address);
70316 @@ -2713,6 +2899,11 @@ static int do_anonymous_page(struct mm_s
70317 if (!pte_none(*page_table))
70318 goto release;
70319
70320 +#ifdef CONFIG_PAX_SEGMEXEC
70321 + if (pax_find_mirror_vma(vma))
70322 + BUG_ON(!trylock_page(page));
70323 +#endif
70324 +
70325 inc_mm_counter(mm, anon_rss);
70326 page_add_new_anon_rmap(page, vma, address);
70327 setpte:
70328 @@ -2720,6 +2911,12 @@ setpte:
70329
70330 /* No need to invalidate - it was non-present before */
70331 update_mmu_cache(vma, address, entry);
70332 +
70333 +#ifdef CONFIG_PAX_SEGMEXEC
70334 + if (page)
70335 + pax_mirror_anon_pte(vma, address, page, ptl);
70336 +#endif
70337 +
70338 unlock:
70339 pte_unmap_unlock(page_table, ptl);
70340 return 0;
70341 @@ -2862,6 +3059,12 @@ static int __do_fault(struct mm_struct *
70342 */
70343 /* Only go through if we didn't race with anybody else... */
70344 if (likely(pte_same(*page_table, orig_pte))) {
70345 +
70346 +#ifdef CONFIG_PAX_SEGMEXEC
70347 + if (anon && pax_find_mirror_vma(vma))
70348 + BUG_ON(!trylock_page(page));
70349 +#endif
70350 +
70351 flush_icache_page(vma, page);
70352 entry = mk_pte(page, vma->vm_page_prot);
70353 if (flags & FAULT_FLAG_WRITE)
70354 @@ -2881,6 +3084,14 @@ static int __do_fault(struct mm_struct *
70355
70356 /* no need to invalidate: a not-present page won't be cached */
70357 update_mmu_cache(vma, address, entry);
70358 +
70359 +#ifdef CONFIG_PAX_SEGMEXEC
70360 + if (anon)
70361 + pax_mirror_anon_pte(vma, address, page, ptl);
70362 + else
70363 + pax_mirror_file_pte(vma, address, page, ptl);
70364 +#endif
70365 +
70366 } else {
70367 if (charged)
70368 mem_cgroup_uncharge_page(page);
70369 @@ -3028,6 +3239,12 @@ static inline int handle_pte_fault(struc
70370 if (flags & FAULT_FLAG_WRITE)
70371 flush_tlb_page(vma, address);
70372 }
70373 +
70374 +#ifdef CONFIG_PAX_SEGMEXEC
70375 + pax_mirror_pte(vma, address, pte, pmd, ptl);
70376 + return 0;
70377 +#endif
70378 +
70379 unlock:
70380 pte_unmap_unlock(pte, ptl);
70381 return 0;
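Review bot: With CONFIG_PAX_SEGMEXEC the function now returns right after `pax_mirror_pte()` and never reaches `unlock:`, which only works because that helper unmaps and unlocks the PTE on every path; nothing at this call site says so. A comment such as `/* pax_mirror_pte() drops pte/ptl itself */` above the call would keep a later edit from adding a second unlock or removing the `return 0;`. handle_pte_fault starts outside the hunk.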
70382 @@ -3044,6 +3261,10 @@ int handle_mm_fault(struct mm_struct *mm
70383 pmd_t *pmd;
70384 pte_t *pte;
70385
70386 +#ifdef CONFIG_PAX_SEGMEXEC
70387 + struct vm_area_struct *vma_m;
70388 +#endif
70389 +
70390 __set_current_state(TASK_RUNNING);
70391
70392 count_vm_event(PGFAULT);
70393 @@ -3051,6 +3272,34 @@ int handle_mm_fault(struct mm_struct *mm
70394 if (unlikely(is_vm_hugetlb_page(vma)))
70395 return hugetlb_fault(mm, vma, address, flags);
70396
70397 +#ifdef CONFIG_PAX_SEGMEXEC
70398 + vma_m = pax_find_mirror_vma(vma);
70399 + if (vma_m) {
70400 + unsigned long address_m;
70401 + pgd_t *pgd_m;
70402 + pud_t *pud_m;
70403 + pmd_t *pmd_m;
70404 +
70405 + if (vma->vm_start > vma_m->vm_start) {
70406 + address_m = address;
70407 + address -= SEGMEXEC_TASK_SIZE;
70408 + vma = vma_m;
70409 + } else
70410 + address_m = address + SEGMEXEC_TASK_SIZE;
70411 +
70412 + pgd_m = pgd_offset(mm, address_m);
70413 + pud_m = pud_alloc(mm, pgd_m, address_m);
70414 + if (!pud_m)
70415 + return VM_FAULT_OOM;
70416 + pmd_m = pmd_alloc(mm, pud_m, address_m);
70417 + if (!pmd_m)
70418 + return VM_FAULT_OOM;
70419 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
70420 + return VM_FAULT_OOM;
70421 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
70422 + }
70423 +#endif
70424 +
70425 pgd = pgd_offset(mm, address);
70426 pud = pud_alloc(mm, pgd, address);
70427 if (!pud)
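Review bot: The added block rewrites the function's own `vma` and `address` arguments when the fault lands in the upper (mirror) mapping, and the rest of handle_mm_fault then runs on the lower one; that deserves a comment, for example `/* always service the fault on the lower vma; the mirror PTE is rebuilt afterwards */`. The comment should also say that `pax_unmap_mirror_pte()` clears the mirror entry on every fault in a mirrored vma, which is what the block does as written. The function continues outside the hunk.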
70428 @@ -3148,7 +3397,7 @@ static int __init gate_vma_init(void)
70429 gate_vma.vm_start = FIXADDR_USER_START;
70430 gate_vma.vm_end = FIXADDR_USER_END;
70431 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
70432 - gate_vma.vm_page_prot = __P101;
70433 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
70434 /*
70435 * Make sure the vDSO gets into every core dump.
70436 * Dumping its contents makes post-mortem fully interpretable later
70437 diff -urNp linux-2.6.32.46/mm/memory-failure.c linux-2.6.32.46/mm/memory-failure.c
70438 --- linux-2.6.32.46/mm/memory-failure.c 2011-03-27 14:31:47.000000000 -0400
70439 +++ linux-2.6.32.46/mm/memory-failure.c 2011-04-17 15:56:46.000000000 -0400
70440 @@ -46,7 +46,7 @@ int sysctl_memory_failure_early_kill __r
70441
70442 int sysctl_memory_failure_recovery __read_mostly = 1;
70443
70444 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
70445 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
70446
70447 /*
70448 * Send all the processes who have the page mapped an ``action optional''
70449 @@ -745,7 +745,7 @@ int __memory_failure(unsigned long pfn,
70450 return 0;
70451 }
70452
70453 - atomic_long_add(1, &mce_bad_pages);
70454 + atomic_long_add_unchecked(1, &mce_bad_pages);
70455
70456 /*
70457 * We need/can do nothing about count=0 pages.
70458 diff -urNp linux-2.6.32.46/mm/mempolicy.c linux-2.6.32.46/mm/mempolicy.c
70459 --- linux-2.6.32.46/mm/mempolicy.c 2011-03-27 14:31:47.000000000 -0400
70460 +++ linux-2.6.32.46/mm/mempolicy.c 2011-04-17 15:56:46.000000000 -0400
70461 @@ -573,6 +573,10 @@ static int mbind_range(struct vm_area_st
70462 struct vm_area_struct *next;
70463 int err;
70464
70465 +#ifdef CONFIG_PAX_SEGMEXEC
70466 + struct vm_area_struct *vma_m;
70467 +#endif
70468 +
70469 err = 0;
70470 for (; vma && vma->vm_start < end; vma = next) {
70471 next = vma->vm_next;
70472 @@ -584,6 +588,16 @@ static int mbind_range(struct vm_area_st
70473 err = policy_vma(vma, new);
70474 if (err)
70475 break;
70476 +
70477 +#ifdef CONFIG_PAX_SEGMEXEC
70478 + vma_m = pax_find_mirror_vma(vma);
70479 + if (vma_m) {
70480 + err = policy_vma(vma_m, new);
70481 + if (err)
70482 + break;
70483 + }
70484 +#endif
70485 +
70486 }
70487 return err;
70488 }
70489 @@ -1002,6 +1016,17 @@ static long do_mbind(unsigned long start
70490
70491 if (end < start)
70492 return -EINVAL;
70493 +
70494 +#ifdef CONFIG_PAX_SEGMEXEC
70495 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
70496 + if (end > SEGMEXEC_TASK_SIZE)
70497 + return -EINVAL;
70498 + } else
70499 +#endif
70500 +
70501 + if (end > TASK_SIZE)
70502 + return -EINVAL;
70503 +
70504 if (end == start)
70505 return 0;
70506
70507 @@ -1207,6 +1232,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
70508 if (!mm)
70509 return -EINVAL;
70510
70511 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
70512 + if (mm != current->mm &&
70513 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
70514 + err = -EPERM;
70515 + goto out;
70516 + }
70517 +#endif
70518 +
70519 /*
70520 * Check if this process has the right to modify the specified
70521 * process. The right exists if the process has administrative
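Review bot: The new CONFIG_GRKERNSEC_PROC_MEMMAP check returns -EPERM before the credential test and has no comment saying why, so a reader cannot tell that it also applies to callers holding CAP_SYS_NICE. I would add something like `/* never operate on another task's randomized or SEGMEXEC address space */` (wording to be confirmed by the author) and fold the test into `mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)`. The identical block is added to move_pages in mm/migrate.c. The syscall body starts outside this hunk.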
70522 @@ -1216,8 +1249,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
70523 rcu_read_lock();
70524 tcred = __task_cred(task);
70525 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
70526 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
70527 - !capable(CAP_SYS_NICE)) {
70528 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
70529 rcu_read_unlock();
70530 err = -EPERM;
70531 goto out;
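Review bot: Dropping `cred->uid != tcred->uid` tightens the rule, since a matching real uid alone no longer grants access, but the explanatory comment above the test, only partly visible in these hunks, presumably still describes the old set of matches. Please update that comment so it lists exactly the three uid comparisons that remain. The same applies to the move_pages hunk in mm/migrate.c.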
70532 @@ -2396,7 +2428,7 @@ int show_numa_map(struct seq_file *m, vo
70533
70534 if (file) {
70535 seq_printf(m, " file=");
70536 - seq_path(m, &file->f_path, "\n\t= ");
70537 + seq_path(m, &file->f_path, "\n\t\\= ");
70538 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
70539 seq_printf(m, " heap");
70540 } else if (vma->vm_start <= mm->start_stack &&
70541 diff -urNp linux-2.6.32.46/mm/migrate.c linux-2.6.32.46/mm/migrate.c
70542 --- linux-2.6.32.46/mm/migrate.c 2011-07-13 17:23:04.000000000 -0400
70543 +++ linux-2.6.32.46/mm/migrate.c 2011-07-13 17:23:23.000000000 -0400
70544 @@ -916,6 +916,8 @@ static int do_pages_move(struct mm_struc
70545 unsigned long chunk_start;
70546 int err;
70547
70548 + pax_track_stack();
70549 +
70550 task_nodes = cpuset_mems_allowed(task);
70551
70552 err = -ENOMEM;
70553 @@ -1106,6 +1108,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
70554 if (!mm)
70555 return -EINVAL;
70556
70557 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
70558 + if (mm != current->mm &&
70559 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
70560 + err = -EPERM;
70561 + goto out;
70562 + }
70563 +#endif
70564 +
70565 /*
70566 * Check if this process has the right to modify the specified
70567 * process. The right exists if the process has administrative
70568 @@ -1115,8 +1125,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
70569 rcu_read_lock();
70570 tcred = __task_cred(task);
70571 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
70572 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
70573 - !capable(CAP_SYS_NICE)) {
70574 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
70575 rcu_read_unlock();
70576 err = -EPERM;
70577 goto out;
70578 diff -urNp linux-2.6.32.46/mm/mlock.c linux-2.6.32.46/mm/mlock.c
70579 --- linux-2.6.32.46/mm/mlock.c 2011-03-27 14:31:47.000000000 -0400
70580 +++ linux-2.6.32.46/mm/mlock.c 2011-04-17 15:56:46.000000000 -0400
70581 @@ -13,6 +13,7 @@
70582 #include <linux/pagemap.h>
70583 #include <linux/mempolicy.h>
70584 #include <linux/syscalls.h>
70585 +#include <linux/security.h>
70586 #include <linux/sched.h>
70587 #include <linux/module.h>
70588 #include <linux/rmap.h>
70589 @@ -138,13 +139,6 @@ void munlock_vma_page(struct page *page)
70590 }
70591 }
70592
70593 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
70594 -{
70595 - return (vma->vm_flags & VM_GROWSDOWN) &&
70596 - (vma->vm_start == addr) &&
70597 - !vma_stack_continue(vma->vm_prev, addr);
70598 -}
70599 -
70600 /**
70601 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
70602 * @vma: target vma
70603 @@ -177,12 +171,6 @@ static long __mlock_vma_pages_range(stru
70604 if (vma->vm_flags & VM_WRITE)
70605 gup_flags |= FOLL_WRITE;
70606
70607 - /* We don't try to access the guard page of a stack vma */
70608 - if (stack_guard_page(vma, start)) {
70609 - addr += PAGE_SIZE;
70610 - nr_pages--;
70611 - }
70612 -
70613 while (nr_pages > 0) {
70614 int i;
70615
70616 @@ -440,7 +428,7 @@ static int do_mlock(unsigned long start,
70617 {
70618 unsigned long nstart, end, tmp;
70619 struct vm_area_struct * vma, * prev;
70620 - int error;
70621 + int error = -EINVAL;
70622
70623 len = PAGE_ALIGN(len);
70624 end = start + len;
70625 @@ -448,6 +436,9 @@ static int do_mlock(unsigned long start,
70626 return -EINVAL;
70627 if (end == start)
70628 return 0;
70629 + if (end > TASK_SIZE)
70630 + return -EINVAL;
70631 +
70632 vma = find_vma_prev(current->mm, start, &prev);
70633 if (!vma || vma->vm_start > start)
70634 return -ENOMEM;
70635 @@ -458,6 +449,11 @@ static int do_mlock(unsigned long start,
70636 for (nstart = start ; ; ) {
70637 unsigned int newflags;
70638
70639 +#ifdef CONFIG_PAX_SEGMEXEC
70640 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
70641 + break;
70642 +#endif
70643 +
70644 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
70645
70646 newflags = vma->vm_flags | VM_LOCKED;
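Review bot: The added `break` leaves `error` at whatever the previous iteration stored, so a range that starts in the lower half and runs into the mirror region appears to return success after locking only part of it; on the first iteration it returns the -EINVAL that the earlier hunk initialises. do_mbind in mm/mempolicy.c rejects `end > SEGMEXEC_TASK_SIZE` up front instead, and doing the same here (or setting `error = -EINVAL;` before the `break`) would make the two consistent. The loop body is outside this hunk, so the value of `error` at this point is inferred.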
70647 @@ -507,6 +503,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
70648 lock_limit >>= PAGE_SHIFT;
70649
70650 /* check against resource limits */
70651 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
70652 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
70653 error = do_mlock(start, len, 1);
70654 up_write(&current->mm->mmap_sem);
70655 @@ -528,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
70656 static int do_mlockall(int flags)
70657 {
70658 struct vm_area_struct * vma, * prev = NULL;
70659 - unsigned int def_flags = 0;
70660
70661 if (flags & MCL_FUTURE)
70662 - def_flags = VM_LOCKED;
70663 - current->mm->def_flags = def_flags;
70664 + current->mm->def_flags |= VM_LOCKED;
70665 + else
70666 + current->mm->def_flags &= ~VM_LOCKED;
70667 if (flags == MCL_FUTURE)
70668 goto out;
70669
70670 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
70671 - unsigned int newflags;
70672 + unsigned long newflags;
70673 +
70674 +#ifdef CONFIG_PAX_SEGMEXEC
70675 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
70676 + break;
70677 +#endif
70678
70679 + BUG_ON(vma->vm_end > TASK_SIZE);
70680 newflags = vma->vm_flags | VM_LOCKED;
70681 if (!(flags & MCL_CURRENT))
70682 newflags &= ~VM_LOCKED;
70683 @@ -570,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
70684 lock_limit >>= PAGE_SHIFT;
70685
70686 ret = -ENOMEM;
70687 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
70688 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
70689 capable(CAP_IPC_LOCK))
70690 ret = do_mlockall(flags);
70691 diff -urNp linux-2.6.32.46/mm/mmap.c linux-2.6.32.46/mm/mmap.c
70692 --- linux-2.6.32.46/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
70693 +++ linux-2.6.32.46/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
70694 @@ -45,6 +45,16 @@
70695 #define arch_rebalance_pgtables(addr, len) (addr)
70696 #endif
70697
70698 +static inline void verify_mm_writelocked(struct mm_struct *mm)
70699 +{
70700 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
70701 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
70702 + up_read(&mm->mmap_sem);
70703 + BUG();
70704 + }
70705 +#endif
70706 +}
70707 +
70708 static void unmap_region(struct mm_struct *mm,
70709 struct vm_area_struct *vma, struct vm_area_struct *prev,
70710 unsigned long start, unsigned long end);
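Review bot: `verify_mm_writelocked()` can only show that mmap_sem could not be taken for reading right now, not that the current task is the writer, while its name suggests the stronger guarantee. A short comment would set expectations, e.g. `/* best effort: BUGs when mmap_sem can still be taken for reading; cannot prove the writer is us */`. The comment should also mention that the check compiles to nothing unless CONFIG_DEBUG_VM or CONFIG_PAX is set.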
70711 @@ -70,22 +80,32 @@ static void unmap_region(struct mm_struc
70712 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
70713 *
70714 */
70715 -pgprot_t protection_map[16] = {
70716 +pgprot_t protection_map[16] __read_only = {
70717 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
70718 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
70719 };
70720
70721 pgprot_t vm_get_page_prot(unsigned long vm_flags)
70722 {
70723 - return __pgprot(pgprot_val(protection_map[vm_flags &
70724 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
70725 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
70726 pgprot_val(arch_vm_get_page_prot(vm_flags)));
70727 +
70728 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
70729 + if (!nx_enabled &&
70730 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
70731 + (vm_flags & (VM_READ | VM_WRITE)))
70732 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
70733 +#endif
70734 +
70735 + return prot;
70736 }
70737 EXPORT_SYMBOL(vm_get_page_prot);
70738
70739 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
70740 int sysctl_overcommit_ratio = 50; /* default is 50% */
70741 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
70742 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
70743 struct percpu_counter vm_committed_as;
70744
70745 /*
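Review bot: The new CONFIG_PAX_PAGEEXEC branch in vm_get_page_prot() has no comment, and its three-part condition is hard to read cold: NX disabled, VM_PAGEEXEC set without VM_EXEC, and the mapping readable or writable. A line such as `/* no hardware NX: mark non-executable PAGEEXEC mappings via pte_exprotect() */` would help, with the wording checked against what pte_exprotect() does, which is not visible here. `sysctl_heap_stack_gap` also lacks the trailing comment its neighbours have; the unit (presumably bytes) should be stated.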
70746 @@ -231,6 +251,7 @@ static struct vm_area_struct *remove_vma
70747 struct vm_area_struct *next = vma->vm_next;
70748
70749 might_sleep();
70750 + BUG_ON(vma->vm_mirror);
70751 if (vma->vm_ops && vma->vm_ops->close)
70752 vma->vm_ops->close(vma);
70753 if (vma->vm_file) {
70754 @@ -267,6 +288,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
70755 * not page aligned -Ram Gupta
70756 */
70757 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
70758 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
70759 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
70760 (mm->end_data - mm->start_data) > rlim)
70761 goto out;
70762 @@ -704,6 +726,12 @@ static int
70763 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
70764 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
70765 {
70766 +
70767 +#ifdef CONFIG_PAX_SEGMEXEC
70768 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
70769 + return 0;
70770 +#endif
70771 +
70772 if (is_mergeable_vma(vma, file, vm_flags) &&
70773 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
70774 if (vma->vm_pgoff == vm_pgoff)
70775 @@ -723,6 +751,12 @@ static int
70776 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
70777 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
70778 {
70779 +
70780 +#ifdef CONFIG_PAX_SEGMEXEC
70781 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
70782 + return 0;
70783 +#endif
70784 +
70785 if (is_mergeable_vma(vma, file, vm_flags) &&
70786 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
70787 pgoff_t vm_pglen;
70788 @@ -765,12 +799,19 @@ can_vma_merge_after(struct vm_area_struc
70789 struct vm_area_struct *vma_merge(struct mm_struct *mm,
70790 struct vm_area_struct *prev, unsigned long addr,
70791 unsigned long end, unsigned long vm_flags,
70792 - struct anon_vma *anon_vma, struct file *file,
70793 + struct anon_vma *anon_vma, struct file *file,
70794 pgoff_t pgoff, struct mempolicy *policy)
70795 {
70796 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
70797 struct vm_area_struct *area, *next;
70798
70799 +#ifdef CONFIG_PAX_SEGMEXEC
70800 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
70801 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
70802 +
70803 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
70804 +#endif
70805 +
70806 /*
70807 * We later require that vma->vm_flags == vm_flags,
70808 * so this tests vma->vm_flags & VM_SPECIAL, too.
70809 @@ -786,6 +827,15 @@ struct vm_area_struct *vma_merge(struct
70810 if (next && next->vm_end == end) /* cases 6, 7, 8 */
70811 next = next->vm_next;
70812
70813 +#ifdef CONFIG_PAX_SEGMEXEC
70814 + if (prev)
70815 + prev_m = pax_find_mirror_vma(prev);
70816 + if (area)
70817 + area_m = pax_find_mirror_vma(area);
70818 + if (next)
70819 + next_m = pax_find_mirror_vma(next);
70820 +#endif
70821 +
70822 /*
70823 * Can it merge with the predecessor?
70824 */
70825 @@ -805,9 +855,24 @@ struct vm_area_struct *vma_merge(struct
70826 /* cases 1, 6 */
70827 vma_adjust(prev, prev->vm_start,
70828 next->vm_end, prev->vm_pgoff, NULL);
70829 - } else /* cases 2, 5, 7 */
70830 +
70831 +#ifdef CONFIG_PAX_SEGMEXEC
70832 + if (prev_m)
70833 + vma_adjust(prev_m, prev_m->vm_start,
70834 + next_m->vm_end, prev_m->vm_pgoff, NULL);
70835 +#endif
70836 +
70837 + } else { /* cases 2, 5, 7 */
70838 vma_adjust(prev, prev->vm_start,
70839 end, prev->vm_pgoff, NULL);
70840 +
70841 +#ifdef CONFIG_PAX_SEGMEXEC
70842 + if (prev_m)
70843 + vma_adjust(prev_m, prev_m->vm_start,
70844 + end_m, prev_m->vm_pgoff, NULL);
70845 +#endif
70846 +
70847 + }
70848 return prev;
70849 }
70850
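Review bot: The mirror adjustment for cases 1 and 6 is guarded by `prev_m` only, yet it reads `next_m->vm_end`; the following hunk does the same with `area_m` guarding `next_m->vm_end` and `next_m->vm_pgoff`. If mergeable neighbours always agree on having a mirror this is safe, but that invariant is not stated anywhere in the hunk. I would either test both pointers, `if (prev_m && next_m)`, or assert it with `BUG_ON(!next_m);` and a comment. vma_merge begins and ends outside this hunk.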
70851 @@ -818,12 +883,27 @@ struct vm_area_struct *vma_merge(struct
70852 mpol_equal(policy, vma_policy(next)) &&
70853 can_vma_merge_before(next, vm_flags,
70854 anon_vma, file, pgoff+pglen)) {
70855 - if (prev && addr < prev->vm_end) /* case 4 */
70856 + if (prev && addr < prev->vm_end) { /* case 4 */
70857 vma_adjust(prev, prev->vm_start,
70858 addr, prev->vm_pgoff, NULL);
70859 - else /* cases 3, 8 */
70860 +
70861 +#ifdef CONFIG_PAX_SEGMEXEC
70862 + if (prev_m)
70863 + vma_adjust(prev_m, prev_m->vm_start,
70864 + addr_m, prev_m->vm_pgoff, NULL);
70865 +#endif
70866 +
70867 + } else { /* cases 3, 8 */
70868 vma_adjust(area, addr, next->vm_end,
70869 next->vm_pgoff - pglen, NULL);
70870 +
70871 +#ifdef CONFIG_PAX_SEGMEXEC
70872 + if (area_m)
70873 + vma_adjust(area_m, addr_m, next_m->vm_end,
70874 + next_m->vm_pgoff - pglen, NULL);
70875 +#endif
70876 +
70877 + }
70878 return area;
70879 }
70880
70881 @@ -898,14 +978,11 @@ none:
70882 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
70883 struct file *file, long pages)
70884 {
70885 - const unsigned long stack_flags
70886 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
70887 -
70888 if (file) {
70889 mm->shared_vm += pages;
70890 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
70891 mm->exec_vm += pages;
70892 - } else if (flags & stack_flags)
70893 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
70894 mm->stack_vm += pages;
70895 if (flags & (VM_RESERVED|VM_IO))
70896 mm->reserved_vm += pages;
70897 @@ -932,7 +1009,7 @@ unsigned long do_mmap_pgoff(struct file
70898 * (the exception is when the underlying filesystem is noexec
70899 * mounted, in which case we dont add PROT_EXEC.)
70900 */
70901 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
70902 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
70903 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
70904 prot |= PROT_EXEC;
70905
70906 @@ -958,7 +1035,7 @@ unsigned long do_mmap_pgoff(struct file
70907 /* Obtain the address to map to. we verify (or select) it and ensure
70908 * that it represents a valid section of the address space.
70909 */
70910 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
70911 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
70912 if (addr & ~PAGE_MASK)
70913 return addr;
70914
70915 @@ -969,6 +1046,36 @@ unsigned long do_mmap_pgoff(struct file
70916 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
70917 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
70918
70919 +#ifdef CONFIG_PAX_MPROTECT
70920 + if (mm->pax_flags & MF_PAX_MPROTECT) {
70921 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
70922 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
70923 + gr_log_rwxmmap(file);
70924 +
70925 +#ifdef CONFIG_PAX_EMUPLT
70926 + vm_flags &= ~VM_EXEC;
70927 +#else
70928 + return -EPERM;
70929 +#endif
70930 +
70931 + }
70932 +
70933 + if (!(vm_flags & VM_EXEC))
70934 + vm_flags &= ~VM_MAYEXEC;
70935 +#else
70936 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
70937 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
70938 +#endif
70939 + else
70940 + vm_flags &= ~VM_MAYWRITE;
70941 + }
70942 +#endif
70943 +
70944 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
70945 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
70946 + vm_flags &= ~VM_PAGEEXEC;
70947 +#endif
70948 +
70949 if (flags & MAP_LOCKED)
70950 if (!can_do_mlock())
70951 return -EPERM;
70952 @@ -980,6 +1087,7 @@ unsigned long do_mmap_pgoff(struct file
70953 locked += mm->locked_vm;
70954 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
70955 lock_limit >>= PAGE_SHIFT;
70956 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
70957 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
70958 return -EAGAIN;
70959 }
70960 @@ -1053,6 +1161,9 @@ unsigned long do_mmap_pgoff(struct file
70961 if (error)
70962 return error;
70963
70964 + if (!gr_acl_handle_mmap(file, prot))
70965 + return -EACCES;
70966 +
70967 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
70968 }
70969 EXPORT_SYMBOL(do_mmap_pgoff);
70970 @@ -1065,10 +1176,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
70971 */
70972 int vma_wants_writenotify(struct vm_area_struct *vma)
70973 {
70974 - unsigned int vm_flags = vma->vm_flags;
70975 + unsigned long vm_flags = vma->vm_flags;
70976
70977 /* If it was private or non-writable, the write bit is already clear */
70978 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
70979 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
70980 return 0;
70981
70982 /* The backer wishes to know when pages are first written to? */
70983 @@ -1117,14 +1228,24 @@ unsigned long mmap_region(struct file *f
70984 unsigned long charged = 0;
70985 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
70986
70987 +#ifdef CONFIG_PAX_SEGMEXEC
70988 + struct vm_area_struct *vma_m = NULL;
70989 +#endif
70990 +
70991 + /*
70992 + * mm->mmap_sem is required to protect against another thread
70993 + * changing the mappings in case we sleep.
70994 + */
70995 + verify_mm_writelocked(mm);
70996 +
70997 /* Clear old maps */
70998 error = -ENOMEM;
70999 -munmap_back:
71000 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
71001 if (vma && vma->vm_start < addr + len) {
71002 if (do_munmap(mm, addr, len))
71003 return -ENOMEM;
71004 - goto munmap_back;
71005 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
71006 + BUG_ON(vma && vma->vm_start < addr + len);
71007 }
71008
71009 /* Check against address space limit. */
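Review bot: The `BUG_ON(vma && vma->vm_start < addr + len)` that replaces the `goto munmap_back` retry in mmap_region has no comment stating the invariant it depends on. Where the old code would simply unmap again, the new code halts the kernel if anything still overlaps after a successful do_munmap(), which is only safe to assert while mmap_sem is held for writing. The definition of verify_mm_writelocked() removed later in this file only warned under CONFIG_DEBUG_VM, and its new home is not visible here. I would put `/* do_munmap() succeeded under the write-held mmap_sem, so nothing may overlap [addr, addr+len) now */` above the BUG_ON. The do_brk hunk (@@ -2031,22 +2440,22 @@) makes the same substitution and wants the same comment; mmap_region's body continues outside this hunk.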
71010 @@ -1173,6 +1294,16 @@ munmap_back:
71011 goto unacct_error;
71012 }
71013
71014 +#ifdef CONFIG_PAX_SEGMEXEC
71015 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
71016 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
71017 + if (!vma_m) {
71018 + error = -ENOMEM;
71019 + goto free_vma;
71020 + }
71021 + }
71022 +#endif
71023 +
71024 vma->vm_mm = mm;
71025 vma->vm_start = addr;
71026 vma->vm_end = addr + len;
71027 @@ -1195,6 +1326,19 @@ munmap_back:
71028 error = file->f_op->mmap(file, vma);
71029 if (error)
71030 goto unmap_and_free_vma;
71031 +
71032 +#ifdef CONFIG_PAX_SEGMEXEC
71033 + if (vma_m && (vm_flags & VM_EXECUTABLE))
71034 + added_exe_file_vma(mm);
71035 +#endif
71036 +
71037 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
71038 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
71039 + vma->vm_flags |= VM_PAGEEXEC;
71040 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
71041 + }
71042 +#endif
71043 +
71044 if (vm_flags & VM_EXECUTABLE)
71045 added_exe_file_vma(mm);
71046
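Review bot: The added `if (vma_m && (vm_flags & VM_EXECUTABLE)) added_exe_file_vma(mm);` sits a few lines above the existing unconditional `added_exe_file_vma(mm)` and reads like an accidental double count. Presumably the first call accounts for the mirror vma that pax_mirror_vma() links later, but nothing in the hunk says so. A one-line comment such as `/* the SEGMEXEC mirror holds its own reference on the exe file */` would keep a later cleanup from removing it. The enclosing function starts and ends outside this hunk.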
71047 @@ -1218,6 +1362,11 @@ munmap_back:
71048 vma_link(mm, vma, prev, rb_link, rb_parent);
71049 file = vma->vm_file;
71050
71051 +#ifdef CONFIG_PAX_SEGMEXEC
71052 + if (vma_m)
71053 + pax_mirror_vma(vma_m, vma);
71054 +#endif
71055 +
71056 /* Once vma denies write, undo our temporary denial count */
71057 if (correct_wcount)
71058 atomic_inc(&inode->i_writecount);
71059 @@ -1226,6 +1375,7 @@ out:
71060
71061 mm->total_vm += len >> PAGE_SHIFT;
71062 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
71063 + track_exec_limit(mm, addr, addr + len, vm_flags);
71064 if (vm_flags & VM_LOCKED) {
71065 /*
71066 * makes pages present; downgrades, drops, reacquires mmap_sem
71067 @@ -1248,6 +1398,12 @@ unmap_and_free_vma:
71068 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
71069 charged = 0;
71070 free_vma:
71071 +
71072 +#ifdef CONFIG_PAX_SEGMEXEC
71073 + if (vma_m)
71074 + kmem_cache_free(vm_area_cachep, vma_m);
71075 +#endif
71076 +
71077 kmem_cache_free(vm_area_cachep, vma);
71078 unacct_error:
71079 if (charged)
71080 @@ -1255,6 +1411,44 @@ unacct_error:
71081 return error;
71082 }
71083
71084 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
71085 +{
71086 + if (!vma) {
71087 +#ifdef CONFIG_STACK_GROWSUP
71088 + if (addr > sysctl_heap_stack_gap)
71089 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
71090 + else
71091 + vma = find_vma(current->mm, 0);
71092 + if (vma && (vma->vm_flags & VM_GROWSUP))
71093 + return false;
71094 +#endif
71095 + return true;
71096 + }
71097 +
71098 + if (addr + len > vma->vm_start)
71099 + return false;
71100 +
71101 + if (vma->vm_flags & VM_GROWSDOWN)
71102 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
71103 +#ifdef CONFIG_STACK_GROWSUP
71104 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
71105 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
71106 +#endif
71107 +
71108 + return true;
71109 +}
71110 +
71111 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
71112 +{
71113 + if (vma->vm_start < len)
71114 + return -ENOMEM;
71115 + if (!(vma->vm_flags & VM_GROWSDOWN))
71116 + return vma->vm_start - len;
71117 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
71118 + return vma->vm_start - len - sysctl_heap_stack_gap;
71119 + return -ENOMEM;
71120 +}
71121 +
71122 /* Get an address range which is currently unmapped.
71123 * For shmat() with addr=0.
71124 *
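Review bot: In check_heap_stack_gap() the CONFIG_STACK_GROWSUP branch returns `addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap`, which accepts a candidate that lies within the gap above an upward-growing stack and rejects one that lies further away. The VM_GROWSDOWN branch directly above has the opposite sense (`sysctl_heap_stack_gap <= vma->vm_start - addr - len`). If the aim is to keep at least sysctl_heap_stack_gap bytes free on both sides, the line should read `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. Both new helpers also lack a header comment; skip_heap_stack_gap() in particular returns `-ENOMEM` through an `unsigned long`, so it should say that callers must test the result with IS_ERR_VALUE(), as the topdown loop does.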
71125 @@ -1281,18 +1475,23 @@ arch_get_unmapped_area(struct file *filp
71126 if (flags & MAP_FIXED)
71127 return addr;
71128
71129 +#ifdef CONFIG_PAX_RANDMMAP
71130 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
71131 +#endif
71132 +
71133 if (addr) {
71134 addr = PAGE_ALIGN(addr);
71135 - vma = find_vma(mm, addr);
71136 - if (TASK_SIZE - len >= addr &&
71137 - (!vma || addr + len <= vma->vm_start))
71138 - return addr;
71139 + if (TASK_SIZE - len >= addr) {
71140 + vma = find_vma(mm, addr);
71141 + if (check_heap_stack_gap(vma, addr, len))
71142 + return addr;
71143 + }
71144 }
71145 if (len > mm->cached_hole_size) {
71146 - start_addr = addr = mm->free_area_cache;
71147 + start_addr = addr = mm->free_area_cache;
71148 } else {
71149 - start_addr = addr = TASK_UNMAPPED_BASE;
71150 - mm->cached_hole_size = 0;
71151 + start_addr = addr = mm->mmap_base;
71152 + mm->cached_hole_size = 0;
71153 }
71154
71155 full_search:
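Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no braces, and the statement it controls, `if (addr) {`, sits on the other side of `#endif` and a blank line. The guard is easy to overlook, and a statement inserted between the two would silently become the guarded one. The arch_get_unmapped_area_topdown hunk (@@ -1357,13 +1562,18 @@) has the same construct with a comment line in between, and split_vma's `} else` followed by `#endif` before the map_count test is a variant of it. A comment on the guard, for example `/* RANDMMAP: ignore the caller's address hint and fall through to the search */`, would at least state what the hunk appears to intend. The function body starts and ends outside this hunk.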
71156 @@ -1303,34 +1502,40 @@ full_search:
71157 * Start a new search - just in case we missed
71158 * some holes.
71159 */
71160 - if (start_addr != TASK_UNMAPPED_BASE) {
71161 - addr = TASK_UNMAPPED_BASE;
71162 - start_addr = addr;
71163 + if (start_addr != mm->mmap_base) {
71164 + start_addr = addr = mm->mmap_base;
71165 mm->cached_hole_size = 0;
71166 goto full_search;
71167 }
71168 return -ENOMEM;
71169 }
71170 - if (!vma || addr + len <= vma->vm_start) {
71171 - /*
71172 - * Remember the place where we stopped the search:
71173 - */
71174 - mm->free_area_cache = addr + len;
71175 - return addr;
71176 - }
71177 + if (check_heap_stack_gap(vma, addr, len))
71178 + break;
71179 if (addr + mm->cached_hole_size < vma->vm_start)
71180 mm->cached_hole_size = vma->vm_start - addr;
71181 addr = vma->vm_end;
71182 }
71183 +
71184 + /*
71185 + * Remember the place where we stopped the search:
71186 + */
71187 + mm->free_area_cache = addr + len;
71188 + return addr;
71189 }
71190 #endif
71191
71192 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
71193 {
71194 +
71195 +#ifdef CONFIG_PAX_SEGMEXEC
71196 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
71197 + return;
71198 +#endif
71199 +
71200 /*
71201 * Is this a new hole at the lowest possible address?
71202 */
71203 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
71204 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
71205 mm->free_area_cache = addr;
71206 mm->cached_hole_size = ~0UL;
71207 }
71208 @@ -1348,7 +1553,7 @@ arch_get_unmapped_area_topdown(struct fi
71209 {
71210 struct vm_area_struct *vma;
71211 struct mm_struct *mm = current->mm;
71212 - unsigned long addr = addr0;
71213 + unsigned long base = mm->mmap_base, addr = addr0;
71214
71215 /* requested length too big for entire address space */
71216 if (len > TASK_SIZE)
71217 @@ -1357,13 +1562,18 @@ arch_get_unmapped_area_topdown(struct fi
71218 if (flags & MAP_FIXED)
71219 return addr;
71220
71221 +#ifdef CONFIG_PAX_RANDMMAP
71222 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
71223 +#endif
71224 +
71225 /* requesting a specific address */
71226 if (addr) {
71227 addr = PAGE_ALIGN(addr);
71228 - vma = find_vma(mm, addr);
71229 - if (TASK_SIZE - len >= addr &&
71230 - (!vma || addr + len <= vma->vm_start))
71231 - return addr;
71232 + if (TASK_SIZE - len >= addr) {
71233 + vma = find_vma(mm, addr);
71234 + if (check_heap_stack_gap(vma, addr, len))
71235 + return addr;
71236 + }
71237 }
71238
71239 /* check if free_area_cache is useful for us */
71240 @@ -1378,7 +1588,7 @@ arch_get_unmapped_area_topdown(struct fi
71241 /* make sure it can fit in the remaining address space */
71242 if (addr > len) {
71243 vma = find_vma(mm, addr-len);
71244 - if (!vma || addr <= vma->vm_start)
71245 + if (check_heap_stack_gap(vma, addr - len, len))
71246 /* remember the address as a hint for next time */
71247 return (mm->free_area_cache = addr-len);
71248 }
71249 @@ -1395,7 +1605,7 @@ arch_get_unmapped_area_topdown(struct fi
71250 * return with success:
71251 */
71252 vma = find_vma(mm, addr);
71253 - if (!vma || addr+len <= vma->vm_start)
71254 + if (check_heap_stack_gap(vma, addr, len))
71255 /* remember the address as a hint for next time */
71256 return (mm->free_area_cache = addr);
71257
71258 @@ -1404,8 +1614,8 @@ arch_get_unmapped_area_topdown(struct fi
71259 mm->cached_hole_size = vma->vm_start - addr;
71260
71261 /* try just below the current vma->vm_start */
71262 - addr = vma->vm_start-len;
71263 - } while (len < vma->vm_start);
71264 + addr = skip_heap_stack_gap(vma, len);
71265 + } while (!IS_ERR_VALUE(addr));
71266
71267 bottomup:
71268 /*
71269 @@ -1414,13 +1624,21 @@ bottomup:
71270 * can happen with large stack limits and large mmap()
71271 * allocations.
71272 */
71273 + mm->mmap_base = TASK_UNMAPPED_BASE;
71274 +
71275 +#ifdef CONFIG_PAX_RANDMMAP
71276 + if (mm->pax_flags & MF_PAX_RANDMMAP)
71277 + mm->mmap_base += mm->delta_mmap;
71278 +#endif
71279 +
71280 + mm->free_area_cache = mm->mmap_base;
71281 mm->cached_hole_size = ~0UL;
71282 - mm->free_area_cache = TASK_UNMAPPED_BASE;
71283 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
71284 /*
71285 * Restore the topdown base:
71286 */
71287 - mm->free_area_cache = mm->mmap_base;
71288 + mm->mmap_base = base;
71289 + mm->free_area_cache = base;
71290 mm->cached_hole_size = ~0UL;
71291
71292 return addr;
71293 @@ -1429,6 +1647,12 @@ bottomup:
71294
71295 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
71296 {
71297 +
71298 +#ifdef CONFIG_PAX_SEGMEXEC
71299 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
71300 + return;
71301 +#endif
71302 +
71303 /*
71304 * Is this a new hole at the highest possible address?
71305 */
71306 @@ -1436,8 +1660,10 @@ void arch_unmap_area_topdown(struct mm_s
71307 mm->free_area_cache = addr;
71308
71309 /* dont allow allocations above current base */
71310 - if (mm->free_area_cache > mm->mmap_base)
71311 + if (mm->free_area_cache > mm->mmap_base) {
71312 mm->free_area_cache = mm->mmap_base;
71313 + mm->cached_hole_size = ~0UL;
71314 + }
71315 }
71316
71317 unsigned long
71318 @@ -1545,6 +1771,27 @@ out:
71319 return prev ? prev->vm_next : vma;
71320 }
71321
71322 +#ifdef CONFIG_PAX_SEGMEXEC
71323 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
71324 +{
71325 + struct vm_area_struct *vma_m;
71326 +
71327 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
71328 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
71329 + BUG_ON(vma->vm_mirror);
71330 + return NULL;
71331 + }
71332 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
71333 + vma_m = vma->vm_mirror;
71334 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
71335 + BUG_ON(vma->vm_file != vma_m->vm_file);
71336 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
71337 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
71338 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
71339 + return vma_m;
71340 +}
71341 +#endif
71342 +
71343 /*
71344 * Verify that the stack growth is acceptable and
71345 * update accounting. This is shared with both the
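Review bot: pax_find_mirror_vma() is added without a header comment, and its contract is not obvious from the name. It returns NULL only when the mm lacks MF_PAX_SEGMEXEC or the vma lacks VM_EXEC; in every other case it either returns a mirror that has passed the consistency checks or stops in BUG_ON. The expand_downwards and split_vma hunks rely on NULL meaning "this vma has no mirror". I would add a short block comment above the function stating those two outcomes and listing what the BUG_ONs require of a mirror pair: same file, same length, same vm_pgoff and anon_vma, and flags that differ only in VM_WRITE, VM_MAYWRITE, VM_ACCOUNT, VM_LOCKED and VM_RESERVED.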
71346 @@ -1561,6 +1808,7 @@ static int acct_stack_growth(struct vm_a
71347 return -ENOMEM;
71348
71349 /* Stack limit test */
71350 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
71351 if (size > rlim[RLIMIT_STACK].rlim_cur)
71352 return -ENOMEM;
71353
71354 @@ -1570,6 +1818,7 @@ static int acct_stack_growth(struct vm_a
71355 unsigned long limit;
71356 locked = mm->locked_vm + grow;
71357 limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
71358 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
71359 if (locked > limit && !capable(CAP_IPC_LOCK))
71360 return -ENOMEM;
71361 }
71362 @@ -1600,37 +1849,48 @@ static int acct_stack_growth(struct vm_a
71363 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
71364 * vma is the last one with address > vma->vm_end. Have to extend vma.
71365 */
71366 +#ifndef CONFIG_IA64
71367 +static
71368 +#endif
71369 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
71370 {
71371 int error;
71372 + bool locknext;
71373
71374 if (!(vma->vm_flags & VM_GROWSUP))
71375 return -EFAULT;
71376
71377 + /* Also guard against wrapping around to address 0. */
71378 + if (address < PAGE_ALIGN(address+1))
71379 + address = PAGE_ALIGN(address+1);
71380 + else
71381 + return -ENOMEM;
71382 +
71383 /*
71384 * We must make sure the anon_vma is allocated
71385 * so that the anon_vma locking is not a noop.
71386 */
71387 if (unlikely(anon_vma_prepare(vma)))
71388 return -ENOMEM;
71389 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
71390 + if (locknext && anon_vma_prepare(vma->vm_next))
71391 + return -ENOMEM;
71392 anon_vma_lock(vma);
71393 + if (locknext)
71394 + anon_vma_lock(vma->vm_next);
71395
71396 /*
71397 * vma->vm_start/vm_end cannot change under us because the caller
71398 * is required to hold the mmap_sem in read mode. We need the
71399 - * anon_vma lock to serialize against concurrent expand_stacks.
71400 - * Also guard against wrapping around to address 0.
71401 + * anon_vma locks to serialize against concurrent expand_stacks
71402 + * and expand_upwards.
71403 */
71404 - if (address < PAGE_ALIGN(address+4))
71405 - address = PAGE_ALIGN(address+4);
71406 - else {
71407 - anon_vma_unlock(vma);
71408 - return -ENOMEM;
71409 - }
71410 error = 0;
71411
71412 /* Somebody else might have raced and expanded it already */
71413 - if (address > vma->vm_end) {
71414 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
71415 + error = -ENOMEM;
71416 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
71417 unsigned long size, grow;
71418
71419 size = address - vma->vm_start;
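Review bot: The new gap test `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` is an unsigned subtraction, so it only measures a distance while `address <= vma->vm_next->vm_start`. If address were above that, the difference wraps to a large value and the test passes, and when vm_next is not VM_GROWSDOWN (locknext false) the `else if` that follows puts no other bound on it. Callers may well guarantee the ordering, but that is not visible in this hunk. Making it explicit costs one comparison: `(address > vma->vm_next->vm_start || vma->vm_next->vm_start - address < sysctl_heap_stack_gap)`. The expand_downwards hunk (@@ -1674,9 +1947,17 @@) has the mirror-image expression `address - prev->vm_end`; expand_upwards continues outside this hunk.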
71420 @@ -1640,6 +1900,8 @@ int expand_upwards(struct vm_area_struct
71421 if (!error)
71422 vma->vm_end = address;
71423 }
71424 + if (locknext)
71425 + anon_vma_unlock(vma->vm_next);
71426 anon_vma_unlock(vma);
71427 return error;
71428 }
71429 @@ -1652,6 +1914,8 @@ static int expand_downwards(struct vm_ar
71430 unsigned long address)
71431 {
71432 int error;
71433 + bool lockprev = false;
71434 + struct vm_area_struct *prev;
71435
71436 /*
71437 * We must make sure the anon_vma is allocated
71438 @@ -1665,6 +1929,15 @@ static int expand_downwards(struct vm_ar
71439 if (error)
71440 return error;
71441
71442 + prev = vma->vm_prev;
71443 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
71444 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
71445 +#endif
71446 + if (lockprev && anon_vma_prepare(prev))
71447 + return -ENOMEM;
71448 + if (lockprev)
71449 + anon_vma_lock(prev);
71450 +
71451 anon_vma_lock(vma);
71452
71453 /*
71454 @@ -1674,9 +1947,17 @@ static int expand_downwards(struct vm_ar
71455 */
71456
71457 /* Somebody else might have raced and expanded it already */
71458 - if (address < vma->vm_start) {
71459 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
71460 + error = -ENOMEM;
71461 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
71462 unsigned long size, grow;
71463
71464 +#ifdef CONFIG_PAX_SEGMEXEC
71465 + struct vm_area_struct *vma_m;
71466 +
71467 + vma_m = pax_find_mirror_vma(vma);
71468 +#endif
71469 +
71470 size = vma->vm_end - address;
71471 grow = (vma->vm_start - address) >> PAGE_SHIFT;
71472
71473 @@ -1684,9 +1965,20 @@ static int expand_downwards(struct vm_ar
71474 if (!error) {
71475 vma->vm_start = address;
71476 vma->vm_pgoff -= grow;
71477 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
71478 +
71479 +#ifdef CONFIG_PAX_SEGMEXEC
71480 + if (vma_m) {
71481 + vma_m->vm_start -= grow << PAGE_SHIFT;
71482 + vma_m->vm_pgoff -= grow;
71483 + }
71484 +#endif
71485 +
71486 }
71487 }
71488 anon_vma_unlock(vma);
71489 + if (lockprev)
71490 + anon_vma_unlock(prev);
71491 return error;
71492 }
71493
71494 @@ -1762,6 +2054,13 @@ static void remove_vma_list(struct mm_st
71495 do {
71496 long nrpages = vma_pages(vma);
71497
71498 +#ifdef CONFIG_PAX_SEGMEXEC
71499 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
71500 + vma = remove_vma(vma);
71501 + continue;
71502 + }
71503 +#endif
71504 +
71505 mm->total_vm -= nrpages;
71506 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
71507 vma = remove_vma(vma);
71508 @@ -1807,6 +2106,16 @@ detach_vmas_to_be_unmapped(struct mm_str
71509 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
71510 vma->vm_prev = NULL;
71511 do {
71512 +
71513 +#ifdef CONFIG_PAX_SEGMEXEC
71514 + if (vma->vm_mirror) {
71515 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
71516 + vma->vm_mirror->vm_mirror = NULL;
71517 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
71518 + vma->vm_mirror = NULL;
71519 + }
71520 +#endif
71521 +
71522 rb_erase(&vma->vm_rb, &mm->mm_rb);
71523 mm->map_count--;
71524 tail_vma = vma;
71525 @@ -1834,10 +2143,25 @@ int split_vma(struct mm_struct * mm, str
71526 struct mempolicy *pol;
71527 struct vm_area_struct *new;
71528
71529 +#ifdef CONFIG_PAX_SEGMEXEC
71530 + struct vm_area_struct *vma_m, *new_m = NULL;
71531 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
71532 +#endif
71533 +
71534 if (is_vm_hugetlb_page(vma) && (addr &
71535 ~(huge_page_mask(hstate_vma(vma)))))
71536 return -EINVAL;
71537
71538 +#ifdef CONFIG_PAX_SEGMEXEC
71539 + vma_m = pax_find_mirror_vma(vma);
71540 +
71541 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
71542 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
71543 + if (mm->map_count >= sysctl_max_map_count-1)
71544 + return -ENOMEM;
71545 + } else
71546 +#endif
71547 +
71548 if (mm->map_count >= sysctl_max_map_count)
71549 return -ENOMEM;
71550
71551 @@ -1845,6 +2169,16 @@ int split_vma(struct mm_struct * mm, str
71552 if (!new)
71553 return -ENOMEM;
71554
71555 +#ifdef CONFIG_PAX_SEGMEXEC
71556 + if (vma_m) {
71557 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
71558 + if (!new_m) {
71559 + kmem_cache_free(vm_area_cachep, new);
71560 + return -ENOMEM;
71561 + }
71562 + }
71563 +#endif
71564 +
71565 /* most fields are the same, copy all, and then fixup */
71566 *new = *vma;
71567
71568 @@ -1855,8 +2189,29 @@ int split_vma(struct mm_struct * mm, str
71569 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
71570 }
71571
71572 +#ifdef CONFIG_PAX_SEGMEXEC
71573 + if (vma_m) {
71574 + *new_m = *vma_m;
71575 + new_m->vm_mirror = new;
71576 + new->vm_mirror = new_m;
71577 +
71578 + if (new_below)
71579 + new_m->vm_end = addr_m;
71580 + else {
71581 + new_m->vm_start = addr_m;
71582 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
71583 + }
71584 + }
71585 +#endif
71586 +
71587 pol = mpol_dup(vma_policy(vma));
71588 if (IS_ERR(pol)) {
71589 +
71590 +#ifdef CONFIG_PAX_SEGMEXEC
71591 + if (new_m)
71592 + kmem_cache_free(vm_area_cachep, new_m);
71593 +#endif
71594 +
71595 kmem_cache_free(vm_area_cachep, new);
71596 return PTR_ERR(pol);
71597 }
71598 @@ -1877,6 +2232,28 @@ int split_vma(struct mm_struct * mm, str
71599 else
71600 vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
71601
71602 +#ifdef CONFIG_PAX_SEGMEXEC
71603 + if (vma_m) {
71604 + mpol_get(pol);
71605 + vma_set_policy(new_m, pol);
71606 +
71607 + if (new_m->vm_file) {
71608 + get_file(new_m->vm_file);
71609 + if (vma_m->vm_flags & VM_EXECUTABLE)
71610 + added_exe_file_vma(mm);
71611 + }
71612 +
71613 + if (new_m->vm_ops && new_m->vm_ops->open)
71614 + new_m->vm_ops->open(new_m);
71615 +
71616 + if (new_below)
71617 + vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
71618 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
71619 + else
71620 + vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
71621 + }
71622 +#endif
71623 +
71624 return 0;
71625 }
71626
71627 @@ -1885,11 +2262,30 @@ int split_vma(struct mm_struct * mm, str
71628 * work. This now handles partial unmappings.
71629 * Jeremy Fitzhardinge <jeremy@goop.org>
71630 */
71631 +#ifdef CONFIG_PAX_SEGMEXEC
71632 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
71633 +{
71634 + int ret = __do_munmap(mm, start, len);
71635 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
71636 + return ret;
71637 +
71638 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
71639 +}
71640 +
71641 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
71642 +#else
71643 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
71644 +#endif
71645 {
71646 unsigned long end;
71647 struct vm_area_struct *vma, *prev, *last;
71648
71649 + /*
71650 + * mm->mmap_sem is required to protect against another thread
71651 + * changing the mappings in case we sleep.
71652 + */
71653 + verify_mm_writelocked(mm);
71654 +
71655 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
71656 return -EINVAL;
71657
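Review bot: The SEGMEXEC do_munmap() wrapper needs a comment, because two of its properties are not visible from the call sites. It unmaps [start, start+len) and then the same range shifted by SEGMEXEC_TASK_SIZE, and if the second __do_munmap() fails it returns the error with the first range already gone. `start + SEGMEXEC_TASK_SIZE` is not range-checked in the wrapper either: the munmap syscall hunk below rejects ranges beyond SEGMEXEC_TASK_SIZE before calling it, but mmap_region and do_brk call do_munmap directly, and whether their ranges are bounded elsewhere cannot be seen from here. I would document the precondition at the wrapper, e.g. `/* callers must pass a range below SEGMEXEC_TASK_SIZE; the mirror range is unmapped as well */`. The body of __do_munmap continues outside this hunk.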
71658 @@ -1953,6 +2349,8 @@ int do_munmap(struct mm_struct *mm, unsi
71659 /* Fix up all other VM information */
71660 remove_vma_list(mm, vma);
71661
71662 + track_exec_limit(mm, start, end, 0UL);
71663 +
71664 return 0;
71665 }
71666
71667 @@ -1965,22 +2363,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
71668
71669 profile_munmap(addr);
71670
71671 +#ifdef CONFIG_PAX_SEGMEXEC
71672 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
71673 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
71674 + return -EINVAL;
71675 +#endif
71676 +
71677 down_write(&mm->mmap_sem);
71678 ret = do_munmap(mm, addr, len);
71679 up_write(&mm->mmap_sem);
71680 return ret;
71681 }
71682
71683 -static inline void verify_mm_writelocked(struct mm_struct *mm)
71684 -{
71685 -#ifdef CONFIG_DEBUG_VM
71686 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
71687 - WARN_ON(1);
71688 - up_read(&mm->mmap_sem);
71689 - }
71690 -#endif
71691 -}
71692 -
71693 /*
71694 * this is really a simplified "do_mmap". it only handles
71695 * anonymous maps. eventually we may be able to do some
71696 @@ -1994,6 +2388,7 @@ unsigned long do_brk(unsigned long addr,
71697 struct rb_node ** rb_link, * rb_parent;
71698 pgoff_t pgoff = addr >> PAGE_SHIFT;
71699 int error;
71700 + unsigned long charged;
71701
71702 len = PAGE_ALIGN(len);
71703 if (!len)
71704 @@ -2005,16 +2400,30 @@ unsigned long do_brk(unsigned long addr,
71705
71706 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
71707
71708 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
71709 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
71710 + flags &= ~VM_EXEC;
71711 +
71712 +#ifdef CONFIG_PAX_MPROTECT
71713 + if (mm->pax_flags & MF_PAX_MPROTECT)
71714 + flags &= ~VM_MAYEXEC;
71715 +#endif
71716 +
71717 + }
71718 +#endif
71719 +
71720 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
71721 if (error & ~PAGE_MASK)
71722 return error;
71723
71724 + charged = len >> PAGE_SHIFT;
71725 +
71726 /*
71727 * mlock MCL_FUTURE?
71728 */
71729 if (mm->def_flags & VM_LOCKED) {
71730 unsigned long locked, lock_limit;
71731 - locked = len >> PAGE_SHIFT;
71732 + locked = charged;
71733 locked += mm->locked_vm;
71734 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
71735 lock_limit >>= PAGE_SHIFT;
71736 @@ -2031,22 +2440,22 @@ unsigned long do_brk(unsigned long addr,
71737 /*
71738 * Clear old maps. this also does some error checking for us
71739 */
71740 - munmap_back:
71741 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
71742 if (vma && vma->vm_start < addr + len) {
71743 if (do_munmap(mm, addr, len))
71744 return -ENOMEM;
71745 - goto munmap_back;
71746 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
71747 + BUG_ON(vma && vma->vm_start < addr + len);
71748 }
71749
71750 /* Check against address space limits *after* clearing old maps... */
71751 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
71752 + if (!may_expand_vm(mm, charged))
71753 return -ENOMEM;
71754
71755 if (mm->map_count > sysctl_max_map_count)
71756 return -ENOMEM;
71757
71758 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
71759 + if (security_vm_enough_memory(charged))
71760 return -ENOMEM;
71761
71762 /* Can we just expand an old private anonymous mapping? */
71763 @@ -2060,7 +2469,7 @@ unsigned long do_brk(unsigned long addr,
71764 */
71765 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
71766 if (!vma) {
71767 - vm_unacct_memory(len >> PAGE_SHIFT);
71768 + vm_unacct_memory(charged);
71769 return -ENOMEM;
71770 }
71771
71772 @@ -2072,11 +2481,12 @@ unsigned long do_brk(unsigned long addr,
71773 vma->vm_page_prot = vm_get_page_prot(flags);
71774 vma_link(mm, vma, prev, rb_link, rb_parent);
71775 out:
71776 - mm->total_vm += len >> PAGE_SHIFT;
71777 + mm->total_vm += charged;
71778 if (flags & VM_LOCKED) {
71779 if (!mlock_vma_pages_range(vma, addr, addr + len))
71780 - mm->locked_vm += (len >> PAGE_SHIFT);
71781 + mm->locked_vm += charged;
71782 }
71783 + track_exec_limit(mm, addr, addr + len, flags);
71784 return addr;
71785 }
71786
71787 @@ -2123,8 +2533,10 @@ void exit_mmap(struct mm_struct *mm)
71788 * Walk the list again, actually closing and freeing it,
71789 * with preemption enabled, without holding any MM locks.
71790 */
71791 - while (vma)
71792 + while (vma) {
71793 + vma->vm_mirror = NULL;
71794 vma = remove_vma(vma);
71795 + }
71796
71797 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
71798 }
71799 @@ -2138,6 +2550,10 @@ int insert_vm_struct(struct mm_struct *
71800 struct vm_area_struct * __vma, * prev;
71801 struct rb_node ** rb_link, * rb_parent;
71802
71803 +#ifdef CONFIG_PAX_SEGMEXEC
71804 + struct vm_area_struct *vma_m = NULL;
71805 +#endif
71806 +
71807 /*
71808 * The vm_pgoff of a purely anonymous vma should be irrelevant
71809 * until its first write fault, when page's anon_vma and index
71810 @@ -2160,7 +2576,22 @@ int insert_vm_struct(struct mm_struct *
71811 if ((vma->vm_flags & VM_ACCOUNT) &&
71812 security_vm_enough_memory_mm(mm, vma_pages(vma)))
71813 return -ENOMEM;
71814 +
71815 +#ifdef CONFIG_PAX_SEGMEXEC
71816 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
71817 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
71818 + if (!vma_m)
71819 + return -ENOMEM;
71820 + }
71821 +#endif
71822 +
71823 vma_link(mm, vma, prev, rb_link, rb_parent);
71824 +
71825 +#ifdef CONFIG_PAX_SEGMEXEC
71826 + if (vma_m)
71827 + pax_mirror_vma(vma_m, vma);
71828 +#endif
71829 +
71830 return 0;
71831 }
71832
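Review bot: The new `return -ENOMEM` taken when the vma_m allocation fails comes after `security_vm_enough_memory_mm(mm, vma_pages(vma))` has succeeded for a VM_ACCOUNT vma, and nothing on that path gives the charge back. Elsewhere in this file do_brk pairs the same kind of charge with `vm_unacct_memory()` when its vma allocation fails. Before this change the accounting check was the function's last failure point, so callers presumably do not uncharge on error. Either move the SEGMEXEC allocation above the accounting check, or undo the charge before returning: `if (vma->vm_flags & VM_ACCOUNT) vm_unacct_memory(vma_pages(vma));`. The start of insert_vm_struct is outside this hunk.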
71833 @@ -2178,6 +2609,8 @@ struct vm_area_struct *copy_vma(struct v
71834 struct rb_node **rb_link, *rb_parent;
71835 struct mempolicy *pol;
71836
71837 + BUG_ON(vma->vm_mirror);
71838 +
71839 /*
71840 * If anonymous vma has not yet been faulted, update new pgoff
71841 * to match new location, to increase its chance of merging.
71842 @@ -2221,6 +2654,35 @@ struct vm_area_struct *copy_vma(struct v
71843 return new_vma;
71844 }
71845
71846 +#ifdef CONFIG_PAX_SEGMEXEC
71847 +void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
71848 +{
71849 + struct vm_area_struct *prev_m;
71850 + struct rb_node **rb_link_m, *rb_parent_m;
71851 + struct mempolicy *pol_m;
71852 +
71853 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
71854 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
71855 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
71856 + *vma_m = *vma;
71857 + pol_m = vma_policy(vma_m);
71858 + mpol_get(pol_m);
71859 + vma_set_policy(vma_m, pol_m);
71860 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
71861 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
71862 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
71863 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
71864 + if (vma_m->vm_file)
71865 + get_file(vma_m->vm_file);
71866 + if (vma_m->vm_ops && vma_m->vm_ops->open)
71867 + vma_m->vm_ops->open(vma_m);
71868 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
71869 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
71870 + vma_m->vm_mirror = vma;
71871 + vma->vm_mirror = vma_m;
71872 +}
71873 +#endif
71874 +
71875 /*
71876 * Return true if the calling process may expand its vm space by the passed
71877 * number of pages
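Review bot: pax_mirror_vma() discards the return value of `find_vma_prepare(vma->vm_mm, vma_m->vm_start, ...)` and links vma_m straight away, so nothing checks that the mirror range is actually free. The mmap_region hunk in this same patch asserts exactly that after its own find_vma_prepare call. In keeping with the function's other assertions I would keep the result in a local and add `BUG_ON(tmp && tmp->vm_start < vma_m->vm_end);` before vma_link(). A header comment is also missing; it should say that vma_m must be a freshly zeroed vm_area_struct supplied by the caller and that the function links it into the mm, so the caller must not free it afterwards.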
71878 @@ -2231,7 +2693,7 @@ int may_expand_vm(struct mm_struct *mm,
71879 unsigned long lim;
71880
71881 lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
71882 -
71883 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
71884 if (cur + npages > lim)
71885 return 0;
71886 return 1;
71887 @@ -2301,6 +2763,22 @@ int install_special_mapping(struct mm_st
71888 vma->vm_start = addr;
71889 vma->vm_end = addr + len;
71890
71891 +#ifdef CONFIG_PAX_MPROTECT
71892 + if (mm->pax_flags & MF_PAX_MPROTECT) {
71893 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
71894 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
71895 + return -EPERM;
71896 + if (!(vm_flags & VM_EXEC))
71897 + vm_flags &= ~VM_MAYEXEC;
71898 +#else
71899 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
71900 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
71901 +#endif
71902 + else
71903 + vm_flags &= ~VM_MAYWRITE;
71904 + }
71905 +#endif
71906 +
71907 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
71908 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
71909
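Review bot: The added `return -EPERM` for a writable and executable request leaves install_special_mapping() after `vma->vm_start` and `vma->vm_end` have been written on the context lines above, so the vma has evidently been allocated by then and this exit does not release it. The allocation itself is outside the hunk, but unless it is freed somewhere not shown, each rejected request leaks one vm_area_struct. Adding `kmem_cache_free(vm_area_cachep, vma);` before the return, or doing the flag check before the allocation, would close that. The function continues outside this hunk.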
71910 diff -urNp linux-2.6.32.46/mm/mprotect.c linux-2.6.32.46/mm/mprotect.c
71911 --- linux-2.6.32.46/mm/mprotect.c 2011-03-27 14:31:47.000000000 -0400
71912 +++ linux-2.6.32.46/mm/mprotect.c 2011-04-17 15:56:46.000000000 -0400
71913 @@ -24,10 +24,16 @@
71914 #include <linux/mmu_notifier.h>
71915 #include <linux/migrate.h>
71916 #include <linux/perf_event.h>
71917 +
71918 +#ifdef CONFIG_PAX_MPROTECT
71919 +#include <linux/elf.h>
71920 +#endif
71921 +
71922 #include <asm/uaccess.h>
71923 #include <asm/pgtable.h>
71924 #include <asm/cacheflush.h>
71925 #include <asm/tlbflush.h>
71926 +#include <asm/mmu_context.h>
71927
71928 #ifndef pgprot_modify
71929 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
71930 @@ -132,6 +138,48 @@ static void change_protection(struct vm_
71931 flush_tlb_range(vma, start, end);
71932 }
71933
71934 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
71935 +/* called while holding the mmap semaphor for writing except stack expansion */
71936 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
71937 +{
71938 + unsigned long oldlimit, newlimit = 0UL;
71939 +
71940 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
71941 + return;
71942 +
71943 + spin_lock(&mm->page_table_lock);
71944 + oldlimit = mm->context.user_cs_limit;
71945 + if ((prot & VM_EXEC) && oldlimit < end)
71946 + /* USER_CS limit moved up */
71947 + newlimit = end;
71948 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
71949 + /* USER_CS limit moved down */
71950 + newlimit = start;
71951 +
71952 + if (newlimit) {
71953 + mm->context.user_cs_limit = newlimit;
71954 +
71955 +#ifdef CONFIG_SMP
71956 + wmb();
71957 + cpus_clear(mm->context.cpu_user_cs_mask);
71958 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
71959 +#endif
71960 +
71961 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
71962 + }
71963 + spin_unlock(&mm->page_table_lock);
71964 + if (newlimit == end) {
71965 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
71966 +
71967 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
71968 + if (is_vm_hugetlb_page(vma))
71969 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
71970 + else
71971 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
71972 + }
71973 +}
71974 +#endif
71975 +
71976 int
71977 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
71978 unsigned long start, unsigned long end, unsigned long newflags)
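Review bot: In `track_exec_limit`, `newlimit` serves both as the new value and as the "nothing changed" flag, so the move-down branch `newlimit = start` with `start == 0` is silently dropped by `if (newlimit)` and `user_cs_limit` keeps its old, higher value. Whether a mapping at address 0 can reach this path depends on configuration not shown here, but the failure direction is toward leaving a now non-executable range inside the code-segment limit. A separate flag makes the intent explicit: set `bool changed = true;` in both branches and test `if (changed)`. The header comment also has a typo (`semaphor`) and would read better as `/* caller holds mmap_sem for writing, except on the stack-expansion path */`.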
71979 @@ -144,11 +192,29 @@ mprotect_fixup(struct vm_area_struct *vm
71980 int error;
71981 int dirty_accountable = 0;
71982
71983 +#ifdef CONFIG_PAX_SEGMEXEC
71984 + struct vm_area_struct *vma_m = NULL;
71985 + unsigned long start_m, end_m;
71986 +
71987 + start_m = start + SEGMEXEC_TASK_SIZE;
71988 + end_m = end + SEGMEXEC_TASK_SIZE;
71989 +#endif
71990 +
71991 if (newflags == oldflags) {
71992 *pprev = vma;
71993 return 0;
71994 }
71995
71996 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
71997 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
71998 +
71999 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
72000 + return -ENOMEM;
72001 +
72002 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
72003 + return -ENOMEM;
72004 + }
72005 +
72006 /*
72007 * If we make a private mapping writable we increase our commit;
72008 * but (without finer accounting) cannot reduce our commit if we
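Review bot: The new `sysctl_heap_stack_gap` test near the top of `mprotect_fixup` has no comment, and it is not obvious why a protection change can now return `-ENOMEM`. I would add above the `if (newflags & (VM_READ | VM_WRITE | VM_EXEC))` block: `/* refuse to make the range accessible if it lies within sysctl_heap_stack_gap of an adjacent VM_GROWSDOWN/VM_GROWSUP vma */`. The subtractions `next->vm_start - end` and `start - prev->vm_end` are unsigned and rely on the neighbours not overlapping `[start, end)`, which is worth stating in the same comment. The function body starts and continues outside this hunk.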
72009 @@ -165,6 +231,38 @@ mprotect_fixup(struct vm_area_struct *vm
72010 }
72011 }
72012
72013 +#ifdef CONFIG_PAX_SEGMEXEC
72014 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
72015 + if (start != vma->vm_start) {
72016 + error = split_vma(mm, vma, start, 1);
72017 + if (error)
72018 + goto fail;
72019 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
72020 + *pprev = (*pprev)->vm_next;
72021 + }
72022 +
72023 + if (end != vma->vm_end) {
72024 + error = split_vma(mm, vma, end, 0);
72025 + if (error)
72026 + goto fail;
72027 + }
72028 +
72029 + if (pax_find_mirror_vma(vma)) {
72030 + error = __do_munmap(mm, start_m, end_m - start_m);
72031 + if (error)
72032 + goto fail;
72033 + } else {
72034 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
72035 + if (!vma_m) {
72036 + error = -ENOMEM;
72037 + goto fail;
72038 + }
72039 + vma->vm_flags = newflags;
72040 + pax_mirror_vma(vma_m, vma);
72041 + }
72042 + }
72043 +#endif
72044 +
72045 /*
72046 * First try to merge with previous and/or next vma.
72047 */
72048 @@ -195,9 +293,21 @@ success:
72049 * vm_flags and vm_page_prot are protected by the mmap_sem
72050 * held in write mode.
72051 */
72052 +
72053 +#ifdef CONFIG_PAX_SEGMEXEC
72054 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
72055 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
72056 +#endif
72057 +
72058 vma->vm_flags = newflags;
72059 +
72060 +#ifdef CONFIG_PAX_MPROTECT
72061 + if (mm->binfmt && mm->binfmt->handle_mprotect)
72062 + mm->binfmt->handle_mprotect(vma, newflags);
72063 +#endif
72064 +
72065 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
72066 - vm_get_page_prot(newflags));
72067 + vm_get_page_prot(vma->vm_flags));
72068
72069 if (vma_wants_writenotify(vma)) {
72070 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
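Review bot: `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the lookup result unchecked, while the SEGMEXEC block earlier in `mprotect_fixup` treats a NULL return as a normal case (`if (pax_find_mirror_vma(vma))`). If the invariant is that every VM_EXEC vma has a mirror under MF_PAX_SEGMEXEC, make it explicit, e.g. `vma_m = pax_find_mirror_vma(vma); BUG_ON(!vma_m); vma_m->vm_flags ^= VM_READ;`. Separately, the hunk switches `pgprot_modify()` to `vm_get_page_prot(vma->vm_flags)`, presumably because `handle_mprotect` may adjust `vma->vm_flags`, but the `vma_wants_writenotify()` branch just below still recomputes from `newflags & ~VM_SHARED`, so the two paths can disagree. `mprotect_fixup` continues outside the hunk.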
72071 @@ -239,6 +349,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
72072 end = start + len;
72073 if (end <= start)
72074 return -ENOMEM;
72075 +
72076 +#ifdef CONFIG_PAX_SEGMEXEC
72077 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
72078 + if (end > SEGMEXEC_TASK_SIZE)
72079 + return -EINVAL;
72080 + } else
72081 +#endif
72082 +
72083 + if (end > TASK_SIZE)
72084 + return -EINVAL;
72085 +
72086 if (!arch_validate_prot(prot))
72087 return -EINVAL;
72088
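Review bot: The `} else` left dangling before `#endif` binds to `if (end > TASK_SIZE)` across a preprocessor boundary and a blank line, so the control flow silently differs between configurations and breaks if any statement is ever inserted between them. The mremap.c changes in this same patch use a local limit (`pax_task_size`) selected under the `#ifdef`, followed by one unconditional comparison. The same shape here would be `unsigned long task_size = TASK_SIZE;`, then `task_size = SEGMEXEC_TASK_SIZE;` under the SEGMEXEC test, then `if (end > task_size) return -EINVAL;`. The declaration would sit at the top of the syscall body, which is outside this hunk.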
72089 @@ -246,7 +367,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
72090 /*
72091 * Does the application expect PROT_READ to imply PROT_EXEC:
72092 */
72093 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
72094 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
72095 prot |= PROT_EXEC;
72096
72097 vm_flags = calc_vm_prot_bits(prot);
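Review bot: The comment kept above the changed condition still reads "Does the application expect PROT_READ to imply PROT_EXEC", but the test now also fires for `PROT_WRITE`. Update it to match the code, e.g. `/* Does the application expect PROT_READ or PROT_WRITE to imply PROT_EXEC: */`. It should also say why a write-only request is treated the same way under `READ_IMPLIES_EXEC`, since the reason is not visible in this hunk.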
72098 @@ -278,6 +399,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
72099 if (start > vma->vm_start)
72100 prev = vma;
72101
72102 +#ifdef CONFIG_PAX_MPROTECT
72103 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
72104 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
72105 +#endif
72106 +
72107 for (nstart = start ; ; ) {
72108 unsigned long newflags;
72109
72110 @@ -287,6 +413,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
72111
72112 /* newflags >> 4 shift VM_MAY% in place of VM_% */
72113 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
72114 + if (prot & (PROT_WRITE | PROT_EXEC))
72115 + gr_log_rwxmprotect(vma->vm_file);
72116 +
72117 + error = -EACCES;
72118 + goto out;
72119 + }
72120 +
72121 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
72122 error = -EACCES;
72123 goto out;
72124 }
72125 @@ -301,6 +435,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
72126 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
72127 if (error)
72128 goto out;
72129 +
72130 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
72131 +
72132 nstart = tmp;
72133
72134 if (nstart < prev->vm_end)
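Review bot: `track_exec_limit()` is called here without a config guard, but its definition earlier in this file is wrapped in `#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT`; the same holds for the three calls added to `do_mremap` in mm/mremap.c. Presumably a header supplies an empty inline for other configurations; that is not visible in this part of the patch and should be confirmed, since `move_ptes` in mremap.c does guard its use with the same symbol. The call passes `vm_flags` (the requested bits) rather than the per-vma `newflags`, so a short comment such as `/* only VM_EXEC is examined */` would show the difference is intentional. The syscall body starts and ends outside the hunk.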
72135 diff -urNp linux-2.6.32.46/mm/mremap.c linux-2.6.32.46/mm/mremap.c
72136 --- linux-2.6.32.46/mm/mremap.c 2011-04-17 17:00:52.000000000 -0400
72137 +++ linux-2.6.32.46/mm/mremap.c 2011-04-17 17:03:58.000000000 -0400
72138 @@ -112,6 +112,12 @@ static void move_ptes(struct vm_area_str
72139 continue;
72140 pte = ptep_clear_flush(vma, old_addr, old_pte);
72141 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
72142 +
72143 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
72144 + if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
72145 + pte = pte_exprotect(pte);
72146 +#endif
72147 +
72148 set_pte_at(mm, new_addr, new_pte, pte);
72149 }
72150
72151 @@ -271,6 +277,11 @@ static struct vm_area_struct *vma_to_res
72152 if (is_vm_hugetlb_page(vma))
72153 goto Einval;
72154
72155 +#ifdef CONFIG_PAX_SEGMEXEC
72156 + if (pax_find_mirror_vma(vma))
72157 + goto Einval;
72158 +#endif
72159 +
72160 /* We can't remap across vm area boundaries */
72161 if (old_len > vma->vm_end - addr)
72162 goto Efault;
72163 @@ -327,20 +338,25 @@ static unsigned long mremap_to(unsigned
72164 unsigned long ret = -EINVAL;
72165 unsigned long charged = 0;
72166 unsigned long map_flags;
72167 + unsigned long pax_task_size = TASK_SIZE;
72168
72169 if (new_addr & ~PAGE_MASK)
72170 goto out;
72171
72172 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
72173 +#ifdef CONFIG_PAX_SEGMEXEC
72174 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
72175 + pax_task_size = SEGMEXEC_TASK_SIZE;
72176 +#endif
72177 +
72178 + pax_task_size -= PAGE_SIZE;
72179 +
72180 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
72181 goto out;
72182
72183 /* Check if the location we're moving into overlaps the
72184 * old location at all, and fail if it does.
72185 */
72186 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
72187 - goto out;
72188 -
72189 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
72190 + if (addr + old_len > new_addr && new_addr + new_len > addr)
72191 goto out;
72192
72193 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
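Review bot: The rewritten bound in `mremap_to` mixes two limits: `new_len` is compared with `TASK_SIZE`, while the subtraction uses `pax_task_size`, which is a page smaller (and based on `SEGMEXEC_TASK_SIZE` under SEGMEXEC). For `pax_task_size < new_len <= TASK_SIZE` the expression `pax_task_size - new_len` wraps and the `new_addr` test no longer rejects anything. The `do_mremap` hunk below does check `new_len > pax_task_size` before calling in, so the caller currently covers this, but the local check should stand on its own: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. `mremap_to` begins and continues outside the hunk.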
72194 @@ -412,6 +428,7 @@ unsigned long do_mremap(unsigned long ad
72195 struct vm_area_struct *vma;
72196 unsigned long ret = -EINVAL;
72197 unsigned long charged = 0;
72198 + unsigned long pax_task_size = TASK_SIZE;
72199
72200 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
72201 goto out;
72202 @@ -430,6 +447,17 @@ unsigned long do_mremap(unsigned long ad
72203 if (!new_len)
72204 goto out;
72205
72206 +#ifdef CONFIG_PAX_SEGMEXEC
72207 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
72208 + pax_task_size = SEGMEXEC_TASK_SIZE;
72209 +#endif
72210 +
72211 + pax_task_size -= PAGE_SIZE;
72212 +
72213 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
72214 + old_len > pax_task_size || addr > pax_task_size-old_len)
72215 + goto out;
72216 +
72217 if (flags & MREMAP_FIXED) {
72218 if (flags & MREMAP_MAYMOVE)
72219 ret = mremap_to(addr, old_len, new_addr, new_len);
72220 @@ -476,6 +504,7 @@ unsigned long do_mremap(unsigned long ad
72221 addr + new_len);
72222 }
72223 ret = addr;
72224 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
72225 goto out;
72226 }
72227 }
72228 @@ -502,7 +531,13 @@ unsigned long do_mremap(unsigned long ad
72229 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
72230 if (ret)
72231 goto out;
72232 +
72233 + map_flags = vma->vm_flags;
72234 ret = move_vma(vma, addr, old_len, new_len, new_addr);
72235 + if (!(ret & ~PAGE_MASK)) {
72236 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
72237 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
72238 + }
72239 }
72240 out:
72241 if (ret & ~PAGE_MASK)
72242 diff -urNp linux-2.6.32.46/mm/nommu.c linux-2.6.32.46/mm/nommu.c
72243 --- linux-2.6.32.46/mm/nommu.c 2011-03-27 14:31:47.000000000 -0400
72244 +++ linux-2.6.32.46/mm/nommu.c 2011-04-17 15:56:46.000000000 -0400
72245 @@ -67,7 +67,6 @@ int sysctl_overcommit_memory = OVERCOMMI
72246 int sysctl_overcommit_ratio = 50; /* default is 50% */
72247 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
72248 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
72249 -int heap_stack_gap = 0;
72250
72251 atomic_long_t mmap_pages_allocated;
72252
72253 @@ -761,15 +760,6 @@ struct vm_area_struct *find_vma(struct m
72254 EXPORT_SYMBOL(find_vma);
72255
72256 /*
72257 - * find a VMA
72258 - * - we don't extend stack VMAs under NOMMU conditions
72259 - */
72260 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
72261 -{
72262 - return find_vma(mm, addr);
72263 -}
72264 -
72265 -/*
72266 * expand a stack to a given address
72267 * - not supported under NOMMU conditions
72268 */
72269 diff -urNp linux-2.6.32.46/mm/page_alloc.c linux-2.6.32.46/mm/page_alloc.c
72270 --- linux-2.6.32.46/mm/page_alloc.c 2011-06-25 12:55:35.000000000 -0400
72271 +++ linux-2.6.32.46/mm/page_alloc.c 2011-07-09 09:13:08.000000000 -0400
72272 @@ -289,7 +289,7 @@ out:
72273 * This usage means that zero-order pages may not be compound.
72274 */
72275
72276 -static void free_compound_page(struct page *page)
72277 +void free_compound_page(struct page *page)
72278 {
72279 __free_pages_ok(page, compound_order(page));
72280 }
72281 @@ -587,6 +587,10 @@ static void __free_pages_ok(struct page
72282 int bad = 0;
72283 int wasMlocked = __TestClearPageMlocked(page);
72284
72285 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
72286 + unsigned long index = 1UL << order;
72287 +#endif
72288 +
72289 kmemcheck_free_shadow(page, order);
72290
72291 for (i = 0 ; i < (1 << order) ; ++i)
72292 @@ -599,6 +603,12 @@ static void __free_pages_ok(struct page
72293 debug_check_no_obj_freed(page_address(page),
72294 PAGE_SIZE << order);
72295 }
72296 +
72297 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
72298 + for (; index; --index)
72299 + sanitize_highpage(page + index - 1);
72300 +#endif
72301 +
72302 arch_free_page(page, order);
72303 kernel_map_pages(page, 1 << order, 0);
72304
72305 @@ -702,8 +712,10 @@ static int prep_new_page(struct page *pa
72306 arch_alloc_page(page, order);
72307 kernel_map_pages(page, 1 << order, 1);
72308
72309 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
72310 if (gfp_flags & __GFP_ZERO)
72311 prep_zero_page(page, order, gfp_flags);
72312 +#endif
72313
72314 if (order && (gfp_flags & __GFP_COMP))
72315 prep_compound_page(page, order);
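Review bot: With `CONFIG_PAX_MEMORY_SANITIZE` the `__GFP_ZERO` handling in `prep_new_page` is compiled out, so zeroed allocations now depend entirely on every page having passed through `sanitize_highpage()` when it was freed. This part of the patch adds that call to `__free_pages_ok` and `free_hot_cold_page`; the invariant deserves a comment at the `#ifndef`, e.g. `/* pages are cleared at free time by sanitize_highpage(); any path that puts a page on the free lists must do the same */`. It also assumes `sanitize_highpage()` leaves the page all-zero rather than filled with another pattern, which cannot be confirmed from here. `prep_new_page` starts and ends outside the hunk.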
72316 @@ -1097,6 +1109,11 @@ static void free_hot_cold_page(struct pa
72317 debug_check_no_locks_freed(page_address(page), PAGE_SIZE);
72318 debug_check_no_obj_freed(page_address(page), PAGE_SIZE);
72319 }
72320 +
72321 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
72322 + sanitize_highpage(page);
72323 +#endif
72324 +
72325 arch_free_page(page, 0);
72326 kernel_map_pages(page, 1, 0);
72327
72328 @@ -2179,6 +2196,8 @@ void show_free_areas(void)
72329 int cpu;
72330 struct zone *zone;
72331
72332 + pax_track_stack();
72333 +
72334 for_each_populated_zone(zone) {
72335 show_node(zone);
72336 printk("%s per-cpu:\n", zone->name);
72337 @@ -3736,7 +3755,7 @@ static void __init setup_usemap(struct p
72338 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
72339 }
72340 #else
72341 -static void inline setup_usemap(struct pglist_data *pgdat,
72342 +static inline void setup_usemap(struct pglist_data *pgdat,
72343 struct zone *zone, unsigned long zonesize) {}
72344 #endif /* CONFIG_SPARSEMEM */
72345
72346 diff -urNp linux-2.6.32.46/mm/percpu.c linux-2.6.32.46/mm/percpu.c
72347 --- linux-2.6.32.46/mm/percpu.c 2011-03-27 14:31:47.000000000 -0400
72348 +++ linux-2.6.32.46/mm/percpu.c 2011-04-17 15:56:46.000000000 -0400
72349 @@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
72350 static unsigned int pcpu_last_unit_cpu __read_mostly;
72351
72352 /* the address of the first chunk which starts with the kernel static area */
72353 -void *pcpu_base_addr __read_mostly;
72354 +void *pcpu_base_addr __read_only;
72355 EXPORT_SYMBOL_GPL(pcpu_base_addr);
72356
72357 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
72358 diff -urNp linux-2.6.32.46/mm/rmap.c linux-2.6.32.46/mm/rmap.c
72359 --- linux-2.6.32.46/mm/rmap.c 2011-03-27 14:31:47.000000000 -0400
72360 +++ linux-2.6.32.46/mm/rmap.c 2011-04-17 15:56:46.000000000 -0400
72361 @@ -121,6 +121,17 @@ int anon_vma_prepare(struct vm_area_stru
72362 /* page_table_lock to protect against threads */
72363 spin_lock(&mm->page_table_lock);
72364 if (likely(!vma->anon_vma)) {
72365 +
72366 +#ifdef CONFIG_PAX_SEGMEXEC
72367 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
72368 +
72369 + if (vma_m) {
72370 + BUG_ON(vma_m->anon_vma);
72371 + vma_m->anon_vma = anon_vma;
72372 + list_add_tail(&vma_m->anon_vma_node, &anon_vma->head);
72373 + }
72374 +#endif
72375 +
72376 vma->anon_vma = anon_vma;
72377 list_add_tail(&vma->anon_vma_node, &anon_vma->head);
72378 allocated = NULL;
72379 diff -urNp linux-2.6.32.46/mm/shmem.c linux-2.6.32.46/mm/shmem.c
72380 --- linux-2.6.32.46/mm/shmem.c 2011-03-27 14:31:47.000000000 -0400
72381 +++ linux-2.6.32.46/mm/shmem.c 2011-05-18 20:09:37.000000000 -0400
72382 @@ -31,7 +31,7 @@
72383 #include <linux/swap.h>
72384 #include <linux/ima.h>
72385
72386 -static struct vfsmount *shm_mnt;
72387 +struct vfsmount *shm_mnt;
72388
72389 #ifdef CONFIG_SHMEM
72390 /*
72391 @@ -1061,6 +1061,8 @@ static int shmem_writepage(struct page *
72392 goto unlock;
72393 }
72394 entry = shmem_swp_entry(info, index, NULL);
72395 + if (!entry)
72396 + goto unlock;
72397 if (entry->val) {
72398 /*
72399 * The more uptodate page coming down from a stacked
72400 @@ -1144,6 +1146,8 @@ static struct page *shmem_swapin(swp_ent
72401 struct vm_area_struct pvma;
72402 struct page *page;
72403
72404 + pax_track_stack();
72405 +
72406 spol = mpol_cond_copy(&mpol,
72407 mpol_shared_policy_lookup(&info->policy, idx));
72408
72409 @@ -1962,7 +1966,7 @@ static int shmem_symlink(struct inode *d
72410
72411 info = SHMEM_I(inode);
72412 inode->i_size = len-1;
72413 - if (len <= (char *)inode - (char *)info) {
72414 + if (len <= (char *)inode - (char *)info && len <= 64) {
72415 /* do it inline */
72416 memcpy(info, symname, len);
72417 inode->i_op = &shmem_symlink_inline_operations;
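Review bot: The added `len <= 64` in `shmem_symlink` is an unexplained magic number sitting next to a bound that is derived from the structure layout. Nothing in this hunk says which field or buffer the 64 refers to, so a later change to the inode info structure could make it wrong without any warning. Name it and document it where the inline storage is declared, or derive it with `sizeof` on the member actually used, then write the condition as `if (len <= (char *)inode - (char *)info && len <= SHMEM_INLINE_SYMLINK_MAX)` (the constant name is a placeholder). The function continues outside the hunk.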
72418 @@ -2310,8 +2314,7 @@ int shmem_fill_super(struct super_block
72419 int err = -ENOMEM;
72420
72421 /* Round up to L1_CACHE_BYTES to resist false sharing */
72422 - sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
72423 - L1_CACHE_BYTES), GFP_KERNEL);
72424 + sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
72425 if (!sbinfo)
72426 return -ENOMEM;
72427
72428 diff -urNp linux-2.6.32.46/mm/slab.c linux-2.6.32.46/mm/slab.c
72429 --- linux-2.6.32.46/mm/slab.c 2011-03-27 14:31:47.000000000 -0400
72430 +++ linux-2.6.32.46/mm/slab.c 2011-05-04 17:56:20.000000000 -0400
72431 @@ -174,7 +174,7 @@
72432
72433 /* Legal flag mask for kmem_cache_create(). */
72434 #if DEBUG
72435 -# define CREATE_MASK (SLAB_RED_ZONE | \
72436 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
72437 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
72438 SLAB_CACHE_DMA | \
72439 SLAB_STORE_USER | \
72440 @@ -182,7 +182,7 @@
72441 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
72442 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
72443 #else
72444 -# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
72445 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
72446 SLAB_CACHE_DMA | \
72447 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
72448 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
72449 @@ -308,7 +308,7 @@ struct kmem_list3 {
72450 * Need this for bootstrapping a per node allocator.
72451 */
72452 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
72453 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
72454 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
72455 #define CACHE_CACHE 0
72456 #define SIZE_AC MAX_NUMNODES
72457 #define SIZE_L3 (2 * MAX_NUMNODES)
72458 @@ -409,10 +409,10 @@ static void kmem_list3_init(struct kmem_
72459 if ((x)->max_freeable < i) \
72460 (x)->max_freeable = i; \
72461 } while (0)
72462 -#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
72463 -#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
72464 -#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
72465 -#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
72466 +#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
72467 +#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
72468 +#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
72469 +#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
72470 #else
72471 #define STATS_INC_ACTIVE(x) do { } while (0)
72472 #define STATS_DEC_ACTIVE(x) do { } while (0)
72473 @@ -558,7 +558,7 @@ static inline void *index_to_obj(struct
72474 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
72475 */
72476 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
72477 - const struct slab *slab, void *obj)
72478 + const struct slab *slab, const void *obj)
72479 {
72480 u32 offset = (obj - slab->s_mem);
72481 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
72482 @@ -1453,7 +1453,7 @@ void __init kmem_cache_init(void)
72483 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
72484 sizes[INDEX_AC].cs_size,
72485 ARCH_KMALLOC_MINALIGN,
72486 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
72487 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
72488 NULL);
72489
72490 if (INDEX_AC != INDEX_L3) {
72491 @@ -1461,7 +1461,7 @@ void __init kmem_cache_init(void)
72492 kmem_cache_create(names[INDEX_L3].name,
72493 sizes[INDEX_L3].cs_size,
72494 ARCH_KMALLOC_MINALIGN,
72495 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
72496 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
72497 NULL);
72498 }
72499
72500 @@ -1479,7 +1479,7 @@ void __init kmem_cache_init(void)
72501 sizes->cs_cachep = kmem_cache_create(names->name,
72502 sizes->cs_size,
72503 ARCH_KMALLOC_MINALIGN,
72504 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
72505 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
72506 NULL);
72507 }
72508 #ifdef CONFIG_ZONE_DMA
72509 @@ -4211,10 +4211,10 @@ static int s_show(struct seq_file *m, vo
72510 }
72511 /* cpu stats */
72512 {
72513 - unsigned long allochit = atomic_read(&cachep->allochit);
72514 - unsigned long allocmiss = atomic_read(&cachep->allocmiss);
72515 - unsigned long freehit = atomic_read(&cachep->freehit);
72516 - unsigned long freemiss = atomic_read(&cachep->freemiss);
72517 + unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
72518 + unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
72519 + unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
72520 + unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
72521
72522 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
72523 allochit, allocmiss, freehit, freemiss);
72524 @@ -4471,15 +4471,66 @@ static const struct file_operations proc
72525
72526 static int __init slab_proc_init(void)
72527 {
72528 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
72529 + mode_t gr_mode = S_IRUGO;
72530 +
72531 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
72532 + gr_mode = S_IRUSR;
72533 +#endif
72534 +
72535 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
72536 #ifdef CONFIG_DEBUG_SLAB_LEAK
72537 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
72538 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
72539 #endif
72540 return 0;
72541 }
72542 module_init(slab_proc_init);
72543 #endif
72544
72545 +void check_object_size(const void *ptr, unsigned long n, bool to)
72546 +{
72547 +
72548 +#ifdef CONFIG_PAX_USERCOPY
72549 + struct page *page;
72550 + struct kmem_cache *cachep = NULL;
72551 + struct slab *slabp;
72552 + unsigned int objnr;
72553 + unsigned long offset;
72554 +
72555 + if (!n)
72556 + return;
72557 +
72558 + if (ZERO_OR_NULL_PTR(ptr))
72559 + goto report;
72560 +
72561 + if (!virt_addr_valid(ptr))
72562 + return;
72563 +
72564 + page = virt_to_head_page(ptr);
72565 +
72566 + if (!PageSlab(page)) {
72567 + if (object_is_on_stack(ptr, n) == -1)
72568 + goto report;
72569 + return;
72570 + }
72571 +
72572 + cachep = page_get_cache(page);
72573 + if (!(cachep->flags & SLAB_USERCOPY))
72574 + goto report;
72575 +
72576 + slabp = page_get_slab(page);
72577 + objnr = obj_to_index(cachep, slabp, ptr);
72578 + BUG_ON(objnr >= cachep->num);
72579 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
72580 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
72581 + return;
72582 +
72583 +report:
72584 + pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
72585 +#endif
72586 +
72587 +}
72588 +EXPORT_SYMBOL(check_object_size);
72589 +
72590 /**
72591 * ksize - get the actual amount of memory allocated for a given object
72592 * @objp: Pointer to the object
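Review bot: `check_object_size` is exported but carries no description, unlike `ksize` directly below it, which has a kernel-doc block. A header comment should state that it validates a kernel buffer of `n` bytes at `ptr` (presumably ahead of a user copy, given `CONFIG_PAX_USERCOPY`) and list the outcomes visible in the body. Those are: `n == 0` and addresses failing `virt_addr_valid()` are accepted without further checks, non-slab pages are checked only through `object_is_on_stack()`, slab objects must belong to a `SLAB_USERCOPY` cache and fit inside one object, and everything else goes to `pax_report_usercopy()`. It should also say what `to` means, which the body only forwards. A bad object index ends in `BUG_ON` rather than the report path used for every other failure, which is worth a line in the same comment.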
72593 diff -urNp linux-2.6.32.46/mm/slob.c linux-2.6.32.46/mm/slob.c
72594 --- linux-2.6.32.46/mm/slob.c 2011-03-27 14:31:47.000000000 -0400
72595 +++ linux-2.6.32.46/mm/slob.c 2011-07-06 19:53:33.000000000 -0400
72596 @@ -29,7 +29,7 @@
72597 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
72598 * alloc_pages() directly, allocating compound pages so the page order
72599 * does not have to be separately tracked, and also stores the exact
72600 - * allocation size in page->private so that it can be used to accurately
72601 + * allocation size in slob_page->size so that it can be used to accurately
72602 * provide ksize(). These objects are detected in kfree() because slob_page()
72603 * is false for them.
72604 *
72605 @@ -58,6 +58,7 @@
72606 */
72607
72608 #include <linux/kernel.h>
72609 +#include <linux/sched.h>
72610 #include <linux/slab.h>
72611 #include <linux/mm.h>
72612 #include <linux/swap.h> /* struct reclaim_state */
72613 @@ -100,7 +101,8 @@ struct slob_page {
72614 unsigned long flags; /* mandatory */
72615 atomic_t _count; /* mandatory */
72616 slobidx_t units; /* free units left in page */
72617 - unsigned long pad[2];
72618 + unsigned long pad[1];
72619 + unsigned long size; /* size when >=PAGE_SIZE */
72620 slob_t *free; /* first free slob_t in page */
72621 struct list_head list; /* linked list of free pages */
72622 };
72623 @@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
72624 */
72625 static inline int is_slob_page(struct slob_page *sp)
72626 {
72627 - return PageSlab((struct page *)sp);
72628 + return PageSlab((struct page *)sp) && !sp->size;
72629 }
72630
72631 static inline void set_slob_page(struct slob_page *sp)
72632 @@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
72633
72634 static inline struct slob_page *slob_page(const void *addr)
72635 {
72636 - return (struct slob_page *)virt_to_page(addr);
72637 + return (struct slob_page *)virt_to_head_page(addr);
72638 }
72639
72640 /*
72641 @@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
72642 /*
72643 * Return the size of a slob block.
72644 */
72645 -static slobidx_t slob_units(slob_t *s)
72646 +static slobidx_t slob_units(const slob_t *s)
72647 {
72648 if (s->units > 0)
72649 return s->units;
72650 @@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
72651 /*
72652 * Return the next free slob block pointer after this one.
72653 */
72654 -static slob_t *slob_next(slob_t *s)
72655 +static slob_t *slob_next(const slob_t *s)
72656 {
72657 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
72658 slobidx_t next;
72659 @@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
72660 /*
72661 * Returns true if s is the last free block in its page.
72662 */
72663 -static int slob_last(slob_t *s)
72664 +static int slob_last(const slob_t *s)
72665 {
72666 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
72667 }
72668 @@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
72669 if (!page)
72670 return NULL;
72671
72672 + set_slob_page(page);
72673 return page_address(page);
72674 }
72675
72676 @@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
72677 if (!b)
72678 return NULL;
72679 sp = slob_page(b);
72680 - set_slob_page(sp);
72681
72682 spin_lock_irqsave(&slob_lock, flags);
72683 sp->units = SLOB_UNITS(PAGE_SIZE);
72684 sp->free = b;
72685 + sp->size = 0;
72686 INIT_LIST_HEAD(&sp->list);
72687 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
72688 set_slob_page_free(sp, slob_list);
72689 @@ -475,10 +478,9 @@ out:
72690 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long)
72691 #endif
72692
72693 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
72694 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
72695 {
72696 - unsigned int *m;
72697 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
72698 + slob_t *m;
72699 void *ret;
72700
72701 lockdep_trace_alloc(gfp);
72702 @@ -491,7 +493,10 @@ void *__kmalloc_node(size_t size, gfp_t
72703
72704 if (!m)
72705 return NULL;
72706 - *m = size;
72707 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
72708 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
72709 + m[0].units = size;
72710 + m[1].units = align;
72711 ret = (void *)m + align;
72712
72713 trace_kmalloc_node(_RET_IP_, ret,
72714 @@ -501,16 +506,25 @@ void *__kmalloc_node(size_t size, gfp_t
72715
72716 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
72717 if (ret) {
72718 - struct page *page;
72719 - page = virt_to_page(ret);
72720 - page->private = size;
72721 + struct slob_page *sp;
72722 + sp = slob_page(ret);
72723 + sp->size = size;
72724 }
72725
72726 trace_kmalloc_node(_RET_IP_, ret,
72727 size, PAGE_SIZE << order, gfp, node);
72728 }
72729
72730 - kmemleak_alloc(ret, size, 1, gfp);
72731 + return ret;
72732 +}
72733 +
72734 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
72735 +{
72736 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
72737 + void *ret = __kmalloc_node_align(size, gfp, node, align);
72738 +
72739 + if (!ZERO_OR_NULL_PTR(ret))
72740 + kmemleak_alloc(ret, size, 1, gfp);
72741 return ret;
72742 }
72743 EXPORT_SYMBOL(__kmalloc_node);
72744 @@ -528,13 +542,88 @@ void kfree(const void *block)
72745 sp = slob_page(block);
72746 if (is_slob_page(sp)) {
72747 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
72748 - unsigned int *m = (unsigned int *)(block - align);
72749 - slob_free(m, *m + align);
72750 - } else
72751 + slob_t *m = (slob_t *)(block - align);
72752 + slob_free(m, m[0].units + align);
72753 + } else {
72754 + clear_slob_page(sp);
72755 + free_slob_page(sp);
72756 + sp->size = 0;
72757 put_page(&sp->page);
72758 + }
72759 }
72760 EXPORT_SYMBOL(kfree);
72761
72762 +void check_object_size(const void *ptr, unsigned long n, bool to)
72763 +{
72764 +
72765 +#ifdef CONFIG_PAX_USERCOPY
72766 + struct slob_page *sp;
72767 + const slob_t *free;
72768 + const void *base;
72769 + unsigned long flags;
72770 +
72771 + if (!n)
72772 + return;
72773 +
72774 + if (ZERO_OR_NULL_PTR(ptr))
72775 + goto report;
72776 +
72777 + if (!virt_addr_valid(ptr))
72778 + return;
72779 +
72780 + sp = slob_page(ptr);
72781 + if (!PageSlab((struct page*)sp)) {
72782 + if (object_is_on_stack(ptr, n) == -1)
72783 + goto report;
72784 + return;
72785 + }
72786 +
72787 + if (sp->size) {
72788 + base = page_address(&sp->page);
72789 + if (base <= ptr && n <= sp->size - (ptr - base))
72790 + return;
72791 + goto report;
72792 + }
72793 +
72794 + /* some tricky double walking to find the chunk */
72795 + spin_lock_irqsave(&slob_lock, flags);
72796 + base = (void *)((unsigned long)ptr & PAGE_MASK);
72797 + free = sp->free;
72798 +
72799 + while (!slob_last(free) && (void *)free <= ptr) {
72800 + base = free + slob_units(free);
72801 + free = slob_next(free);
72802 + }
72803 +
72804 + while (base < (void *)free) {
72805 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
72806 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
72807 + int offset;
72808 +
72809 + if (ptr < base + align)
72810 + break;
72811 +
72812 + offset = ptr - base - align;
72813 + if (offset >= m) {
72814 + base += size;
72815 + continue;
72816 + }
72817 +
72818 + if (n > m - offset)
72819 + break;
72820 +
72821 + spin_unlock_irqrestore(&slob_lock, flags);
72822 + return;
72823 + }
72824 +
72825 + spin_unlock_irqrestore(&slob_lock, flags);
72826 +report:
72827 + pax_report_usercopy(ptr, n, to, NULL);
72828 +#endif
72829 +
72830 +}
72831 +EXPORT_SYMBOL(check_object_size);
72832 +
72833 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
72834 size_t ksize(const void *block)
72835 {
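Review bot: In the large-object branch of the SLOB `check_object_size`, `n <= sp->size - (ptr - base)` is evaluated without first bounding the offset. A `ptr` that lies past `sp->size` but still inside the compound page therefore makes the unsigned subtraction wrap, and the check accepts any `n`. The slab.c version in this patch guards exactly this with `offset <= obj_size(cachep)` before subtracting. The same guard is needed here: `if (base <= ptr && (unsigned long)(ptr - base) <= sp->size && n <= sp->size - (ptr - base))`. `ksize` at the end of the hunk continues outside it.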
72836 @@ -547,10 +636,10 @@ size_t ksize(const void *block)
72837 sp = slob_page(block);
72838 if (is_slob_page(sp)) {
72839 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
72840 - unsigned int *m = (unsigned int *)(block - align);
72841 - return SLOB_UNITS(*m) * SLOB_UNIT;
72842 + slob_t *m = (slob_t *)(block - align);
72843 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
72844 } else
72845 - return sp->page.private;
72846 + return sp->size;
72847 }
72848 EXPORT_SYMBOL(ksize);
72849
72850 @@ -566,8 +655,13 @@ struct kmem_cache *kmem_cache_create(con
72851 {
72852 struct kmem_cache *c;
72853
72854 +#ifdef CONFIG_PAX_USERCOPY
72855 + c = __kmalloc_node_align(sizeof(struct kmem_cache),
72856 + GFP_KERNEL, -1, ARCH_KMALLOC_MINALIGN);
72857 +#else
72858 c = slob_alloc(sizeof(struct kmem_cache),
72859 GFP_KERNEL, ARCH_KMALLOC_MINALIGN, -1);
72860 +#endif
72861
72862 if (c) {
72863 c->name = name;
72864 @@ -605,17 +699,25 @@ void *kmem_cache_alloc_node(struct kmem_
72865 {
72866 void *b;
72867
72868 +#ifdef CONFIG_PAX_USERCOPY
72869 + b = __kmalloc_node_align(c->size, flags, node, c->align);
72870 +#else
72871 if (c->size < PAGE_SIZE) {
72872 b = slob_alloc(c->size, flags, c->align, node);
72873 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
72874 SLOB_UNITS(c->size) * SLOB_UNIT,
72875 flags, node);
72876 } else {
72877 + struct slob_page *sp;
72878 +
72879 b = slob_new_pages(flags, get_order(c->size), node);
72880 + sp = slob_page(b);
72881 + sp->size = c->size;
72882 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
72883 PAGE_SIZE << get_order(c->size),
72884 flags, node);
72885 }
72886 +#endif
72887
72888 if (c->ctor)
72889 c->ctor(b);
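Review bot: In the non-USERCOPY branch the new code runs `sp = slob_page(b); sp->size = c->size;` straight after `slob_new_pages()`, which returns NULL on allocation failure (see `if (!page) return NULL;` in its hunk above). A failed allocation therefore now writes through a page descriptor derived from a NULL address. `__kmalloc_node_align` in this same patch does the equivalent store under `if (ret)`. Guard it the same way: `if (b) slob_page(b)->size = c->size;`. The function body starts and continues outside the hunk.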
72890 @@ -627,10 +729,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
72891
72892 static void __kmem_cache_free(void *b, int size)
72893 {
72894 - if (size < PAGE_SIZE)
72895 + struct slob_page *sp = slob_page(b);
72896 +
72897 + if (is_slob_page(sp))
72898 slob_free(b, size);
72899 - else
72900 + else {
72901 + clear_slob_page(sp);
72902 + free_slob_page(sp);
72903 + sp->size = 0;
72904 slob_free_pages(b, get_order(size));
72905 + }
72906 }
72907
72908 static void kmem_rcu_free(struct rcu_head *head)
72909 @@ -643,18 +751,32 @@ static void kmem_rcu_free(struct rcu_hea
72910
72911 void kmem_cache_free(struct kmem_cache *c, void *b)
72912 {
72913 + int size = c->size;
72914 +
72915 +#ifdef CONFIG_PAX_USERCOPY
72916 + if (size + c->align < PAGE_SIZE) {
72917 + size += c->align;
72918 + b -= c->align;
72919 + }
72920 +#endif
72921 +
72922 kmemleak_free_recursive(b, c->flags);
72923 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
72924 struct slob_rcu *slob_rcu;
72925 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
72926 + slob_rcu = b + (size - sizeof(struct slob_rcu));
72927 INIT_RCU_HEAD(&slob_rcu->head);
72928 - slob_rcu->size = c->size;
72929 + slob_rcu->size = size;
72930 call_rcu(&slob_rcu->head, kmem_rcu_free);
72931 } else {
72932 - __kmem_cache_free(b, c->size);
72933 + __kmem_cache_free(b, size);
72934 }
72935
72936 +#ifdef CONFIG_PAX_USERCOPY
72937 + trace_kfree(_RET_IP_, b);
72938 +#else
72939 trace_kmem_cache_free(_RET_IP_, b);
72940 +#endif
72941 +
72942 }
72943 EXPORT_SYMBOL(kmem_cache_free);
72944
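Review bot: The `CONFIG_PAX_USERCOPY` block at the top of `kmem_cache_free()` rewinds `b` by `c->align` and grows `size` whenever `size + c->align < PAGE_SIZE`, but nothing here says which allocation-side rule this mirrors. The allocator it has to agree with (presumably `__kmalloc_node_align()`, called from `kmem_cache_alloc_node()` in this patch) is outside the hunk. If the two conditions ever differ, the pointer handed to `__kmem_cache_free()` and to the RCU path is off by `c->align`. A comment such as `/* must mirror the size/alignment rule used by __kmalloc_node_align() when the object was allocated */` would tie the two together.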
72945 diff -urNp linux-2.6.32.46/mm/slub.c linux-2.6.32.46/mm/slub.c
72946 --- linux-2.6.32.46/mm/slub.c 2011-03-27 14:31:47.000000000 -0400
72947 +++ linux-2.6.32.46/mm/slub.c 2011-04-17 15:56:46.000000000 -0400
72948 @@ -410,7 +410,7 @@ static void print_track(const char *s, s
72949 if (!t->addr)
72950 return;
72951
72952 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
72953 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
72954 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
72955 }
72956
72957 @@ -1893,6 +1893,8 @@ void kmem_cache_free(struct kmem_cache *
72958
72959 page = virt_to_head_page(x);
72960
72961 + BUG_ON(!PageSlab(page));
72962 +
72963 slab_free(s, page, x, _RET_IP_);
72964
72965 trace_kmem_cache_free(_RET_IP_, x);
72966 @@ -1937,7 +1939,7 @@ static int slub_min_objects;
72967 * Merge control. If this is set then no merging of slab caches will occur.
72968 * (Could be removed. This was introduced to pacify the merge skeptics.)
72969 */
72970 -static int slub_nomerge;
72971 +static int slub_nomerge = 1;
72972
72973 /*
72974 * Calculate the order of allocation given an slab object size.
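Review bot: The default flips to `slub_nomerge = 1`, but the comment directly above still describes the flag as an opt-in that 'could be removed'. The `slub_nomerge` boot parameter registered further down presumably only sets the flag, so this change appears to leave no way to turn merging back on, which is worth stating. I would extend the comment with something like `Merging is off by default so that caches holding different object types do not share slabs.`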
72975 @@ -2493,7 +2495,7 @@ static int kmem_cache_open(struct kmem_c
72976 * list to avoid pounding the page allocator excessively.
72977 */
72978 set_min_partial(s, ilog2(s->size));
72979 - s->refcount = 1;
72980 + atomic_set(&s->refcount, 1);
72981 #ifdef CONFIG_NUMA
72982 s->remote_node_defrag_ratio = 1000;
72983 #endif
72984 @@ -2630,8 +2632,7 @@ static inline int kmem_cache_close(struc
72985 void kmem_cache_destroy(struct kmem_cache *s)
72986 {
72987 down_write(&slub_lock);
72988 - s->refcount--;
72989 - if (!s->refcount) {
72990 + if (atomic_dec_and_test(&s->refcount)) {
72991 list_del(&s->list);
72992 up_write(&slub_lock);
72993 if (kmem_cache_close(s)) {
72994 @@ -2691,12 +2692,10 @@ static int __init setup_slub_nomerge(cha
72995 __setup("slub_nomerge", setup_slub_nomerge);
72996
72997 static struct kmem_cache *create_kmalloc_cache(struct kmem_cache *s,
72998 - const char *name, int size, gfp_t gfp_flags)
72999 + const char *name, int size, gfp_t gfp_flags, unsigned int flags)
73000 {
73001 - unsigned int flags = 0;
73002 -
73003 if (gfp_flags & SLUB_DMA)
73004 - flags = SLAB_CACHE_DMA;
73005 + flags |= SLAB_CACHE_DMA;
73006
73007 /*
73008 * This function is called with IRQs disabled during early-boot on
73009 @@ -2915,6 +2914,46 @@ void *__kmalloc_node(size_t size, gfp_t
73010 EXPORT_SYMBOL(__kmalloc_node);
73011 #endif
73012
73013 +void check_object_size(const void *ptr, unsigned long n, bool to)
73014 +{
73015 +
73016 +#ifdef CONFIG_PAX_USERCOPY
73017 + struct page *page;
73018 + struct kmem_cache *s = NULL;
73019 + unsigned long offset;
73020 +
73021 + if (!n)
73022 + return;
73023 +
73024 + if (ZERO_OR_NULL_PTR(ptr))
73025 + goto report;
73026 +
73027 + if (!virt_addr_valid(ptr))
73028 + return;
73029 +
73030 + page = get_object_page(ptr);
73031 +
73032 + if (!page) {
73033 + if (object_is_on_stack(ptr, n) == -1)
73034 + goto report;
73035 + return;
73036 + }
73037 +
73038 + s = page->slab;
73039 + if (!(s->flags & SLAB_USERCOPY))
73040 + goto report;
73041 +
73042 + offset = (ptr - page_address(page)) % s->size;
73043 + if (offset <= s->objsize && n <= s->objsize - offset)
73044 + return;
73045 +
73046 +report:
73047 + pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
73048 +#endif
73049 +
73050 +}
73051 +EXPORT_SYMBOL(check_object_size);
73052 +
73053 size_t ksize(const void *object)
73054 {
73055 struct page *page;
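Review bot: `check_object_size()` is exported but has no comment saying which pointers it actually validates, and several paths return without any check. As written, a pointer that fails `virt_addr_valid()` is accepted silently, a pointer with no object page is reported only when `object_is_on_stack()` returns `-1`, and only slab objects get the `SLAB_USERCOPY` test and the per-object bounds test. A kernel-doc block should spell out those three cases, the meaning of `to`, and that a failed check ends in `pax_report_usercopy()`. The bare `-1` would also read better as a named constant if `object_is_on_stack()`, defined outside this hunk, offers one.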
73056 @@ -3185,8 +3224,8 @@ void __init kmem_cache_init(void)
73057 * kmem_cache_open for slab_state == DOWN.
73058 */
73059 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
73060 - sizeof(struct kmem_cache_node), GFP_NOWAIT);
73061 - kmalloc_caches[0].refcount = -1;
73062 + sizeof(struct kmem_cache_node), GFP_NOWAIT, 0);
73063 + atomic_set(&kmalloc_caches[0].refcount, -1);
73064 caches++;
73065
73066 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
73067 @@ -3198,18 +3237,18 @@ void __init kmem_cache_init(void)
73068 /* Caches that are not of the two-to-the-power-of size */
73069 if (KMALLOC_MIN_SIZE <= 32) {
73070 create_kmalloc_cache(&kmalloc_caches[1],
73071 - "kmalloc-96", 96, GFP_NOWAIT);
73072 + "kmalloc-96", 96, GFP_NOWAIT, SLAB_USERCOPY);
73073 caches++;
73074 }
73075 if (KMALLOC_MIN_SIZE <= 64) {
73076 create_kmalloc_cache(&kmalloc_caches[2],
73077 - "kmalloc-192", 192, GFP_NOWAIT);
73078 + "kmalloc-192", 192, GFP_NOWAIT, SLAB_USERCOPY);
73079 caches++;
73080 }
73081
73082 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
73083 create_kmalloc_cache(&kmalloc_caches[i],
73084 - "kmalloc", 1 << i, GFP_NOWAIT);
73085 + "kmalloc", 1 << i, GFP_NOWAIT, SLAB_USERCOPY);
73086 caches++;
73087 }
73088
73089 @@ -3293,7 +3332,7 @@ static int slab_unmergeable(struct kmem_
73090 /*
73091 * We may have set a slab to be unmergeable during bootstrap.
73092 */
73093 - if (s->refcount < 0)
73094 + if (atomic_read(&s->refcount) < 0)
73095 return 1;
73096
73097 return 0;
73098 @@ -3353,7 +3392,7 @@ struct kmem_cache *kmem_cache_create(con
73099 if (s) {
73100 int cpu;
73101
73102 - s->refcount++;
73103 + atomic_inc(&s->refcount);
73104 /*
73105 * Adjust the object sizes so that we clear
73106 * the complete object on kzalloc.
73107 @@ -3372,7 +3411,7 @@ struct kmem_cache *kmem_cache_create(con
73108
73109 if (sysfs_slab_alias(s, name)) {
73110 down_write(&slub_lock);
73111 - s->refcount--;
73112 + atomic_dec(&s->refcount);
73113 up_write(&slub_lock);
73114 goto err;
73115 }
73116 @@ -4101,7 +4140,7 @@ SLAB_ATTR_RO(ctor);
73117
73118 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
73119 {
73120 - return sprintf(buf, "%d\n", s->refcount - 1);
73121 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
73122 }
73123 SLAB_ATTR_RO(aliases);
73124
73125 @@ -4503,7 +4542,7 @@ static void kmem_cache_release(struct ko
73126 kfree(s);
73127 }
73128
73129 -static struct sysfs_ops slab_sysfs_ops = {
73130 +static const struct sysfs_ops slab_sysfs_ops = {
73131 .show = slab_attr_show,
73132 .store = slab_attr_store,
73133 };
73134 @@ -4522,7 +4561,7 @@ static int uevent_filter(struct kset *ks
73135 return 0;
73136 }
73137
73138 -static struct kset_uevent_ops slab_uevent_ops = {
73139 +static const struct kset_uevent_ops slab_uevent_ops = {
73140 .filter = uevent_filter,
73141 };
73142
73143 @@ -4785,7 +4824,13 @@ static const struct file_operations proc
73144
73145 static int __init slab_proc_init(void)
73146 {
73147 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
73148 + mode_t gr_mode = S_IRUGO;
73149 +
73150 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
73151 + gr_mode = S_IRUSR;
73152 +#endif
73153 +
73154 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
73155 return 0;
73156 }
73157 module_init(slab_proc_init);
73158 diff -urNp linux-2.6.32.46/mm/swap.c linux-2.6.32.46/mm/swap.c
73159 --- linux-2.6.32.46/mm/swap.c 2011-03-27 14:31:47.000000000 -0400
73160 +++ linux-2.6.32.46/mm/swap.c 2011-07-09 09:15:19.000000000 -0400
73161 @@ -30,6 +30,7 @@
73162 #include <linux/notifier.h>
73163 #include <linux/backing-dev.h>
73164 #include <linux/memcontrol.h>
73165 +#include <linux/hugetlb.h>
73166
73167 #include "internal.h"
73168
73169 @@ -65,6 +66,8 @@ static void put_compound_page(struct pag
73170 compound_page_dtor *dtor;
73171
73172 dtor = get_compound_page_dtor(page);
73173 + if (!PageHuge(page))
73174 + BUG_ON(dtor != free_compound_page);
73175 (*dtor)(page);
73176 }
73177 }
73178 diff -urNp linux-2.6.32.46/mm/util.c linux-2.6.32.46/mm/util.c
73179 --- linux-2.6.32.46/mm/util.c 2011-03-27 14:31:47.000000000 -0400
73180 +++ linux-2.6.32.46/mm/util.c 2011-04-17 15:56:46.000000000 -0400
73181 @@ -228,6 +228,12 @@ EXPORT_SYMBOL(strndup_user);
73182 void arch_pick_mmap_layout(struct mm_struct *mm)
73183 {
73184 mm->mmap_base = TASK_UNMAPPED_BASE;
73185 +
73186 +#ifdef CONFIG_PAX_RANDMMAP
73187 + if (mm->pax_flags & MF_PAX_RANDMMAP)
73188 + mm->mmap_base += mm->delta_mmap;
73189 +#endif
73190 +
73191 mm->get_unmapped_area = arch_get_unmapped_area;
73192 mm->unmap_area = arch_unmap_area;
73193 }
73194 diff -urNp linux-2.6.32.46/mm/vmalloc.c linux-2.6.32.46/mm/vmalloc.c
73195 --- linux-2.6.32.46/mm/vmalloc.c 2011-08-29 22:24:44.000000000 -0400
73196 +++ linux-2.6.32.46/mm/vmalloc.c 2011-08-29 22:25:07.000000000 -0400
73197 @@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
73198
73199 pte = pte_offset_kernel(pmd, addr);
73200 do {
73201 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
73202 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
73203 +
73204 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
73205 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
73206 + BUG_ON(!pte_exec(*pte));
73207 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
73208 + continue;
73209 + }
73210 +#endif
73211 +
73212 + {
73213 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
73214 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
73215 + }
73216 } while (pte++, addr += PAGE_SIZE, addr != end);
73217 }
73218
73219 @@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
73220 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
73221 {
73222 pte_t *pte;
73223 + int ret = -ENOMEM;
73224
73225 /*
73226 * nr is a running index into the array which helps higher level
73227 @@ -101,17 +113,32 @@ static int vmap_pte_range(pmd_t *pmd, un
73228 pte = pte_alloc_kernel(pmd, addr);
73229 if (!pte)
73230 return -ENOMEM;
73231 +
73232 + pax_open_kernel();
73233 do {
73234 struct page *page = pages[*nr];
73235
73236 - if (WARN_ON(!pte_none(*pte)))
73237 - return -EBUSY;
73238 - if (WARN_ON(!page))
73239 - return -ENOMEM;
73240 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
73241 + if (!(pgprot_val(prot) & _PAGE_NX))
73242 + BUG_ON(!pte_exec(*pte) || pte_pfn(*pte) != __pa(addr) >> PAGE_SHIFT);
73243 + else
73244 +#endif
73245 +
73246 + if (WARN_ON(!pte_none(*pte))) {
73247 + ret = -EBUSY;
73248 + goto out;
73249 + }
73250 + if (WARN_ON(!page)) {
73251 + ret = -ENOMEM;
73252 + goto out;
73253 + }
73254 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
73255 (*nr)++;
73256 } while (pte++, addr += PAGE_SIZE, addr != end);
73257 - return 0;
73258 + ret = 0;
73259 +out:
73260 + pax_close_kernel();
73261 + return ret;
73262 }
73263
73264 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
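Review bot: The `else` left dangling before `#endif` in `vmap_pte_range()` binds only to the `WARN_ON(!pte_none(*pte))` test after the blank line, so with KERNEXEC enabled an executable mapping skips the `-EBUSY` check but still runs the `WARN_ON(!page)` check and `set_pte_at()`. That is easy to misread, and any statement later inserted between `#endif` and the `if` would silently become the `else` body. A comment on the branch, e.g. `else /* binds to the pte_none() check below */`, or an explicit braced block would make the binding visible. The same construct appears in the `vmalloc_to_page()` hunk (`if (!pud_large(*pud))` and `if (!pmd_large(*pmd))` before `#endif`) and in the `__vmalloc_node()` hunk. `ret` is also initialised to `-ENOMEM` in the previous hunk although every exit path assigns it.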
73265 @@ -192,11 +219,20 @@ int is_vmalloc_or_module_addr(const void
73266 * and fall back on vmalloc() if that fails. Others
73267 * just put it in the vmalloc space.
73268 */
73269 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
73270 +#ifdef CONFIG_MODULES
73271 +#ifdef MODULES_VADDR
73272 unsigned long addr = (unsigned long)x;
73273 if (addr >= MODULES_VADDR && addr < MODULES_END)
73274 return 1;
73275 #endif
73276 +
73277 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
73278 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
73279 + return 1;
73280 +#endif
73281 +
73282 +#endif
73283 +
73284 return is_vmalloc_addr(x);
73285 }
73286
73287 @@ -217,8 +253,14 @@ struct page *vmalloc_to_page(const void
73288
73289 if (!pgd_none(*pgd)) {
73290 pud_t *pud = pud_offset(pgd, addr);
73291 +#ifdef CONFIG_X86
73292 + if (!pud_large(*pud))
73293 +#endif
73294 if (!pud_none(*pud)) {
73295 pmd_t *pmd = pmd_offset(pud, addr);
73296 +#ifdef CONFIG_X86
73297 + if (!pmd_large(*pmd))
73298 +#endif
73299 if (!pmd_none(*pmd)) {
73300 pte_t *ptep, pte;
73301
73302 @@ -292,13 +334,13 @@ static void __insert_vmap_area(struct vm
73303 struct rb_node *tmp;
73304
73305 while (*p) {
73306 - struct vmap_area *tmp;
73307 + struct vmap_area *varea;
73308
73309 parent = *p;
73310 - tmp = rb_entry(parent, struct vmap_area, rb_node);
73311 - if (va->va_start < tmp->va_end)
73312 + varea = rb_entry(parent, struct vmap_area, rb_node);
73313 + if (va->va_start < varea->va_end)
73314 p = &(*p)->rb_left;
73315 - else if (va->va_end > tmp->va_start)
73316 + else if (va->va_end > varea->va_start)
73317 p = &(*p)->rb_right;
73318 else
73319 BUG();
73320 @@ -1233,6 +1275,16 @@ static struct vm_struct *__get_vm_area_n
73321 struct vm_struct *area;
73322
73323 BUG_ON(in_interrupt());
73324 +
73325 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
73326 + if (flags & VM_KERNEXEC) {
73327 + if (start != VMALLOC_START || end != VMALLOC_END)
73328 + return NULL;
73329 + start = (unsigned long)MODULES_EXEC_VADDR;
73330 + end = (unsigned long)MODULES_EXEC_END;
73331 + }
73332 +#endif
73333 +
73334 if (flags & VM_IOREMAP) {
73335 int bit = fls(size);
73336
73337 @@ -1458,6 +1510,11 @@ void *vmap(struct page **pages, unsigned
73338 if (count > totalram_pages)
73339 return NULL;
73340
73341 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
73342 + if (!(pgprot_val(prot) & _PAGE_NX))
73343 + flags |= VM_KERNEXEC;
73344 +#endif
73345 +
73346 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
73347 __builtin_return_address(0));
73348 if (!area)
73349 @@ -1568,6 +1625,13 @@ static void *__vmalloc_node(unsigned lon
73350 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
73351 return NULL;
73352
73353 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
73354 + if (!(pgprot_val(prot) & _PAGE_NX))
73355 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
73356 + node, gfp_mask, caller);
73357 + else
73358 +#endif
73359 +
73360 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
73361 VMALLOC_END, node, gfp_mask, caller);
73362
73363 @@ -1586,6 +1650,7 @@ static void *__vmalloc_node(unsigned lon
73364 return addr;
73365 }
73366
73367 +#undef __vmalloc
73368 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
73369 {
73370 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
73371 @@ -1602,6 +1667,7 @@ EXPORT_SYMBOL(__vmalloc);
73372 * For tight control over page level allocator and protection flags
73373 * use __vmalloc() instead.
73374 */
73375 +#undef vmalloc
73376 void *vmalloc(unsigned long size)
73377 {
73378 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
73379 @@ -1616,6 +1682,7 @@ EXPORT_SYMBOL(vmalloc);
73380 * The resulting memory area is zeroed so it can be mapped to userspace
73381 * without leaking data.
73382 */
73383 +#undef vmalloc_user
73384 void *vmalloc_user(unsigned long size)
73385 {
73386 struct vm_struct *area;
73387 @@ -1643,6 +1710,7 @@ EXPORT_SYMBOL(vmalloc_user);
73388 * For tight control over page level allocator and protection flags
73389 * use __vmalloc() instead.
73390 */
73391 +#undef vmalloc_node
73392 void *vmalloc_node(unsigned long size, int node)
73393 {
73394 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
73395 @@ -1665,10 +1733,10 @@ EXPORT_SYMBOL(vmalloc_node);
73396 * For tight control over page level allocator and protection flags
73397 * use __vmalloc() instead.
73398 */
73399 -
73400 +#undef vmalloc_exec
73401 void *vmalloc_exec(unsigned long size)
73402 {
73403 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
73404 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
73405 -1, __builtin_return_address(0));
73406 }
73407
73408 @@ -1687,6 +1755,7 @@ void *vmalloc_exec(unsigned long size)
73409 * Allocate enough 32bit PA addressable pages to cover @size from the
73410 * page level allocator and map them into contiguous kernel virtual space.
73411 */
73412 +#undef vmalloc_32
73413 void *vmalloc_32(unsigned long size)
73414 {
73415 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
73416 @@ -1701,6 +1770,7 @@ EXPORT_SYMBOL(vmalloc_32);
73417 * The resulting memory area is 32bit addressable and zeroed so it can be
73418 * mapped to userspace without leaking data.
73419 */
73420 +#undef vmalloc_32_user
73421 void *vmalloc_32_user(unsigned long size)
73422 {
73423 struct vm_struct *area;
73424 @@ -1965,6 +2035,8 @@ int remap_vmalloc_range(struct vm_area_s
73425 unsigned long uaddr = vma->vm_start;
73426 unsigned long usize = vma->vm_end - vma->vm_start;
73427
73428 + BUG_ON(vma->vm_mirror);
73429 +
73430 if ((PAGE_SIZE-1) & (unsigned long)addr)
73431 return -EINVAL;
73432
73433 diff -urNp linux-2.6.32.46/mm/vmstat.c linux-2.6.32.46/mm/vmstat.c
73434 --- linux-2.6.32.46/mm/vmstat.c 2011-03-27 14:31:47.000000000 -0400
73435 +++ linux-2.6.32.46/mm/vmstat.c 2011-04-17 15:56:46.000000000 -0400
73436 @@ -74,7 +74,7 @@ void vm_events_fold_cpu(int cpu)
73437 *
73438 * vm_stat contains the global counters
73439 */
73440 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
73441 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
73442 EXPORT_SYMBOL(vm_stat);
73443
73444 #ifdef CONFIG_SMP
73445 @@ -324,7 +324,7 @@ void refresh_cpu_vm_stats(int cpu)
73446 v = p->vm_stat_diff[i];
73447 p->vm_stat_diff[i] = 0;
73448 local_irq_restore(flags);
73449 - atomic_long_add(v, &zone->vm_stat[i]);
73450 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
73451 global_diff[i] += v;
73452 #ifdef CONFIG_NUMA
73453 /* 3 seconds idle till flush */
73454 @@ -362,7 +362,7 @@ void refresh_cpu_vm_stats(int cpu)
73455
73456 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
73457 if (global_diff[i])
73458 - atomic_long_add(global_diff[i], &vm_stat[i]);
73459 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
73460 }
73461
73462 #endif
73463 @@ -953,10 +953,20 @@ static int __init setup_vmstat(void)
73464 start_cpu_timer(cpu);
73465 #endif
73466 #ifdef CONFIG_PROC_FS
73467 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
73468 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
73469 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
73470 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
73471 + {
73472 + mode_t gr_mode = S_IRUGO;
73473 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
73474 + gr_mode = S_IRUSR;
73475 +#endif
73476 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
73477 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
73478 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
73479 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
73480 +#else
73481 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
73482 +#endif
73483 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
73484 + }
73485 #endif
73486 return 0;
73487 }
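Review bot: Under `CONFIG_GRKERNSEC_PROC_USERGROUP` only `vmstat` is created with `gr_mode | S_IRGRP`, while `buddyinfo`, `pagetypeinfo` and `zoneinfo` stay at `gr_mode`, and the hunk gives no reason for the difference. Nothing visible here sets the group owner of the entry, so whether that group bit reaches the intended group depends on code outside the hunk. A one-line comment, e.g. `/* vmstat is additionally group-readable; the other entries follow gr_mode */`, would make the intent reviewable. The `S_IRGRP` bit is also OR-ed in when `CONFIG_GRKERNSEC_PROC_ADD` is unset, where it is already part of `S_IRUGO`.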
73488 diff -urNp linux-2.6.32.46/net/8021q/vlan.c linux-2.6.32.46/net/8021q/vlan.c
73489 --- linux-2.6.32.46/net/8021q/vlan.c 2011-03-27 14:31:47.000000000 -0400
73490 +++ linux-2.6.32.46/net/8021q/vlan.c 2011-04-17 15:56:46.000000000 -0400
73491 @@ -622,8 +622,7 @@ static int vlan_ioctl_handler(struct net
73492 err = -EPERM;
73493 if (!capable(CAP_NET_ADMIN))
73494 break;
73495 - if ((args.u.name_type >= 0) &&
73496 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
73497 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
73498 struct vlan_net *vn;
73499
73500 vn = net_generic(net, vlan_net_id);
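Review bot: Dropping the `args.u.name_type >= 0` test is only safe if `name_type` is an unsigned field, and its declaration is outside this hunk. If it were signed, a negative value from the ioctl argument would now pass `args.u.name_type < VLAN_NAME_TYPE_HIGHEST`. A short comment such as `/* name_type is unsigned, so only the upper bound needs checking */` would record the assumption next to the check.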
73501 diff -urNp linux-2.6.32.46/net/atm/atm_misc.c linux-2.6.32.46/net/atm/atm_misc.c
73502 --- linux-2.6.32.46/net/atm/atm_misc.c 2011-03-27 14:31:47.000000000 -0400
73503 +++ linux-2.6.32.46/net/atm/atm_misc.c 2011-04-17 15:56:46.000000000 -0400
73504 @@ -19,7 +19,7 @@ int atm_charge(struct atm_vcc *vcc,int t
73505 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
73506 return 1;
73507 atm_return(vcc,truesize);
73508 - atomic_inc(&vcc->stats->rx_drop);
73509 + atomic_inc_unchecked(&vcc->stats->rx_drop);
73510 return 0;
73511 }
73512
73513 @@ -41,7 +41,7 @@ struct sk_buff *atm_alloc_charge(struct
73514 }
73515 }
73516 atm_return(vcc,guess);
73517 - atomic_inc(&vcc->stats->rx_drop);
73518 + atomic_inc_unchecked(&vcc->stats->rx_drop);
73519 return NULL;
73520 }
73521
73522 @@ -88,7 +88,7 @@ int atm_pcr_goal(const struct atm_trafpr
73523
73524 void sonet_copy_stats(struct k_sonet_stats *from,struct sonet_stats *to)
73525 {
73526 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
73527 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
73528 __SONET_ITEMS
73529 #undef __HANDLE_ITEM
73530 }
73531 @@ -96,7 +96,7 @@ void sonet_copy_stats(struct k_sonet_sta
73532
73533 void sonet_subtract_stats(struct k_sonet_stats *from,struct sonet_stats *to)
73534 {
73535 -#define __HANDLE_ITEM(i) atomic_sub(to->i,&from->i)
73536 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
73537 __SONET_ITEMS
73538 #undef __HANDLE_ITEM
73539 }
73540 diff -urNp linux-2.6.32.46/net/atm/lec.h linux-2.6.32.46/net/atm/lec.h
73541 --- linux-2.6.32.46/net/atm/lec.h 2011-03-27 14:31:47.000000000 -0400
73542 +++ linux-2.6.32.46/net/atm/lec.h 2011-08-05 20:33:55.000000000 -0400
73543 @@ -48,7 +48,7 @@ struct lane2_ops {
73544 const u8 *tlvs, u32 sizeoftlvs);
73545 void (*associate_indicator) (struct net_device *dev, const u8 *mac_addr,
73546 const u8 *tlvs, u32 sizeoftlvs);
73547 -};
73548 +} __no_const;
73549
73550 /*
73551 * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType
73552 diff -urNp linux-2.6.32.46/net/atm/mpc.h linux-2.6.32.46/net/atm/mpc.h
73553 --- linux-2.6.32.46/net/atm/mpc.h 2011-03-27 14:31:47.000000000 -0400
73554 +++ linux-2.6.32.46/net/atm/mpc.h 2011-08-23 21:22:38.000000000 -0400
73555 @@ -33,7 +33,7 @@ struct mpoa_client {
73556 struct mpc_parameters parameters; /* parameters for this client */
73557
73558 const struct net_device_ops *old_ops;
73559 - struct net_device_ops new_ops;
73560 + net_device_ops_no_const new_ops;
73561 };
73562
73563
73564 diff -urNp linux-2.6.32.46/net/atm/mpoa_caches.c linux-2.6.32.46/net/atm/mpoa_caches.c
73565 --- linux-2.6.32.46/net/atm/mpoa_caches.c 2011-03-27 14:31:47.000000000 -0400
73566 +++ linux-2.6.32.46/net/atm/mpoa_caches.c 2011-05-16 21:46:57.000000000 -0400
73567 @@ -498,6 +498,8 @@ static void clear_expired(struct mpoa_cl
73568 struct timeval now;
73569 struct k_message msg;
73570
73571 + pax_track_stack();
73572 +
73573 do_gettimeofday(&now);
73574
73575 write_lock_irq(&client->egress_lock);
73576 diff -urNp linux-2.6.32.46/net/atm/proc.c linux-2.6.32.46/net/atm/proc.c
73577 --- linux-2.6.32.46/net/atm/proc.c 2011-03-27 14:31:47.000000000 -0400
73578 +++ linux-2.6.32.46/net/atm/proc.c 2011-04-17 15:56:46.000000000 -0400
73579 @@ -43,9 +43,9 @@ static void add_stats(struct seq_file *s
73580 const struct k_atm_aal_stats *stats)
73581 {
73582 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
73583 - atomic_read(&stats->tx),atomic_read(&stats->tx_err),
73584 - atomic_read(&stats->rx),atomic_read(&stats->rx_err),
73585 - atomic_read(&stats->rx_drop));
73586 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
73587 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
73588 + atomic_read_unchecked(&stats->rx_drop));
73589 }
73590
73591 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
73592 @@ -188,7 +188,12 @@ static void vcc_info(struct seq_file *se
73593 {
73594 struct sock *sk = sk_atm(vcc);
73595
73596 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73597 + seq_printf(seq, "%p ", NULL);
73598 +#else
73599 seq_printf(seq, "%p ", vcc);
73600 +#endif
73601 +
73602 if (!vcc->dev)
73603 seq_printf(seq, "Unassigned ");
73604 else
73605 @@ -214,7 +219,11 @@ static void svc_info(struct seq_file *se
73606 {
73607 if (!vcc->dev)
73608 seq_printf(seq, sizeof(void *) == 4 ?
73609 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73610 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
73611 +#else
73612 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
73613 +#endif
73614 else
73615 seq_printf(seq, "%3d %3d %5d ",
73616 vcc->dev->number, vcc->vpi, vcc->vci);
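Review bot: In `svc_info()` the `#ifdef CONFIG_GRKERNSEC_HIDESYM` sits inside the argument list of a single `seq_printf()` call, separating the conditional format expression from its arguments. Preprocessor directives inside call arguments are undefined behaviour if the callee is ever a function-like macro, and the two branches repeat the same format strings. Choosing the printed pointer once in a local and keeping one call avoids both, as sketched below. The same approach would remove the duplicated calls in the `vcc_info()` hunk above and in `bcm_proc_show()` in net/can/bcm.c.

```c
	void *shown = vcc;

#ifdef CONFIG_GRKERNSEC_HIDESYM
	shown = NULL;	/* do not print the kernel address */
#endif
	if (!vcc->dev)
		seq_printf(seq, sizeof(void *) == 4 ?
			   "N/A@%p%10s" : "N/A@%p%2s", shown, "");
	/* … unchanged: else branch printing dev number, vpi and vci … */
```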
73617 diff -urNp linux-2.6.32.46/net/atm/resources.c linux-2.6.32.46/net/atm/resources.c
73618 --- linux-2.6.32.46/net/atm/resources.c 2011-03-27 14:31:47.000000000 -0400
73619 +++ linux-2.6.32.46/net/atm/resources.c 2011-04-17 15:56:46.000000000 -0400
73620 @@ -161,7 +161,7 @@ void atm_dev_deregister(struct atm_dev *
73621 static void copy_aal_stats(struct k_atm_aal_stats *from,
73622 struct atm_aal_stats *to)
73623 {
73624 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
73625 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
73626 __AAL_STAT_ITEMS
73627 #undef __HANDLE_ITEM
73628 }
73629 @@ -170,7 +170,7 @@ static void copy_aal_stats(struct k_atm_
73630 static void subtract_aal_stats(struct k_atm_aal_stats *from,
73631 struct atm_aal_stats *to)
73632 {
73633 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
73634 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
73635 __AAL_STAT_ITEMS
73636 #undef __HANDLE_ITEM
73637 }
73638 diff -urNp linux-2.6.32.46/net/bluetooth/l2cap.c linux-2.6.32.46/net/bluetooth/l2cap.c
73639 --- linux-2.6.32.46/net/bluetooth/l2cap.c 2011-03-27 14:31:47.000000000 -0400
73640 +++ linux-2.6.32.46/net/bluetooth/l2cap.c 2011-06-25 14:36:21.000000000 -0400
73641 @@ -1885,7 +1885,7 @@ static int l2cap_sock_getsockopt_old(str
73642 err = -ENOTCONN;
73643 break;
73644 }
73645 -
73646 + memset(&cinfo, 0, sizeof(cinfo));
73647 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
73648 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
73649
73650 @@ -2719,7 +2719,7 @@ static inline int l2cap_config_req(struc
73651
73652 /* Reject if config buffer is too small. */
73653 len = cmd_len - sizeof(*req);
73654 - if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
73655 + if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
73656 l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
73657 l2cap_build_conf_rsp(sk, rsp,
73658 L2CAP_CONF_REJECT, flags), rsp);
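Review bot: The added `len < 0` guard in `l2cap_config_req()` only has an effect if `len` is a signed type, and its declaration is outside this hunk. Testing the packet length before the subtraction, e.g. starting the condition with `cmd_len < sizeof(*req) ||`, would not depend on that and states the intent directly. The remaining comparison mixes `conf_len + len` with a `sizeof` result, so it is worth confirming that the sum cannot wrap for the types involved.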
73659 diff -urNp linux-2.6.32.46/net/bluetooth/rfcomm/sock.c linux-2.6.32.46/net/bluetooth/rfcomm/sock.c
73660 --- linux-2.6.32.46/net/bluetooth/rfcomm/sock.c 2011-03-27 14:31:47.000000000 -0400
73661 +++ linux-2.6.32.46/net/bluetooth/rfcomm/sock.c 2011-06-12 06:35:00.000000000 -0400
73662 @@ -878,6 +878,7 @@ static int rfcomm_sock_getsockopt_old(st
73663
73664 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
73665
73666 + memset(&cinfo, 0, sizeof(cinfo));
73667 cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
73668 memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
73669
73670 diff -urNp linux-2.6.32.46/net/bridge/br_private.h linux-2.6.32.46/net/bridge/br_private.h
73671 --- linux-2.6.32.46/net/bridge/br_private.h 2011-08-09 18:35:30.000000000 -0400
73672 +++ linux-2.6.32.46/net/bridge/br_private.h 2011-08-09 18:34:01.000000000 -0400
73673 @@ -255,7 +255,7 @@ extern void br_ifinfo_notify(int event,
73674
73675 #ifdef CONFIG_SYSFS
73676 /* br_sysfs_if.c */
73677 -extern struct sysfs_ops brport_sysfs_ops;
73678 +extern const struct sysfs_ops brport_sysfs_ops;
73679 extern int br_sysfs_addif(struct net_bridge_port *p);
73680
73681 /* br_sysfs_br.c */
73682 diff -urNp linux-2.6.32.46/net/bridge/br_stp_if.c linux-2.6.32.46/net/bridge/br_stp_if.c
73683 --- linux-2.6.32.46/net/bridge/br_stp_if.c 2011-03-27 14:31:47.000000000 -0400
73684 +++ linux-2.6.32.46/net/bridge/br_stp_if.c 2011-04-17 15:56:46.000000000 -0400
73685 @@ -146,7 +146,7 @@ static void br_stp_stop(struct net_bridg
73686 char *envp[] = { NULL };
73687
73688 if (br->stp_enabled == BR_USER_STP) {
73689 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
73690 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
73691 printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
73692 br->dev->name, r);
73693
73694 diff -urNp linux-2.6.32.46/net/bridge/br_sysfs_if.c linux-2.6.32.46/net/bridge/br_sysfs_if.c
73695 --- linux-2.6.32.46/net/bridge/br_sysfs_if.c 2011-03-27 14:31:47.000000000 -0400
73696 +++ linux-2.6.32.46/net/bridge/br_sysfs_if.c 2011-04-17 15:56:46.000000000 -0400
73697 @@ -220,7 +220,7 @@ static ssize_t brport_store(struct kobje
73698 return ret;
73699 }
73700
73701 -struct sysfs_ops brport_sysfs_ops = {
73702 +const struct sysfs_ops brport_sysfs_ops = {
73703 .show = brport_show,
73704 .store = brport_store,
73705 };
73706 diff -urNp linux-2.6.32.46/net/bridge/netfilter/ebtables.c linux-2.6.32.46/net/bridge/netfilter/ebtables.c
73707 --- linux-2.6.32.46/net/bridge/netfilter/ebtables.c 2011-04-17 17:00:52.000000000 -0400
73708 +++ linux-2.6.32.46/net/bridge/netfilter/ebtables.c 2011-05-16 21:46:57.000000000 -0400
73709 @@ -1337,6 +1337,8 @@ static int copy_everything_to_user(struc
73710 unsigned int entries_size, nentries;
73711 char *entries;
73712
73713 + pax_track_stack();
73714 +
73715 if (cmd == EBT_SO_GET_ENTRIES) {
73716 entries_size = t->private->entries_size;
73717 nentries = t->private->nentries;
73718 diff -urNp linux-2.6.32.46/net/can/bcm.c linux-2.6.32.46/net/can/bcm.c
73719 --- linux-2.6.32.46/net/can/bcm.c 2011-05-10 22:12:01.000000000 -0400
73720 +++ linux-2.6.32.46/net/can/bcm.c 2011-05-10 22:12:34.000000000 -0400
73721 @@ -164,9 +164,15 @@ static int bcm_proc_show(struct seq_file
73722 struct bcm_sock *bo = bcm_sk(sk);
73723 struct bcm_op *op;
73724
73725 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73726 + seq_printf(m, ">>> socket %p", NULL);
73727 + seq_printf(m, " / sk %p", NULL);
73728 + seq_printf(m, " / bo %p", NULL);
73729 +#else
73730 seq_printf(m, ">>> socket %p", sk->sk_socket);
73731 seq_printf(m, " / sk %p", sk);
73732 seq_printf(m, " / bo %p", bo);
73733 +#endif
73734 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
73735 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
73736 seq_printf(m, " <<<\n");
73737 diff -urNp linux-2.6.32.46/net/core/dev.c linux-2.6.32.46/net/core/dev.c
73738 --- linux-2.6.32.46/net/core/dev.c 2011-04-17 17:00:52.000000000 -0400
73739 +++ linux-2.6.32.46/net/core/dev.c 2011-08-05 20:33:55.000000000 -0400
73740 @@ -1047,10 +1047,14 @@ void dev_load(struct net *net, const cha
73741 if (no_module && capable(CAP_NET_ADMIN))
73742 no_module = request_module("netdev-%s", name);
73743 if (no_module && capable(CAP_SYS_MODULE)) {
73744 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
73745 + ___request_module(true, "grsec_modharden_netdev", "%s", name);
73746 +#else
73747 if (!request_module("%s", name))
73748 pr_err("Loading kernel module for a network device "
73749 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
73750 "instead\n", name);
73751 +#endif
73752 }
73753 }
73754 EXPORT_SYMBOL(dev_load);
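Review bot: In the `CONFIG_GRKERNSEC_MODHARDEN` branch of `dev_load()` the result of `___request_module()` is discarded and the deprecation `pr_err()` of the other branch is no longer emitted, so this function itself logs nothing when a module is loaded through the `CAP_SYS_MODULE` path. If that is intended because the helper, defined outside this hunk, does its own checking and logging, a comment should say so. The literal `"grsec_modharden_netdev"` and the leading `true` would also benefit from a short note on what they select, e.g. `/* tag the request so the modharden check can identify netdev auto-loads */`, with the wording confirmed against the helper.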
73755 @@ -1654,7 +1658,7 @@ static inline int illegal_highdma(struct
73756
73757 struct dev_gso_cb {
73758 void (*destructor)(struct sk_buff *skb);
73759 -};
73760 +} __no_const;
73761
73762 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
73763
73764 @@ -2063,7 +2067,7 @@ int netif_rx_ni(struct sk_buff *skb)
73765 }
73766 EXPORT_SYMBOL(netif_rx_ni);
73767
73768 -static void net_tx_action(struct softirq_action *h)
73769 +static void net_tx_action(void)
73770 {
73771 struct softnet_data *sd = &__get_cpu_var(softnet_data);
73772
73773 @@ -2826,7 +2830,7 @@ void netif_napi_del(struct napi_struct *
73774 EXPORT_SYMBOL(netif_napi_del);
73775
73776
73777 -static void net_rx_action(struct softirq_action *h)
73778 +static void net_rx_action(void)
73779 {
73780 struct list_head *list = &__get_cpu_var(softnet_data).poll_list;
73781 unsigned long time_limit = jiffies + 2;
73782 diff -urNp linux-2.6.32.46/net/core/flow.c linux-2.6.32.46/net/core/flow.c
73783 --- linux-2.6.32.46/net/core/flow.c 2011-03-27 14:31:47.000000000 -0400
73784 +++ linux-2.6.32.46/net/core/flow.c 2011-05-04 17:56:20.000000000 -0400
73785 @@ -35,11 +35,11 @@ struct flow_cache_entry {
73786 atomic_t *object_ref;
73787 };
73788
73789 -atomic_t flow_cache_genid = ATOMIC_INIT(0);
73790 +atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
73791
73792 static u32 flow_hash_shift;
73793 #define flow_hash_size (1 << flow_hash_shift)
73794 -static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
73795 +static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
73796
73797 #define flow_table(cpu) (per_cpu(flow_tables, cpu))
73798
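Review bot: The switch of `flow_cache_genid` to `atomic_unchecked_t` carries no comment saying why this counter is exempt from the overflow checking that the plain `atomic_t` presumably gets in this patch set. The readers changed in this file (`flow_cache_lookup`, the `nocache:` path and `flow_cache_flush_tasklet`) and in net/ipv6/inet6_connection_sock.c only compare the value for equality with a stored copy, so wrap-around looks harmless. That reasoning should sit next to the declaration, e.g. `/* generation id, compared for equality only; wrap-around is harmless */`.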
73799 @@ -52,7 +52,7 @@ struct flow_percpu_info {
73800 u32 hash_rnd;
73801 int count;
73802 };
73803 -static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
73804 +static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
73805
73806 #define flow_hash_rnd_recalc(cpu) \
73807 (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
73808 @@ -69,7 +69,7 @@ struct flow_flush_info {
73809 atomic_t cpuleft;
73810 struct completion completion;
73811 };
73812 -static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
73813 +static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
73814
73815 #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
73816
73817 @@ -190,7 +190,7 @@ void *flow_cache_lookup(struct net *net,
73818 if (fle->family == family &&
73819 fle->dir == dir &&
73820 flow_key_compare(key, &fle->key) == 0) {
73821 - if (fle->genid == atomic_read(&flow_cache_genid)) {
73822 + if (fle->genid == atomic_read_unchecked(&flow_cache_genid)) {
73823 void *ret = fle->object;
73824
73825 if (ret)
73826 @@ -228,7 +228,7 @@ nocache:
73827 err = resolver(net, key, family, dir, &obj, &obj_ref);
73828
73829 if (fle && !err) {
73830 - fle->genid = atomic_read(&flow_cache_genid);
73831 + fle->genid = atomic_read_unchecked(&flow_cache_genid);
73832
73833 if (fle->object)
73834 atomic_dec(fle->object_ref);
73835 @@ -258,7 +258,7 @@ static void flow_cache_flush_tasklet(uns
73836
73837 fle = flow_table(cpu)[i];
73838 for (; fle; fle = fle->next) {
73839 - unsigned genid = atomic_read(&flow_cache_genid);
73840 + unsigned genid = atomic_read_unchecked(&flow_cache_genid);
73841
73842 if (!fle->object || fle->genid == genid)
73843 continue;
73844 diff -urNp linux-2.6.32.46/net/core/rtnetlink.c linux-2.6.32.46/net/core/rtnetlink.c
73845 --- linux-2.6.32.46/net/core/rtnetlink.c 2011-03-27 14:31:47.000000000 -0400
73846 +++ linux-2.6.32.46/net/core/rtnetlink.c 2011-08-05 20:33:55.000000000 -0400
73847 @@ -57,7 +57,7 @@ struct rtnl_link
73848 {
73849 rtnl_doit_func doit;
73850 rtnl_dumpit_func dumpit;
73851 -};
73852 +} __no_const;
73853
73854 static DEFINE_MUTEX(rtnl_mutex);
73855
73856 diff -urNp linux-2.6.32.46/net/core/secure_seq.c linux-2.6.32.46/net/core/secure_seq.c
73857 --- linux-2.6.32.46/net/core/secure_seq.c 2011-08-16 20:37:25.000000000 -0400
73858 +++ linux-2.6.32.46/net/core/secure_seq.c 2011-08-07 19:48:09.000000000 -0400
73859 @@ -57,7 +57,7 @@ __u32 secure_tcpv6_sequence_number(__be3
73860 EXPORT_SYMBOL(secure_tcpv6_sequence_number);
73861
73862 u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
73863 - __be16 dport)
73864 + __be16 dport)
73865 {
73866 u32 secret[MD5_MESSAGE_BYTES / 4];
73867 u32 hash[MD5_DIGEST_WORDS];
73868 @@ -71,7 +71,6 @@ u32 secure_ipv6_port_ephemeral(const __b
73869 secret[i] = net_secret[i];
73870
73871 md5_transform(hash, secret);
73872 -
73873 return hash[0];
73874 }
73875 #endif
73876 diff -urNp linux-2.6.32.46/net/core/skbuff.c linux-2.6.32.46/net/core/skbuff.c
73877 --- linux-2.6.32.46/net/core/skbuff.c 2011-03-27 14:31:47.000000000 -0400
73878 +++ linux-2.6.32.46/net/core/skbuff.c 2011-05-16 21:46:57.000000000 -0400
73879 @@ -1544,6 +1544,8 @@ int skb_splice_bits(struct sk_buff *skb,
73880 struct sk_buff *frag_iter;
73881 struct sock *sk = skb->sk;
73882
73883 + pax_track_stack();
73884 +
73885 /*
73886 * __skb_splice_bits() only fails if the output has no room left,
73887 * so no point in going over the frag_list for the error case.
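Review bot: `pax_track_stack()` is added at the top of `skb_splice_bits` with no indication of why this function needs it. The same one-line insertion appears in `inet_getpeer`, `do_ip_getsockopt`, `do_tcp_setsockopt`, `do_tcp_getsockopt`, `tcp_make_synack`, `do_ipv6_setsockopt` and `do_ipv6_getsockopt`. At least `inet_getpeer` declares a sizeable on-stack array (`stack[PEER_MAXDEPTH]`), so the selection criterion is presumably frame size, but that is an inference. A comment at each site, e.g. `/* large on-stack buffers below, see pax_track_stack() */`, would let a maintainer decide whether a newly added function needs the call too.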
73888 diff -urNp linux-2.6.32.46/net/core/sock.c linux-2.6.32.46/net/core/sock.c
73889 --- linux-2.6.32.46/net/core/sock.c 2011-03-27 14:31:47.000000000 -0400
73890 +++ linux-2.6.32.46/net/core/sock.c 2011-05-04 17:56:20.000000000 -0400
73891 @@ -864,11 +864,15 @@ int sock_getsockopt(struct socket *sock,
73892 break;
73893
73894 case SO_PEERCRED:
73895 + {
73896 + struct ucred peercred;
73897 if (len > sizeof(sk->sk_peercred))
73898 len = sizeof(sk->sk_peercred);
73899 - if (copy_to_user(optval, &sk->sk_peercred, len))
73900 + peercred = sk->sk_peercred;
73901 + if (copy_to_user(optval, &peercred, len))
73902 return -EFAULT;
73903 goto lenout;
73904 + }
73905
73906 case SO_PEERNAME:
73907 {
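Review bot: The clamp still uses `sizeof(sk->sk_peercred)` while the copy source is now the local `peercred`, so the bound and the buffer agree only because both have the same type. Writing it as `if (len > sizeof(peercred)) len = sizeof(peercred);` ties the limit to the object actually passed to `copy_to_user`. If `len` is a signed int, a negative value is converted to a large unsigned one in this comparison and clamped, so the copy stays bounded, but the sign check itself is outside the hunk. The reason for bouncing the struct through the stack is not stated either; a comment such as `/* copy out from a stack object rather than from the socket itself */` would keep a later cleanup from undoing it.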
73908 @@ -1892,7 +1896,7 @@ void sock_init_data(struct socket *sock,
73909 */
73910 smp_wmb();
73911 atomic_set(&sk->sk_refcnt, 1);
73912 - atomic_set(&sk->sk_drops, 0);
73913 + atomic_set_unchecked(&sk->sk_drops, 0);
73914 }
73915 EXPORT_SYMBOL(sock_init_data);
73916
73917 diff -urNp linux-2.6.32.46/net/decnet/sysctl_net_decnet.c linux-2.6.32.46/net/decnet/sysctl_net_decnet.c
73918 --- linux-2.6.32.46/net/decnet/sysctl_net_decnet.c 2011-03-27 14:31:47.000000000 -0400
73919 +++ linux-2.6.32.46/net/decnet/sysctl_net_decnet.c 2011-04-17 15:56:46.000000000 -0400
73920 @@ -206,7 +206,7 @@ static int dn_node_address_handler(ctl_t
73921
73922 if (len > *lenp) len = *lenp;
73923
73924 - if (copy_to_user(buffer, addr, len))
73925 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
73926 return -EFAULT;
73927
73928 *lenp = len;
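Review bot: The added `len > sizeof addr` test bounds the copy only if `addr` is an array in this function; if it were a pointer, `sizeof addr` would be the pointer size and the check would be wrong. The declaration is outside the hunk, so this should be confirmed, and the same applies to `devname` in `dn_def_dev_handler` below and to `tbuf` in `tcpprobe_read` in net/ipv4/tcp_probe.c. The failure is also reported as `-EFAULT`, which tells the caller its buffer was bad when the problem is an internal length. A separate `if (len > sizeof(addr)) return -EINVAL;` would keep the two cases apart, provided callers tolerate the different errno.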
73929 @@ -327,7 +327,7 @@ static int dn_def_dev_handler(ctl_table
73930
73931 if (len > *lenp) len = *lenp;
73932
73933 - if (copy_to_user(buffer, devname, len))
73934 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
73935 return -EFAULT;
73936
73937 *lenp = len;
73938 diff -urNp linux-2.6.32.46/net/econet/Kconfig linux-2.6.32.46/net/econet/Kconfig
73939 --- linux-2.6.32.46/net/econet/Kconfig 2011-03-27 14:31:47.000000000 -0400
73940 +++ linux-2.6.32.46/net/econet/Kconfig 2011-04-17 15:56:46.000000000 -0400
73941 @@ -4,7 +4,7 @@
73942
73943 config ECONET
73944 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
73945 - depends on EXPERIMENTAL && INET
73946 + depends on EXPERIMENTAL && INET && BROKEN
73947 ---help---
73948 Econet is a fairly old and slow networking protocol mainly used by
73949 Acorn computers to access file and print servers. It uses native
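Review bot: Adding `BROKEN` to the dependency line makes `ECONET` unselectable in ordinary configurations, but the hunk gives no reason and the help text still describes the option as usable. A comment above the `depends on` line, such as `# disabled in this patch set: <reason>`, and a sentence in the help text would save a user from hunting for a missing option.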
73950 diff -urNp linux-2.6.32.46/net/ieee802154/dgram.c linux-2.6.32.46/net/ieee802154/dgram.c
73951 --- linux-2.6.32.46/net/ieee802154/dgram.c 2011-03-27 14:31:47.000000000 -0400
73952 +++ linux-2.6.32.46/net/ieee802154/dgram.c 2011-05-04 17:56:28.000000000 -0400
73953 @@ -318,7 +318,7 @@ out:
73954 static int dgram_rcv_skb(struct sock *sk, struct sk_buff *skb)
73955 {
73956 if (sock_queue_rcv_skb(sk, skb) < 0) {
73957 - atomic_inc(&sk->sk_drops);
73958 + atomic_inc_unchecked(&sk->sk_drops);
73959 kfree_skb(skb);
73960 return NET_RX_DROP;
73961 }
73962 diff -urNp linux-2.6.32.46/net/ieee802154/raw.c linux-2.6.32.46/net/ieee802154/raw.c
73963 --- linux-2.6.32.46/net/ieee802154/raw.c 2011-03-27 14:31:47.000000000 -0400
73964 +++ linux-2.6.32.46/net/ieee802154/raw.c 2011-05-04 17:56:28.000000000 -0400
73965 @@ -206,7 +206,7 @@ out:
73966 static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
73967 {
73968 if (sock_queue_rcv_skb(sk, skb) < 0) {
73969 - atomic_inc(&sk->sk_drops);
73970 + atomic_inc_unchecked(&sk->sk_drops);
73971 kfree_skb(skb);
73972 return NET_RX_DROP;
73973 }
73974 diff -urNp linux-2.6.32.46/net/ipv4/inet_diag.c linux-2.6.32.46/net/ipv4/inet_diag.c
73975 --- linux-2.6.32.46/net/ipv4/inet_diag.c 2011-07-13 17:23:04.000000000 -0400
73976 +++ linux-2.6.32.46/net/ipv4/inet_diag.c 2011-06-20 19:31:13.000000000 -0400
73977 @@ -113,8 +113,13 @@ static int inet_csk_diag_fill(struct soc
73978 r->idiag_retrans = 0;
73979
73980 r->id.idiag_if = sk->sk_bound_dev_if;
73981 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73982 + r->id.idiag_cookie[0] = 0;
73983 + r->id.idiag_cookie[1] = 0;
73984 +#else
73985 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
73986 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
73987 +#endif
73988
73989 r->id.idiag_sport = inet->sport;
73990 r->id.idiag_dport = inet->dport;
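Review bot: Under `CONFIG_GRKERNSEC_HIDESYM` the cookie is filled with `0`, although the request path later in this file treats `INET_DIAG_NOCOOKIE` as the value meaning "no cookie". If that constant is not zero, a client that echoes the reported cookie back is sending something that reads as a real cookie; this works only because the comparison in `inet_diag_get_exact` is compiled out in the same configuration. Writing `r->id.idiag_cookie[0] = INET_DIAG_NOCOOKIE;` (and the same for index 1) here and in the matching hunks for `inet_twsk_diag_fill` and `inet_diag_fill_req` would keep the reported value consistent with the sentinel.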
73991 @@ -200,8 +205,15 @@ static int inet_twsk_diag_fill(struct in
73992 r->idiag_family = tw->tw_family;
73993 r->idiag_retrans = 0;
73994 r->id.idiag_if = tw->tw_bound_dev_if;
73995 +
73996 +#ifdef CONFIG_GRKERNSEC_HIDESYM
73997 + r->id.idiag_cookie[0] = 0;
73998 + r->id.idiag_cookie[1] = 0;
73999 +#else
74000 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
74001 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
74002 +#endif
74003 +
74004 r->id.idiag_sport = tw->tw_sport;
74005 r->id.idiag_dport = tw->tw_dport;
74006 r->id.idiag_src[0] = tw->tw_rcv_saddr;
74007 @@ -284,12 +296,14 @@ static int inet_diag_get_exact(struct sk
74008 if (sk == NULL)
74009 goto unlock;
74010
74011 +#ifndef CONFIG_GRKERNSEC_HIDESYM
74012 err = -ESTALE;
74013 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
74014 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
74015 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
74016 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
74017 goto out;
74018 +#endif
74019
74020 err = -ENOMEM;
74021 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
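Review bot: Compiling out the whole cookie comparison means a request that carries a cookie is no longer checked against the socket that was found, so `-ESTALE` can never be returned from here and a query may be answered from a different socket that reuses the same addresses and ports. Since the fill functions report a constant cookie in this configuration, consider rejecting any request whose cookie is neither the no-cookie value nor that constant rather than skipping the check. Either way the changed contract should be documented in a comment above the `#ifndef`. The function starts and ends outside this hunk.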
74022 @@ -579,8 +593,14 @@ static int inet_diag_fill_req(struct sk_
74023 r->idiag_retrans = req->retrans;
74024
74025 r->id.idiag_if = sk->sk_bound_dev_if;
74026 +
74027 +#ifdef CONFIG_GRKERNSEC_HIDESYM
74028 + r->id.idiag_cookie[0] = 0;
74029 + r->id.idiag_cookie[1] = 0;
74030 +#else
74031 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
74032 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
74033 +#endif
74034
74035 tmo = req->expires - jiffies;
74036 if (tmo < 0)
74037 diff -urNp linux-2.6.32.46/net/ipv4/inet_hashtables.c linux-2.6.32.46/net/ipv4/inet_hashtables.c
74038 --- linux-2.6.32.46/net/ipv4/inet_hashtables.c 2011-08-16 20:37:25.000000000 -0400
74039 +++ linux-2.6.32.46/net/ipv4/inet_hashtables.c 2011-08-16 20:42:30.000000000 -0400
74040 @@ -18,12 +18,15 @@
74041 #include <linux/sched.h>
74042 #include <linux/slab.h>
74043 #include <linux/wait.h>
74044 +#include <linux/security.h>
74045
74046 #include <net/inet_connection_sock.h>
74047 #include <net/inet_hashtables.h>
74048 #include <net/secure_seq.h>
74049 #include <net/ip.h>
74050
74051 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
74052 +
74053 /*
74054 * Allocate and initialize a new local port bind bucket.
74055 * The bindhash mutex for snum's hash chain must be held here.
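Review bot: `gr_update_task_in_ip_table` is declared with a bare `extern` inside the .c file, so the compiler never checks this prototype against the definition and a later signature change would go unnoticed. The same pattern recurs for `grsec_enable_blackhole` in tcp_ipv4.c, tcp_minisocks.c and udp.c, for `grsec_lastack_retries` in tcp_timer.c, and for `gr_search_udp_recvmsg` / `gr_search_udp_sendmsg` in udp.c. Moving these declarations into one header that the defining file also includes would remove the duplication. The newly added `#include <linux/security.h>` may be the intended home, but nothing in this hunk shows that it carries them.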
74056 @@ -491,6 +494,8 @@ ok:
74057 }
74058 spin_unlock(&head->lock);
74059
74060 + gr_update_task_in_ip_table(current, inet_sk(sk));
74061 +
74062 if (tw) {
74063 inet_twsk_deschedule(tw, death_row);
74064 inet_twsk_put(tw);
74065 diff -urNp linux-2.6.32.46/net/ipv4/inetpeer.c linux-2.6.32.46/net/ipv4/inetpeer.c
74066 --- linux-2.6.32.46/net/ipv4/inetpeer.c 2011-08-16 20:37:25.000000000 -0400
74067 +++ linux-2.6.32.46/net/ipv4/inetpeer.c 2011-08-07 19:48:09.000000000 -0400
74068 @@ -367,6 +367,8 @@ struct inet_peer *inet_getpeer(__be32 da
74069 struct inet_peer *p, *n;
74070 struct inet_peer **stack[PEER_MAXDEPTH], ***stackptr;
74071
74072 + pax_track_stack();
74073 +
74074 /* Look up for the address quickly. */
74075 read_lock_bh(&peer_pool_lock);
74076 p = lookup(daddr, NULL);
74077 @@ -390,7 +392,7 @@ struct inet_peer *inet_getpeer(__be32 da
74078 return NULL;
74079 n->v4daddr = daddr;
74080 atomic_set(&n->refcnt, 1);
74081 - atomic_set(&n->rid, 0);
74082 + atomic_set_unchecked(&n->rid, 0);
74083 n->ip_id_count = secure_ip_id(daddr);
74084 n->tcp_ts_stamp = 0;
74085
74086 diff -urNp linux-2.6.32.46/net/ipv4/ip_fragment.c linux-2.6.32.46/net/ipv4/ip_fragment.c
74087 --- linux-2.6.32.46/net/ipv4/ip_fragment.c 2011-03-27 14:31:47.000000000 -0400
74088 +++ linux-2.6.32.46/net/ipv4/ip_fragment.c 2011-04-17 15:56:46.000000000 -0400
74089 @@ -255,7 +255,7 @@ static inline int ip_frag_too_far(struct
74090 return 0;
74091
74092 start = qp->rid;
74093 - end = atomic_inc_return(&peer->rid);
74094 + end = atomic_inc_return_unchecked(&peer->rid);
74095 qp->rid = end;
74096
74097 rc = qp->q.fragments && (end - start) > max;
74098 diff -urNp linux-2.6.32.46/net/ipv4/ip_sockglue.c linux-2.6.32.46/net/ipv4/ip_sockglue.c
74099 --- linux-2.6.32.46/net/ipv4/ip_sockglue.c 2011-03-27 14:31:47.000000000 -0400
74100 +++ linux-2.6.32.46/net/ipv4/ip_sockglue.c 2011-05-16 21:46:57.000000000 -0400
74101 @@ -1015,6 +1015,8 @@ static int do_ip_getsockopt(struct sock
74102 int val;
74103 int len;
74104
74105 + pax_track_stack();
74106 +
74107 if (level != SOL_IP)
74108 return -EOPNOTSUPP;
74109
74110 diff -urNp linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c
74111 --- linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c 2011-04-17 17:00:52.000000000 -0400
74112 +++ linux-2.6.32.46/net/ipv4/netfilter/arp_tables.c 2011-04-17 17:04:18.000000000 -0400
74113 @@ -934,6 +934,7 @@ static int get_info(struct net *net, voi
74114 private = &tmp;
74115 }
74116 #endif
74117 + memset(&info, 0, sizeof(info));
74118 info.valid_hooks = t->valid_hooks;
74119 memcpy(info.hook_entry, private->hook_entry,
74120 sizeof(info.hook_entry));
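Review bot: The `memset` deserves a comment saying what it protects, because a later cleanup could otherwise replace it with field-by-field initialisation. The visible assignments fill `valid_hooks` and `hook_entry` only, so padding and any field left unassigned would carry stale stack contents if `info` is later copied out to the caller (the copy is outside this hunk). Something like `/* clear padding and unset fields before the struct leaves the kernel */` is enough. The identical hunk in net/ipv4/netfilter/ip_tables.c needs the same line.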
74121 diff -urNp linux-2.6.32.46/net/ipv4/netfilter/ip_queue.c linux-2.6.32.46/net/ipv4/netfilter/ip_queue.c
74122 --- linux-2.6.32.46/net/ipv4/netfilter/ip_queue.c 2011-03-27 14:31:47.000000000 -0400
74123 +++ linux-2.6.32.46/net/ipv4/netfilter/ip_queue.c 2011-08-21 18:42:53.000000000 -0400
74124 @@ -286,6 +286,9 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, st
74125
74126 if (v->data_len < sizeof(*user_iph))
74127 return 0;
74128 + if (v->data_len > 65535)
74129 + return -EMSGSIZE;
74130 +
74131 diff = v->data_len - e->skb->len;
74132 if (diff < 0) {
74133 if (pskb_trim(e->skb, v->data_len))
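Review bot: The new upper bound is a bare `65535` and returns `-EMSGSIZE`, while the lower-bound check directly above returns `0` for a payload that is too short, so the two rejections are reported differently with no explanation. A named constant or a comment such as `/* larger than any IPv4 packet; also keeps diff below in range */` would record the intent; the part about `diff` is an inference, since its declaration is outside the hunk. The same literal is added to `ipq_mangle_ipv6` in net/ipv6/netfilter/ip6_queue.c, where it is worth stating explicitly whether 65535 is the intended limit for IPv6 as well.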
74134 @@ -409,7 +412,8 @@ ipq_dev_drop(int ifindex)
74135 static inline void
74136 __ipq_rcv_skb(struct sk_buff *skb)
74137 {
74138 - int status, type, pid, flags, nlmsglen, skblen;
74139 + int status, type, pid, flags;
74140 + unsigned int nlmsglen, skblen;
74141 struct nlmsghdr *nlh;
74142
74143 skblen = skb->len;
74144 diff -urNp linux-2.6.32.46/net/ipv4/netfilter/ip_tables.c linux-2.6.32.46/net/ipv4/netfilter/ip_tables.c
74145 --- linux-2.6.32.46/net/ipv4/netfilter/ip_tables.c 2011-04-17 17:00:52.000000000 -0400
74146 +++ linux-2.6.32.46/net/ipv4/netfilter/ip_tables.c 2011-04-17 17:04:18.000000000 -0400
74147 @@ -1141,6 +1141,7 @@ static int get_info(struct net *net, voi
74148 private = &tmp;
74149 }
74150 #endif
74151 + memset(&info, 0, sizeof(info));
74152 info.valid_hooks = t->valid_hooks;
74153 memcpy(info.hook_entry, private->hook_entry,
74154 sizeof(info.hook_entry));
74155 diff -urNp linux-2.6.32.46/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.32.46/net/ipv4/netfilter/nf_nat_snmp_basic.c
74156 --- linux-2.6.32.46/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-03-27 14:31:47.000000000 -0400
74157 +++ linux-2.6.32.46/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-04-17 15:56:46.000000000 -0400
74158 @@ -397,7 +397,7 @@ static unsigned char asn1_octets_decode(
74159
74160 *len = 0;
74161
74162 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
74163 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
74164 if (*octets == NULL) {
74165 if (net_ratelimit())
74166 printk("OOM in bsalg (%d)\n", __LINE__);
74167 diff -urNp linux-2.6.32.46/net/ipv4/raw.c linux-2.6.32.46/net/ipv4/raw.c
74168 --- linux-2.6.32.46/net/ipv4/raw.c 2011-03-27 14:31:47.000000000 -0400
74169 +++ linux-2.6.32.46/net/ipv4/raw.c 2011-08-14 11:46:51.000000000 -0400
74170 @@ -292,7 +292,7 @@ static int raw_rcv_skb(struct sock * sk,
74171 /* Charge it to the socket. */
74172
74173 if (sock_queue_rcv_skb(sk, skb) < 0) {
74174 - atomic_inc(&sk->sk_drops);
74175 + atomic_inc_unchecked(&sk->sk_drops);
74176 kfree_skb(skb);
74177 return NET_RX_DROP;
74178 }
74179 @@ -303,7 +303,7 @@ static int raw_rcv_skb(struct sock * sk,
74180 int raw_rcv(struct sock *sk, struct sk_buff *skb)
74181 {
74182 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
74183 - atomic_inc(&sk->sk_drops);
74184 + atomic_inc_unchecked(&sk->sk_drops);
74185 kfree_skb(skb);
74186 return NET_RX_DROP;
74187 }
74188 @@ -724,16 +724,23 @@ static int raw_init(struct sock *sk)
74189
74190 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
74191 {
74192 + struct icmp_filter filter;
74193 +
74194 + if (optlen < 0)
74195 + return -EINVAL;
74196 if (optlen > sizeof(struct icmp_filter))
74197 optlen = sizeof(struct icmp_filter);
74198 - if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
74199 + if (copy_from_user(&filter, optval, optlen))
74200 return -EFAULT;
74201 + raw_sk(sk)->filter = filter;
74202 +
74203 return 0;
74204 }
74205
74206 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
74207 {
74208 int len, ret = -EFAULT;
74209 + struct icmp_filter filter;
74210
74211 if (get_user(len, optlen))
74212 goto out;
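Review bot: In `raw_seticmpfilter`, `filter` is an uninitialised local, and when `optlen` is smaller than `sizeof(struct icmp_filter)` the `copy_from_user` fills only its first `optlen` bytes before `raw_sk(sk)->filter = filter;` stores the whole struct, stale stack bytes included. The old code wrote straight into the socket and left the untouched tail of the existing filter alone; the new code replaces that tail with indeterminate data that `raw_geticmpfilter` can later hand back to user space. Seeding the local from the current value restores the old behaviour: `struct icmp_filter filter = raw_sk(sk)->filter;`. If the declaration has to stay separate, `filter = raw_sk(sk)->filter;` placed before the `copy_from_user` does the same.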
74213 @@ -743,8 +750,9 @@ static int raw_geticmpfilter(struct sock
74214 if (len > sizeof(struct icmp_filter))
74215 len = sizeof(struct icmp_filter);
74216 ret = -EFAULT;
74217 - if (put_user(len, optlen) ||
74218 - copy_to_user(optval, &raw_sk(sk)->filter, len))
74219 + filter = raw_sk(sk)->filter;
74220 + if (put_user(len, optlen) || len > sizeof filter ||
74221 + copy_to_user(optval, &filter, len))
74222 goto out;
74223 ret = 0;
74224 out: return ret;
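Review bot: The added `len > sizeof filter` test cannot fire, because `len` is clamped to `sizeof(struct icmp_filter)` two lines earlier, and it sits after `put_user(len, optlen)`, so the length would already have been written back if it ever did. If it is kept as a belt-and-braces bound for the copy, put it first in the condition and say so in a comment, e.g. `/* redundant with the clamp above; keeps the copy provably bounded */`. The start of `raw_geticmpfilter`, including any check for a negative `len`, lies in the previous hunk and in lines not shown.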
74225 @@ -954,7 +962,13 @@ static void raw_sock_seq_show(struct seq
74226 sk_wmem_alloc_get(sp),
74227 sk_rmem_alloc_get(sp),
74228 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
74229 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
74230 + atomic_read(&sp->sk_refcnt),
74231 +#ifdef CONFIG_GRKERNSEC_HIDESYM
74232 + NULL,
74233 +#else
74234 + sp,
74235 +#endif
74236 + atomic_read_unchecked(&sp->sk_drops));
74237 }
74238
74239 static int raw_seq_show(struct seq_file *seq, void *v)
74240 diff -urNp linux-2.6.32.46/net/ipv4/route.c linux-2.6.32.46/net/ipv4/route.c
74241 --- linux-2.6.32.46/net/ipv4/route.c 2011-08-16 20:37:25.000000000 -0400
74242 +++ linux-2.6.32.46/net/ipv4/route.c 2011-08-07 19:48:09.000000000 -0400
74243 @@ -269,7 +269,7 @@ static inline unsigned int rt_hash(__be3
74244
74245 static inline int rt_genid(struct net *net)
74246 {
74247 - return atomic_read(&net->ipv4.rt_genid);
74248 + return atomic_read_unchecked(&net->ipv4.rt_genid);
74249 }
74250
74251 #ifdef CONFIG_PROC_FS
74252 @@ -889,7 +889,7 @@ static void rt_cache_invalidate(struct n
74253 unsigned char shuffle;
74254
74255 get_random_bytes(&shuffle, sizeof(shuffle));
74256 - atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
74257 + atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
74258 }
74259
74260 /*
74261 @@ -3357,7 +3357,7 @@ static __net_initdata struct pernet_oper
74262
74263 static __net_init int rt_secret_timer_init(struct net *net)
74264 {
74265 - atomic_set(&net->ipv4.rt_genid,
74266 + atomic_set_unchecked(&net->ipv4.rt_genid,
74267 (int) ((num_physpages ^ (num_physpages>>8)) ^
74268 (jiffies ^ (jiffies >> 7))));
74269
74270 diff -urNp linux-2.6.32.46/net/ipv4/tcp.c linux-2.6.32.46/net/ipv4/tcp.c
74271 --- linux-2.6.32.46/net/ipv4/tcp.c 2011-03-27 14:31:47.000000000 -0400
74272 +++ linux-2.6.32.46/net/ipv4/tcp.c 2011-05-16 21:46:57.000000000 -0400
74273 @@ -2085,6 +2085,8 @@ static int do_tcp_setsockopt(struct sock
74274 int val;
74275 int err = 0;
74276
74277 + pax_track_stack();
74278 +
74279 /* This is a string value all the others are int's */
74280 if (optname == TCP_CONGESTION) {
74281 char name[TCP_CA_NAME_MAX];
74282 @@ -2355,6 +2357,8 @@ static int do_tcp_getsockopt(struct sock
74283 struct tcp_sock *tp = tcp_sk(sk);
74284 int val, len;
74285
74286 + pax_track_stack();
74287 +
74288 if (get_user(len, optlen))
74289 return -EFAULT;
74290
74291 diff -urNp linux-2.6.32.46/net/ipv4/tcp_ipv4.c linux-2.6.32.46/net/ipv4/tcp_ipv4.c
74292 --- linux-2.6.32.46/net/ipv4/tcp_ipv4.c 2011-08-16 20:37:25.000000000 -0400
74293 +++ linux-2.6.32.46/net/ipv4/tcp_ipv4.c 2011-08-23 21:22:32.000000000 -0400
74294 @@ -85,6 +85,9 @@
74295 int sysctl_tcp_tw_reuse __read_mostly;
74296 int sysctl_tcp_low_latency __read_mostly;
74297
74298 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74299 +extern int grsec_enable_blackhole;
74300 +#endif
74301
74302 #ifdef CONFIG_TCP_MD5SIG
74303 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
74304 @@ -1543,6 +1546,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
74305 return 0;
74306
74307 reset:
74308 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74309 + if (!grsec_enable_blackhole)
74310 +#endif
74311 tcp_v4_send_reset(rsk, skb);
74312 discard:
74313 kfree_skb(skb);
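Review bot: The `if (!grsec_enable_blackhole)` guard is an unbraced `if` whose body is the next line outside the `#ifdef`, so the controlled statement depends on the configuration and anything later inserted between `#endif` and `tcp_v4_send_reset()` silently becomes the guarded statement. The same construction is used at `no_tcp_socket:` in `tcp_v4_rcv`, at `embryonic_reset:` in tcp_minisocks.c (where it stacks on a second unbraced `if`) and before `icmp_send()` in `__udp4_lib_rcv`. A small inline predicate that returns false when the option is off, used as `if (!blackhole_active()) tcp_v4_send_reset(rsk, skb);`, would take the preprocessor out of the control flow. The helper name is only a suggestion.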
74314 @@ -1604,12 +1610,20 @@ int tcp_v4_rcv(struct sk_buff *skb)
74315 TCP_SKB_CB(skb)->sacked = 0;
74316
74317 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
74318 - if (!sk)
74319 + if (!sk) {
74320 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74321 + ret = 1;
74322 +#endif
74323 goto no_tcp_socket;
74324 + }
74325
74326 process:
74327 - if (sk->sk_state == TCP_TIME_WAIT)
74328 + if (sk->sk_state == TCP_TIME_WAIT) {
74329 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74330 + ret = 2;
74331 +#endif
74332 goto do_time_wait;
74333 + }
74334
74335 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
74336 goto discard_and_relse;
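Review bot: `ret` is reused as a marker with the bare values `1` and `2`, but the only test visible in this patch is `ret == 1` at `no_tcp_socket:`. The value `2` is never read in the hunks shown and presumably only makes `ret` differ from 1 on the TIME_WAIT path. Overloading the function's return variable this way is fragile, because any assignment to `ret` between these branches and the label (outside this hunk) changes the blackhole decision. A dedicated local, for example `bool no_socket = false;` set in the `!sk` branch, states the intent and leaves `ret` alone.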
74337 @@ -1651,6 +1665,10 @@ no_tcp_socket:
74338 bad_packet:
74339 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
74340 } else {
74341 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74342 + if (!grsec_enable_blackhole || (ret == 1 &&
74343 + (skb->dev->flags & IFF_LOOPBACK)))
74344 +#endif
74345 tcp_v4_send_reset(NULL, skb);
74346 }
74347
74348 @@ -2238,7 +2256,11 @@ static void get_openreq4(struct sock *sk
74349 0, /* non standard timer */
74350 0, /* open_requests have no inode */
74351 atomic_read(&sk->sk_refcnt),
74352 +#ifdef CONFIG_GRKERNSEC_HIDESYM
74353 + NULL,
74354 +#else
74355 req,
74356 +#endif
74357 len);
74358 }
74359
74360 @@ -2280,7 +2302,12 @@ static void get_tcp4_sock(struct sock *s
74361 sock_i_uid(sk),
74362 icsk->icsk_probes_out,
74363 sock_i_ino(sk),
74364 - atomic_read(&sk->sk_refcnt), sk,
74365 + atomic_read(&sk->sk_refcnt),
74366 +#ifdef CONFIG_GRKERNSEC_HIDESYM
74367 + NULL,
74368 +#else
74369 + sk,
74370 +#endif
74371 jiffies_to_clock_t(icsk->icsk_rto),
74372 jiffies_to_clock_t(icsk->icsk_ack.ato),
74373 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
74374 @@ -2308,7 +2335,13 @@ static void get_timewait4_sock(struct in
74375 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
74376 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
74377 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
74378 - atomic_read(&tw->tw_refcnt), tw, len);
74379 + atomic_read(&tw->tw_refcnt),
74380 +#ifdef CONFIG_GRKERNSEC_HIDESYM
74381 + NULL,
74382 +#else
74383 + tw,
74384 +#endif
74385 + len);
74386 }
74387
74388 #define TMPSZ 150
74389 diff -urNp linux-2.6.32.46/net/ipv4/tcp_minisocks.c linux-2.6.32.46/net/ipv4/tcp_minisocks.c
74390 --- linux-2.6.32.46/net/ipv4/tcp_minisocks.c 2011-03-27 14:31:47.000000000 -0400
74391 +++ linux-2.6.32.46/net/ipv4/tcp_minisocks.c 2011-04-17 15:56:46.000000000 -0400
74392 @@ -26,6 +26,10 @@
74393 #include <net/inet_common.h>
74394 #include <net/xfrm.h>
74395
74396 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74397 +extern int grsec_enable_blackhole;
74398 +#endif
74399 +
74400 #ifdef CONFIG_SYSCTL
74401 #define SYNC_INIT 0 /* let the user enable it */
74402 #else
74403 @@ -672,6 +676,10 @@ listen_overflow:
74404
74405 embryonic_reset:
74406 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
74407 +
74408 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74409 + if (!grsec_enable_blackhole)
74410 +#endif
74411 if (!(flg & TCP_FLAG_RST))
74412 req->rsk_ops->send_reset(sk, skb);
74413
74414 diff -urNp linux-2.6.32.46/net/ipv4/tcp_output.c linux-2.6.32.46/net/ipv4/tcp_output.c
74415 --- linux-2.6.32.46/net/ipv4/tcp_output.c 2011-03-27 14:31:47.000000000 -0400
74416 +++ linux-2.6.32.46/net/ipv4/tcp_output.c 2011-05-16 21:46:57.000000000 -0400
74417 @@ -2234,6 +2234,8 @@ struct sk_buff *tcp_make_synack(struct s
74418 __u8 *md5_hash_location;
74419 int mss;
74420
74421 + pax_track_stack();
74422 +
74423 skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC);
74424 if (skb == NULL)
74425 return NULL;
74426 diff -urNp linux-2.6.32.46/net/ipv4/tcp_probe.c linux-2.6.32.46/net/ipv4/tcp_probe.c
74427 --- linux-2.6.32.46/net/ipv4/tcp_probe.c 2011-03-27 14:31:47.000000000 -0400
74428 +++ linux-2.6.32.46/net/ipv4/tcp_probe.c 2011-04-17 15:56:46.000000000 -0400
74429 @@ -200,7 +200,7 @@ static ssize_t tcpprobe_read(struct file
74430 if (cnt + width >= len)
74431 break;
74432
74433 - if (copy_to_user(buf + cnt, tbuf, width))
74434 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
74435 return -EFAULT;
74436 cnt += width;
74437 }
74438 diff -urNp linux-2.6.32.46/net/ipv4/tcp_timer.c linux-2.6.32.46/net/ipv4/tcp_timer.c
74439 --- linux-2.6.32.46/net/ipv4/tcp_timer.c 2011-03-27 14:31:47.000000000 -0400
74440 +++ linux-2.6.32.46/net/ipv4/tcp_timer.c 2011-04-17 15:56:46.000000000 -0400
74441 @@ -21,6 +21,10 @@
74442 #include <linux/module.h>
74443 #include <net/tcp.h>
74444
74445 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74446 +extern int grsec_lastack_retries;
74447 +#endif
74448 +
74449 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
74450 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
74451 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
74452 @@ -164,6 +168,13 @@ static int tcp_write_timeout(struct sock
74453 }
74454 }
74455
74456 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74457 + if ((sk->sk_state == TCP_LAST_ACK) &&
74458 + (grsec_lastack_retries > 0) &&
74459 + (grsec_lastack_retries < retry_until))
74460 + retry_until = grsec_lastack_retries;
74461 +#endif
74462 +
74463 if (retransmits_timed_out(sk, retry_until)) {
74464 /* Has it gone just too far? */
74465 tcp_write_err(sk);
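Review bot: The new clamp has no comment, and its conditions encode a policy a reader has to reverse-engineer: it applies only in `TCP_LAST_ACK`, only when `grsec_lastack_retries` is positive, and only ever lowers `retry_until`. A line such as `/* blackhole: cap LAST_ACK retransmits; 0 leaves the stock limit */` above the `#ifdef` would document that. The range of `grsec_lastack_retries` is set wherever it is defined, outside this file section, so an upper bound cannot be confirmed from here.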
74466 diff -urNp linux-2.6.32.46/net/ipv4/udp.c linux-2.6.32.46/net/ipv4/udp.c
74467 --- linux-2.6.32.46/net/ipv4/udp.c 2011-07-13 17:23:04.000000000 -0400
74468 +++ linux-2.6.32.46/net/ipv4/udp.c 2011-08-23 21:22:32.000000000 -0400
74469 @@ -86,6 +86,7 @@
74470 #include <linux/types.h>
74471 #include <linux/fcntl.h>
74472 #include <linux/module.h>
74473 +#include <linux/security.h>
74474 #include <linux/socket.h>
74475 #include <linux/sockios.h>
74476 #include <linux/igmp.h>
74477 @@ -106,6 +107,10 @@
74478 #include <net/xfrm.h>
74479 #include "udp_impl.h"
74480
74481 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74482 +extern int grsec_enable_blackhole;
74483 +#endif
74484 +
74485 struct udp_table udp_table;
74486 EXPORT_SYMBOL(udp_table);
74487
74488 @@ -371,6 +376,9 @@ found:
74489 return s;
74490 }
74491
74492 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
74493 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
74494 +
74495 /*
74496 * This routine is called by the ICMP module when it gets some
74497 * sort of error condition. If err < 0 then the socket should
74498 @@ -639,9 +647,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
74499 dport = usin->sin_port;
74500 if (dport == 0)
74501 return -EINVAL;
74502 +
74503 + err = gr_search_udp_sendmsg(sk, usin);
74504 + if (err)
74505 + return err;
74506 } else {
74507 if (sk->sk_state != TCP_ESTABLISHED)
74508 return -EDESTADDRREQ;
74509 +
74510 + err = gr_search_udp_sendmsg(sk, NULL);
74511 + if (err)
74512 + return err;
74513 +
74514 daddr = inet->daddr;
74515 dport = inet->dport;
74516 /* Open fast path for connected socket.
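Review bot: `gr_search_udp_sendmsg()` is called with `usin` in the addressed branch and with `NULL` in the connected branch, and nothing at either call site says what `NULL` means to the hook or what its non-zero return values are. Since the result is returned straight to the caller of `udp_sendmsg`, the hook has to return a negative errno. A comment at the declaration, e.g. `/* returns 0 to allow or a negative errno; addr == NULL means use the connected peer */`, would pin that down. That contract is inferred from these two call sites and should be checked against the definition, which is not in this file.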
74517 @@ -945,6 +962,10 @@ try_again:
74518 if (!skb)
74519 goto out;
74520
74521 + err = gr_search_udp_recvmsg(sk, skb);
74522 + if (err)
74523 + goto out_free;
74524 +
74525 ulen = skb->len - sizeof(struct udphdr);
74526 copied = len;
74527 if (copied > ulen)
74528 @@ -1068,7 +1089,7 @@ static int __udp_queue_rcv_skb(struct so
74529 if (rc == -ENOMEM) {
74530 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
74531 is_udplite);
74532 - atomic_inc(&sk->sk_drops);
74533 + atomic_inc_unchecked(&sk->sk_drops);
74534 }
74535 goto drop;
74536 }
74537 @@ -1338,6 +1359,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
74538 goto csum_error;
74539
74540 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
74541 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74542 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
74543 +#endif
74544 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
74545
74546 /*
74547 @@ -1758,8 +1782,13 @@ static void udp4_format_sock(struct sock
74548 sk_wmem_alloc_get(sp),
74549 sk_rmem_alloc_get(sp),
74550 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
74551 - atomic_read(&sp->sk_refcnt), sp,
74552 - atomic_read(&sp->sk_drops), len);
74553 + atomic_read(&sp->sk_refcnt),
74554 +#ifdef CONFIG_GRKERNSEC_HIDESYM
74555 + NULL,
74556 +#else
74557 + sp,
74558 +#endif
74559 + atomic_read_unchecked(&sp->sk_drops), len);
74560 }
74561
74562 int udp4_seq_show(struct seq_file *seq, void *v)
74563 diff -urNp linux-2.6.32.46/net/ipv6/inet6_connection_sock.c linux-2.6.32.46/net/ipv6/inet6_connection_sock.c
74564 --- linux-2.6.32.46/net/ipv6/inet6_connection_sock.c 2011-03-27 14:31:47.000000000 -0400
74565 +++ linux-2.6.32.46/net/ipv6/inet6_connection_sock.c 2011-05-04 17:56:28.000000000 -0400
74566 @@ -152,7 +152,7 @@ void __inet6_csk_dst_store(struct sock *
74567 #ifdef CONFIG_XFRM
74568 {
74569 struct rt6_info *rt = (struct rt6_info *)dst;
74570 - rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
74571 + rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
74572 }
74573 #endif
74574 }
74575 @@ -167,7 +167,7 @@ struct dst_entry *__inet6_csk_dst_check(
74576 #ifdef CONFIG_XFRM
74577 if (dst) {
74578 struct rt6_info *rt = (struct rt6_info *)dst;
74579 - if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
74580 + if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
74581 sk->sk_dst_cache = NULL;
74582 dst_release(dst);
74583 dst = NULL;
74584 diff -urNp linux-2.6.32.46/net/ipv6/inet6_hashtables.c linux-2.6.32.46/net/ipv6/inet6_hashtables.c
74585 --- linux-2.6.32.46/net/ipv6/inet6_hashtables.c 2011-08-16 20:37:25.000000000 -0400
74586 +++ linux-2.6.32.46/net/ipv6/inet6_hashtables.c 2011-08-07 19:48:09.000000000 -0400
74587 @@ -119,7 +119,7 @@ out:
74588 }
74589 EXPORT_SYMBOL(__inet6_lookup_established);
74590
74591 -static int inline compute_score(struct sock *sk, struct net *net,
74592 +static inline int compute_score(struct sock *sk, struct net *net,
74593 const unsigned short hnum,
74594 const struct in6_addr *daddr,
74595 const int dif)
74596 diff -urNp linux-2.6.32.46/net/ipv6/ip6_tunnel.c linux-2.6.32.46/net/ipv6/ip6_tunnel.c
74597 --- linux-2.6.32.46/net/ipv6/ip6_tunnel.c 2011-08-09 18:35:30.000000000 -0400
74598 +++ linux-2.6.32.46/net/ipv6/ip6_tunnel.c 2011-08-24 18:52:25.000000000 -0400
74599 @@ -1466,7 +1466,7 @@ static int __init ip6_tunnel_init(void)
74600 {
74601 int err;
74602
74603 - err = register_pernet_device(&ip6_tnl_net_ops);
74604 + err = register_pernet_gen_device(&ip6_tnl_net_id, &ip6_tnl_net_ops);
74605 if (err < 0)
74606 goto out_pernet;
74607
74608 @@ -1487,7 +1487,7 @@ static int __init ip6_tunnel_init(void)
74609 out_ip6ip6:
74610 xfrm6_tunnel_deregister(&ip4ip6_handler, AF_INET);
74611 out_ip4ip6:
74612 - unregister_pernet_device(&ip6_tnl_net_ops);
74613 + unregister_pernet_gen_device(ip6_tnl_net_id, &ip6_tnl_net_ops);
74614 out_pernet:
74615 return err;
74616 }
74617 diff -urNp linux-2.6.32.46/net/ipv6/ipv6_sockglue.c linux-2.6.32.46/net/ipv6/ipv6_sockglue.c
74618 --- linux-2.6.32.46/net/ipv6/ipv6_sockglue.c 2011-03-27 14:31:47.000000000 -0400
74619 +++ linux-2.6.32.46/net/ipv6/ipv6_sockglue.c 2011-05-16 21:46:57.000000000 -0400
74620 @@ -130,6 +130,8 @@ static int do_ipv6_setsockopt(struct soc
74621 int val, valbool;
74622 int retv = -ENOPROTOOPT;
74623
74624 + pax_track_stack();
74625 +
74626 if (optval == NULL)
74627 val=0;
74628 else {
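Review bot: The `pax_track_stack();` call at the top of do_ipv6_setsockopt has no comment saying why this function needs it, and the same bare call is added in do_ipv6_getsockopt, rawv6_sendmsg, pfkey_migrate, sta_agg_status_read and ieee80211_rx_mgmt_assoc_resp further down. I'd put one line above each call, e.g. `/* large stack frame: record the stack depth for PaX stack clearing */`, assuming that is why these functions were picked. The locals that would make the frames large are mostly outside the hunks, and both sockopt bodies start and end outside them as well.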
74629 @@ -881,6 +883,8 @@ static int do_ipv6_getsockopt(struct soc
74630 int len;
74631 int val;
74632
74633 + pax_track_stack();
74634 +
74635 if (ip6_mroute_opt(optname))
74636 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
74637
74638 diff -urNp linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c
74639 --- linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c 2011-03-27 14:31:47.000000000 -0400
74640 +++ linux-2.6.32.46/net/ipv6/netfilter/ip6_queue.c 2011-08-21 18:43:32.000000000 -0400
74641 @@ -287,6 +287,9 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, st
74642
74643 if (v->data_len < sizeof(*user_iph))
74644 return 0;
74645 + if (v->data_len > 65535)
74646 + return -EMSGSIZE;
74647 +
74648 diff = v->data_len - e->skb->len;
74649 if (diff < 0) {
74650 if (pskb_trim(e->skb, v->data_len))
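Review bot: The new upper bound in ipq_mangle_ipv6 is a bare `65535` with no statement of why that value was chosen. It sits directly before `diff = v->data_len - e->skb->len;`, so I assume it exists to keep that subtraction and the later resize in range. A named constant or a comment such as `/* reject lengths no packet can have before computing diff */` would record that. It is also worth documenting that a too-short message returns 0 while a too-long one returns `-EMSGSIZE`. The function body starts and ends outside the hunk.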
74651 @@ -411,7 +414,8 @@ ipq_dev_drop(int ifindex)
74652 static inline void
74653 __ipq_rcv_skb(struct sk_buff *skb)
74654 {
74655 - int status, type, pid, flags, nlmsglen, skblen;
74656 + int status, type, pid, flags;
74657 + unsigned int nlmsglen, skblen;
74658 struct nlmsghdr *nlh;
74659
74660 skblen = skb->len;
74661 diff -urNp linux-2.6.32.46/net/ipv6/netfilter/ip6_tables.c linux-2.6.32.46/net/ipv6/netfilter/ip6_tables.c
74662 --- linux-2.6.32.46/net/ipv6/netfilter/ip6_tables.c 2011-04-17 17:00:52.000000000 -0400
74663 +++ linux-2.6.32.46/net/ipv6/netfilter/ip6_tables.c 2011-04-17 17:04:18.000000000 -0400
74664 @@ -1173,6 +1173,7 @@ static int get_info(struct net *net, voi
74665 private = &tmp;
74666 }
74667 #endif
74668 + memset(&info, 0, sizeof(info));
74669 info.valid_hooks = t->valid_hooks;
74670 memcpy(info.hook_entry, private->hook_entry,
74671 sizeof(info.hook_entry));
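Review bot: The added `memset(&info, 0, sizeof(info));` in get_info carries no comment, so a later cleanup could mistake it for redundant initialisation and drop it. If `info` is copied to user space further down, which is outside the hunk, say so next to the call: `/* clear padding and unset bytes before info is copied to user space */`. Only `valid_hooks` and `hook_entry` are filled in the visible lines, so which bytes would otherwise stay uninitialised cannot be confirmed from here.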
74672 diff -urNp linux-2.6.32.46/net/ipv6/raw.c linux-2.6.32.46/net/ipv6/raw.c
74673 --- linux-2.6.32.46/net/ipv6/raw.c 2011-03-27 14:31:47.000000000 -0400
74674 +++ linux-2.6.32.46/net/ipv6/raw.c 2011-08-14 11:48:20.000000000 -0400
74675 @@ -375,14 +375,14 @@ static inline int rawv6_rcv_skb(struct s
74676 {
74677 if ((raw6_sk(sk)->checksum || sk->sk_filter) &&
74678 skb_checksum_complete(skb)) {
74679 - atomic_inc(&sk->sk_drops);
74680 + atomic_inc_unchecked(&sk->sk_drops);
74681 kfree_skb(skb);
74682 return NET_RX_DROP;
74683 }
74684
74685 /* Charge it to the socket. */
74686 if (sock_queue_rcv_skb(sk,skb)<0) {
74687 - atomic_inc(&sk->sk_drops);
74688 + atomic_inc_unchecked(&sk->sk_drops);
74689 kfree_skb(skb);
74690 return NET_RX_DROP;
74691 }
74692 @@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
74693 struct raw6_sock *rp = raw6_sk(sk);
74694
74695 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
74696 - atomic_inc(&sk->sk_drops);
74697 + atomic_inc_unchecked(&sk->sk_drops);
74698 kfree_skb(skb);
74699 return NET_RX_DROP;
74700 }
74701 @@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
74702
74703 if (inet->hdrincl) {
74704 if (skb_checksum_complete(skb)) {
74705 - atomic_inc(&sk->sk_drops);
74706 + atomic_inc_unchecked(&sk->sk_drops);
74707 kfree_skb(skb);
74708 return NET_RX_DROP;
74709 }
74710 @@ -518,7 +518,7 @@ csum_copy_err:
74711 as some normal condition.
74712 */
74713 err = (flags&MSG_DONTWAIT) ? -EAGAIN : -EHOSTUNREACH;
74714 - atomic_inc(&sk->sk_drops);
74715 + atomic_inc_unchecked(&sk->sk_drops);
74716 goto out;
74717 }
74718
74719 @@ -600,7 +600,7 @@ out:
74720 return err;
74721 }
74722
74723 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
74724 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
74725 struct flowi *fl, struct rt6_info *rt,
74726 unsigned int flags)
74727 {
74728 @@ -738,6 +738,8 @@ static int rawv6_sendmsg(struct kiocb *i
74729 u16 proto;
74730 int err;
74731
74732 + pax_track_stack();
74733 +
74734 /* Rough check on arithmetic overflow,
74735 better check is made in ip6_append_data().
74736 */
74737 @@ -916,12 +918,17 @@ do_confirm:
74738 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
74739 char __user *optval, int optlen)
74740 {
74741 + struct icmp6_filter filter;
74742 +
74743 switch (optname) {
74744 case ICMPV6_FILTER:
74745 + if (optlen < 0)
74746 + return -EINVAL;
74747 if (optlen > sizeof(struct icmp6_filter))
74748 optlen = sizeof(struct icmp6_filter);
74749 - if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
74750 + if (copy_from_user(&filter, optval, optlen))
74751 return -EFAULT;
74752 + raw6_sk(sk)->filter = filter;
74753 return 0;
74754 default:
74755 return -ENOPROTOOPT;
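Review bot: `filter` is an uninitialised stack local, and when `optlen` is smaller than `sizeof(struct icmp6_filter)` the call `copy_from_user(&filter, optval, optlen)` fills only its first `optlen` bytes, yet `raw6_sk(sk)->filter = filter;` then stores the whole struct. The old code left the tail of the socket's filter untouched in that case. The new code overwrites it with leftover stack contents, which changes filtering behaviour and can be read back through rawv6_geticmpfilter. Seeding the local first keeps the old semantics: `filter = raw6_sk(sk)->filter;` placed before the `copy_from_user` call. The function's closing lines are outside the hunk.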
74756 @@ -934,6 +941,7 @@ static int rawv6_geticmpfilter(struct so
74757 char __user *optval, int __user *optlen)
74758 {
74759 int len;
74760 + struct icmp6_filter filter;
74761
74762 switch (optname) {
74763 case ICMPV6_FILTER:
74764 @@ -945,7 +953,8 @@ static int rawv6_geticmpfilter(struct so
74765 len = sizeof(struct icmp6_filter);
74766 if (put_user(len, optlen))
74767 return -EFAULT;
74768 - if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
74769 + filter = raw6_sk(sk)->filter;
74770 + if (len > sizeof filter || copy_to_user(optval, &filter, len))
74771 return -EFAULT;
74772 return 0;
74773 default:
74774 @@ -1241,7 +1250,13 @@ static void raw6_sock_seq_show(struct se
74775 0, 0L, 0,
74776 sock_i_uid(sp), 0,
74777 sock_i_ino(sp),
74778 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
74779 + atomic_read(&sp->sk_refcnt),
74780 +#ifdef CONFIG_GRKERNSEC_HIDESYM
74781 + NULL,
74782 +#else
74783 + sp,
74784 +#endif
74785 + atomic_read_unchecked(&sp->sk_drops));
74786 }
74787
74788 static int raw6_seq_show(struct seq_file *seq, void *v)
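Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `NULL` / `#else` / `sp` / `#endif` sequence is spliced into the middle of the argument list here, and the same five lines recur in get_openreq6, get_tcp6_sock, get_timewait6_sock, udp6_sock_seq_show and pfkey_seq_show. A single helper defined once, for instance a macro that expands to `NULL` under HIDESYM and to its argument otherwise, would keep each call on one line and make a missed site easier to spot. The format string is outside this hunk, but where it is visible (pfkey_seq_show uses `%p`) a NULL argument changes the text of that column. That is worth noting in the option's help text for tools that parse these seq files.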
74789 diff -urNp linux-2.6.32.46/net/ipv6/tcp_ipv6.c linux-2.6.32.46/net/ipv6/tcp_ipv6.c
74790 --- linux-2.6.32.46/net/ipv6/tcp_ipv6.c 2011-08-16 20:37:25.000000000 -0400
74791 +++ linux-2.6.32.46/net/ipv6/tcp_ipv6.c 2011-08-07 19:48:09.000000000 -0400
74792 @@ -89,6 +89,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
74793 }
74794 #endif
74795
74796 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74797 +extern int grsec_enable_blackhole;
74798 +#endif
74799 +
74800 static void tcp_v6_hash(struct sock *sk)
74801 {
74802 if (sk->sk_state != TCP_CLOSE) {
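Review bot: `extern int grsec_enable_blackhole;` is declared directly in this .c file, and the same declaration is repeated in net/ipv6/udp.c further down. A declaration local to a .c file is not checked against the definition, so a later change of the variable's type would compile silently on both sides. I'd move it into a shared header that the defining file also includes, and keep the `#ifdef CONFIG_GRKERNSEC_BLACKHOLE` guard there.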
74803 @@ -1579,6 +1583,9 @@ static int tcp_v6_do_rcv(struct sock *sk
74804 return 0;
74805
74806 reset:
74807 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74808 + if (!grsec_enable_blackhole)
74809 +#endif
74810 tcp_v6_send_reset(sk, skb);
74811 discard:
74812 if (opt_skb)
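Review bot: The `if (!grsec_enable_blackhole)` line sits inside the `#ifdef` while the statement it governs, `tcp_v6_send_reset(sk, skb);`, sits outside it, so what happens at `reset:` depends on the preprocessor and the call is not visibly tied to its condition. A line inserted between `#endif` and the call would silently change what the `if` guards. The same construct appears at `no_tcp_socket:` in tcp_v6_rcv and before `icmpv6_send()` in __udp6_lib_rcv. At minimum I'd mark the call, e.g. `tcp_v6_send_reset(sk, skb); /* conditional when CONFIG_GRKERNSEC_BLACKHOLE is set, see above */`. A small inline predicate that is always true without the option would let each site be an ordinary braced `if`.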
74813 @@ -1656,12 +1663,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
74814 TCP_SKB_CB(skb)->sacked = 0;
74815
74816 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
74817 - if (!sk)
74818 + if (!sk) {
74819 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74820 + ret = 1;
74821 +#endif
74822 goto no_tcp_socket;
74823 + }
74824
74825 process:
74826 - if (sk->sk_state == TCP_TIME_WAIT)
74827 + if (sk->sk_state == TCP_TIME_WAIT) {
74828 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74829 + ret = 2;
74830 +#endif
74831 goto do_time_wait;
74832 + }
74833
74834 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
74835 goto discard_and_relse;
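Review bot: `ret = 1` and `ret = 2` reuse the function's return variable as a marker for which path reached `no_tcp_socket`, with no names or comments for the two values. In the visible hunks only `ret == 1` is tested, in the `no_tcp_socket` hunk below together with `IFF_LOOPBACK`; the value 2 is never compared. A dedicated local, or at least comments such as `ret = 1; /* no socket found: loopback may still get a reset */`, would make this readable. It should also be confirmed that no path outside the hunk returns `ret` after these assignments. tcp_v6_rcv's body starts and ends outside the hunk.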
74836 @@ -1701,6 +1716,10 @@ no_tcp_socket:
74837 bad_packet:
74838 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
74839 } else {
74840 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74841 + if (!grsec_enable_blackhole || (ret == 1 &&
74842 + (skb->dev->flags & IFF_LOOPBACK)))
74843 +#endif
74844 tcp_v6_send_reset(NULL, skb);
74845 }
74846
74847 @@ -1916,7 +1935,13 @@ static void get_openreq6(struct seq_file
74848 uid,
74849 0, /* non standard timer */
74850 0, /* open_requests have no inode */
74851 - 0, req);
74852 + 0,
74853 +#ifdef CONFIG_GRKERNSEC_HIDESYM
74854 + NULL
74855 +#else
74856 + req
74857 +#endif
74858 + );
74859 }
74860
74861 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
74862 @@ -1966,7 +1991,12 @@ static void get_tcp6_sock(struct seq_fil
74863 sock_i_uid(sp),
74864 icsk->icsk_probes_out,
74865 sock_i_ino(sp),
74866 - atomic_read(&sp->sk_refcnt), sp,
74867 + atomic_read(&sp->sk_refcnt),
74868 +#ifdef CONFIG_GRKERNSEC_HIDESYM
74869 + NULL,
74870 +#else
74871 + sp,
74872 +#endif
74873 jiffies_to_clock_t(icsk->icsk_rto),
74874 jiffies_to_clock_t(icsk->icsk_ack.ato),
74875 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
74876 @@ -2001,7 +2031,13 @@ static void get_timewait6_sock(struct se
74877 dest->s6_addr32[2], dest->s6_addr32[3], destp,
74878 tw->tw_substate, 0, 0,
74879 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
74880 - atomic_read(&tw->tw_refcnt), tw);
74881 + atomic_read(&tw->tw_refcnt),
74882 +#ifdef CONFIG_GRKERNSEC_HIDESYM
74883 + NULL
74884 +#else
74885 + tw
74886 +#endif
74887 + );
74888 }
74889
74890 static int tcp6_seq_show(struct seq_file *seq, void *v)
74891 diff -urNp linux-2.6.32.46/net/ipv6/udp.c linux-2.6.32.46/net/ipv6/udp.c
74892 --- linux-2.6.32.46/net/ipv6/udp.c 2011-07-13 17:23:04.000000000 -0400
74893 +++ linux-2.6.32.46/net/ipv6/udp.c 2011-07-13 17:23:27.000000000 -0400
74894 @@ -49,6 +49,10 @@
74895 #include <linux/seq_file.h>
74896 #include "udp_impl.h"
74897
74898 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74899 +extern int grsec_enable_blackhole;
74900 +#endif
74901 +
74902 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
74903 {
74904 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
74905 @@ -391,7 +395,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
74906 if (rc == -ENOMEM) {
74907 UDP6_INC_STATS_BH(sock_net(sk),
74908 UDP_MIB_RCVBUFERRORS, is_udplite);
74909 - atomic_inc(&sk->sk_drops);
74910 + atomic_inc_unchecked(&sk->sk_drops);
74911 }
74912 goto drop;
74913 }
74914 @@ -590,6 +594,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
74915 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
74916 proto == IPPROTO_UDPLITE);
74917
74918 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
74919 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
74920 +#endif
74921 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
74922
74923 kfree_skb(skb);
74924 @@ -1209,8 +1216,13 @@ static void udp6_sock_seq_show(struct se
74925 0, 0L, 0,
74926 sock_i_uid(sp), 0,
74927 sock_i_ino(sp),
74928 - atomic_read(&sp->sk_refcnt), sp,
74929 - atomic_read(&sp->sk_drops));
74930 + atomic_read(&sp->sk_refcnt),
74931 +#ifdef CONFIG_GRKERNSEC_HIDESYM
74932 + NULL,
74933 +#else
74934 + sp,
74935 +#endif
74936 + atomic_read_unchecked(&sp->sk_drops));
74937 }
74938
74939 int udp6_seq_show(struct seq_file *seq, void *v)
74940 diff -urNp linux-2.6.32.46/net/irda/ircomm/ircomm_tty.c linux-2.6.32.46/net/irda/ircomm/ircomm_tty.c
74941 --- linux-2.6.32.46/net/irda/ircomm/ircomm_tty.c 2011-03-27 14:31:47.000000000 -0400
74942 +++ linux-2.6.32.46/net/irda/ircomm/ircomm_tty.c 2011-04-17 15:56:46.000000000 -0400
74943 @@ -280,16 +280,16 @@ static int ircomm_tty_block_til_ready(st
74944 add_wait_queue(&self->open_wait, &wait);
74945
74946 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
74947 - __FILE__,__LINE__, tty->driver->name, self->open_count );
74948 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
74949
74950 /* As far as I can see, we protect open_count - Jean II */
74951 spin_lock_irqsave(&self->spinlock, flags);
74952 if (!tty_hung_up_p(filp)) {
74953 extra_count = 1;
74954 - self->open_count--;
74955 + local_dec(&self->open_count);
74956 }
74957 spin_unlock_irqrestore(&self->spinlock, flags);
74958 - self->blocked_open++;
74959 + local_inc(&self->blocked_open);
74960
74961 while (1) {
74962 if (tty->termios->c_cflag & CBAUD) {
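Review bot: `local_t` operations are atomic only with respect to the CPU that executes them, so this conversion does not make `local_inc(&self->blocked_open)` safe against another CPU. That call still runs after `spin_unlock_irqrestore()`, exactly as the old `self->blocked_open++` did. The existing comment "we protect open_count" now sits next to a type that suggests no lock is needed, which is misleading. If the conversion has another purpose, state it where the fields are declared, e.g. `/* local_t: <reason>; still serialised by self->spinlock */`. The same int-to-`local_t` change is made to `open_count` in struct ieee80211_local in the mac80211 hunks below.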
74963 @@ -329,7 +329,7 @@ static int ircomm_tty_block_til_ready(st
74964 }
74965
74966 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
74967 - __FILE__,__LINE__, tty->driver->name, self->open_count );
74968 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
74969
74970 schedule();
74971 }
74972 @@ -340,13 +340,13 @@ static int ircomm_tty_block_til_ready(st
74973 if (extra_count) {
74974 /* ++ is not atomic, so this should be protected - Jean II */
74975 spin_lock_irqsave(&self->spinlock, flags);
74976 - self->open_count++;
74977 + local_inc(&self->open_count);
74978 spin_unlock_irqrestore(&self->spinlock, flags);
74979 }
74980 - self->blocked_open--;
74981 + local_dec(&self->blocked_open);
74982
74983 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
74984 - __FILE__,__LINE__, tty->driver->name, self->open_count);
74985 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
74986
74987 if (!retval)
74988 self->flags |= ASYNC_NORMAL_ACTIVE;
74989 @@ -415,14 +415,14 @@ static int ircomm_tty_open(struct tty_st
74990 }
74991 /* ++ is not atomic, so this should be protected - Jean II */
74992 spin_lock_irqsave(&self->spinlock, flags);
74993 - self->open_count++;
74994 + local_inc(&self->open_count);
74995
74996 tty->driver_data = self;
74997 self->tty = tty;
74998 spin_unlock_irqrestore(&self->spinlock, flags);
74999
75000 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
75001 - self->line, self->open_count);
75002 + self->line, local_read(&self->open_count));
75003
75004 /* Not really used by us, but lets do it anyway */
75005 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
75006 @@ -511,7 +511,7 @@ static void ircomm_tty_close(struct tty_
75007 return;
75008 }
75009
75010 - if ((tty->count == 1) && (self->open_count != 1)) {
75011 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
75012 /*
75013 * Uh, oh. tty->count is 1, which means that the tty
75014 * structure will be freed. state->count should always
75015 @@ -521,16 +521,16 @@ static void ircomm_tty_close(struct tty_
75016 */
75017 IRDA_DEBUG(0, "%s(), bad serial port count; "
75018 "tty->count is 1, state->count is %d\n", __func__ ,
75019 - self->open_count);
75020 - self->open_count = 1;
75021 + local_read(&self->open_count));
75022 + local_set(&self->open_count, 1);
75023 }
75024
75025 - if (--self->open_count < 0) {
75026 + if (local_dec_return(&self->open_count) < 0) {
75027 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
75028 - __func__, self->line, self->open_count);
75029 - self->open_count = 0;
75030 + __func__, self->line, local_read(&self->open_count));
75031 + local_set(&self->open_count, 0);
75032 }
75033 - if (self->open_count) {
75034 + if (local_read(&self->open_count)) {
75035 spin_unlock_irqrestore(&self->spinlock, flags);
75036
75037 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
75038 @@ -562,7 +562,7 @@ static void ircomm_tty_close(struct tty_
75039 tty->closing = 0;
75040 self->tty = NULL;
75041
75042 - if (self->blocked_open) {
75043 + if (local_read(&self->blocked_open)) {
75044 if (self->close_delay)
75045 schedule_timeout_interruptible(self->close_delay);
75046 wake_up_interruptible(&self->open_wait);
75047 @@ -1017,7 +1017,7 @@ static void ircomm_tty_hangup(struct tty
75048 spin_lock_irqsave(&self->spinlock, flags);
75049 self->flags &= ~ASYNC_NORMAL_ACTIVE;
75050 self->tty = NULL;
75051 - self->open_count = 0;
75052 + local_set(&self->open_count, 0);
75053 spin_unlock_irqrestore(&self->spinlock, flags);
75054
75055 wake_up_interruptible(&self->open_wait);
75056 @@ -1369,7 +1369,7 @@ static void ircomm_tty_line_info(struct
75057 seq_putc(m, '\n');
75058
75059 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
75060 - seq_printf(m, "Open count: %d\n", self->open_count);
75061 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
75062 seq_printf(m, "Max data size: %d\n", self->max_data_size);
75063 seq_printf(m, "Max header size: %d\n", self->max_header_size);
75064
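Review bot: `seq_printf(m, "Open count: %d\n", local_read(&self->open_count));` feeds the result of `local_read()` to a `%d` conversion. As far as I know `local_read()` yields a `long`, which does not match `%d` on 64-bit builds. Either switch the conversion to `%ld` or cast the argument: `(int)local_read(&self->open_count)`. The `IRDA_DEBUG` and `IRDA_ERROR` calls changed in the earlier hunks of this file have the same mismatch. ircomm_tty_line_info's body starts and ends outside the hunk.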
75065 diff -urNp linux-2.6.32.46/net/iucv/af_iucv.c linux-2.6.32.46/net/iucv/af_iucv.c
75066 --- linux-2.6.32.46/net/iucv/af_iucv.c 2011-03-27 14:31:47.000000000 -0400
75067 +++ linux-2.6.32.46/net/iucv/af_iucv.c 2011-05-04 17:56:28.000000000 -0400
75068 @@ -651,10 +651,10 @@ static int iucv_sock_autobind(struct soc
75069
75070 write_lock_bh(&iucv_sk_list.lock);
75071
75072 - sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
75073 + sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
75074 while (__iucv_get_sock_by_name(name)) {
75075 sprintf(name, "%08x",
75076 - atomic_inc_return(&iucv_sk_list.autobind_name));
75077 + atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
75078 }
75079
75080 write_unlock_bh(&iucv_sk_list.lock);
75081 diff -urNp linux-2.6.32.46/net/key/af_key.c linux-2.6.32.46/net/key/af_key.c
75082 --- linux-2.6.32.46/net/key/af_key.c 2011-03-27 14:31:47.000000000 -0400
75083 +++ linux-2.6.32.46/net/key/af_key.c 2011-05-16 21:46:57.000000000 -0400
75084 @@ -2489,6 +2489,8 @@ static int pfkey_migrate(struct sock *sk
75085 struct xfrm_migrate m[XFRM_MAX_DEPTH];
75086 struct xfrm_kmaddress k;
75087
75088 + pax_track_stack();
75089 +
75090 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
75091 ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
75092 !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
75093 @@ -3660,7 +3662,11 @@ static int pfkey_seq_show(struct seq_fil
75094 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
75095 else
75096 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
75097 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75098 + NULL,
75099 +#else
75100 s,
75101 +#endif
75102 atomic_read(&s->sk_refcnt),
75103 sk_rmem_alloc_get(s),
75104 sk_wmem_alloc_get(s),
75105 diff -urNp linux-2.6.32.46/net/lapb/lapb_iface.c linux-2.6.32.46/net/lapb/lapb_iface.c
75106 --- linux-2.6.32.46/net/lapb/lapb_iface.c 2011-03-27 14:31:47.000000000 -0400
75107 +++ linux-2.6.32.46/net/lapb/lapb_iface.c 2011-08-05 20:33:55.000000000 -0400
75108 @@ -157,7 +157,7 @@ int lapb_register(struct net_device *dev
75109 goto out;
75110
75111 lapb->dev = dev;
75112 - lapb->callbacks = *callbacks;
75113 + lapb->callbacks = callbacks;
75114
75115 __lapb_insert_cb(lapb);
75116
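Review bot: `lapb->callbacks = callbacks;` now keeps the caller's pointer instead of a copy, so the structure passed to lapb_register must stay valid for as long as the device is registered. A caller that builds the callback table in a local variable would leave `lapb->callbacks` dangling once it returns. The callers are not in this part of the patch, so each one needs checking. I'd document the requirement on lapb_register, e.g. `/* callbacks is stored by reference and must have static storage duration */`, and const-qualify the stored pointer if the field's declaration allows it. The following hunks dereference it on every confirmation, indication and data callback.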
75117 @@ -379,32 +379,32 @@ int lapb_data_received(struct net_device
75118
75119 void lapb_connect_confirmation(struct lapb_cb *lapb, int reason)
75120 {
75121 - if (lapb->callbacks.connect_confirmation)
75122 - lapb->callbacks.connect_confirmation(lapb->dev, reason);
75123 + if (lapb->callbacks->connect_confirmation)
75124 + lapb->callbacks->connect_confirmation(lapb->dev, reason);
75125 }
75126
75127 void lapb_connect_indication(struct lapb_cb *lapb, int reason)
75128 {
75129 - if (lapb->callbacks.connect_indication)
75130 - lapb->callbacks.connect_indication(lapb->dev, reason);
75131 + if (lapb->callbacks->connect_indication)
75132 + lapb->callbacks->connect_indication(lapb->dev, reason);
75133 }
75134
75135 void lapb_disconnect_confirmation(struct lapb_cb *lapb, int reason)
75136 {
75137 - if (lapb->callbacks.disconnect_confirmation)
75138 - lapb->callbacks.disconnect_confirmation(lapb->dev, reason);
75139 + if (lapb->callbacks->disconnect_confirmation)
75140 + lapb->callbacks->disconnect_confirmation(lapb->dev, reason);
75141 }
75142
75143 void lapb_disconnect_indication(struct lapb_cb *lapb, int reason)
75144 {
75145 - if (lapb->callbacks.disconnect_indication)
75146 - lapb->callbacks.disconnect_indication(lapb->dev, reason);
75147 + if (lapb->callbacks->disconnect_indication)
75148 + lapb->callbacks->disconnect_indication(lapb->dev, reason);
75149 }
75150
75151 int lapb_data_indication(struct lapb_cb *lapb, struct sk_buff *skb)
75152 {
75153 - if (lapb->callbacks.data_indication)
75154 - return lapb->callbacks.data_indication(lapb->dev, skb);
75155 + if (lapb->callbacks->data_indication)
75156 + return lapb->callbacks->data_indication(lapb->dev, skb);
75157
75158 kfree_skb(skb);
75159 return NET_RX_SUCCESS; /* For now; must be != NET_RX_DROP */
75160 @@ -414,8 +414,8 @@ int lapb_data_transmit(struct lapb_cb *l
75161 {
75162 int used = 0;
75163
75164 - if (lapb->callbacks.data_transmit) {
75165 - lapb->callbacks.data_transmit(lapb->dev, skb);
75166 + if (lapb->callbacks->data_transmit) {
75167 + lapb->callbacks->data_transmit(lapb->dev, skb);
75168 used = 1;
75169 }
75170
75171 diff -urNp linux-2.6.32.46/net/mac80211/cfg.c linux-2.6.32.46/net/mac80211/cfg.c
75172 --- linux-2.6.32.46/net/mac80211/cfg.c 2011-03-27 14:31:47.000000000 -0400
75173 +++ linux-2.6.32.46/net/mac80211/cfg.c 2011-04-17 15:56:46.000000000 -0400
75174 @@ -1369,7 +1369,7 @@ static int ieee80211_set_bitrate_mask(st
75175 return err;
75176 }
75177
75178 -struct cfg80211_ops mac80211_config_ops = {
75179 +const struct cfg80211_ops mac80211_config_ops = {
75180 .add_virtual_intf = ieee80211_add_iface,
75181 .del_virtual_intf = ieee80211_del_iface,
75182 .change_virtual_intf = ieee80211_change_iface,
75183 diff -urNp linux-2.6.32.46/net/mac80211/cfg.h linux-2.6.32.46/net/mac80211/cfg.h
75184 --- linux-2.6.32.46/net/mac80211/cfg.h 2011-03-27 14:31:47.000000000 -0400
75185 +++ linux-2.6.32.46/net/mac80211/cfg.h 2011-04-17 15:56:46.000000000 -0400
75186 @@ -4,6 +4,6 @@
75187 #ifndef __CFG_H
75188 #define __CFG_H
75189
75190 -extern struct cfg80211_ops mac80211_config_ops;
75191 +extern const struct cfg80211_ops mac80211_config_ops;
75192
75193 #endif /* __CFG_H */
75194 diff -urNp linux-2.6.32.46/net/mac80211/debugfs_key.c linux-2.6.32.46/net/mac80211/debugfs_key.c
75195 --- linux-2.6.32.46/net/mac80211/debugfs_key.c 2011-03-27 14:31:47.000000000 -0400
75196 +++ linux-2.6.32.46/net/mac80211/debugfs_key.c 2011-04-17 15:56:46.000000000 -0400
75197 @@ -211,9 +211,13 @@ static ssize_t key_key_read(struct file
75198 size_t count, loff_t *ppos)
75199 {
75200 struct ieee80211_key *key = file->private_data;
75201 - int i, res, bufsize = 2 * key->conf.keylen + 2;
75202 + int i, bufsize = 2 * key->conf.keylen + 2;
75203 char *buf = kmalloc(bufsize, GFP_KERNEL);
75204 char *p = buf;
75205 + ssize_t res;
75206 +
75207 + if (buf == NULL)
75208 + return -ENOMEM;
75209
75210 for (i = 0; i < key->conf.keylen; i++)
75211 p += scnprintf(p, bufsize + buf - p, "%02x", key->conf.key[i]);
75212 diff -urNp linux-2.6.32.46/net/mac80211/debugfs_sta.c linux-2.6.32.46/net/mac80211/debugfs_sta.c
75213 --- linux-2.6.32.46/net/mac80211/debugfs_sta.c 2011-03-27 14:31:47.000000000 -0400
75214 +++ linux-2.6.32.46/net/mac80211/debugfs_sta.c 2011-05-16 21:46:57.000000000 -0400
75215 @@ -124,6 +124,8 @@ static ssize_t sta_agg_status_read(struc
75216 int i;
75217 struct sta_info *sta = file->private_data;
75218
75219 + pax_track_stack();
75220 +
75221 spin_lock_bh(&sta->lock);
75222 p += scnprintf(p, sizeof(buf)+buf-p, "next dialog_token is %#02x\n",
75223 sta->ampdu_mlme.dialog_token_allocator + 1);
75224 diff -urNp linux-2.6.32.46/net/mac80211/ieee80211_i.h linux-2.6.32.46/net/mac80211/ieee80211_i.h
75225 --- linux-2.6.32.46/net/mac80211/ieee80211_i.h 2011-03-27 14:31:47.000000000 -0400
75226 +++ linux-2.6.32.46/net/mac80211/ieee80211_i.h 2011-04-17 15:56:46.000000000 -0400
75227 @@ -25,6 +25,7 @@
75228 #include <linux/etherdevice.h>
75229 #include <net/cfg80211.h>
75230 #include <net/mac80211.h>
75231 +#include <asm/local.h>
75232 #include "key.h"
75233 #include "sta_info.h"
75234
75235 @@ -635,7 +636,7 @@ struct ieee80211_local {
75236 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
75237 spinlock_t queue_stop_reason_lock;
75238
75239 - int open_count;
75240 + local_t open_count;
75241 int monitors, cooked_mntrs;
75242 /* number of interfaces with corresponding FIF_ flags */
75243 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
75244 diff -urNp linux-2.6.32.46/net/mac80211/iface.c linux-2.6.32.46/net/mac80211/iface.c
75245 --- linux-2.6.32.46/net/mac80211/iface.c 2011-03-27 14:31:47.000000000 -0400
75246 +++ linux-2.6.32.46/net/mac80211/iface.c 2011-04-17 15:56:46.000000000 -0400
75247 @@ -166,7 +166,7 @@ static int ieee80211_open(struct net_dev
75248 break;
75249 }
75250
75251 - if (local->open_count == 0) {
75252 + if (local_read(&local->open_count) == 0) {
75253 res = drv_start(local);
75254 if (res)
75255 goto err_del_bss;
75256 @@ -196,7 +196,7 @@ static int ieee80211_open(struct net_dev
75257 * Validate the MAC address for this device.
75258 */
75259 if (!is_valid_ether_addr(dev->dev_addr)) {
75260 - if (!local->open_count)
75261 + if (!local_read(&local->open_count))
75262 drv_stop(local);
75263 return -EADDRNOTAVAIL;
75264 }
75265 @@ -292,7 +292,7 @@ static int ieee80211_open(struct net_dev
75266
75267 hw_reconf_flags |= __ieee80211_recalc_idle(local);
75268
75269 - local->open_count++;
75270 + local_inc(&local->open_count);
75271 if (hw_reconf_flags) {
75272 ieee80211_hw_config(local, hw_reconf_flags);
75273 /*
75274 @@ -320,7 +320,7 @@ static int ieee80211_open(struct net_dev
75275 err_del_interface:
75276 drv_remove_interface(local, &conf);
75277 err_stop:
75278 - if (!local->open_count)
75279 + if (!local_read(&local->open_count))
75280 drv_stop(local);
75281 err_del_bss:
75282 sdata->bss = NULL;
75283 @@ -420,7 +420,7 @@ static int ieee80211_stop(struct net_dev
75284 WARN_ON(!list_empty(&sdata->u.ap.vlans));
75285 }
75286
75287 - local->open_count--;
75288 + local_dec(&local->open_count);
75289
75290 switch (sdata->vif.type) {
75291 case NL80211_IFTYPE_AP_VLAN:
75292 @@ -526,7 +526,7 @@ static int ieee80211_stop(struct net_dev
75293
75294 ieee80211_recalc_ps(local, -1);
75295
75296 - if (local->open_count == 0) {
75297 + if (local_read(&local->open_count) == 0) {
75298 ieee80211_clear_tx_pending(local);
75299 ieee80211_stop_device(local);
75300
75301 diff -urNp linux-2.6.32.46/net/mac80211/main.c linux-2.6.32.46/net/mac80211/main.c
75302 --- linux-2.6.32.46/net/mac80211/main.c 2011-05-10 22:12:02.000000000 -0400
75303 +++ linux-2.6.32.46/net/mac80211/main.c 2011-05-10 22:12:34.000000000 -0400
75304 @@ -145,7 +145,7 @@ int ieee80211_hw_config(struct ieee80211
75305 local->hw.conf.power_level = power;
75306 }
75307
75308 - if (changed && local->open_count) {
75309 + if (changed && local_read(&local->open_count)) {
75310 ret = drv_config(local, changed);
75311 /*
75312 * Goal:
75313 diff -urNp linux-2.6.32.46/net/mac80211/mlme.c linux-2.6.32.46/net/mac80211/mlme.c
75314 --- linux-2.6.32.46/net/mac80211/mlme.c 2011-08-09 18:35:30.000000000 -0400
75315 +++ linux-2.6.32.46/net/mac80211/mlme.c 2011-08-09 18:34:01.000000000 -0400
75316 @@ -1438,6 +1438,8 @@ ieee80211_rx_mgmt_assoc_resp(struct ieee
75317 bool have_higher_than_11mbit = false, newsta = false;
75318 u16 ap_ht_cap_flags;
75319
75320 + pax_track_stack();
75321 +
75322 /*
75323 * AssocResp and ReassocResp have identical structure, so process both
75324 * of them in this function.
75325 diff -urNp linux-2.6.32.46/net/mac80211/pm.c linux-2.6.32.46/net/mac80211/pm.c
75326 --- linux-2.6.32.46/net/mac80211/pm.c 2011-03-27 14:31:47.000000000 -0400
75327 +++ linux-2.6.32.46/net/mac80211/pm.c 2011-04-17 15:56:46.000000000 -0400
75328 @@ -107,7 +107,7 @@ int __ieee80211_suspend(struct ieee80211
75329 }
75330
75331 /* stop hardware - this must stop RX */
75332 - if (local->open_count)
75333 + if (local_read(&local->open_count))
75334 ieee80211_stop_device(local);
75335
75336 local->suspended = true;
75337 diff -urNp linux-2.6.32.46/net/mac80211/rate.c linux-2.6.32.46/net/mac80211/rate.c
75338 --- linux-2.6.32.46/net/mac80211/rate.c 2011-03-27 14:31:47.000000000 -0400
75339 +++ linux-2.6.32.46/net/mac80211/rate.c 2011-04-17 15:56:46.000000000 -0400
75340 @@ -287,7 +287,7 @@ int ieee80211_init_rate_ctrl_alg(struct
75341 struct rate_control_ref *ref, *old;
75342
75343 ASSERT_RTNL();
75344 - if (local->open_count)
75345 + if (local_read(&local->open_count))
75346 return -EBUSY;
75347
75348 ref = rate_control_alloc(name, local);
75349 diff -urNp linux-2.6.32.46/net/mac80211/tx.c linux-2.6.32.46/net/mac80211/tx.c
75350 --- linux-2.6.32.46/net/mac80211/tx.c 2011-03-27 14:31:47.000000000 -0400
75351 +++ linux-2.6.32.46/net/mac80211/tx.c 2011-04-17 15:56:46.000000000 -0400
75352 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
75353 return cpu_to_le16(dur);
75354 }
75355
75356 -static int inline is_ieee80211_device(struct ieee80211_local *local,
75357 +static inline int is_ieee80211_device(struct ieee80211_local *local,
75358 struct net_device *dev)
75359 {
75360 return local == wdev_priv(dev->ieee80211_ptr);
75361 diff -urNp linux-2.6.32.46/net/mac80211/util.c linux-2.6.32.46/net/mac80211/util.c
75362 --- linux-2.6.32.46/net/mac80211/util.c 2011-03-27 14:31:47.000000000 -0400
75363 +++ linux-2.6.32.46/net/mac80211/util.c 2011-04-17 15:56:46.000000000 -0400
75364 @@ -1042,7 +1042,7 @@ int ieee80211_reconfig(struct ieee80211_
75365 local->resuming = true;
75366
75367 /* restart hardware */
75368 - if (local->open_count) {
75369 + if (local_read(&local->open_count)) {
75370 /*
75371 * Upon resume hardware can sometimes be goofy due to
75372 * various platform / driver / bus issues, so restarting
75373 diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_app.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_app.c
75374 --- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_app.c 2011-03-27 14:31:47.000000000 -0400
75375 +++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_app.c 2011-05-17 19:26:34.000000000 -0400
75376 @@ -564,7 +564,7 @@ static const struct file_operations ip_v
75377 .open = ip_vs_app_open,
75378 .read = seq_read,
75379 .llseek = seq_lseek,
75380 - .release = seq_release,
75381 + .release = seq_release_net,
75382 };
75383 #endif
75384
75385 diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_conn.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_conn.c
75386 --- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_conn.c 2011-03-27 14:31:47.000000000 -0400
75387 +++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_conn.c 2011-05-17 19:26:34.000000000 -0400
75388 @@ -453,10 +453,10 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
75389 /* if the connection is not template and is created
75390 * by sync, preserve the activity flag.
75391 */
75392 - cp->flags |= atomic_read(&dest->conn_flags) &
75393 + cp->flags |= atomic_read_unchecked(&dest->conn_flags) &
75394 (~IP_VS_CONN_F_INACTIVE);
75395 else
75396 - cp->flags |= atomic_read(&dest->conn_flags);
75397 + cp->flags |= atomic_read_unchecked(&dest->conn_flags);
75398 cp->dest = dest;
75399
75400 IP_VS_DBG_BUF(7, "Bind-dest %s c:%s:%d v:%s:%d "
75401 @@ -723,7 +723,7 @@ ip_vs_conn_new(int af, int proto, const
75402 atomic_set(&cp->refcnt, 1);
75403
75404 atomic_set(&cp->n_control, 0);
75405 - atomic_set(&cp->in_pkts, 0);
75406 + atomic_set_unchecked(&cp->in_pkts, 0);
75407
75408 atomic_inc(&ip_vs_conn_count);
75409 if (flags & IP_VS_CONN_F_NO_CPORT)
75410 @@ -871,7 +871,7 @@ static const struct file_operations ip_v
75411 .open = ip_vs_conn_open,
75412 .read = seq_read,
75413 .llseek = seq_lseek,
75414 - .release = seq_release,
75415 + .release = seq_release_net,
75416 };
75417
75418 static const char *ip_vs_origin_name(unsigned flags)
75419 @@ -934,7 +934,7 @@ static const struct file_operations ip_v
75420 .open = ip_vs_conn_sync_open,
75421 .read = seq_read,
75422 .llseek = seq_lseek,
75423 - .release = seq_release,
75424 + .release = seq_release_net,
75425 };
75426
75427 #endif
75428 @@ -961,7 +961,7 @@ static inline int todrop_entry(struct ip
75429
75430 /* Don't drop the entry if its number of incoming packets is not
75431 located in [0, 8] */
75432 - i = atomic_read(&cp->in_pkts);
75433 + i = atomic_read_unchecked(&cp->in_pkts);
75434 if (i > 8 || i < 0) return 0;
75435
75436 if (!todrop_rate[i]) return 0;
75437 diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_core.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_core.c
75438 --- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_core.c 2011-03-27 14:31:47.000000000 -0400
75439 +++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_core.c 2011-05-04 17:56:28.000000000 -0400
75440 @@ -485,7 +485,7 @@ int ip_vs_leave(struct ip_vs_service *sv
75441 ret = cp->packet_xmit(skb, cp, pp);
75442 /* do not touch skb anymore */
75443
75444 - atomic_inc(&cp->in_pkts);
75445 + atomic_inc_unchecked(&cp->in_pkts);
75446 ip_vs_conn_put(cp);
75447 return ret;
75448 }
75449 @@ -1357,7 +1357,7 @@ ip_vs_in(unsigned int hooknum, struct sk
75450 * Sync connection if it is about to close to
75451 * encorage the standby servers to update the connections timeout
75452 */
75453 - pkts = atomic_add_return(1, &cp->in_pkts);
75454 + pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
75455 if (af == AF_INET &&
75456 (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
75457 (((cp->protocol != IPPROTO_TCP ||
75458 diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_ctl.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_ctl.c
75459 --- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_ctl.c 2011-03-27 14:31:47.000000000 -0400
75460 +++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-17 19:26:34.000000000 -0400
75461 @@ -792,7 +792,7 @@ __ip_vs_update_dest(struct ip_vs_service
75462 ip_vs_rs_hash(dest);
75463 write_unlock_bh(&__ip_vs_rs_lock);
75464 }
75465 - atomic_set(&dest->conn_flags, conn_flags);
75466 + atomic_set_unchecked(&dest->conn_flags, conn_flags);
75467
75468 /* bind the service */
75469 if (!dest->svc) {
75470 @@ -1888,7 +1888,7 @@ static int ip_vs_info_seq_show(struct se
75471 " %-7s %-6d %-10d %-10d\n",
75472 &dest->addr.in6,
75473 ntohs(dest->port),
75474 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
75475 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
75476 atomic_read(&dest->weight),
75477 atomic_read(&dest->activeconns),
75478 atomic_read(&dest->inactconns));
75479 @@ -1899,7 +1899,7 @@ static int ip_vs_info_seq_show(struct se
75480 "%-7s %-6d %-10d %-10d\n",
75481 ntohl(dest->addr.ip),
75482 ntohs(dest->port),
75483 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
75484 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
75485 atomic_read(&dest->weight),
75486 atomic_read(&dest->activeconns),
75487 atomic_read(&dest->inactconns));
75488 @@ -1927,7 +1927,7 @@ static const struct file_operations ip_v
75489 .open = ip_vs_info_open,
75490 .read = seq_read,
75491 .llseek = seq_lseek,
75492 - .release = seq_release_private,
75493 + .release = seq_release_net,
75494 };
75495
75496 #endif
75497 @@ -1976,7 +1976,7 @@ static const struct file_operations ip_v
75498 .open = ip_vs_stats_seq_open,
75499 .read = seq_read,
75500 .llseek = seq_lseek,
75501 - .release = single_release,
75502 + .release = single_release_net,
75503 };
75504
75505 #endif
75506 @@ -2292,7 +2292,7 @@ __ip_vs_get_dest_entries(const struct ip
75507
75508 entry.addr = dest->addr.ip;
75509 entry.port = dest->port;
75510 - entry.conn_flags = atomic_read(&dest->conn_flags);
75511 + entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
75512 entry.weight = atomic_read(&dest->weight);
75513 entry.u_threshold = dest->u_threshold;
75514 entry.l_threshold = dest->l_threshold;
75515 @@ -2353,6 +2353,8 @@ do_ip_vs_get_ctl(struct sock *sk, int cm
75516 unsigned char arg[128];
75517 int ret = 0;
75518
75519 + pax_track_stack();
75520 +
75521 if (!capable(CAP_NET_ADMIN))
75522 return -EPERM;
75523
75524 @@ -2802,7 +2804,7 @@ static int ip_vs_genl_fill_dest(struct s
75525 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
75526
75527 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
75528 - atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
75529 + atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
75530 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
75531 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
75532 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
75533 diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_sync.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_sync.c
75534 --- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_sync.c 2011-03-27 14:31:47.000000000 -0400
75535 +++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_sync.c 2011-05-04 17:56:28.000000000 -0400
75536 @@ -438,7 +438,7 @@ static void ip_vs_process_message(const
75537
75538 if (opt)
75539 memcpy(&cp->in_seq, opt, sizeof(*opt));
75540 - atomic_set(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
75541 + atomic_set_unchecked(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
75542 cp->state = state;
75543 cp->old_state = cp->state;
75544 /*
75545 diff -urNp linux-2.6.32.46/net/netfilter/ipvs/ip_vs_xmit.c linux-2.6.32.46/net/netfilter/ipvs/ip_vs_xmit.c
75546 --- linux-2.6.32.46/net/netfilter/ipvs/ip_vs_xmit.c 2011-03-27 14:31:47.000000000 -0400
75547 +++ linux-2.6.32.46/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-04 17:56:28.000000000 -0400
75548 @@ -875,7 +875,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
75549 else
75550 rc = NF_ACCEPT;
75551 /* do not touch skb anymore */
75552 - atomic_inc(&cp->in_pkts);
75553 + atomic_inc_unchecked(&cp->in_pkts);
75554 goto out;
75555 }
75556
75557 @@ -949,7 +949,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
75558 else
75559 rc = NF_ACCEPT;
75560 /* do not touch skb anymore */
75561 - atomic_inc(&cp->in_pkts);
75562 + atomic_inc_unchecked(&cp->in_pkts);
75563 goto out;
75564 }
75565
75566 diff -urNp linux-2.6.32.46/net/netfilter/Kconfig linux-2.6.32.46/net/netfilter/Kconfig
75567 --- linux-2.6.32.46/net/netfilter/Kconfig 2011-03-27 14:31:47.000000000 -0400
75568 +++ linux-2.6.32.46/net/netfilter/Kconfig 2011-04-17 15:56:46.000000000 -0400
75569 @@ -635,6 +635,16 @@ config NETFILTER_XT_MATCH_ESP
75570
75571 To compile it as a module, choose M here. If unsure, say N.
75572
75573 +config NETFILTER_XT_MATCH_GRADM
75574 + tristate '"gradm" match support'
75575 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
75576 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
75577 + ---help---
75578 + The gradm match allows to match on grsecurity RBAC being enabled.
75579 + It is useful when iptables rules are applied early on bootup to
75580 + prevent connections to the machine (except from a trusted host)
75581 + while the RBAC system is disabled.
75582 +
75583 config NETFILTER_XT_MATCH_HASHLIMIT
75584 tristate '"hashlimit" match support'
75585 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
75586 diff -urNp linux-2.6.32.46/net/netfilter/Makefile linux-2.6.32.46/net/netfilter/Makefile
75587 --- linux-2.6.32.46/net/netfilter/Makefile 2011-03-27 14:31:47.000000000 -0400
75588 +++ linux-2.6.32.46/net/netfilter/Makefile 2011-04-17 15:56:46.000000000 -0400
75589 @@ -68,6 +68,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRAC
75590 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
75591 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
75592 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
75593 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
75594 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
75595 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
75596 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
75597 diff -urNp linux-2.6.32.46/net/netfilter/nf_conntrack_netlink.c linux-2.6.32.46/net/netfilter/nf_conntrack_netlink.c
75598 --- linux-2.6.32.46/net/netfilter/nf_conntrack_netlink.c 2011-03-27 14:31:47.000000000 -0400
75599 +++ linux-2.6.32.46/net/netfilter/nf_conntrack_netlink.c 2011-04-17 15:56:46.000000000 -0400
75600 @@ -706,7 +706,7 @@ ctnetlink_parse_tuple_proto(struct nlatt
75601 static int
75602 ctnetlink_parse_tuple(const struct nlattr * const cda[],
75603 struct nf_conntrack_tuple *tuple,
75604 - enum ctattr_tuple type, u_int8_t l3num)
75605 + enum ctattr_type type, u_int8_t l3num)
75606 {
75607 struct nlattr *tb[CTA_TUPLE_MAX+1];
75608 int err;
75609 diff -urNp linux-2.6.32.46/net/netfilter/nfnetlink_log.c linux-2.6.32.46/net/netfilter/nfnetlink_log.c
75610 --- linux-2.6.32.46/net/netfilter/nfnetlink_log.c 2011-03-27 14:31:47.000000000 -0400
75611 +++ linux-2.6.32.46/net/netfilter/nfnetlink_log.c 2011-05-04 17:56:28.000000000 -0400
75612 @@ -68,7 +68,7 @@ struct nfulnl_instance {
75613 };
75614
75615 static DEFINE_RWLOCK(instances_lock);
75616 -static atomic_t global_seq;
75617 +static atomic_unchecked_t global_seq;
75618
75619 #define INSTANCE_BUCKETS 16
75620 static struct hlist_head instance_table[INSTANCE_BUCKETS];
75621 @@ -493,7 +493,7 @@ __build_packet_message(struct nfulnl_ins
75622 /* global sequence number */
75623 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
75624 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
75625 - htonl(atomic_inc_return(&global_seq)));
75626 + htonl(atomic_inc_return_unchecked(&global_seq)));
75627
75628 if (data_len) {
75629 struct nlattr *nla;
75630 diff -urNp linux-2.6.32.46/net/netfilter/xt_gradm.c linux-2.6.32.46/net/netfilter/xt_gradm.c
75631 --- linux-2.6.32.46/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
75632 +++ linux-2.6.32.46/net/netfilter/xt_gradm.c 2011-04-17 15:56:46.000000000 -0400
75633 @@ -0,0 +1,51 @@
75634 +/*
75635 + * gradm match for netfilter
75636 + * Copyright © Zbigniew Krzystolik, 2010
75637 + *
75638 + * This program is free software; you can redistribute it and/or modify
75639 + * it under the terms of the GNU General Public License; either version
75640 + * 2 or 3 as published by the Free Software Foundation.
75641 + */
75642 +#include <linux/module.h>
75643 +#include <linux/moduleparam.h>
75644 +#include <linux/skbuff.h>
75645 +#include <linux/netfilter/x_tables.h>
75646 +#include <linux/grsecurity.h>
75647 +#include <linux/netfilter/xt_gradm.h>
75648 +
75649 +static bool
75650 +gradm_mt(const struct sk_buff *skb, const struct xt_match_param *par)
75651 +{
75652 + const struct xt_gradm_mtinfo *info = par->matchinfo;
75653 + bool retval = false;
75654 + if (gr_acl_is_enabled())
75655 + retval = true;
75656 + return retval ^ info->invflags;
75657 +}
75658 +
75659 +static struct xt_match gradm_mt_reg __read_mostly = {
75660 + .name = "gradm",
75661 + .revision = 0,
75662 + .family = NFPROTO_UNSPEC,
75663 + .match = gradm_mt,
75664 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
75665 + .me = THIS_MODULE,
75666 +};
75667 +
75668 +static int __init gradm_mt_init(void)
75669 +{
75670 + return xt_register_match(&gradm_mt_reg);
75671 +}
75672 +
75673 +static void __exit gradm_mt_exit(void)
75674 +{
75675 + xt_unregister_match(&gradm_mt_reg);
75676 +}
75677 +
75678 +module_init(gradm_mt_init);
75679 +module_exit(gradm_mt_exit);
75680 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
75681 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
75682 +MODULE_LICENSE("GPL");
75683 +MODULE_ALIAS("ipt_gradm");
75684 +MODULE_ALIAS("ip6t_gradm");
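Review bot: In `gradm_mt`, `return retval ^ info->invflags;` XORs a bool with the raw `invflags` field, so any value other than 0 or 1 gives a non-zero result and the rule matches whether or not RBAC is enabled. The layout of `struct xt_gradm_mtinfo` lives in a header outside this hunk, and `gradm_mt_reg` sets no `.checkentry`, so nothing visible here constrains what a rule can place in that field. Normalising at the point of use, `return retval ^ !!info->invflags;`, keeps the result a strict inversion, and a `.checkentry` that rejects unknown bits would refuse malformed rules at load time. This matters because the Kconfig help describes using the match to gate connections while RBAC is still disabled, where an always-true match would silently defeat the rule.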
75685 diff -urNp linux-2.6.32.46/net/netlink/af_netlink.c linux-2.6.32.46/net/netlink/af_netlink.c
75686 --- linux-2.6.32.46/net/netlink/af_netlink.c 2011-03-27 14:31:47.000000000 -0400
75687 +++ linux-2.6.32.46/net/netlink/af_netlink.c 2011-05-04 17:56:28.000000000 -0400
75688 @@ -733,7 +733,7 @@ static void netlink_overrun(struct sock
75689 sk->sk_error_report(sk);
75690 }
75691 }
75692 - atomic_inc(&sk->sk_drops);
75693 + atomic_inc_unchecked(&sk->sk_drops);
75694 }
75695
75696 static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
75697 @@ -1964,15 +1964,23 @@ static int netlink_seq_show(struct seq_f
75698 struct netlink_sock *nlk = nlk_sk(s);
75699
75700 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d\n",
75701 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75702 + NULL,
75703 +#else
75704 s,
75705 +#endif
75706 s->sk_protocol,
75707 nlk->pid,
75708 nlk->groups ? (u32)nlk->groups[0] : 0,
75709 sk_rmem_alloc_get(s),
75710 sk_wmem_alloc_get(s),
75711 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75712 + NULL,
75713 +#else
75714 nlk->cb,
75715 +#endif
75716 atomic_read(&s->sk_refcnt),
75717 - atomic_read(&s->sk_drops)
75718 + atomic_read_unchecked(&s->sk_drops)
75719 );
75720
75721 }
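Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `NULL` / `#else` / `#endif` block is spliced into the middle of the `seq_printf` argument list twice in this hunk, and the same construct recurs in the af_packet.c, phonet/socket.c and sctp/proc.c hunks. One helper macro defined in a shared header (a hypothetical `HIDESYM_PTR(p)` that expands to `NULL` under the option and to `(p)` otherwise) would keep the argument lists readable and make it harder to miss one pointer in a multi-pointer format string. With the option on, `%p` receives `NULL`, so the text in those columns will presumably no longer look like an address. Anything that parses this seq_file output by column should be checked against the new form. `netlink_seq_show` starts outside the hunk.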
75722 diff -urNp linux-2.6.32.46/net/netrom/af_netrom.c linux-2.6.32.46/net/netrom/af_netrom.c
75723 --- linux-2.6.32.46/net/netrom/af_netrom.c 2011-03-27 14:31:47.000000000 -0400
75724 +++ linux-2.6.32.46/net/netrom/af_netrom.c 2011-04-17 15:56:46.000000000 -0400
75725 @@ -838,6 +838,7 @@ static int nr_getname(struct socket *soc
75726 struct sock *sk = sock->sk;
75727 struct nr_sock *nr = nr_sk(sk);
75728
75729 + memset(sax, 0, sizeof(*sax));
75730 lock_sock(sk);
75731 if (peer != 0) {
75732 if (sk->sk_state != TCP_ESTABLISHED) {
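Review bot: The added `memset(sax, 0, sizeof(*sax));` carries no comment saying what it protects, and the hunk that follows removes the explicit `sax25_ndigis = 0` that now depends on it. A one-line comment such as `/* clear the whole address so no uninitialised bytes are returned to the caller */` would stop a later cleanup from dropping the memset as redundant. The call clears `sizeof(*sax)` even on the path that reports only `sizeof(struct sockaddr_ax25)`, which is fine provided the caller's buffer is at least the larger size; that allocation is not visible here and is worth confirming. `nr_getname` begins and ends outside both hunks.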
75733 @@ -852,7 +853,6 @@ static int nr_getname(struct socket *soc
75734 *uaddr_len = sizeof(struct full_sockaddr_ax25);
75735 } else {
75736 sax->fsa_ax25.sax25_family = AF_NETROM;
75737 - sax->fsa_ax25.sax25_ndigis = 0;
75738 sax->fsa_ax25.sax25_call = nr->source_addr;
75739 *uaddr_len = sizeof(struct sockaddr_ax25);
75740 }
75741 diff -urNp linux-2.6.32.46/net/packet/af_packet.c linux-2.6.32.46/net/packet/af_packet.c
75742 --- linux-2.6.32.46/net/packet/af_packet.c 2011-07-13 17:23:04.000000000 -0400
75743 +++ linux-2.6.32.46/net/packet/af_packet.c 2011-07-13 17:23:27.000000000 -0400
75744 @@ -2429,7 +2429,11 @@ static int packet_seq_show(struct seq_fi
75745
75746 seq_printf(seq,
75747 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
75748 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75749 + NULL,
75750 +#else
75751 s,
75752 +#endif
75753 atomic_read(&s->sk_refcnt),
75754 s->sk_type,
75755 ntohs(po->num),
75756 diff -urNp linux-2.6.32.46/net/phonet/af_phonet.c linux-2.6.32.46/net/phonet/af_phonet.c
75757 --- linux-2.6.32.46/net/phonet/af_phonet.c 2011-03-27 14:31:47.000000000 -0400
75758 +++ linux-2.6.32.46/net/phonet/af_phonet.c 2011-04-17 15:56:46.000000000 -0400
75759 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
75760 {
75761 struct phonet_protocol *pp;
75762
75763 - if (protocol >= PHONET_NPROTO)
75764 + if (protocol < 0 || protocol >= PHONET_NPROTO)
75765 return NULL;
75766
75767 spin_lock(&proto_tab_lock);
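Review bot: The negative-index guard `protocol < 0 ||` is added per call site, here and in the `phonet_proto_register` hunk below, so any other function that indexes the same protocol table with a signed `protocol` stays unguarded. Those functions are outside this diff and should be checked. Declaring the parameter as `unsigned int` in both functions would make the existing `protocol >= PHONET_NPROTO` test sufficient and remove the need to repeat the check. If the signed type has to stay, a short comment like `/* protocol is signed: reject negative table indexes */` would record why the extra comparison is there. Both function bodies continue outside their hunks.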
75768 @@ -402,7 +402,7 @@ int __init_or_module phonet_proto_regist
75769 {
75770 int err = 0;
75771
75772 - if (protocol >= PHONET_NPROTO)
75773 + if (protocol < 0 || protocol >= PHONET_NPROTO)
75774 return -EINVAL;
75775
75776 err = proto_register(pp->prot, 1);
75777 diff -urNp linux-2.6.32.46/net/phonet/datagram.c linux-2.6.32.46/net/phonet/datagram.c
75778 --- linux-2.6.32.46/net/phonet/datagram.c 2011-03-27 14:31:47.000000000 -0400
75779 +++ linux-2.6.32.46/net/phonet/datagram.c 2011-05-04 17:56:28.000000000 -0400
75780 @@ -162,7 +162,7 @@ static int pn_backlog_rcv(struct sock *s
75781 if (err < 0) {
75782 kfree_skb(skb);
75783 if (err == -ENOMEM)
75784 - atomic_inc(&sk->sk_drops);
75785 + atomic_inc_unchecked(&sk->sk_drops);
75786 }
75787 return err ? NET_RX_DROP : NET_RX_SUCCESS;
75788 }
75789 diff -urNp linux-2.6.32.46/net/phonet/pep.c linux-2.6.32.46/net/phonet/pep.c
75790 --- linux-2.6.32.46/net/phonet/pep.c 2011-03-27 14:31:47.000000000 -0400
75791 +++ linux-2.6.32.46/net/phonet/pep.c 2011-05-04 17:56:28.000000000 -0400
75792 @@ -348,7 +348,7 @@ static int pipe_do_rcv(struct sock *sk,
75793
75794 case PNS_PEP_CTRL_REQ:
75795 if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
75796 - atomic_inc(&sk->sk_drops);
75797 + atomic_inc_unchecked(&sk->sk_drops);
75798 break;
75799 }
75800 __skb_pull(skb, 4);
75801 @@ -362,12 +362,12 @@ static int pipe_do_rcv(struct sock *sk,
75802 if (!err)
75803 return 0;
75804 if (err == -ENOMEM)
75805 - atomic_inc(&sk->sk_drops);
75806 + atomic_inc_unchecked(&sk->sk_drops);
75807 break;
75808 }
75809
75810 if (pn->rx_credits == 0) {
75811 - atomic_inc(&sk->sk_drops);
75812 + atomic_inc_unchecked(&sk->sk_drops);
75813 err = -ENOBUFS;
75814 break;
75815 }
75816 diff -urNp linux-2.6.32.46/net/phonet/socket.c linux-2.6.32.46/net/phonet/socket.c
75817 --- linux-2.6.32.46/net/phonet/socket.c 2011-03-27 14:31:47.000000000 -0400
75818 +++ linux-2.6.32.46/net/phonet/socket.c 2011-05-04 17:57:07.000000000 -0400
75819 @@ -482,8 +482,13 @@ static int pn_sock_seq_show(struct seq_f
75820 sk->sk_state,
75821 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
75822 sock_i_uid(sk), sock_i_ino(sk),
75823 - atomic_read(&sk->sk_refcnt), sk,
75824 - atomic_read(&sk->sk_drops), &len);
75825 + atomic_read(&sk->sk_refcnt),
75826 +#ifdef CONFIG_GRKERNSEC_HIDESYM
75827 + NULL,
75828 +#else
75829 + sk,
75830 +#endif
75831 + atomic_read_unchecked(&sk->sk_drops), &len);
75832 }
75833 seq_printf(seq, "%*s\n", 127 - len, "");
75834 return 0;
75835 diff -urNp linux-2.6.32.46/net/rds/cong.c linux-2.6.32.46/net/rds/cong.c
75836 --- linux-2.6.32.46/net/rds/cong.c 2011-03-27 14:31:47.000000000 -0400
75837 +++ linux-2.6.32.46/net/rds/cong.c 2011-05-04 17:56:28.000000000 -0400
75838 @@ -77,7 +77,7 @@
75839 * finds that the saved generation number is smaller than the global generation
75840 * number, it wakes up the process.
75841 */
75842 -static atomic_t rds_cong_generation = ATOMIC_INIT(0);
75843 +static atomic_unchecked_t rds_cong_generation = ATOMIC_INIT(0);
75844
75845 /*
75846 * Congestion monitoring
75847 @@ -232,7 +232,7 @@ void rds_cong_map_updated(struct rds_con
75848 rdsdebug("waking map %p for %pI4\n",
75849 map, &map->m_addr);
75850 rds_stats_inc(s_cong_update_received);
75851 - atomic_inc(&rds_cong_generation);
75852 + atomic_inc_unchecked(&rds_cong_generation);
75853 if (waitqueue_active(&map->m_waitq))
75854 wake_up(&map->m_waitq);
75855 if (waitqueue_active(&rds_poll_waitq))
75856 @@ -258,7 +258,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
75857
75858 int rds_cong_updated_since(unsigned long *recent)
75859 {
75860 - unsigned long gen = atomic_read(&rds_cong_generation);
75861 + unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
75862
75863 if (likely(*recent == gen))
75864 return 0;
75865 diff -urNp linux-2.6.32.46/net/rds/iw_rdma.c linux-2.6.32.46/net/rds/iw_rdma.c
75866 --- linux-2.6.32.46/net/rds/iw_rdma.c 2011-03-27 14:31:47.000000000 -0400
75867 +++ linux-2.6.32.46/net/rds/iw_rdma.c 2011-05-16 21:46:57.000000000 -0400
75868 @@ -181,6 +181,8 @@ int rds_iw_update_cm_id(struct rds_iw_de
75869 struct rdma_cm_id *pcm_id;
75870 int rc;
75871
75872 + pax_track_stack();
75873 +
75874 src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
75875 dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
75876
75877 diff -urNp linux-2.6.32.46/net/rds/Kconfig linux-2.6.32.46/net/rds/Kconfig
75878 --- linux-2.6.32.46/net/rds/Kconfig 2011-03-27 14:31:47.000000000 -0400
75879 +++ linux-2.6.32.46/net/rds/Kconfig 2011-04-17 15:56:46.000000000 -0400
75880 @@ -1,7 +1,7 @@
75881
75882 config RDS
75883 tristate "The RDS Protocol (EXPERIMENTAL)"
75884 - depends on INET && EXPERIMENTAL
75885 + depends on INET && EXPERIMENTAL && BROKEN
75886 ---help---
75887 The RDS (Reliable Datagram Sockets) protocol provides reliable,
75888 sequenced delivery of datagrams over Infiniband, iWARP,
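Review bot: The added `&& BROKEN` on `depends on INET && EXPERIMENTAL && BROKEN` makes RDS unselectable in normal configurations, but neither the option nor the help text says why. If the intent is to keep the protocol out of hardened builds, a comment line above the dependency, for example `# disabled by this patch set; drop BROKEN only after reviewing the RDS code paths`, would tell an integrator the change is deliberate. The prompt string still reads "(EXPERIMENTAL)", which understates the new status.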
75889 diff -urNp linux-2.6.32.46/net/rxrpc/af_rxrpc.c linux-2.6.32.46/net/rxrpc/af_rxrpc.c
75890 --- linux-2.6.32.46/net/rxrpc/af_rxrpc.c 2011-03-27 14:31:47.000000000 -0400
75891 +++ linux-2.6.32.46/net/rxrpc/af_rxrpc.c 2011-05-04 17:56:28.000000000 -0400
75892 @@ -38,7 +38,7 @@ static const struct proto_ops rxrpc_rpc_
75893 __be32 rxrpc_epoch;
75894
75895 /* current debugging ID */
75896 -atomic_t rxrpc_debug_id;
75897 +atomic_unchecked_t rxrpc_debug_id;
75898
75899 /* count of skbs currently in use */
75900 atomic_t rxrpc_n_skbs;
75901 diff -urNp linux-2.6.32.46/net/rxrpc/ar-ack.c linux-2.6.32.46/net/rxrpc/ar-ack.c
75902 --- linux-2.6.32.46/net/rxrpc/ar-ack.c 2011-03-27 14:31:47.000000000 -0400
75903 +++ linux-2.6.32.46/net/rxrpc/ar-ack.c 2011-05-16 21:46:57.000000000 -0400
75904 @@ -174,7 +174,7 @@ static void rxrpc_resend(struct rxrpc_ca
75905
75906 _enter("{%d,%d,%d,%d},",
75907 call->acks_hard, call->acks_unacked,
75908 - atomic_read(&call->sequence),
75909 + atomic_read_unchecked(&call->sequence),
75910 CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
75911
75912 stop = 0;
75913 @@ -198,7 +198,7 @@ static void rxrpc_resend(struct rxrpc_ca
75914
75915 /* each Tx packet has a new serial number */
75916 sp->hdr.serial =
75917 - htonl(atomic_inc_return(&call->conn->serial));
75918 + htonl(atomic_inc_return_unchecked(&call->conn->serial));
75919
75920 hdr = (struct rxrpc_header *) txb->head;
75921 hdr->serial = sp->hdr.serial;
75922 @@ -401,7 +401,7 @@ static void rxrpc_rotate_tx_window(struc
75923 */
75924 static void rxrpc_clear_tx_window(struct rxrpc_call *call)
75925 {
75926 - rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
75927 + rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
75928 }
75929
75930 /*
75931 @@ -627,7 +627,7 @@ process_further:
75932
75933 latest = ntohl(sp->hdr.serial);
75934 hard = ntohl(ack.firstPacket);
75935 - tx = atomic_read(&call->sequence);
75936 + tx = atomic_read_unchecked(&call->sequence);
75937
75938 _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
75939 latest,
75940 @@ -840,6 +840,8 @@ void rxrpc_process_call(struct work_stru
75941 u32 abort_code = RX_PROTOCOL_ERROR;
75942 u8 *acks = NULL;
75943
75944 + pax_track_stack();
75945 +
75946 //printk("\n--------------------\n");
75947 _enter("{%d,%s,%lx} [%lu]",
75948 call->debug_id, rxrpc_call_states[call->state], call->events,
75949 @@ -1159,7 +1161,7 @@ void rxrpc_process_call(struct work_stru
75950 goto maybe_reschedule;
75951
75952 send_ACK_with_skew:
75953 - ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
75954 + ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
75955 ntohl(ack.serial));
75956 send_ACK:
75957 mtu = call->conn->trans->peer->if_mtu;
75958 @@ -1171,7 +1173,7 @@ send_ACK:
75959 ackinfo.rxMTU = htonl(5692);
75960 ackinfo.jumbo_max = htonl(4);
75961
75962 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
75963 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
75964 _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
75965 ntohl(hdr.serial),
75966 ntohs(ack.maxSkew),
75967 @@ -1189,7 +1191,7 @@ send_ACK:
75968 send_message:
75969 _debug("send message");
75970
75971 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
75972 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
75973 _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
75974 send_message_2:
75975
75976 diff -urNp linux-2.6.32.46/net/rxrpc/ar-call.c linux-2.6.32.46/net/rxrpc/ar-call.c
75977 --- linux-2.6.32.46/net/rxrpc/ar-call.c 2011-03-27 14:31:47.000000000 -0400
75978 +++ linux-2.6.32.46/net/rxrpc/ar-call.c 2011-05-04 17:56:28.000000000 -0400
75979 @@ -82,7 +82,7 @@ static struct rxrpc_call *rxrpc_alloc_ca
75980 spin_lock_init(&call->lock);
75981 rwlock_init(&call->state_lock);
75982 atomic_set(&call->usage, 1);
75983 - call->debug_id = atomic_inc_return(&rxrpc_debug_id);
75984 + call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
75985 call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
75986
75987 memset(&call->sock_node, 0xed, sizeof(call->sock_node));
75988 diff -urNp linux-2.6.32.46/net/rxrpc/ar-connection.c linux-2.6.32.46/net/rxrpc/ar-connection.c
75989 --- linux-2.6.32.46/net/rxrpc/ar-connection.c 2011-03-27 14:31:47.000000000 -0400
75990 +++ linux-2.6.32.46/net/rxrpc/ar-connection.c 2011-05-04 17:56:28.000000000 -0400
75991 @@ -205,7 +205,7 @@ static struct rxrpc_connection *rxrpc_al
75992 rwlock_init(&conn->lock);
75993 spin_lock_init(&conn->state_lock);
75994 atomic_set(&conn->usage, 1);
75995 - conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
75996 + conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
75997 conn->avail_calls = RXRPC_MAXCALLS;
75998 conn->size_align = 4;
75999 conn->header_size = sizeof(struct rxrpc_header);
76000 diff -urNp linux-2.6.32.46/net/rxrpc/ar-connevent.c linux-2.6.32.46/net/rxrpc/ar-connevent.c
76001 --- linux-2.6.32.46/net/rxrpc/ar-connevent.c 2011-03-27 14:31:47.000000000 -0400
76002 +++ linux-2.6.32.46/net/rxrpc/ar-connevent.c 2011-05-04 17:56:28.000000000 -0400
76003 @@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct
76004
76005 len = iov[0].iov_len + iov[1].iov_len;
76006
76007 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
76008 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
76009 _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
76010
76011 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
76012 diff -urNp linux-2.6.32.46/net/rxrpc/ar-input.c linux-2.6.32.46/net/rxrpc/ar-input.c
76013 --- linux-2.6.32.46/net/rxrpc/ar-input.c 2011-03-27 14:31:47.000000000 -0400
76014 +++ linux-2.6.32.46/net/rxrpc/ar-input.c 2011-05-04 17:56:28.000000000 -0400
76015 @@ -339,9 +339,9 @@ void rxrpc_fast_process_packet(struct rx
76016 /* track the latest serial number on this connection for ACK packet
76017 * information */
76018 serial = ntohl(sp->hdr.serial);
76019 - hi_serial = atomic_read(&call->conn->hi_serial);
76020 + hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
76021 while (serial > hi_serial)
76022 - hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
76023 + hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
76024 serial);
76025
76026 /* request ACK generation for any ACK or DATA packet that requests
76027 diff -urNp linux-2.6.32.46/net/rxrpc/ar-internal.h linux-2.6.32.46/net/rxrpc/ar-internal.h
76028 --- linux-2.6.32.46/net/rxrpc/ar-internal.h 2011-03-27 14:31:47.000000000 -0400
76029 +++ linux-2.6.32.46/net/rxrpc/ar-internal.h 2011-05-04 17:56:28.000000000 -0400
76030 @@ -272,8 +272,8 @@ struct rxrpc_connection {
76031 int error; /* error code for local abort */
76032 int debug_id; /* debug ID for printks */
76033 unsigned call_counter; /* call ID counter */
76034 - atomic_t serial; /* packet serial number counter */
76035 - atomic_t hi_serial; /* highest serial number received */
76036 + atomic_unchecked_t serial; /* packet serial number counter */
76037 + atomic_unchecked_t hi_serial; /* highest serial number received */
76038 u8 avail_calls; /* number of calls available */
76039 u8 size_align; /* data size alignment (for security) */
76040 u8 header_size; /* rxrpc + security header size */
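Review bot: The switch of `serial` and `hi_serial` to `atomic_unchecked_t` here, and of `sequence` and `rxrpc_debug_id` in the two hunks below, leaves the field comments unchanged, so the header does not say why these four are exempt while `usage` stays a plain `atomic_t`. Extending the existing comments, e.g. `/* packet serial number counter (may wrap; not a reference count) */`, would make the distinction explicit. Without it, a later contributor may convert a real reference count to the unchecked type by analogy. The struct definitions start and end outside the hunks.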
76041 @@ -346,7 +346,7 @@ struct rxrpc_call {
76042 spinlock_t lock;
76043 rwlock_t state_lock; /* lock for state transition */
76044 atomic_t usage;
76045 - atomic_t sequence; /* Tx data packet sequence counter */
76046 + atomic_unchecked_t sequence; /* Tx data packet sequence counter */
76047 u32 abort_code; /* local/remote abort code */
76048 enum { /* current state of call */
76049 RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
76050 @@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(stru
76051 */
76052 extern atomic_t rxrpc_n_skbs;
76053 extern __be32 rxrpc_epoch;
76054 -extern atomic_t rxrpc_debug_id;
76055 +extern atomic_unchecked_t rxrpc_debug_id;
76056 extern struct workqueue_struct *rxrpc_workqueue;
76057
76058 /*
76059 diff -urNp linux-2.6.32.46/net/rxrpc/ar-key.c linux-2.6.32.46/net/rxrpc/ar-key.c
76060 --- linux-2.6.32.46/net/rxrpc/ar-key.c 2011-03-27 14:31:47.000000000 -0400
76061 +++ linux-2.6.32.46/net/rxrpc/ar-key.c 2011-04-17 15:56:46.000000000 -0400
76062 @@ -88,11 +88,11 @@ static int rxrpc_instantiate_xdr_rxkad(s
76063 return ret;
76064
76065 plen -= sizeof(*token);
76066 - token = kmalloc(sizeof(*token), GFP_KERNEL);
76067 + token = kzalloc(sizeof(*token), GFP_KERNEL);
76068 if (!token)
76069 return -ENOMEM;
76070
76071 - token->kad = kmalloc(plen, GFP_KERNEL);
76072 + token->kad = kzalloc(plen, GFP_KERNEL);
76073 if (!token->kad) {
76074 kfree(token);
76075 return -ENOMEM;
76076 @@ -730,10 +730,10 @@ static int rxrpc_instantiate(struct key
76077 goto error;
76078
76079 ret = -ENOMEM;
76080 - token = kmalloc(sizeof(*token), GFP_KERNEL);
76081 + token = kzalloc(sizeof(*token), GFP_KERNEL);
76082 if (!token)
76083 goto error;
76084 - token->kad = kmalloc(plen, GFP_KERNEL);
76085 + token->kad = kzalloc(plen, GFP_KERNEL);
76086 if (!token->kad)
76087 goto error_free;
76088
76089 diff -urNp linux-2.6.32.46/net/rxrpc/ar-local.c linux-2.6.32.46/net/rxrpc/ar-local.c
76090 --- linux-2.6.32.46/net/rxrpc/ar-local.c 2011-03-27 14:31:47.000000000 -0400
76091 +++ linux-2.6.32.46/net/rxrpc/ar-local.c 2011-05-04 17:56:28.000000000 -0400
76092 @@ -44,7 +44,7 @@ struct rxrpc_local *rxrpc_alloc_local(st
76093 spin_lock_init(&local->lock);
76094 rwlock_init(&local->services_lock);
76095 atomic_set(&local->usage, 1);
76096 - local->debug_id = atomic_inc_return(&rxrpc_debug_id);
76097 + local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
76098 memcpy(&local->srx, srx, sizeof(*srx));
76099 }
76100
76101 diff -urNp linux-2.6.32.46/net/rxrpc/ar-output.c linux-2.6.32.46/net/rxrpc/ar-output.c
76102 --- linux-2.6.32.46/net/rxrpc/ar-output.c 2011-03-27 14:31:47.000000000 -0400
76103 +++ linux-2.6.32.46/net/rxrpc/ar-output.c 2011-05-04 17:56:28.000000000 -0400
76104 @@ -680,9 +680,9 @@ static int rxrpc_send_data(struct kiocb
76105 sp->hdr.cid = call->cid;
76106 sp->hdr.callNumber = call->call_id;
76107 sp->hdr.seq =
76108 - htonl(atomic_inc_return(&call->sequence));
76109 + htonl(atomic_inc_return_unchecked(&call->sequence));
76110 sp->hdr.serial =
76111 - htonl(atomic_inc_return(&conn->serial));
76112 + htonl(atomic_inc_return_unchecked(&conn->serial));
76113 sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
76114 sp->hdr.userStatus = 0;
76115 sp->hdr.securityIndex = conn->security_ix;
76116 diff -urNp linux-2.6.32.46/net/rxrpc/ar-peer.c linux-2.6.32.46/net/rxrpc/ar-peer.c
76117 --- linux-2.6.32.46/net/rxrpc/ar-peer.c 2011-03-27 14:31:47.000000000 -0400
76118 +++ linux-2.6.32.46/net/rxrpc/ar-peer.c 2011-05-04 17:56:28.000000000 -0400
76119 @@ -86,7 +86,7 @@ static struct rxrpc_peer *rxrpc_alloc_pe
76120 INIT_LIST_HEAD(&peer->error_targets);
76121 spin_lock_init(&peer->lock);
76122 atomic_set(&peer->usage, 1);
76123 - peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
76124 + peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
76125 memcpy(&peer->srx, srx, sizeof(*srx));
76126
76127 rxrpc_assess_MTU_size(peer);
76128 diff -urNp linux-2.6.32.46/net/rxrpc/ar-proc.c linux-2.6.32.46/net/rxrpc/ar-proc.c
76129 --- linux-2.6.32.46/net/rxrpc/ar-proc.c 2011-03-27 14:31:47.000000000 -0400
76130 +++ linux-2.6.32.46/net/rxrpc/ar-proc.c 2011-05-04 17:56:28.000000000 -0400
76131 @@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(str
76132 atomic_read(&conn->usage),
76133 rxrpc_conn_states[conn->state],
76134 key_serial(conn->key),
76135 - atomic_read(&conn->serial),
76136 - atomic_read(&conn->hi_serial));
76137 + atomic_read_unchecked(&conn->serial),
76138 + atomic_read_unchecked(&conn->hi_serial));
76139
76140 return 0;
76141 }
76142 diff -urNp linux-2.6.32.46/net/rxrpc/ar-transport.c linux-2.6.32.46/net/rxrpc/ar-transport.c
76143 --- linux-2.6.32.46/net/rxrpc/ar-transport.c 2011-03-27 14:31:47.000000000 -0400
76144 +++ linux-2.6.32.46/net/rxrpc/ar-transport.c 2011-05-04 17:56:28.000000000 -0400
76145 @@ -46,7 +46,7 @@ static struct rxrpc_transport *rxrpc_all
76146 spin_lock_init(&trans->client_lock);
76147 rwlock_init(&trans->conn_lock);
76148 atomic_set(&trans->usage, 1);
76149 - trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
76150 + trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
76151
76152 if (peer->srx.transport.family == AF_INET) {
76153 switch (peer->srx.transport_type) {
76154 diff -urNp linux-2.6.32.46/net/rxrpc/rxkad.c linux-2.6.32.46/net/rxrpc/rxkad.c
76155 --- linux-2.6.32.46/net/rxrpc/rxkad.c 2011-03-27 14:31:47.000000000 -0400
76156 +++ linux-2.6.32.46/net/rxrpc/rxkad.c 2011-05-16 21:46:57.000000000 -0400
76157 @@ -210,6 +210,8 @@ static int rxkad_secure_packet_encrypt(c
76158 u16 check;
76159 int nsg;
76160
76161 + pax_track_stack();
76162 +
76163 sp = rxrpc_skb(skb);
76164
76165 _enter("");
76166 @@ -337,6 +339,8 @@ static int rxkad_verify_packet_auth(cons
76167 u16 check;
76168 int nsg;
76169
76170 + pax_track_stack();
76171 +
76172 _enter("");
76173
76174 sp = rxrpc_skb(skb);
76175 @@ -609,7 +613,7 @@ static int rxkad_issue_challenge(struct
76176
76177 len = iov[0].iov_len + iov[1].iov_len;
76178
76179 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
76180 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
76181 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
76182
76183 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
76184 @@ -659,7 +663,7 @@ static int rxkad_send_response(struct rx
76185
76186 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
76187
76188 - hdr->serial = htonl(atomic_inc_return(&conn->serial));
76189 + hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
76190 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
76191
76192 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
76193 diff -urNp linux-2.6.32.46/net/sctp/proc.c linux-2.6.32.46/net/sctp/proc.c
76194 --- linux-2.6.32.46/net/sctp/proc.c 2011-03-27 14:31:47.000000000 -0400
76195 +++ linux-2.6.32.46/net/sctp/proc.c 2011-04-17 15:56:46.000000000 -0400
76196 @@ -213,7 +213,12 @@ static int sctp_eps_seq_show(struct seq_
76197 sctp_for_each_hentry(epb, node, &head->chain) {
76198 ep = sctp_ep(epb);
76199 sk = epb->sk;
76200 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
76201 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
76202 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76203 + NULL, NULL,
76204 +#else
76205 + ep, sk,
76206 +#endif
76207 sctp_sk(sk)->type, sk->sk_state, hash,
76208 epb->bind_addr.port,
76209 sock_i_uid(sk), sock_i_ino(sk));
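Review bot: Putting `#ifdef CONFIG_GRKERNSEC_HIDESYM` inside the seq_printf() argument list only works while seq_printf is a real function; preprocessor directives inside the arguments of a function-like macro are undefined behaviour in C. The same pattern is repeated in the sctp_assocs_seq_show hunk below and in unix_seq_show in net/unix/af_unix.c. A single helper defined once under the config option (name to be chosen by the project, for example a macro that expands to `NULL` when HIDESYM is set and to its argument otherwise) would keep the format string and its arguments on matching lines and remove the three copies. A short comment such as `/* HIDESYM: do not expose kernel addresses through /proc */` at the definition would record the reason.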
76210 @@ -320,7 +325,12 @@ static int sctp_assocs_seq_show(struct s
76211 seq_printf(seq,
76212 "%8p %8p %-3d %-3d %-2d %-4d "
76213 "%4d %8d %8d %7d %5lu %-5d %5d ",
76214 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
76215 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76216 + NULL, NULL,
76217 +#else
76218 + assoc, sk,
76219 +#endif
76220 + sctp_sk(sk)->type, sk->sk_state,
76221 assoc->state, hash,
76222 assoc->assoc_id,
76223 assoc->sndbuf_used,
76224 diff -urNp linux-2.6.32.46/net/sctp/socket.c linux-2.6.32.46/net/sctp/socket.c
76225 --- linux-2.6.32.46/net/sctp/socket.c 2011-03-27 14:31:47.000000000 -0400
76226 +++ linux-2.6.32.46/net/sctp/socket.c 2011-04-23 12:56:11.000000000 -0400
76227 @@ -5802,7 +5802,6 @@ pp_found:
76228 */
76229 int reuse = sk->sk_reuse;
76230 struct sock *sk2;
76231 - struct hlist_node *node;
76232
76233 SCTP_DEBUG_PRINTK("sctp_get_port() found a possible match\n");
76234 if (pp->fastreuse && sk->sk_reuse &&
76235 diff -urNp linux-2.6.32.46/net/socket.c linux-2.6.32.46/net/socket.c
76236 --- linux-2.6.32.46/net/socket.c 2011-03-27 14:31:47.000000000 -0400
76237 +++ linux-2.6.32.46/net/socket.c 2011-05-16 21:46:57.000000000 -0400
76238 @@ -87,6 +87,7 @@
76239 #include <linux/wireless.h>
76240 #include <linux/nsproxy.h>
76241 #include <linux/magic.h>
76242 +#include <linux/in.h>
76243
76244 #include <asm/uaccess.h>
76245 #include <asm/unistd.h>
76246 @@ -97,6 +98,21 @@
76247 #include <net/sock.h>
76248 #include <linux/netfilter.h>
76249
76250 +extern void gr_attach_curr_ip(const struct sock *sk);
76251 +extern int gr_handle_sock_all(const int family, const int type,
76252 + const int protocol);
76253 +extern int gr_handle_sock_server(const struct sockaddr *sck);
76254 +extern int gr_handle_sock_server_other(const struct sock *sck);
76255 +extern int gr_handle_sock_client(const struct sockaddr *sck);
76256 +extern int gr_search_connect(struct socket * sock,
76257 + struct sockaddr_in * addr);
76258 +extern int gr_search_bind(struct socket * sock,
76259 + struct sockaddr_in * addr);
76260 +extern int gr_search_listen(struct socket * sock);
76261 +extern int gr_search_accept(struct socket * sock);
76262 +extern int gr_search_socket(const int domain, const int type,
76263 + const int protocol);
76264 +
76265 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
76266 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
76267 unsigned long nr_segs, loff_t pos);
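Review bot: The ten `gr_*` prototypes are declared by hand in net/socket.c rather than pulled in from a header shared with their definitions, so a signature change on the defining side would compile cleanly here and mismatch at run time. Other files in this patch call gr_* hooks without local externs (net/unix/af_unix.c below), which suggests a header already exists that these could move to. Note also that `gr_search_connect` and `gr_search_bind` are typed to take `struct sockaddr_in *` although the callers hold a generic socket address; a `struct sockaddr *` plus a length parameter would make the contract explicit.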
76268 @@ -298,7 +314,7 @@ static int sockfs_get_sb(struct file_sys
76269 mnt);
76270 }
76271
76272 -static struct vfsmount *sock_mnt __read_mostly;
76273 +struct vfsmount *sock_mnt __read_mostly;
76274
76275 static struct file_system_type sock_fs_type = {
76276 .name = "sockfs",
76277 @@ -1154,6 +1170,8 @@ static int __sock_create(struct net *net
76278 return -EAFNOSUPPORT;
76279 if (type < 0 || type >= SOCK_MAX)
76280 return -EINVAL;
76281 + if (protocol < 0)
76282 + return -EINVAL;
76283
76284 /* Compatibility.
76285
76286 @@ -1283,6 +1301,16 @@ SYSCALL_DEFINE3(socket, int, family, int
76287 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
76288 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
76289
76290 + if(!gr_search_socket(family, type, protocol)) {
76291 + retval = -EACCES;
76292 + goto out;
76293 + }
76294 +
76295 + if (gr_handle_sock_all(family, type, protocol)) {
76296 + retval = -EACCES;
76297 + goto out;
76298 + }
76299 +
76300 retval = sock_create(family, type, protocol, &sock);
76301 if (retval < 0)
76302 goto out;
76303 @@ -1415,6 +1443,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
76304 if (sock) {
76305 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
76306 if (err >= 0) {
76307 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
76308 + err = -EACCES;
76309 + goto error;
76310 + }
76311 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
76312 + if (err)
76313 + goto error;
76314 +
76315 err = security_socket_bind(sock,
76316 (struct sockaddr *)&address,
76317 addrlen);
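Review bot: `gr_handle_sock_server()` and `gr_search_bind()` receive `&address` cast to `struct sockaddr *` / `struct sockaddr_in *` but not `addrlen`, and they run before the protocol's own bind has validated the length and family. If the caller supplied fewer bytes than `sizeof(struct sockaddr_in)`, or a non-IPv4 family, any field the hooks read beyond what was copied in would be stale kernel stack or misinterpreted data; the hook bodies are outside this hunk, so whether they guard against that cannot be confirmed here. Passing `addrlen` through, or guarding the call with something like `if (addrlen >= sizeof(struct sockaddr_in))` before the IPv4 view is used, would close that gap. The connect hunk further down casts `sck` to `struct sockaddr_in *` for `gr_search_connect()` in the same way.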
76318 @@ -1423,6 +1459,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
76319 (struct sockaddr *)
76320 &address, addrlen);
76321 }
76322 +error:
76323 fput_light(sock->file, fput_needed);
76324 }
76325 return err;
76326 @@ -1446,10 +1483,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
76327 if ((unsigned)backlog > somaxconn)
76328 backlog = somaxconn;
76329
76330 + if (gr_handle_sock_server_other(sock->sk)) {
76331 + err = -EPERM;
76332 + goto error;
76333 + }
76334 +
76335 + err = gr_search_listen(sock);
76336 + if (err)
76337 + goto error;
76338 +
76339 err = security_socket_listen(sock, backlog);
76340 if (!err)
76341 err = sock->ops->listen(sock, backlog);
76342
76343 +error:
76344 fput_light(sock->file, fput_needed);
76345 }
76346 return err;
76347 @@ -1492,6 +1539,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
76348 newsock->type = sock->type;
76349 newsock->ops = sock->ops;
76350
76351 + if (gr_handle_sock_server_other(sock->sk)) {
76352 + err = -EPERM;
76353 + sock_release(newsock);
76354 + goto out_put;
76355 + }
76356 +
76357 + err = gr_search_accept(sock);
76358 + if (err) {
76359 + sock_release(newsock);
76360 + goto out_put;
76361 + }
76362 +
76363 /*
76364 * We don't need try_module_get here, as the listening socket (sock)
76365 * has the protocol module (sock->ops->owner) held.
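Review bot: Both new denial paths call `sock_release(newsock)` after `newsock->ops = sock->ops;` but before the module reference that the comment at the end of this hunk refers to is taken (the line that takes it is outside the hunk). If sock_release() drops a reference on `ops->owner` and calls `ops->release()` whenever `ops` is set, a denied accept would put a module reference that was never acquired and release a socket that has no `sk` yet. Running the two gr_* checks before `newsock` is allocated, or moving them below the point where the reference is held, would keep get and put balanced. The function body starts and ends outside this hunk.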
76366 @@ -1534,6 +1593,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
76367 fd_install(newfd, newfile);
76368 err = newfd;
76369
76370 + gr_attach_curr_ip(newsock->sk);
76371 +
76372 out_put:
76373 fput_light(sock->file, fput_needed);
76374 out:
76375 @@ -1571,6 +1632,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
76376 int, addrlen)
76377 {
76378 struct socket *sock;
76379 + struct sockaddr *sck;
76380 struct sockaddr_storage address;
76381 int err, fput_needed;
76382
76383 @@ -1581,6 +1643,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
76384 if (err < 0)
76385 goto out_put;
76386
76387 + sck = (struct sockaddr *)&address;
76388 +
76389 + if (gr_handle_sock_client(sck)) {
76390 + err = -EACCES;
76391 + goto out_put;
76392 + }
76393 +
76394 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
76395 + if (err)
76396 + goto out_put;
76397 +
76398 err =
76399 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
76400 if (err)
76401 @@ -1882,6 +1955,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct
76402 int err, ctl_len, iov_size, total_len;
76403 int fput_needed;
76404
76405 + pax_track_stack();
76406 +
76407 err = -EFAULT;
76408 if (MSG_CMSG_COMPAT & flags) {
76409 if (get_compat_msghdr(&msg_sys, msg_compat))
76410 diff -urNp linux-2.6.32.46/net/sunrpc/sched.c linux-2.6.32.46/net/sunrpc/sched.c
76411 --- linux-2.6.32.46/net/sunrpc/sched.c 2011-08-09 18:35:30.000000000 -0400
76412 +++ linux-2.6.32.46/net/sunrpc/sched.c 2011-08-09 18:34:01.000000000 -0400
76413 @@ -234,10 +234,10 @@ static int rpc_wait_bit_killable(void *w
76414 #ifdef RPC_DEBUG
76415 static void rpc_task_set_debuginfo(struct rpc_task *task)
76416 {
76417 - static atomic_t rpc_pid;
76418 + static atomic_unchecked_t rpc_pid;
76419
76420 task->tk_magic = RPC_TASK_MAGIC_ID;
76421 - task->tk_pid = atomic_inc_return(&rpc_pid);
76422 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
76423 }
76424 #else
76425 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
76426 diff -urNp linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma.c
76427 --- linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma.c 2011-03-27 14:31:47.000000000 -0400
76428 +++ linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-04 17:56:20.000000000 -0400
76429 @@ -59,15 +59,15 @@ unsigned int svcrdma_max_req_size = RPCR
76430 static unsigned int min_max_inline = 4096;
76431 static unsigned int max_max_inline = 65536;
76432
76433 -atomic_t rdma_stat_recv;
76434 -atomic_t rdma_stat_read;
76435 -atomic_t rdma_stat_write;
76436 -atomic_t rdma_stat_sq_starve;
76437 -atomic_t rdma_stat_rq_starve;
76438 -atomic_t rdma_stat_rq_poll;
76439 -atomic_t rdma_stat_rq_prod;
76440 -atomic_t rdma_stat_sq_poll;
76441 -atomic_t rdma_stat_sq_prod;
76442 +atomic_unchecked_t rdma_stat_recv;
76443 +atomic_unchecked_t rdma_stat_read;
76444 +atomic_unchecked_t rdma_stat_write;
76445 +atomic_unchecked_t rdma_stat_sq_starve;
76446 +atomic_unchecked_t rdma_stat_rq_starve;
76447 +atomic_unchecked_t rdma_stat_rq_poll;
76448 +atomic_unchecked_t rdma_stat_rq_prod;
76449 +atomic_unchecked_t rdma_stat_sq_poll;
76450 +atomic_unchecked_t rdma_stat_sq_prod;
76451
76452 /* Temporary NFS request map and context caches */
76453 struct kmem_cache *svc_rdma_map_cachep;
76454 @@ -105,7 +105,7 @@ static int read_reset_stat(ctl_table *ta
76455 len -= *ppos;
76456 if (len > *lenp)
76457 len = *lenp;
76458 - if (len && copy_to_user(buffer, str_buf, len))
76459 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
76460 return -EFAULT;
76461 *lenp = len;
76462 *ppos += len;
76463 @@ -149,63 +149,63 @@ static ctl_table svcrdma_parm_table[] =
76464 {
76465 .procname = "rdma_stat_read",
76466 .data = &rdma_stat_read,
76467 - .maxlen = sizeof(atomic_t),
76468 + .maxlen = sizeof(atomic_unchecked_t),
76469 .mode = 0644,
76470 .proc_handler = &read_reset_stat,
76471 },
76472 {
76473 .procname = "rdma_stat_recv",
76474 .data = &rdma_stat_recv,
76475 - .maxlen = sizeof(atomic_t),
76476 + .maxlen = sizeof(atomic_unchecked_t),
76477 .mode = 0644,
76478 .proc_handler = &read_reset_stat,
76479 },
76480 {
76481 .procname = "rdma_stat_write",
76482 .data = &rdma_stat_write,
76483 - .maxlen = sizeof(atomic_t),
76484 + .maxlen = sizeof(atomic_unchecked_t),
76485 .mode = 0644,
76486 .proc_handler = &read_reset_stat,
76487 },
76488 {
76489 .procname = "rdma_stat_sq_starve",
76490 .data = &rdma_stat_sq_starve,
76491 - .maxlen = sizeof(atomic_t),
76492 + .maxlen = sizeof(atomic_unchecked_t),
76493 .mode = 0644,
76494 .proc_handler = &read_reset_stat,
76495 },
76496 {
76497 .procname = "rdma_stat_rq_starve",
76498 .data = &rdma_stat_rq_starve,
76499 - .maxlen = sizeof(atomic_t),
76500 + .maxlen = sizeof(atomic_unchecked_t),
76501 .mode = 0644,
76502 .proc_handler = &read_reset_stat,
76503 },
76504 {
76505 .procname = "rdma_stat_rq_poll",
76506 .data = &rdma_stat_rq_poll,
76507 - .maxlen = sizeof(atomic_t),
76508 + .maxlen = sizeof(atomic_unchecked_t),
76509 .mode = 0644,
76510 .proc_handler = &read_reset_stat,
76511 },
76512 {
76513 .procname = "rdma_stat_rq_prod",
76514 .data = &rdma_stat_rq_prod,
76515 - .maxlen = sizeof(atomic_t),
76516 + .maxlen = sizeof(atomic_unchecked_t),
76517 .mode = 0644,
76518 .proc_handler = &read_reset_stat,
76519 },
76520 {
76521 .procname = "rdma_stat_sq_poll",
76522 .data = &rdma_stat_sq_poll,
76523 - .maxlen = sizeof(atomic_t),
76524 + .maxlen = sizeof(atomic_unchecked_t),
76525 .mode = 0644,
76526 .proc_handler = &read_reset_stat,
76527 },
76528 {
76529 .procname = "rdma_stat_sq_prod",
76530 .data = &rdma_stat_sq_prod,
76531 - .maxlen = sizeof(atomic_t),
76532 + .maxlen = sizeof(atomic_unchecked_t),
76533 .mode = 0644,
76534 .proc_handler = &read_reset_stat,
76535 },
76536 diff -urNp linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
76537 --- linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-03-27 14:31:47.000000000 -0400
76538 +++ linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-04 17:56:28.000000000 -0400
76539 @@ -495,7 +495,7 @@ next_sge:
76540 svc_rdma_put_context(ctxt, 0);
76541 goto out;
76542 }
76543 - atomic_inc(&rdma_stat_read);
76544 + atomic_inc_unchecked(&rdma_stat_read);
76545
76546 if (read_wr.num_sge < chl_map->ch[ch_no].count) {
76547 chl_map->ch[ch_no].count -= read_wr.num_sge;
76548 @@ -606,7 +606,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
76549 dto_q);
76550 list_del_init(&ctxt->dto_q);
76551 } else {
76552 - atomic_inc(&rdma_stat_rq_starve);
76553 + atomic_inc_unchecked(&rdma_stat_rq_starve);
76554 clear_bit(XPT_DATA, &xprt->xpt_flags);
76555 ctxt = NULL;
76556 }
76557 @@ -626,7 +626,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
76558 dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
76559 ctxt, rdma_xprt, rqstp, ctxt->wc_status);
76560 BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
76561 - atomic_inc(&rdma_stat_recv);
76562 + atomic_inc_unchecked(&rdma_stat_recv);
76563
76564 /* Build up the XDR from the receive buffers. */
76565 rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
76566 diff -urNp linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_sendto.c linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_sendto.c
76567 --- linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-03-27 14:31:47.000000000 -0400
76568 +++ linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-04 17:56:28.000000000 -0400
76569 @@ -328,7 +328,7 @@ static int send_write(struct svcxprt_rdm
76570 write_wr.wr.rdma.remote_addr = to;
76571
76572 /* Post It */
76573 - atomic_inc(&rdma_stat_write);
76574 + atomic_inc_unchecked(&rdma_stat_write);
76575 if (svc_rdma_send(xprt, &write_wr))
76576 goto err;
76577 return 0;
76578 diff -urNp linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_transport.c linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_transport.c
76579 --- linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-03-27 14:31:47.000000000 -0400
76580 +++ linux-2.6.32.46/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-04 17:56:28.000000000 -0400
76581 @@ -292,7 +292,7 @@ static void rq_cq_reap(struct svcxprt_rd
76582 return;
76583
76584 ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
76585 - atomic_inc(&rdma_stat_rq_poll);
76586 + atomic_inc_unchecked(&rdma_stat_rq_poll);
76587
76588 while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
76589 ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
76590 @@ -314,7 +314,7 @@ static void rq_cq_reap(struct svcxprt_rd
76591 }
76592
76593 if (ctxt)
76594 - atomic_inc(&rdma_stat_rq_prod);
76595 + atomic_inc_unchecked(&rdma_stat_rq_prod);
76596
76597 set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
76598 /*
76599 @@ -386,7 +386,7 @@ static void sq_cq_reap(struct svcxprt_rd
76600 return;
76601
76602 ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
76603 - atomic_inc(&rdma_stat_sq_poll);
76604 + atomic_inc_unchecked(&rdma_stat_sq_poll);
76605 while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
76606 if (wc.status != IB_WC_SUCCESS)
76607 /* Close the transport */
76608 @@ -404,7 +404,7 @@ static void sq_cq_reap(struct svcxprt_rd
76609 }
76610
76611 if (ctxt)
76612 - atomic_inc(&rdma_stat_sq_prod);
76613 + atomic_inc_unchecked(&rdma_stat_sq_prod);
76614 }
76615
76616 static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
76617 @@ -1260,7 +1260,7 @@ int svc_rdma_send(struct svcxprt_rdma *x
76618 spin_lock_bh(&xprt->sc_lock);
76619 if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
76620 spin_unlock_bh(&xprt->sc_lock);
76621 - atomic_inc(&rdma_stat_sq_starve);
76622 + atomic_inc_unchecked(&rdma_stat_sq_starve);
76623
76624 /* See if we can opportunistically reap SQ WR to make room */
76625 sq_cq_reap(xprt);
76626 diff -urNp linux-2.6.32.46/net/sysctl_net.c linux-2.6.32.46/net/sysctl_net.c
76627 --- linux-2.6.32.46/net/sysctl_net.c 2011-03-27 14:31:47.000000000 -0400
76628 +++ linux-2.6.32.46/net/sysctl_net.c 2011-04-17 15:56:46.000000000 -0400
76629 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
76630 struct ctl_table *table)
76631 {
76632 /* Allow network administrator to have same access as root. */
76633 - if (capable(CAP_NET_ADMIN)) {
76634 + if (capable_nolog(CAP_NET_ADMIN)) {
76635 int mode = (table->mode >> 6) & 7;
76636 return (mode << 6) | (mode << 3) | mode;
76637 }
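Review bot: Nothing at the call site explains why the CAP_NET_ADMIN test switches to `capable_nolog()`, which is defined elsewhere in the patch. If the intent is that this permission probe should not generate a capability-use log entry on every sysctl lookup, a comment saying so, e.g. `/* permission probe only; use the non-logging check */`, would stop a later cleanup from turning it back into `capable()`. It is also worth stating whether skipping the log here hides real CAP_NET_ADMIN use from audit, since this branch grants the owner mode bits to the caller.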
76638 diff -urNp linux-2.6.32.46/net/unix/af_unix.c linux-2.6.32.46/net/unix/af_unix.c
76639 --- linux-2.6.32.46/net/unix/af_unix.c 2011-05-10 22:12:02.000000000 -0400
76640 +++ linux-2.6.32.46/net/unix/af_unix.c 2011-07-18 18:17:33.000000000 -0400
76641 @@ -745,6 +745,12 @@ static struct sock *unix_find_other(stru
76642 err = -ECONNREFUSED;
76643 if (!S_ISSOCK(inode->i_mode))
76644 goto put_fail;
76645 +
76646 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
76647 + err = -EACCES;
76648 + goto put_fail;
76649 + }
76650 +
76651 u = unix_find_socket_byinode(net, inode);
76652 if (!u)
76653 goto put_fail;
76654 @@ -765,6 +771,13 @@ static struct sock *unix_find_other(stru
76655 if (u) {
76656 struct dentry *dentry;
76657 dentry = unix_sk(u)->dentry;
76658 +
76659 + if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
76660 + err = -EPERM;
76661 + sock_put(u);
76662 + goto fail;
76663 + }
76664 +
76665 if (dentry)
76666 touch_atime(unix_sk(u)->mnt, dentry);
76667 } else
76668 @@ -850,11 +863,18 @@ static int unix_bind(struct socket *sock
76669 err = security_path_mknod(&nd.path, dentry, mode, 0);
76670 if (err)
76671 goto out_mknod_drop_write;
76672 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
76673 + err = -EACCES;
76674 + goto out_mknod_drop_write;
76675 + }
76676 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
76677 out_mknod_drop_write:
76678 mnt_drop_write(nd.path.mnt);
76679 if (err)
76680 goto out_mknod_dput;
76681 +
76682 + gr_handle_create(dentry, nd.path.mnt);
76683 +
76684 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
76685 dput(nd.path.dentry);
76686 nd.path.dentry = dentry;
76687 @@ -2211,7 +2231,11 @@ static int unix_seq_show(struct seq_file
76688 unix_state_lock(s);
76689
76690 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
76691 +#ifdef CONFIG_GRKERNSEC_HIDESYM
76692 + NULL,
76693 +#else
76694 s,
76695 +#endif
76696 atomic_read(&s->sk_refcnt),
76697 0,
76698 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
76699 diff -urNp linux-2.6.32.46/net/wireless/core.h linux-2.6.32.46/net/wireless/core.h
76700 --- linux-2.6.32.46/net/wireless/core.h 2011-03-27 14:31:47.000000000 -0400
76701 +++ linux-2.6.32.46/net/wireless/core.h 2011-08-23 21:22:38.000000000 -0400
76702 @@ -27,7 +27,7 @@ struct cfg80211_registered_device {
76703 struct mutex mtx;
76704
76705 /* rfkill support */
76706 - struct rfkill_ops rfkill_ops;
76707 + rfkill_ops_no_const rfkill_ops;
76708 struct rfkill *rfkill;
76709 struct work_struct rfkill_sync;
76710
76711 diff -urNp linux-2.6.32.46/net/wireless/wext.c linux-2.6.32.46/net/wireless/wext.c
76712 --- linux-2.6.32.46/net/wireless/wext.c 2011-03-27 14:31:47.000000000 -0400
76713 +++ linux-2.6.32.46/net/wireless/wext.c 2011-04-17 15:56:46.000000000 -0400
76714 @@ -816,8 +816,7 @@ static int ioctl_standard_iw_point(struc
76715 */
76716
76717 /* Support for very large requests */
76718 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
76719 - (user_length > descr->max_tokens)) {
76720 + if (user_length > descr->max_tokens) {
76721 /* Allow userspace to GET more than max so
76722 * we can support any size GET requests.
76723 * There is still a limit : -ENOMEM.
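Review bot: With the `IW_DESCR_FLAG_NOMAX` test removed, this branch is taken for every descriptor whenever `user_length > descr->max_tokens`, yet the comments on either side still describe it as the special case for very large requests. Since `user_length` comes from the caller and the branch body (outside the hunk) appears to size the buffer from it, a comment should state that the bound is now userspace-controlled for all GETs and that the allocation failure path is the only limit. The next hunk deletes the block that reset `iwp->length` to `max_tokens` together with its rationale, so the reason the two changes belong together is currently recorded nowhere in the file.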
76724 @@ -854,22 +853,6 @@ static int ioctl_standard_iw_point(struc
76725 }
76726 }
76727
76728 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
76729 - /*
76730 - * If this is a GET, but not NOMAX, it means that the extra
76731 - * data is not bounded by userspace, but by max_tokens. Thus
76732 - * set the length to max_tokens. This matches the extra data
76733 - * allocation.
76734 - * The driver should fill it with the number of tokens it
76735 - * provided, and it may check iwp->length rather than having
76736 - * knowledge of max_tokens. If the driver doesn't change the
76737 - * iwp->length, this ioctl just copies back max_token tokens
76738 - * filled with zeroes. Hopefully the driver isn't claiming
76739 - * them to be valid data.
76740 - */
76741 - iwp->length = descr->max_tokens;
76742 - }
76743 -
76744 err = handler(dev, info, (union iwreq_data *) iwp, extra);
76745
76746 iwp->length += essid_compat;
76747 diff -urNp linux-2.6.32.46/net/xfrm/xfrm_policy.c linux-2.6.32.46/net/xfrm/xfrm_policy.c
76748 --- linux-2.6.32.46/net/xfrm/xfrm_policy.c 2011-03-27 14:31:47.000000000 -0400
76749 +++ linux-2.6.32.46/net/xfrm/xfrm_policy.c 2011-05-04 17:56:20.000000000 -0400
76750 @@ -586,7 +586,7 @@ int xfrm_policy_insert(int dir, struct x
76751 hlist_add_head(&policy->bydst, chain);
76752 xfrm_pol_hold(policy);
76753 net->xfrm.policy_count[dir]++;
76754 - atomic_inc(&flow_cache_genid);
76755 + atomic_inc_unchecked(&flow_cache_genid);
76756 if (delpol)
76757 __xfrm_policy_unlink(delpol, dir);
76758 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
76759 @@ -669,7 +669,7 @@ struct xfrm_policy *xfrm_policy_bysel_ct
76760 write_unlock_bh(&xfrm_policy_lock);
76761
76762 if (ret && delete) {
76763 - atomic_inc(&flow_cache_genid);
76764 + atomic_inc_unchecked(&flow_cache_genid);
76765 xfrm_policy_kill(ret);
76766 }
76767 return ret;
76768 @@ -710,7 +710,7 @@ struct xfrm_policy *xfrm_policy_byid(str
76769 write_unlock_bh(&xfrm_policy_lock);
76770
76771 if (ret && delete) {
76772 - atomic_inc(&flow_cache_genid);
76773 + atomic_inc_unchecked(&flow_cache_genid);
76774 xfrm_policy_kill(ret);
76775 }
76776 return ret;
76777 @@ -824,7 +824,7 @@ int xfrm_policy_flush(struct net *net, u
76778 }
76779
76780 }
76781 - atomic_inc(&flow_cache_genid);
76782 + atomic_inc_unchecked(&flow_cache_genid);
76783 out:
76784 write_unlock_bh(&xfrm_policy_lock);
76785 return err;
76786 @@ -1088,7 +1088,7 @@ int xfrm_policy_delete(struct xfrm_polic
76787 write_unlock_bh(&xfrm_policy_lock);
76788 if (pol) {
76789 if (dir < XFRM_POLICY_MAX)
76790 - atomic_inc(&flow_cache_genid);
76791 + atomic_inc_unchecked(&flow_cache_genid);
76792 xfrm_policy_kill(pol);
76793 return 0;
76794 }
76795 @@ -1477,7 +1477,7 @@ free_dst:
76796 goto out;
76797 }
76798
76799 -static int inline
76800 +static inline int
76801 xfrm_dst_alloc_copy(void **target, void *src, int size)
76802 {
76803 if (!*target) {
76804 @@ -1489,7 +1489,7 @@ xfrm_dst_alloc_copy(void **target, void
76805 return 0;
76806 }
76807
76808 -static int inline
76809 +static inline int
76810 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
76811 {
76812 #ifdef CONFIG_XFRM_SUB_POLICY
76813 @@ -1501,7 +1501,7 @@ xfrm_dst_update_parent(struct dst_entry
76814 #endif
76815 }
76816
76817 -static int inline
76818 +static inline int
76819 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
76820 {
76821 #ifdef CONFIG_XFRM_SUB_POLICY
76822 @@ -1537,7 +1537,7 @@ int __xfrm_lookup(struct net *net, struc
76823 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
76824
76825 restart:
76826 - genid = atomic_read(&flow_cache_genid);
76827 + genid = atomic_read_unchecked(&flow_cache_genid);
76828 policy = NULL;
76829 for (pi = 0; pi < ARRAY_SIZE(pols); pi++)
76830 pols[pi] = NULL;
76831 @@ -1680,7 +1680,7 @@ restart:
76832 goto error;
76833 }
76834 if (nx == -EAGAIN ||
76835 - genid != atomic_read(&flow_cache_genid)) {
76836 + genid != atomic_read_unchecked(&flow_cache_genid)) {
76837 xfrm_pols_put(pols, npols);
76838 goto restart;
76839 }
76840 diff -urNp linux-2.6.32.46/net/xfrm/xfrm_user.c linux-2.6.32.46/net/xfrm/xfrm_user.c
76841 --- linux-2.6.32.46/net/xfrm/xfrm_user.c 2011-03-27 14:31:47.000000000 -0400
76842 +++ linux-2.6.32.46/net/xfrm/xfrm_user.c 2011-05-16 21:46:57.000000000 -0400
76843 @@ -1169,6 +1169,8 @@ static int copy_to_user_tmpl(struct xfrm
76844 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
76845 int i;
76846
76847 + pax_track_stack();
76848 +
76849 if (xp->xfrm_nr == 0)
76850 return 0;
76851
76852 @@ -1784,6 +1786,8 @@ static int xfrm_do_migrate(struct sk_buf
76853 int err;
76854 int n = 0;
76855
76856 + pax_track_stack();
76857 +
76858 if (attrs[XFRMA_MIGRATE] == NULL)
76859 return -EINVAL;
76860
76861 diff -urNp linux-2.6.32.46/samples/kobject/kset-example.c linux-2.6.32.46/samples/kobject/kset-example.c
76862 --- linux-2.6.32.46/samples/kobject/kset-example.c 2011-03-27 14:31:47.000000000 -0400
76863 +++ linux-2.6.32.46/samples/kobject/kset-example.c 2011-04-17 15:56:46.000000000 -0400
76864 @@ -87,7 +87,7 @@ static ssize_t foo_attr_store(struct kob
76865 }
76866
76867 /* Our custom sysfs_ops that we will associate with our ktype later on */
76868 -static struct sysfs_ops foo_sysfs_ops = {
76869 +static const struct sysfs_ops foo_sysfs_ops = {
76870 .show = foo_attr_show,
76871 .store = foo_attr_store,
76872 };
76873 diff -urNp linux-2.6.32.46/scripts/basic/fixdep.c linux-2.6.32.46/scripts/basic/fixdep.c
76874 --- linux-2.6.32.46/scripts/basic/fixdep.c 2011-03-27 14:31:47.000000000 -0400
76875 +++ linux-2.6.32.46/scripts/basic/fixdep.c 2011-04-17 15:56:46.000000000 -0400
76876 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
76877
76878 static void parse_config_file(char *map, size_t len)
76879 {
76880 - int *end = (int *) (map + len);
76881 + unsigned int *end = (unsigned int *) (map + len);
76882 /* start at +1, so that p can never be < map */
76883 - int *m = (int *) map + 1;
76884 + unsigned int *m = (unsigned int *) map + 1;
76885 char *p, *q;
76886
76887 for (; m < end; m++) {
76888 @@ -371,7 +371,7 @@ static void print_deps(void)
76889 static void traps(void)
76890 {
76891 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
76892 - int *p = (int *)test;
76893 + unsigned int *p = (unsigned int *)test;
76894
76895 if (*p != INT_CONF) {
76896 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
76897 diff -urNp linux-2.6.32.46/scripts/gcc-plugin.sh linux-2.6.32.46/scripts/gcc-plugin.sh
76898 --- linux-2.6.32.46/scripts/gcc-plugin.sh 1969-12-31 19:00:00.000000000 -0500
76899 +++ linux-2.6.32.46/scripts/gcc-plugin.sh 2011-08-23 20:24:19.000000000 -0400
76900 @@ -0,0 +1,2 @@
76901 +#!/bin/sh
76902 +echo "#include \"gcc-plugin.h\"" | $* -x c -shared - -o /dev/null -I`$* -print-file-name=plugin`/include >/dev/null 2>&1 && echo "y"
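Review bot: The probe expands `$*` unquoted in two places and builds the include path with backticks, so a compiler path or plugin directory containing whitespace is split into separate words and the test simply prints nothing. Because stdout and stderr both go to /dev/null, a missing gcc-plugin.h and a malformed command line are indistinguishable to the caller. Quoting the substitution, `-I"$($* -print-file-name=plugin)/include"`, and adding a header comment such as `# usage: gcc-plugin.sh <compiler> [flags]; prints y if plugin headers are usable` would make failures easier to diagnose.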
76903 diff -urNp linux-2.6.32.46/scripts/Makefile.build linux-2.6.32.46/scripts/Makefile.build
76904 --- linux-2.6.32.46/scripts/Makefile.build 2011-03-27 14:31:47.000000000 -0400
76905 +++ linux-2.6.32.46/scripts/Makefile.build 2011-08-23 20:45:11.000000000 -0400
76906 @@ -59,7 +59,7 @@ endif
76907 endif
76908
76909 # Do not include host rules unless needed
76910 -ifneq ($(hostprogs-y)$(hostprogs-m),)
76911 +ifneq ($(hostprogs-y)$(hostprogs-m)$(hostlibs-y)$(hostlibs-m),)
76912 include scripts/Makefile.host
76913 endif
76914
76915 diff -urNp linux-2.6.32.46/scripts/Makefile.clean linux-2.6.32.46/scripts/Makefile.clean
76916 --- linux-2.6.32.46/scripts/Makefile.clean 2011-03-27 14:31:47.000000000 -0400
76917 +++ linux-2.6.32.46/scripts/Makefile.clean 2011-06-04 20:47:19.000000000 -0400
76918 @@ -43,7 +43,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subd
76919 __clean-files := $(extra-y) $(always) \
76920 $(targets) $(clean-files) \
76921 $(host-progs) \
76922 - $(hostprogs-y) $(hostprogs-m) $(hostprogs-)
76923 + $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \
76924 + $(hostlibs-y) $(hostlibs-m) $(hostlibs-)
76925
76926 # as clean-files is given relative to the current directory, this adds
76927 # a $(obj) prefix, except for absolute paths
76928 diff -urNp linux-2.6.32.46/scripts/Makefile.host linux-2.6.32.46/scripts/Makefile.host
76929 --- linux-2.6.32.46/scripts/Makefile.host 2011-03-27 14:31:47.000000000 -0400
76930 +++ linux-2.6.32.46/scripts/Makefile.host 2011-06-04 20:48:22.000000000 -0400
76931 @@ -31,6 +31,7 @@
76932 # Note: Shared libraries consisting of C++ files are not supported
76933
76934 __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
76935 +__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
76936
76937 # C code
76938 # Executables compiled from a single .c file
76939 @@ -54,6 +55,7 @@ host-cxxobjs := $(sort $(foreach m,$(hos
76940 # Shared libaries (only .c supported)
76941 # Shared libraries (.so) - all .so files referenced in "xxx-objs"
76942 host-cshlib := $(sort $(filter %.so, $(host-cobjs)))
76943 +host-cshlib += $(sort $(filter %.so, $(__hostlibs)))
76944 # Remove .so files from "xxx-objs"
76945 host-cobjs := $(filter-out %.so,$(host-cobjs))
76946
76947 diff -urNp linux-2.6.32.46/scripts/mod/file2alias.c linux-2.6.32.46/scripts/mod/file2alias.c
76948 --- linux-2.6.32.46/scripts/mod/file2alias.c 2011-03-27 14:31:47.000000000 -0400
76949 +++ linux-2.6.32.46/scripts/mod/file2alias.c 2011-04-17 15:56:46.000000000 -0400
76950 @@ -72,7 +72,7 @@ static void device_id_check(const char *
76951 unsigned long size, unsigned long id_size,
76952 void *symval)
76953 {
76954 - int i;
76955 + unsigned int i;
76956
76957 if (size % id_size || size < id_size) {
76958 if (cross_build != 0)
76959 @@ -102,7 +102,7 @@ static void device_id_check(const char *
76960 /* USB is special because the bcdDevice can be matched against a numeric range */
76961 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
76962 static void do_usb_entry(struct usb_device_id *id,
76963 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
76964 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
76965 unsigned char range_lo, unsigned char range_hi,
76966 struct module *mod)
76967 {
76968 @@ -368,7 +368,7 @@ static void do_pnp_device_entry(void *sy
76969 for (i = 0; i < count; i++) {
76970 const char *id = (char *)devs[i].id;
76971 char acpi_id[sizeof(devs[0].id)];
76972 - int j;
76973 + unsigned int j;
76974
76975 buf_printf(&mod->dev_table_buf,
76976 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
76977 @@ -398,7 +398,7 @@ static void do_pnp_card_entries(void *sy
76978
76979 for (j = 0; j < PNP_MAX_DEVICES; j++) {
76980 const char *id = (char *)card->devs[j].id;
76981 - int i2, j2;
76982 + unsigned int i2, j2;
76983 int dup = 0;
76984
76985 if (!id[0])
76986 @@ -424,7 +424,7 @@ static void do_pnp_card_entries(void *sy
76987 /* add an individual alias for every device entry */
76988 if (!dup) {
76989 char acpi_id[sizeof(card->devs[0].id)];
76990 - int k;
76991 + unsigned int k;
76992
76993 buf_printf(&mod->dev_table_buf,
76994 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
76995 @@ -699,7 +699,7 @@ static void dmi_ascii_filter(char *d, co
76996 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
76997 char *alias)
76998 {
76999 - int i, j;
77000 + unsigned int i, j;
77001
77002 sprintf(alias, "dmi*");
77003
77004 diff -urNp linux-2.6.32.46/scripts/mod/modpost.c linux-2.6.32.46/scripts/mod/modpost.c
77005 --- linux-2.6.32.46/scripts/mod/modpost.c 2011-03-27 14:31:47.000000000 -0400
77006 +++ linux-2.6.32.46/scripts/mod/modpost.c 2011-07-06 19:53:33.000000000 -0400
77007 @@ -835,6 +835,7 @@ enum mismatch {
77008 INIT_TO_EXIT,
77009 EXIT_TO_INIT,
77010 EXPORT_TO_INIT_EXIT,
77011 + DATA_TO_TEXT
77012 };
77013
77014 struct sectioncheck {
77015 @@ -920,6 +921,12 @@ const struct sectioncheck sectioncheck[]
77016 .fromsec = { "__ksymtab*", NULL },
77017 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
77018 .mismatch = EXPORT_TO_INIT_EXIT
77019 +},
77020 +/* Do not reference code from writable data */
77021 +{
77022 + .fromsec = { DATA_SECTIONS, NULL },
77023 + .tosec = { TEXT_SECTIONS, NULL },
77024 + .mismatch = DATA_TO_TEXT
77025 }
77026 };
77027
77028 @@ -1024,10 +1031,10 @@ static Elf_Sym *find_elf_symbol(struct e
77029 continue;
77030 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
77031 continue;
77032 - if (sym->st_value == addr)
77033 - return sym;
77034 /* Find a symbol nearby - addr are maybe negative */
77035 d = sym->st_value - addr;
77036 + if (d == 0)
77037 + return sym;
77038 if (d < 0)
77039 d = addr - sym->st_value;
77040 if (d < distance) {
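Review bot: The exact-match test `if (d == 0)` now depends on the width of `d`, whose declaration is outside this hunk. If `d` is narrower than `sym->st_value`, the subtraction on the line above is truncated and two different addresses can compare as equal, which the removed `if (sym->st_value == addr)` could not do. If the aim was only to avoid a mixed-sign comparison, keeping the direct comparison with an explicit cast on `addr` to the type of `st_value` preserves the old behaviour. find_elf_symbol starts and ends outside the hunk.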
77041 @@ -1268,6 +1275,14 @@ static void report_sec_mismatch(const ch
77042 "Fix this by removing the %sannotation of %s "
77043 "or drop the export.\n",
77044 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
77045 + case DATA_TO_TEXT:
77046 +/*
77047 + fprintf(stderr,
77048 + "The variable %s references\n"
77049 + "the %s %s%s%s\n",
77050 + fromsym, to, sec2annotation(tosec), tosym, to_p);
77051 +*/
77052 + break;
77053 case NO_MISMATCH:
77054 /* To get warnings on missing members */
77055 break;
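Review bot: The new `case DATA_TO_TEXT:` sits directly after the fprintf of the preceding case with no `break;` in between, so that case now falls through into it. This is harmless only while the body is commented out; once the fprintf is enabled, the export-mismatch report would be followed by the data-to-text message as well. Add `break;` before `case DATA_TO_TEXT:`. If reporting is meant to stay off, replace the commented-out block with a short comment such as `/* DATA_TO_TEXT is matched but intentionally not reported */`, because the sectioncheck entry added earlier in this file otherwise looks like an active check. report_sec_mismatch starts outside the hunk.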
77056 @@ -1495,7 +1510,7 @@ static void section_rel(const char *modn
77057 static void check_sec_ref(struct module *mod, const char *modname,
77058 struct elf_info *elf)
77059 {
77060 - int i;
77061 + unsigned int i;
77062 Elf_Shdr *sechdrs = elf->sechdrs;
77063
77064 /* Walk through all sections */
77065 @@ -1651,7 +1666,7 @@ void __attribute__((format(printf, 2, 3)
77066 va_end(ap);
77067 }
77068
77069 -void buf_write(struct buffer *buf, const char *s, int len)
77070 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
77071 {
77072 if (buf->size - buf->pos < len) {
77073 buf->size += len + SZ;
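Review bot: With `len`, `pos` and `size` now unsigned, `buf->size += len + SZ;` wraps silently for a very large `len`, and the buffer would then be smaller than the data copied into it. A guard ahead of the growth, `if (len > UINT_MAX - SZ || buf->size > UINT_MAX - SZ - len)`, followed by a hard failure, closes that gap. The rest of buf_write, including the reallocation and the copy, is outside the hunk, so whether a later check already covers this cannot be seen here.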
77074 @@ -1863,7 +1878,7 @@ static void write_if_changed(struct buff
77075 if (fstat(fileno(file), &st) < 0)
77076 goto close_write;
77077
77078 - if (st.st_size != b->pos)
77079 + if (st.st_size != (off_t)b->pos)
77080 goto close_write;
77081
77082 tmp = NOFAIL(malloc(b->pos));
77083 diff -urNp linux-2.6.32.46/scripts/mod/modpost.h linux-2.6.32.46/scripts/mod/modpost.h
77084 --- linux-2.6.32.46/scripts/mod/modpost.h 2011-03-27 14:31:47.000000000 -0400
77085 +++ linux-2.6.32.46/scripts/mod/modpost.h 2011-04-17 15:56:46.000000000 -0400
77086 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
77087
77088 struct buffer {
77089 char *p;
77090 - int pos;
77091 - int size;
77092 + unsigned int pos;
77093 + unsigned int size;
77094 };
77095
77096 void __attribute__((format(printf, 2, 3)))
77097 buf_printf(struct buffer *buf, const char *fmt, ...);
77098
77099 void
77100 -buf_write(struct buffer *buf, const char *s, int len);
77101 +buf_write(struct buffer *buf, const char *s, unsigned int len);
77102
77103 struct module {
77104 struct module *next;
77105 diff -urNp linux-2.6.32.46/scripts/mod/sumversion.c linux-2.6.32.46/scripts/mod/sumversion.c
77106 --- linux-2.6.32.46/scripts/mod/sumversion.c 2011-03-27 14:31:47.000000000 -0400
77107 +++ linux-2.6.32.46/scripts/mod/sumversion.c 2011-04-17 15:56:46.000000000 -0400
77108 @@ -455,7 +455,7 @@ static void write_version(const char *fi
77109 goto out;
77110 }
77111
77112 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
77113 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
77114 warn("writing sum in %s failed: %s\n",
77115 filename, strerror(errno));
77116 goto out;
77117 diff -urNp linux-2.6.32.46/scripts/package/mkspec linux-2.6.32.46/scripts/package/mkspec
77118 --- linux-2.6.32.46/scripts/package/mkspec 2011-03-27 14:31:47.000000000 -0400
77119 +++ linux-2.6.32.46/scripts/package/mkspec 2011-07-19 18:19:12.000000000 -0400
77120 @@ -70,7 +70,7 @@ echo 'mkdir -p $RPM_BUILD_ROOT/boot $RPM
77121 echo 'mkdir -p $RPM_BUILD_ROOT/lib/firmware'
77122 echo "%endif"
77123
77124 -echo 'INSTALL_MOD_PATH=$RPM_BUILD_ROOT make %{_smp_mflags} KBUILD_SRC= modules_install'
77125 +echo 'INSTALL_MOD_PATH=$RPM_BUILD_ROOT make %{?_smp_mflags} KBUILD_SRC= modules_install'
77126 echo "%ifarch ia64"
77127 echo 'cp $KBUILD_IMAGE $RPM_BUILD_ROOT'"/boot/efi/vmlinuz-$KERNELRELEASE"
77128 echo 'ln -s '"efi/vmlinuz-$KERNELRELEASE" '$RPM_BUILD_ROOT'"/boot/"
77129 diff -urNp linux-2.6.32.46/scripts/pnmtologo.c linux-2.6.32.46/scripts/pnmtologo.c
77130 --- linux-2.6.32.46/scripts/pnmtologo.c 2011-03-27 14:31:47.000000000 -0400
77131 +++ linux-2.6.32.46/scripts/pnmtologo.c 2011-04-17 15:56:46.000000000 -0400
77132 @@ -237,14 +237,14 @@ static void write_header(void)
77133 fprintf(out, " * Linux logo %s\n", logoname);
77134 fputs(" */\n\n", out);
77135 fputs("#include <linux/linux_logo.h>\n\n", out);
77136 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
77137 + fprintf(out, "static unsigned char %s_data[] = {\n",
77138 logoname);
77139 }
77140
77141 static void write_footer(void)
77142 {
77143 fputs("\n};\n\n", out);
77144 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
77145 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
77146 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
77147 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
77148 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
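Review bot: Nothing in the generator records why `__initdata` and `__initconst` were dropped from the emitted declarations, both here and in the `%s_clut[]` hunk of write_logo_clut224 below. Without the init annotations the generated logo arrays and descriptor are presumably kept in memory after boot rather than discarded with the init sections, so the reason should be stated next to the change. A comment above the fprintf in write_header, such as `/* no __initdata: <reason the logo data must stay resident> */`, would stop a later cleanup from restoring the annotations.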
77149 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
77150 fputs("\n};\n\n", out);
77151
77152 /* write logo clut */
77153 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
77154 + fprintf(out, "static unsigned char %s_clut[] = {\n",
77155 logoname);
77156 write_hex_cnt = 0;
77157 for (i = 0; i < logo_clutsize; i++) {
77158 diff -urNp linux-2.6.32.46/scripts/tags.sh linux-2.6.32.46/scripts/tags.sh
77159 --- linux-2.6.32.46/scripts/tags.sh 2011-03-27 14:31:47.000000000 -0400
77160 +++ linux-2.6.32.46/scripts/tags.sh 2011-06-07 18:06:04.000000000 -0400
77161 @@ -93,6 +93,11 @@ docscope()
77162 cscope -b -f cscope.out
77163 }
77164
77165 +dogtags()
77166 +{
77167 + all_sources | gtags -f -
77168 +}
77169 +
77170 exuberant()
77171 {
77172 all_sources | xargs $1 -a \
77173 @@ -164,6 +169,10 @@ case "$1" in
77174 docscope
77175 ;;
77176
77177 + "gtags")
77178 + dogtags
77179 + ;;
77180 +
77181 "tags")
77182 rm -f tags
77183 xtags ctags
77184 diff -urNp linux-2.6.32.46/security/capability.c linux-2.6.32.46/security/capability.c
77185 --- linux-2.6.32.46/security/capability.c 2011-03-27 14:31:47.000000000 -0400
77186 +++ linux-2.6.32.46/security/capability.c 2011-04-17 15:56:46.000000000 -0400
77187 @@ -890,7 +890,7 @@ static void cap_audit_rule_free(void *ls
77188 }
77189 #endif /* CONFIG_AUDIT */
77190
77191 -struct security_operations default_security_ops = {
77192 +struct security_operations default_security_ops __read_only = {
77193 .name = "default",
77194 };
77195
77196 diff -urNp linux-2.6.32.46/security/commoncap.c linux-2.6.32.46/security/commoncap.c
77197 --- linux-2.6.32.46/security/commoncap.c 2011-03-27 14:31:47.000000000 -0400
77198 +++ linux-2.6.32.46/security/commoncap.c 2011-08-17 19:22:13.000000000 -0400
77199 @@ -27,7 +27,7 @@
77200 #include <linux/sched.h>
77201 #include <linux/prctl.h>
77202 #include <linux/securebits.h>
77203 -
77204 +#include <net/sock.h>
77205 /*
77206 * If a non-root user executes a setuid-root binary in
77207 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
77208 @@ -50,9 +50,18 @@ static void warn_setuid_and_fcaps_mixed(
77209 }
77210 }
77211
77212 +#ifdef CONFIG_NET
77213 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
77214 +#endif
77215 +
77216 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
77217 {
77218 +#ifdef CONFIG_NET
77219 + NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
77220 +#else
77221 NETLINK_CB(skb).eff_cap = current_cap();
77222 +#endif
77223 +
77224 return 0;
77225 }
77226
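Review bot: The prototype `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` is declared inside this .c file, so the compiler cannot check it against the definition and a later signature change would go unnoticed. It belongs in a header that both the definition and this file include. The same applies to the `gr_acl_enable_at_secure()` call added in the cap_bprm_secureexec hunk below, for which no declaration appears in the visible part of this file's diff. cap_netlink_send also deserves a comment above the `#ifdef CONFIG_NET` stating that `NETLINK_CB(skb).eff_cap` is now chosen by gr_cap_rtnetlink() rather than taken from `current_cap()`, since receivers presumably base privilege decisions on that field.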
77227 @@ -582,6 +591,9 @@ int cap_bprm_secureexec(struct linux_bin
77228 {
77229 const struct cred *cred = current_cred();
77230
77231 + if (gr_acl_enable_at_secure())
77232 + return 1;
77233 +
77234 if (cred->uid != 0) {
77235 if (bprm->cap_effective)
77236 return 1;
77237 diff -urNp linux-2.6.32.46/security/integrity/ima/ima_api.c linux-2.6.32.46/security/integrity/ima/ima_api.c
77238 --- linux-2.6.32.46/security/integrity/ima/ima_api.c 2011-03-27 14:31:47.000000000 -0400
77239 +++ linux-2.6.32.46/security/integrity/ima/ima_api.c 2011-04-17 15:56:46.000000000 -0400
77240 @@ -74,7 +74,7 @@ void ima_add_violation(struct inode *ino
77241 int result;
77242
77243 /* can overflow, only indicator */
77244 - atomic_long_inc(&ima_htable.violations);
77245 + atomic_long_inc_unchecked(&ima_htable.violations);
77246
77247 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
77248 if (!entry) {
77249 diff -urNp linux-2.6.32.46/security/integrity/ima/ima_fs.c linux-2.6.32.46/security/integrity/ima/ima_fs.c
77250 --- linux-2.6.32.46/security/integrity/ima/ima_fs.c 2011-03-27 14:31:47.000000000 -0400
77251 +++ linux-2.6.32.46/security/integrity/ima/ima_fs.c 2011-04-17 15:56:46.000000000 -0400
77252 @@ -27,12 +27,12 @@
77253 static int valid_policy = 1;
77254 #define TMPBUFLEN 12
77255 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
77256 - loff_t *ppos, atomic_long_t *val)
77257 + loff_t *ppos, atomic_long_unchecked_t *val)
77258 {
77259 char tmpbuf[TMPBUFLEN];
77260 ssize_t len;
77261
77262 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
77263 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
77264 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
77265 }
77266
77267 diff -urNp linux-2.6.32.46/security/integrity/ima/ima.h linux-2.6.32.46/security/integrity/ima/ima.h
77268 --- linux-2.6.32.46/security/integrity/ima/ima.h 2011-03-27 14:31:47.000000000 -0400
77269 +++ linux-2.6.32.46/security/integrity/ima/ima.h 2011-04-17 15:56:46.000000000 -0400
77270 @@ -84,8 +84,8 @@ void ima_add_violation(struct inode *ino
77271 extern spinlock_t ima_queue_lock;
77272
77273 struct ima_h_table {
77274 - atomic_long_t len; /* number of stored measurements in the list */
77275 - atomic_long_t violations;
77276 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
77277 + atomic_long_unchecked_t violations;
77278 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
77279 };
77280 extern struct ima_h_table ima_htable;
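Review bot: `len` is switched to `atomic_long_unchecked_t` without any statement that wraparound is acceptable for it. Only `violations` carries such a justification, in the `/* can overflow, only indicator */` comment in ima_add_violation. The field comment describes `len` as the number of stored measurements, so if code outside this diff uses it as more than a displayed counter, a wrapped value would be silently wrong. Extending the comment to `/* number of stored measurements in the list; statistic only, may wrap */` documents the assumption. The matching increment is in the ima_queue.c hunk.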
77281 diff -urNp linux-2.6.32.46/security/integrity/ima/ima_queue.c linux-2.6.32.46/security/integrity/ima/ima_queue.c
77282 --- linux-2.6.32.46/security/integrity/ima/ima_queue.c 2011-03-27 14:31:47.000000000 -0400
77283 +++ linux-2.6.32.46/security/integrity/ima/ima_queue.c 2011-04-17 15:56:46.000000000 -0400
77284 @@ -78,7 +78,7 @@ static int ima_add_digest_entry(struct i
77285 INIT_LIST_HEAD(&qe->later);
77286 list_add_tail_rcu(&qe->later, &ima_measurements);
77287
77288 - atomic_long_inc(&ima_htable.len);
77289 + atomic_long_inc_unchecked(&ima_htable.len);
77290 key = ima_hash_key(entry->digest);
77291 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
77292 return 0;
77293 diff -urNp linux-2.6.32.46/security/Kconfig linux-2.6.32.46/security/Kconfig
77294 --- linux-2.6.32.46/security/Kconfig 2011-03-27 14:31:47.000000000 -0400
77295 +++ linux-2.6.32.46/security/Kconfig 2011-07-06 19:58:11.000000000 -0400
77296 @@ -4,6 +4,555 @@
77297
77298 menu "Security options"
77299
77300 +source grsecurity/Kconfig
77301 +
77302 +menu "PaX"
77303 +
77304 + config ARCH_TRACK_EXEC_LIMIT
77305 + bool
77306 +
77307 + config PAX_PER_CPU_PGD
77308 + bool
77309 +
77310 + config TASK_SIZE_MAX_SHIFT
77311 + int
77312 + depends on X86_64
77313 + default 47 if !PAX_PER_CPU_PGD
77314 + default 42 if PAX_PER_CPU_PGD
77315 +
77316 + config PAX_ENABLE_PAE
77317 + bool
77318 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
77319 +
77320 +config PAX
77321 + bool "Enable various PaX features"
77322 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
77323 + help
77324 + This allows you to enable various PaX features. PaX adds
77325 + intrusion prevention mechanisms to the kernel that reduce
77326 + the risks posed by exploitable memory corruption bugs.
77327 +
77328 +menu "PaX Control"
77329 + depends on PAX
77330 +
77331 +config PAX_SOFTMODE
77332 + bool 'Support soft mode'
77333 + select PAX_PT_PAX_FLAGS
77334 + help
77335 + Enabling this option will allow you to run PaX in soft mode, that
77336 + is, PaX features will not be enforced by default, only on executables
77337 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
77338 + is the only way to mark executables for soft mode use.
77339 +
77340 + Soft mode can be activated by using the "pax_softmode=1" kernel command
77341 + line option on boot. Furthermore you can control various PaX features
77342 + at runtime via the entries in /proc/sys/kernel/pax.
77343 +
77344 +config PAX_EI_PAX
77345 + bool 'Use legacy ELF header marking'
77346 + help
77347 + Enabling this option will allow you to control PaX features on
77348 + a per executable basis via the 'chpax' utility available at
77349 + http://pax.grsecurity.net/. The control flags will be read from
77350 + an otherwise reserved part of the ELF header. This marking has
77351 + numerous drawbacks (no support for soft-mode, toolchain does not
77352 + know about the non-standard use of the ELF header) therefore it
77353 + has been deprecated in favour of PT_PAX_FLAGS support.
77354 +
77355 + Note that if you enable PT_PAX_FLAGS marking support as well,
77356 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
77357 +
77358 +config PAX_PT_PAX_FLAGS
77359 + bool 'Use ELF program header marking'
77360 + help
77361 + Enabling this option will allow you to control PaX features on
77362 + a per executable basis via the 'paxctl' utility available at
77363 + http://pax.grsecurity.net/. The control flags will be read from
77364 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
77365 + has the benefits of supporting both soft mode and being fully
77366 + integrated into the toolchain (the binutils patch is available
77367 + from http://pax.grsecurity.net).
77368 +
77369 + If your toolchain does not support PT_PAX_FLAGS markings,
77370 + you can create one in most cases with 'paxctl -C'.
77371 +
77372 + Note that if you enable the legacy EI_PAX marking support as well,
77373 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
77374 +
77375 +choice
77376 + prompt 'MAC system integration'
77377 + default PAX_HAVE_ACL_FLAGS
77378 + help
77379 + Mandatory Access Control systems have the option of controlling
77380 + PaX flags on a per executable basis, choose the method supported
77381 + by your particular system.
77382 +
77383 + - "none": if your MAC system does not interact with PaX,
77384 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
77385 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
77386 +
77387 + NOTE: this option is for developers/integrators only.
77388 +
77389 + config PAX_NO_ACL_FLAGS
77390 + bool 'none'
77391 +
77392 + config PAX_HAVE_ACL_FLAGS
77393 + bool 'direct'
77394 +
77395 + config PAX_HOOK_ACL_FLAGS
77396 + bool 'hook'
77397 +endchoice
77398 +
77399 +endmenu
77400 +
77401 +menu "Non-executable pages"
77402 + depends on PAX
77403 +
77404 +config PAX_NOEXEC
77405 + bool "Enforce non-executable pages"
77406 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
77407 + help
77408 + By design some architectures do not allow for protecting memory
77409 + pages against execution or even if they do, Linux does not make
77410 + use of this feature. In practice this means that if a page is
77411 + readable (such as the stack or heap) it is also executable.
77412 +
77413 + There is a well known exploit technique that makes use of this
77414 + fact and a common programming mistake where an attacker can
77415 + introduce code of his choice somewhere in the attacked program's
77416 + memory (typically the stack or the heap) and then execute it.
77417 +
77418 + If the attacked program was running with different (typically
77419 + higher) privileges than that of the attacker, then he can elevate
77420 + his own privilege level (e.g. get a root shell, write to files for
77421 + which he does not have write access to, etc).
77422 +
77423 + Enabling this option will let you choose from various features
77424 + that prevent the injection and execution of 'foreign' code in
77425 + a program.
77426 +
77427 + This will also break programs that rely on the old behaviour and
77428 + expect that dynamically allocated memory via the malloc() family
77429 + of functions is executable (which it is not). Notable examples
77430 + are the XFree86 4.x server, the java runtime and wine.
77431 +
77432 +config PAX_PAGEEXEC
77433 + bool "Paging based non-executable pages"
77434 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
77435 + select S390_SWITCH_AMODE if S390
77436 + select S390_EXEC_PROTECT if S390
77437 + select ARCH_TRACK_EXEC_LIMIT if X86_32
77438 + help
77439 + This implementation is based on the paging feature of the CPU.
77440 + On i386 without hardware non-executable bit support there is a
77441 + variable but usually low performance impact, however on Intel's
77442 + P4 core based CPUs it is very high so you should not enable this
77443 + for kernels meant to be used on such CPUs.
77444 +
77445 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
77446 + with hardware non-executable bit support there is no performance
77447 + impact, on ppc the impact is negligible.
77448 +
77449 + Note that several architectures require various emulations due to
77450 + badly designed userland ABIs, this will cause a performance impact
77451 + but will disappear as soon as userland is fixed. For example, ppc
77452 + userland MUST have been built with secure-plt by a recent toolchain.
77453 +
77454 +config PAX_SEGMEXEC
77455 + bool "Segmentation based non-executable pages"
77456 + depends on PAX_NOEXEC && X86_32
77457 + help
77458 + This implementation is based on the segmentation feature of the
77459 + CPU and has a very small performance impact, however applications
77460 + will be limited to a 1.5 GB address space instead of the normal
77461 + 3 GB.
77462 +
77463 +config PAX_EMUTRAMP
77464 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
77465 + default y if PARISC
77466 + help
77467 + There are some programs and libraries that for one reason or
77468 + another attempt to execute special small code snippets from
77469 + non-executable memory pages. Most notable examples are the
77470 + signal handler return code generated by the kernel itself and
77471 + the GCC trampolines.
77472 +
77473 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
77474 + such programs will no longer work under your kernel.
77475 +
77476 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
77477 + utilities to enable trampoline emulation for the affected programs
77478 + yet still have the protection provided by the non-executable pages.
77479 +
77480 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
77481 + your system will not even boot.
77482 +
77483 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
77484 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
77485 + for the affected files.
77486 +
77487 + NOTE: enabling this feature *may* open up a loophole in the
77488 + protection provided by non-executable pages that an attacker
77489 + could abuse. Therefore the best solution is to not have any
77490 + files on your system that would require this option. This can
77491 + be achieved by not using libc5 (which relies on the kernel
77492 + signal handler return code) and not using or rewriting programs
77493 + that make use of the nested function implementation of GCC.
77494 + Skilled users can just fix GCC itself so that it implements
77495 + nested function calls in a way that does not interfere with PaX.
77496 +
77497 +config PAX_EMUSIGRT
77498 + bool "Automatically emulate sigreturn trampolines"
77499 + depends on PAX_EMUTRAMP && PARISC
77500 + default y
77501 + help
77502 + Enabling this option will have the kernel automatically detect
77503 + and emulate signal return trampolines executing on the stack
77504 + that would otherwise lead to task termination.
77505 +
77506 + This solution is intended as a temporary one for users with
77507 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
77508 + Modula-3 runtime, etc) or executables linked to such, basically
77509 + everything that does not specify its own SA_RESTORER function in
77510 + normal executable memory like glibc 2.1+ does.
77511 +
77512 + On parisc you MUST enable this option, otherwise your system will
77513 + not even boot.
77514 +
77515 + NOTE: this feature cannot be disabled on a per executable basis
77516 + and since it *does* open up a loophole in the protection provided
77517 + by non-executable pages, the best solution is to not have any
77518 + files on your system that would require this option.
77519 +
77520 +config PAX_MPROTECT
77521 + bool "Restrict mprotect()"
77522 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
77523 + help
77524 + Enabling this option will prevent programs from
77525 + - changing the executable status of memory pages that were
77526 + not originally created as executable,
77527 + - making read-only executable pages writable again,
77528 + - creating executable pages from anonymous memory,
77529 + - making read-only-after-relocations (RELRO) data pages writable again.
77530 +
77531 + You should say Y here to complete the protection provided by
77532 + the enforcement of non-executable pages.
77533 +
77534 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
77535 + this feature on a per file basis.
77536 +
77537 +config PAX_MPROTECT_COMPAT
77538 + bool "Use legacy/compat protection demoting (read help)"
77539 + depends on PAX_MPROTECT
77540 + default n
77541 + help
77542 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
77543 + by sending the proper error code to the application. For some broken
77544 + userland, this can cause problems with Python or other applications. The
77545 + current implementation however allows for applications like clamav to
77546 + detect if JIT compilation/execution is allowed and to fall back gracefully
77547 + to an interpreter-based mode if it does not. While we encourage everyone
77548 + to use the current implementation as-is and push upstream to fix broken
77549 + userland (note that the RWX logging option can assist with this), in some
77550 + environments this may not be possible. Having to disable MPROTECT
77551 + completely on certain binaries reduces the security benefit of PaX,
77552 + so this option is provided for those environments to revert to the old
77553 + behavior.
77554 +
77555 +config PAX_ELFRELOCS
77556 + bool "Allow ELF text relocations (read help)"
77557 + depends on PAX_MPROTECT
77558 + default n
77559 + help
77560 + Non-executable pages and mprotect() restrictions are effective
77561 + in preventing the introduction of new executable code into an
77562 + attacked task's address space. There remain only two venues
77563 + for this kind of attack: if the attacker can execute already
77564 + existing code in the attacked task then he can either have it
77565 + create and mmap() a file containing his code or have it mmap()
77566 + an already existing ELF library that does not have position
77567 + independent code in it and use mprotect() on it to make it
77568 + writable and copy his code there. While protecting against
77569 + the former approach is beyond PaX, the latter can be prevented
77570 + by having only PIC ELF libraries on one's system (which do not
77571 + need to relocate their code). If you are sure this is your case,
77572 + as is the case with all modern Linux distributions, then leave
77573 + this option disabled. You should say 'n' here.
77574 +
77575 +config PAX_ETEXECRELOCS
77576 + bool "Allow ELF ET_EXEC text relocations"
77577 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
77578 + select PAX_ELFRELOCS
77579 + default y
77580 + help
77581 + On some architectures there are incorrectly created applications
77582 + that require text relocations and would not work without enabling
77583 + this option. If you are an alpha, ia64 or parisc user, you should
77584 + enable this option and disable it once you have made sure that
77585 + none of your applications need it.
77586 +
77587 +config PAX_EMUPLT
77588 + bool "Automatically emulate ELF PLT"
77589 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
77590 + default y
77591 + help
77592 + Enabling this option will have the kernel automatically detect
77593 + and emulate the Procedure Linkage Table entries in ELF files.
77594 + On some architectures such entries are in writable memory, and
77595 + become non-executable leading to task termination. Therefore
77596 + it is mandatory that you enable this option on alpha, parisc,
77597 + sparc and sparc64, otherwise your system would not even boot.
77598 +
77599 + NOTE: this feature *does* open up a loophole in the protection
77600 + provided by the non-executable pages, therefore the proper
77601 + solution is to modify the toolchain to produce a PLT that does
77602 + not need to be writable.
77603 +
77604 +config PAX_DLRESOLVE
77605 + bool 'Emulate old glibc resolver stub'
77606 + depends on PAX_EMUPLT && SPARC
77607 + default n
77608 + help
77609 + This option is needed if userland has an old glibc (before 2.4)
77610 + that puts a 'save' instruction into the runtime generated resolver
77611 + stub that needs special emulation.
77612 +
77613 +config PAX_KERNEXEC
77614 + bool "Enforce non-executable kernel pages"
77615 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
77616 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
77617 + help
77618 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
77619 + that is, enabling this option will make it harder to inject
77620 + and execute 'foreign' code in kernel memory itself.
77621 +
77622 + Note that on x86_64 kernels there is a known regression when
77623 + this feature and KVM/VMX are both enabled in the host kernel.
77624 +
77625 +config PAX_KERNEXEC_MODULE_TEXT
77626 + int "Minimum amount of memory reserved for module code"
77627 + default "4"
77628 + depends on PAX_KERNEXEC && X86_32 && MODULES
77629 + help
77630 + Due to implementation details the kernel must reserve a fixed
77631 + amount of memory for module code at compile time that cannot be
77632 + changed at runtime. Here you can specify the minimum amount
77633 + in MB that will be reserved. Due to the same implementation
77634 + details this size will always be rounded up to the next 2/4 MB
77635 + boundary (depends on PAE) so the actually available memory for
77636 + module code will usually be more than this minimum.
77637 +
77638 + The default 4 MB should be enough for most users but if you have
77639 + an excessive number of modules (e.g., most distribution configs
77640 + compile many drivers as modules) or use huge modules such as
77641 + nvidia's kernel driver, you will need to adjust this amount.
77642 + A good rule of thumb is to look at your currently loaded kernel
77643 + modules and add up their sizes.
77644 +
77645 +endmenu
77646 +
77647 +menu "Address Space Layout Randomization"
77648 + depends on PAX
77649 +
77650 +config PAX_ASLR
77651 + bool "Address Space Layout Randomization"
77652 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
77653 + help
77654 + Many if not most exploit techniques rely on the knowledge of
77655 + certain addresses in the attacked program. The following options
77656 + will allow the kernel to apply a certain amount of randomization
77657 + to specific parts of the program thereby forcing an attacker to
77658 + guess them in most cases. Any failed guess will most likely crash
77659 + the attacked program which allows the kernel to detect such attempts
77660 + and react on them. PaX itself provides no reaction mechanisms,
77661 + instead it is strongly encouraged that you make use of Nergal's
77662 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
77663 + (http://www.grsecurity.net/) built-in crash detection features or
77664 + develop one yourself.
77665 +
77666 + By saying Y here you can choose to randomize the following areas:
77667 + - top of the task's kernel stack
77668 + - top of the task's userland stack
77669 + - base address for mmap() requests that do not specify one
77670 + (this includes all libraries)
77671 + - base address of the main executable
77672 +
77673 + It is strongly recommended to say Y here as address space layout
77674 + randomization has negligible impact on performance yet it provides
77675 + a very effective protection.
77676 +
77677 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
77678 + this feature on a per file basis.
77679 +
77680 +config PAX_RANDKSTACK
77681 + bool "Randomize kernel stack base"
77682 + depends on PAX_ASLR && X86_TSC && X86
77683 + help
77684 + By saying Y here the kernel will randomize every task's kernel
77685 + stack on every system call. This will not only force an attacker
77686 + to guess it but also prevent him from making use of possible
77687 + leaked information about it.
77688 +
77689 + Since the kernel stack is a rather scarce resource, randomization
77690 + may cause unexpected stack overflows, therefore you should very
77691 + carefully test your system. Note that once enabled in the kernel
77692 + configuration, this feature cannot be disabled on a per file basis.
77693 +
77694 +config PAX_RANDUSTACK
77695 + bool "Randomize user stack base"
77696 + depends on PAX_ASLR
77697 + help
77698 + By saying Y here the kernel will randomize every task's userland
77699 + stack. The randomization is done in two steps where the second
77700 + one may apply a big amount of shift to the top of the stack and
77701 + cause problems for programs that want to use lots of memory (more
77702 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
77703 + For this reason the second step can be controlled by 'chpax' or
77704 + 'paxctl' on a per file basis.
77705 +
77706 +config PAX_RANDMMAP
77707 + bool "Randomize mmap() base"
77708 + depends on PAX_ASLR
77709 + help
77710 + By saying Y here the kernel will use a randomized base address for
77711 + mmap() requests that do not specify one themselves. As a result
77712 + all dynamically loaded libraries will appear at random addresses
77713 + and therefore be harder to exploit by a technique where an attacker
77714 + attempts to execute library code for his purposes (e.g. spawn a
77715 + shell from an exploited program that is running at an elevated
77716 + privilege level).
77717 +
77718 + Furthermore, if a program is relinked as a dynamic ELF file, its
77719 + base address will be randomized as well, completing the full
77720 + randomization of the address space layout. Attacking such programs
77721 + becomes a guess game. You can find an example of doing this at
77722 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
77723 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
77724 +
77725 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
77726 + feature on a per file basis.
77727 +
77728 +endmenu
77729 +
77730 +menu "Miscellaneous hardening features"
77731 +
77732 +config PAX_MEMORY_SANITIZE
77733 + bool "Sanitize all freed memory"
77734 + help
77735 + By saying Y here the kernel will erase memory pages as soon as they
77736 + are freed. This in turn reduces the lifetime of data stored in the
77737 + pages, making it less likely that sensitive information such as
77738 + passwords, cryptographic secrets, etc stay in memory for too long.
77739 +
77740 + This is especially useful for programs whose runtime is short, long
77741 + lived processes and the kernel itself benefit from this as long as
77742 + they operate on whole memory pages and ensure timely freeing of pages
77743 + that may hold sensitive information.
77744 +
77745 + The tradeoff is performance impact, on a single CPU system kernel
77746 + compilation sees a 3% slowdown, other systems and workloads may vary
77747 + and you are advised to test this feature on your expected workload
77748 + before deploying it.
77749 +
77750 + Note that this feature does not protect data stored in live pages,
77751 + e.g., process memory swapped to disk may stay there for a long time.
77752 +
77753 +config PAX_MEMORY_STACKLEAK
77754 + bool "Sanitize kernel stack"
77755 + depends on X86
77756 + help
77757 + By saying Y here the kernel will erase the kernel stack before it
77758 + returns from a system call. This in turn reduces the information
77759 + that a kernel stack leak bug can reveal.
77760 +
77761 + Note that such a bug can still leak information that was put on
77762 + the stack by the current system call (the one eventually triggering
77763 + the bug) but traces of earlier system calls on the kernel stack
77764 + cannot leak anymore.
77765 +
77766 + The tradeoff is performance impact, on a single CPU system kernel
77767 + compilation sees a 1% slowdown, other systems and workloads may vary
77768 + and you are advised to test this feature on your expected workload
77769 + before deploying it.
77770 +
77771 + Note: full support for this feature requires gcc with plugin support
77772 + so make sure your compiler is at least gcc 4.5.0 (cross compilation
77773 + is not supported). Using older gcc versions means that functions
77774 + with large enough stack frames may leave uninitialized memory behind
77775 + that may be exposed to a later syscall leaking the stack.
77776 +
77777 +config PAX_MEMORY_UDEREF
77778 + bool "Prevent invalid userland pointer dereference"
77779 + depends on X86 && !UML_X86 && !XEN
77780 + select PAX_PER_CPU_PGD if X86_64
77781 + help
77782 + By saying Y here the kernel will be prevented from dereferencing
77783 + userland pointers in contexts where the kernel expects only kernel
77784 + pointers. This is both a useful runtime debugging feature and a
77785 + security measure that prevents exploiting a class of kernel bugs.
77786 +
77787 + The tradeoff is that some virtualization solutions may experience
77788 + a huge slowdown and therefore you should not enable this feature
77789 + for kernels meant to run in such environments. Whether a given VM
77790 + solution is affected or not is best determined by simply trying it
77791 + out, the performance impact will be obvious right on boot as this
77792 + mechanism engages from very early on. A good rule of thumb is that
77793 + VMs running on CPUs without hardware virtualization support (i.e.,
77794 + the majority of IA-32 CPUs) will likely experience the slowdown.
77795 +
77796 +config PAX_REFCOUNT
77797 + bool "Prevent various kernel object reference counter overflows"
77798 + depends on GRKERNSEC && (X86 || SPARC64)
77799 + help
77800 + By saying Y here the kernel will detect and prevent overflowing
77801 + various (but not all) kinds of object reference counters. Such
77802 + overflows can normally occur due to bugs only and are often, if
77803 + not always, exploitable.
77804 +
77805 + The tradeoff is that data structures protected by an overflowed
77806 + refcount will never be freed and therefore will leak memory. Note
77807 + that this leak also happens even without this protection but in
77808 + that case the overflow can eventually trigger the freeing of the
77809 + data structure while it is still being used elsewhere, resulting
77810 + in the exploitable situation that this feature prevents.
77811 +
77812 + Since this has a negligible performance impact, you should enable
77813 + this feature.
77814 +
77815 +config PAX_USERCOPY
77816 + bool "Harden heap object copies between kernel and userland"
77817 + depends on X86 || PPC || SPARC || ARM
77818 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
77819 + help
77820 + By saying Y here the kernel will enforce the size of heap objects
77821 + when they are copied in either direction between the kernel and
77822 + userland, even if only a part of the heap object is copied.
77823 +
77824 + Specifically, this checking prevents information leaking from the
77825 + kernel heap during kernel to userland copies (if the kernel heap
77826 + object is otherwise fully initialized) and prevents kernel heap
77827 + overflows during userland to kernel copies.
77828 +
77829 + Note that the current implementation provides the strictest bounds
77830 + checks for the SLUB allocator.
77831 +
77832 + Enabling this option also enables per-slab cache protection against
77833 + data in a given cache being copied into/out of via userland
77834 + accessors. Though the whitelist of regions will be reduced over
77835 + time, it notably protects important data structures like task structs.
77836 +
77837 +
77838 + If frame pointers are enabled on x86, this option will also
77839 + restrict copies into and out of the kernel stack to local variables
77840 + within a single frame.
77841 +
77842 + Since this has a negligible performance impact, you should enable
77843 + this feature.
77844 +
77845 +endmenu
77846 +
77847 +endmenu
77848 +
77849 config KEYS
77850 bool "Enable access key retention support"
77851 help
77852 @@ -146,7 +695,7 @@ config INTEL_TXT
77853 config LSM_MMAP_MIN_ADDR
77854 int "Low address space for LSM to protect from user allocation"
77855 depends on SECURITY && SECURITY_SELINUX
77856 - default 65536
77857 + default 32768
77858 help
77859 This is the portion of low virtual memory which should be protected
77860 from userspace allocation. Keeping a user from writing to low pages
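Review bot: The new `default 32768` for LSM_MMAP_MIN_ADDR halves the low-address range that the LSM check protects, on every architecture, and nothing in the hunk says why. Low mappings between 32 KiB and 64 KiB are no longer refused by default, so a kernel NULL-pointer dereference with an offset in that range loses this mitigation on SELinux builds. If the reduction is only needed for particular architectures or legacy binaries, keep `default 65536` and add an architecture-conditional default, or state the reason in the help text, e.g. `The default is lowered to 32768 because <reason>.` The help text continues outside the hunk and may still describe 65536 as the reasonable value.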
77861 diff -urNp linux-2.6.32.46/security/keys/keyring.c linux-2.6.32.46/security/keys/keyring.c
77862 --- linux-2.6.32.46/security/keys/keyring.c 2011-03-27 14:31:47.000000000 -0400
77863 +++ linux-2.6.32.46/security/keys/keyring.c 2011-04-18 22:03:00.000000000 -0400
77864 @@ -214,15 +214,15 @@ static long keyring_read(const struct ke
77865 ret = -EFAULT;
77866
77867 for (loop = 0; loop < klist->nkeys; loop++) {
77868 + key_serial_t serial;
77869 key = klist->keys[loop];
77870 + serial = key->serial;
77871
77872 tmp = sizeof(key_serial_t);
77873 if (tmp > buflen)
77874 tmp = buflen;
77875
77876 - if (copy_to_user(buffer,
77877 - &key->serial,
77878 - tmp) != 0)
77879 + if (copy_to_user(buffer, &serial, tmp))
77880 goto error;
77881
77882 buflen -= tmp;
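Review bot: Nothing at the new `serial = key->serial;` line explains why the value is staged in a local before `copy_to_user`, so a later cleanup could reasonably fold it back into `&key->serial`. Presumably the copy now comes from the stack so that its source is not an interior field of a heap-allocated `struct key`, which the PAX_USERCOPY object-size check described in this patch's Kconfig text would examine. If that is the reason, record it next to the assignment, e.g. `/* copy from a stack local, not from inside the heap-allocated key (usercopy hardening) */`. `keyring_read` starts and ends outside the hunk.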
77883 diff -urNp linux-2.6.32.46/security/min_addr.c linux-2.6.32.46/security/min_addr.c
77884 --- linux-2.6.32.46/security/min_addr.c 2011-03-27 14:31:47.000000000 -0400
77885 +++ linux-2.6.32.46/security/min_addr.c 2011-04-17 15:56:46.000000000 -0400
77886 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
77887 */
77888 static void update_mmap_min_addr(void)
77889 {
77890 +#ifndef SPARC
77891 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
77892 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
77893 mmap_min_addr = dac_mmap_min_addr;
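Review bot: The added guard `#ifndef SPARC` tests a macro that is neither a Kconfig symbol nor a usual compiler predefine, so unless a header outside the hunk defines `SPARC` the condition is always true and sparc builds still execute the body. If the intent is to leave `mmap_min_addr` untouched on sparc, the guard should read `#ifndef CONFIG_SPARC`, and the matching `#endif` added in the next hunk (`@@ -22,6 +23,7 @@`) would be clearer as `#endif /* !CONFIG_SPARC */`. A one-line comment saying why sparc is excluded would also help, because with the guard effective `update_mmap_min_addr()` becomes an empty function there.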
77894 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
77895 #else
77896 mmap_min_addr = dac_mmap_min_addr;
77897 #endif
77898 +#endif
77899 }
77900
77901 /*
77902 diff -urNp linux-2.6.32.46/security/root_plug.c linux-2.6.32.46/security/root_plug.c
77903 --- linux-2.6.32.46/security/root_plug.c 2011-03-27 14:31:47.000000000 -0400
77904 +++ linux-2.6.32.46/security/root_plug.c 2011-04-17 15:56:46.000000000 -0400
77905 @@ -70,7 +70,7 @@ static int rootplug_bprm_check_security
77906 return 0;
77907 }
77908
77909 -static struct security_operations rootplug_security_ops = {
77910 +static struct security_operations rootplug_security_ops __read_only = {
77911 .bprm_check_security = rootplug_bprm_check_security,
77912 };
77913
77914 diff -urNp linux-2.6.32.46/security/security.c linux-2.6.32.46/security/security.c
77915 --- linux-2.6.32.46/security/security.c 2011-03-27 14:31:47.000000000 -0400
77916 +++ linux-2.6.32.46/security/security.c 2011-04-17 15:56:46.000000000 -0400
77917 @@ -24,7 +24,7 @@ static __initdata char chosen_lsm[SECURI
77918 extern struct security_operations default_security_ops;
77919 extern void security_fixup_ops(struct security_operations *ops);
77920
77921 -struct security_operations *security_ops; /* Initialized to NULL */
77922 +struct security_operations *security_ops __read_only; /* Initialized to NULL */
77923
77924 static inline int verify(struct security_operations *ops)
77925 {
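Review bot: The comment on `security_ops` still says only `/* Initialized to NULL */`, although `__read_only` now makes every later store to the pointer a special case. The `selinux_disable()` hunk in security/selinux/hooks.c has to wrap `security_ops = secondary_ops;` in `pax_open_kernel()` / `pax_close_kernel()`, and any other runtime writer would need the same bracket. I would state that at the declaration, e.g. `/* read-only after init; runtime writers must use pax_open_kernel()/pax_close_kernel() */`, and put a short why-comment above the bracketed store in `selinux_disable()` as well.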
77926 @@ -106,7 +106,7 @@ int __init security_module_enable(struct
77927 * If there is already a security module registered with the kernel,
77928 * an error will be returned. Otherwise %0 is returned on success.
77929 */
77930 -int register_security(struct security_operations *ops)
77931 +int __init register_security(struct security_operations *ops)
77932 {
77933 if (verify(ops)) {
77934 printk(KERN_DEBUG "%s could not verify "
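Review bot: Marking `register_security()` as `__init` changes its contract, but the kernel-doc above it (partly visible in this hunk) still reads as if the function could be called at any time. Once it lives in init text, a call from non-init code is a section mismatch and would jump into memory that is released after boot, so the comment should say so, e.g. ` * Must only be called during kernel initialization.` The callers are outside the hunk; each of them has to be `__init` too, which is worth confirming with a section-mismatch build check.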
77935 diff -urNp linux-2.6.32.46/security/selinux/hooks.c linux-2.6.32.46/security/selinux/hooks.c
77936 --- linux-2.6.32.46/security/selinux/hooks.c 2011-03-27 14:31:47.000000000 -0400
77937 +++ linux-2.6.32.46/security/selinux/hooks.c 2011-04-17 15:56:46.000000000 -0400
77938 @@ -131,7 +131,7 @@ int selinux_enabled = 1;
77939 * Minimal support for a secondary security module,
77940 * just to allow the use of the capability module.
77941 */
77942 -static struct security_operations *secondary_ops;
77943 +static struct security_operations *secondary_ops __read_only;
77944
77945 /* Lists of inode and superblock security structures initialized
77946 before the policy was loaded. */
77947 @@ -5457,7 +5457,7 @@ static int selinux_key_getsecurity(struc
77948
77949 #endif
77950
77951 -static struct security_operations selinux_ops = {
77952 +static struct security_operations selinux_ops __read_only = {
77953 .name = "selinux",
77954
77955 .ptrace_access_check = selinux_ptrace_access_check,
77956 @@ -5841,7 +5841,9 @@ int selinux_disable(void)
77957 avc_disable();
77958
77959 /* Reset security_ops to the secondary module, dummy or capability. */
77960 + pax_open_kernel();
77961 security_ops = secondary_ops;
77962 + pax_close_kernel();
77963
77964 /* Unregister netfilter hooks. */
77965 selinux_nf_ip_exit();
77966 diff -urNp linux-2.6.32.46/security/selinux/include/xfrm.h linux-2.6.32.46/security/selinux/include/xfrm.h
77967 --- linux-2.6.32.46/security/selinux/include/xfrm.h 2011-03-27 14:31:47.000000000 -0400
77968 +++ linux-2.6.32.46/security/selinux/include/xfrm.h 2011-05-18 20:09:37.000000000 -0400
77969 @@ -48,7 +48,7 @@ int selinux_xfrm_decode_session(struct s
77970
77971 static inline void selinux_xfrm_notify_policyload(void)
77972 {
77973 - atomic_inc(&flow_cache_genid);
77974 + atomic_inc_unchecked(&flow_cache_genid);
77975 }
77976 #else
77977 static inline int selinux_xfrm_enabled(void)
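Review bot: The switch to `atomic_inc_unchecked(&flow_cache_genid)` opts this counter out of overflow detection without saying why at the call site. Presumably `flow_cache_genid` is a generation number whose wraparound is harmless rather than a reference count; if so, note it in `selinux_xfrm_notify_policyload()`, e.g. `/* generation counter, not a refcount: wraparound is expected */`. The declaration of `flow_cache_genid` is outside the hunk and presumably has to use the matching unchecked atomic type for this to build.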
77978 diff -urNp linux-2.6.32.46/security/selinux/ss/services.c linux-2.6.32.46/security/selinux/ss/services.c
77979 --- linux-2.6.32.46/security/selinux/ss/services.c 2011-03-27 14:31:47.000000000 -0400
77980 +++ linux-2.6.32.46/security/selinux/ss/services.c 2011-05-16 21:46:57.000000000 -0400
77981 @@ -1715,6 +1715,8 @@ int security_load_policy(void *data, siz
77982 int rc = 0;
77983 struct policy_file file = { data, len }, *fp = &file;
77984
77985 + pax_track_stack();
77986 +
77987 if (!ss_initialized) {
77988 avtab_cache_init();
77989 if (policydb_read(&policydb, fp)) {
77990 diff -urNp linux-2.6.32.46/security/smack/smack_lsm.c linux-2.6.32.46/security/smack/smack_lsm.c
77991 --- linux-2.6.32.46/security/smack/smack_lsm.c 2011-03-27 14:31:47.000000000 -0400
77992 +++ linux-2.6.32.46/security/smack/smack_lsm.c 2011-04-17 15:56:46.000000000 -0400
77993 @@ -3073,7 +3073,7 @@ static int smack_inode_getsecctx(struct
77994 return 0;
77995 }
77996
77997 -struct security_operations smack_ops = {
77998 +struct security_operations smack_ops __read_only = {
77999 .name = "smack",
78000
78001 .ptrace_access_check = smack_ptrace_access_check,
78002 diff -urNp linux-2.6.32.46/security/tomoyo/tomoyo.c linux-2.6.32.46/security/tomoyo/tomoyo.c
78003 --- linux-2.6.32.46/security/tomoyo/tomoyo.c 2011-03-27 14:31:47.000000000 -0400
78004 +++ linux-2.6.32.46/security/tomoyo/tomoyo.c 2011-04-17 15:56:46.000000000 -0400
78005 @@ -275,7 +275,7 @@ static int tomoyo_dentry_open(struct fil
78006 * tomoyo_security_ops is a "struct security_operations" which is used for
78007 * registering TOMOYO.
78008 */
78009 -static struct security_operations tomoyo_security_ops = {
78010 +static struct security_operations tomoyo_security_ops __read_only = {
78011 .name = "tomoyo",
78012 .cred_alloc_blank = tomoyo_cred_alloc_blank,
78013 .cred_prepare = tomoyo_cred_prepare,
78014 diff -urNp linux-2.6.32.46/sound/aoa/codecs/onyx.c linux-2.6.32.46/sound/aoa/codecs/onyx.c
78015 --- linux-2.6.32.46/sound/aoa/codecs/onyx.c 2011-03-27 14:31:47.000000000 -0400
78016 +++ linux-2.6.32.46/sound/aoa/codecs/onyx.c 2011-04-17 15:56:46.000000000 -0400
78017 @@ -53,7 +53,7 @@ struct onyx {
78018 spdif_locked:1,
78019 analog_locked:1,
78020 original_mute:2;
78021 - int open_count;
78022 + local_t open_count;
78023 struct codec_info *codec_info;
78024
78025 /* mutex serializes concurrent access to the device
78026 @@ -752,7 +752,7 @@ static int onyx_open(struct codec_info_i
78027 struct onyx *onyx = cii->codec_data;
78028
78029 mutex_lock(&onyx->mutex);
78030 - onyx->open_count++;
78031 + local_inc(&onyx->open_count);
78032 mutex_unlock(&onyx->mutex);
78033
78034 return 0;
78035 @@ -764,8 +764,7 @@ static int onyx_close(struct codec_info_
78036 struct onyx *onyx = cii->codec_data;
78037
78038 mutex_lock(&onyx->mutex);
78039 - onyx->open_count--;
78040 - if (!onyx->open_count)
78041 + if (local_dec_and_test(&onyx->open_count))
78042 onyx->spdif_locked = onyx->analog_locked = 0;
78043 mutex_unlock(&onyx->mutex);
78044
78045 diff -urNp linux-2.6.32.46/sound/aoa/codecs/onyx.h linux-2.6.32.46/sound/aoa/codecs/onyx.h
78046 --- linux-2.6.32.46/sound/aoa/codecs/onyx.h 2011-03-27 14:31:47.000000000 -0400
78047 +++ linux-2.6.32.46/sound/aoa/codecs/onyx.h 2011-04-17 15:56:46.000000000 -0400
78048 @@ -11,6 +11,7 @@
78049 #include <linux/i2c.h>
78050 #include <asm/pmac_low_i2c.h>
78051 #include <asm/prom.h>
78052 +#include <asm/local.h>
78053
78054 /* PCM3052 register definitions */
78055
78056 diff -urNp linux-2.6.32.46/sound/core/seq/seq_device.c linux-2.6.32.46/sound/core/seq/seq_device.c
78057 --- linux-2.6.32.46/sound/core/seq/seq_device.c 2011-03-27 14:31:47.000000000 -0400
78058 +++ linux-2.6.32.46/sound/core/seq/seq_device.c 2011-08-05 20:33:55.000000000 -0400
78059 @@ -63,7 +63,7 @@ struct ops_list {
78060 int argsize; /* argument size */
78061
78062 /* operators */
78063 - struct snd_seq_dev_ops ops;
78064 + struct snd_seq_dev_ops *ops;
78065
78066 /* registred devices */
78067 struct list_head dev_list; /* list of devices */
78068 @@ -332,7 +332,7 @@ int snd_seq_device_register_driver(char
78069
78070 mutex_lock(&ops->reg_mutex);
78071 /* copy driver operators */
78072 - ops->ops = *entry;
78073 + ops->ops = entry;
78074 ops->driver |= DRIVER_LOADED;
78075 ops->argsize = argsize;
78076
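Review bot: With `ops->ops = entry;` the list entry keeps the caller's pointer instead of a private copy, so the comment `/* copy driver operators */` above it is now wrong and the lifetime rule has changed. Every `struct snd_seq_dev_ops` passed to `snd_seq_device_register_driver()` must stay valid until the driver is unregistered; a caller that builds it on the stack would leave `ops->ops->init_device` and `ops->ops->free_device` (the two later hunks) calling through a dangling pointer. The callers are not visible here, so this needs checking against each driver. At minimum the comment should become `/* keep a reference to the driver operators; entry must outlive the registration */`. The function starts and ends outside the hunk.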
78077 @@ -462,7 +462,7 @@ static int init_device(struct snd_seq_de
78078 dev->name, ops->id, ops->argsize, dev->argsize);
78079 return -EINVAL;
78080 }
78081 - if (ops->ops.init_device(dev) >= 0) {
78082 + if (ops->ops->init_device(dev) >= 0) {
78083 dev->status = SNDRV_SEQ_DEVICE_REGISTERED;
78084 ops->num_init_devices++;
78085 } else {
78086 @@ -489,7 +489,7 @@ static int free_device(struct snd_seq_de
78087 dev->name, ops->id, ops->argsize, dev->argsize);
78088 return -EINVAL;
78089 }
78090 - if ((result = ops->ops.free_device(dev)) >= 0 || result == -ENXIO) {
78091 + if ((result = ops->ops->free_device(dev)) >= 0 || result == -ENXIO) {
78092 dev->status = SNDRV_SEQ_DEVICE_FREE;
78093 dev->driver_data = NULL;
78094 ops->num_init_devices--;
78095 diff -urNp linux-2.6.32.46/sound/drivers/mts64.c linux-2.6.32.46/sound/drivers/mts64.c
78096 --- linux-2.6.32.46/sound/drivers/mts64.c 2011-03-27 14:31:47.000000000 -0400
78097 +++ linux-2.6.32.46/sound/drivers/mts64.c 2011-04-17 15:56:46.000000000 -0400
78098 @@ -27,6 +27,7 @@
78099 #include <sound/initval.h>
78100 #include <sound/rawmidi.h>
78101 #include <sound/control.h>
78102 +#include <asm/local.h>
78103
78104 #define CARD_NAME "Miditerminal 4140"
78105 #define DRIVER_NAME "MTS64"
78106 @@ -65,7 +66,7 @@ struct mts64 {
78107 struct pardevice *pardev;
78108 int pardev_claimed;
78109
78110 - int open_count;
78111 + local_t open_count;
78112 int current_midi_output_port;
78113 int current_midi_input_port;
78114 u8 mode[MTS64_NUM_INPUT_PORTS];
78115 @@ -695,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
78116 {
78117 struct mts64 *mts = substream->rmidi->private_data;
78118
78119 - if (mts->open_count == 0) {
78120 + if (local_read(&mts->open_count) == 0) {
78121 /* We don't need a spinlock here, because this is just called
78122 if the device has not been opened before.
78123 So there aren't any IRQs from the device */
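Review bot: Converting `open_count` to `local_t` does not make the open path safer against concurrent callers: `local_read(&mts->open_count) == 0` here and `local_inc(&mts->open_count)` in the next hunk remain a separate check and update, and `local_t` operations are atomic only with respect to the current CPU. The same holds for the `local_read(...) < 0` / `local_set(..., 0)` pair in `snd_mts64_rawmidi_close`. If the counter can be touched from more than one CPU, `atomic_t` (or holding `mts->lock` across the test and the increment) would be the matching primitive; if the type was chosen only for its overflow checking, a comment on the field such as `/* local_t only for overflow checking; callers must serialize open/close */` would record that. Whether opens are serialized by the caller is not visible in these hunks.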
78124 @@ -703,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
78125
78126 msleep(50);
78127 }
78128 - ++(mts->open_count);
78129 + local_inc(&mts->open_count);
78130
78131 return 0;
78132 }
78133 @@ -713,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
78134 struct mts64 *mts = substream->rmidi->private_data;
78135 unsigned long flags;
78136
78137 - --(mts->open_count);
78138 - if (mts->open_count == 0) {
78139 + if (local_dec_return(&mts->open_count) == 0) {
78140 /* We need the spinlock_irqsave here because we can still
78141 have IRQs at this point */
78142 spin_lock_irqsave(&mts->lock, flags);
78143 @@ -723,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
78144
78145 msleep(500);
78146
78147 - } else if (mts->open_count < 0)
78148 - mts->open_count = 0;
78149 + } else if (local_read(&mts->open_count) < 0)
78150 + local_set(&mts->open_count, 0);
78151
78152 return 0;
78153 }
78154 diff -urNp linux-2.6.32.46/sound/drivers/opl4/opl4_lib.c linux-2.6.32.46/sound/drivers/opl4/opl4_lib.c
78155 --- linux-2.6.32.46/sound/drivers/opl4/opl4_lib.c 2011-03-27 14:31:47.000000000 -0400
78156 +++ linux-2.6.32.46/sound/drivers/opl4/opl4_lib.c 2011-08-05 20:33:55.000000000 -0400
78157 @@ -27,7 +27,7 @@ MODULE_AUTHOR("Clemens Ladisch <clemens@
78158 MODULE_DESCRIPTION("OPL4 driver");
78159 MODULE_LICENSE("GPL");
78160
78161 -static void inline snd_opl4_wait(struct snd_opl4 *opl4)
78162 +static inline void snd_opl4_wait(struct snd_opl4 *opl4)
78163 {
78164 int timeout = 10;
78165 while ((inb(opl4->fm_port) & OPL4_STATUS_BUSY) && --timeout > 0)
78166 diff -urNp linux-2.6.32.46/sound/drivers/portman2x4.c linux-2.6.32.46/sound/drivers/portman2x4.c
78167 --- linux-2.6.32.46/sound/drivers/portman2x4.c 2011-03-27 14:31:47.000000000 -0400
78168 +++ linux-2.6.32.46/sound/drivers/portman2x4.c 2011-04-17 15:56:46.000000000 -0400
78169 @@ -46,6 +46,7 @@
78170 #include <sound/initval.h>
78171 #include <sound/rawmidi.h>
78172 #include <sound/control.h>
78173 +#include <asm/local.h>
78174
78175 #define CARD_NAME "Portman 2x4"
78176 #define DRIVER_NAME "portman"
78177 @@ -83,7 +84,7 @@ struct portman {
78178 struct pardevice *pardev;
78179 int pardev_claimed;
78180
78181 - int open_count;
78182 + local_t open_count;
78183 int mode[PORTMAN_NUM_INPUT_PORTS];
78184 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
78185 };
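Review bot: `open_count` in `struct portman` becomes `local_t` and `<asm/local.h>` is included, but no hunk for this file converts a read or write of the field. Either the field is unused, in which case the type change and the include add nothing and the field could simply be dropped, or there are remaining `int`-style accesses that will no longer compile. The rest of the file is outside the patch, so this needs a check against the driver source.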
78186 diff -urNp linux-2.6.32.46/sound/isa/cmi8330.c linux-2.6.32.46/sound/isa/cmi8330.c
78187 --- linux-2.6.32.46/sound/isa/cmi8330.c 2011-03-27 14:31:47.000000000 -0400
78188 +++ linux-2.6.32.46/sound/isa/cmi8330.c 2011-08-23 21:22:32.000000000 -0400
78189 @@ -173,7 +173,7 @@ struct snd_cmi8330 {
78190
78191 struct snd_pcm *pcm;
78192 struct snd_cmi8330_stream {
78193 - struct snd_pcm_ops ops;
78194 + snd_pcm_ops_no_const ops;
78195 snd_pcm_open_callback_t open;
78196 void *private_data; /* sb or wss */
78197 } streams[2];
78198 diff -urNp linux-2.6.32.46/sound/oss/sb_audio.c linux-2.6.32.46/sound/oss/sb_audio.c
78199 --- linux-2.6.32.46/sound/oss/sb_audio.c 2011-03-27 14:31:47.000000000 -0400
78200 +++ linux-2.6.32.46/sound/oss/sb_audio.c 2011-04-17 15:56:46.000000000 -0400
78201 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
78202 buf16 = (signed short *)(localbuf + localoffs);
78203 while (c)
78204 {
78205 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
78206 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
78207 if (copy_from_user(lbuf8,
78208 userbuf+useroffs + p,
78209 locallen))
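Review bot: The cast in `((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c)` is what keeps a negative `c` (presumably a signed count) from being used as the `copy_from_user` length, yet the line carries no comment and reads like a no-op. I would document it, e.g. `/* compare as unsigned so a negative count is clamped to LBUFCOPYSIZE */`. Clamping still lets the `while (c)` loop run on a negative count, so rejecting such a value before the loop would be clearer. The declaration of `c` and the rest of `sb16_copy_from_user` are outside the hunk.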
78210 diff -urNp linux-2.6.32.46/sound/oss/swarm_cs4297a.c linux-2.6.32.46/sound/oss/swarm_cs4297a.c
78211 --- linux-2.6.32.46/sound/oss/swarm_cs4297a.c 2011-03-27 14:31:47.000000000 -0400
78212 +++ linux-2.6.32.46/sound/oss/swarm_cs4297a.c 2011-04-17 15:56:46.000000000 -0400
78213 @@ -2577,7 +2577,6 @@ static int __init cs4297a_init(void)
78214 {
78215 struct cs4297a_state *s;
78216 u32 pwr, id;
78217 - mm_segment_t fs;
78218 int rval;
78219 #ifndef CONFIG_BCM_CS4297A_CSWARM
78220 u64 cfg;
78221 @@ -2667,22 +2666,23 @@ static int __init cs4297a_init(void)
78222 if (!rval) {
78223 char *sb1250_duart_present;
78224
78225 +#if 0
78226 + mm_segment_t fs;
78227 fs = get_fs();
78228 set_fs(KERNEL_DS);
78229 -#if 0
78230 val = SOUND_MASK_LINE;
78231 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
78232 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
78233 val = initvol[i].vol;
78234 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
78235 }
78236 + set_fs(fs);
78237 // cs4297a_write_ac97(s, 0x18, 0x0808);
78238 #else
78239 // cs4297a_write_ac97(s, 0x5e, 0x180);
78240 cs4297a_write_ac97(s, 0x02, 0x0808);
78241 cs4297a_write_ac97(s, 0x18, 0x0808);
78242 #endif
78243 - set_fs(fs);
78244
78245 list_add(&s->list, &cs4297a_devs);
78246
78247 diff -urNp linux-2.6.32.46/sound/pci/ac97/ac97_codec.c linux-2.6.32.46/sound/pci/ac97/ac97_codec.c
78248 --- linux-2.6.32.46/sound/pci/ac97/ac97_codec.c 2011-03-27 14:31:47.000000000 -0400
78249 +++ linux-2.6.32.46/sound/pci/ac97/ac97_codec.c 2011-04-17 15:56:46.000000000 -0400
78250 @@ -1952,7 +1952,7 @@ static int snd_ac97_dev_disconnect(struc
78251 }
78252
78253 /* build_ops to do nothing */
78254 -static struct snd_ac97_build_ops null_build_ops;
78255 +static const struct snd_ac97_build_ops null_build_ops;
78256
78257 #ifdef CONFIG_SND_AC97_POWER_SAVE
78258 static void do_update_power(struct work_struct *work)
78259 diff -urNp linux-2.6.32.46/sound/pci/ac97/ac97_patch.c linux-2.6.32.46/sound/pci/ac97/ac97_patch.c
78260 --- linux-2.6.32.46/sound/pci/ac97/ac97_patch.c 2011-08-29 22:24:44.000000000 -0400
78261 +++ linux-2.6.32.46/sound/pci/ac97/ac97_patch.c 2011-08-29 22:25:07.000000000 -0400
78262 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
78263 return 0;
78264 }
78265
78266 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
78267 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
78268 .build_spdif = patch_yamaha_ymf743_build_spdif,
78269 .build_3d = patch_yamaha_ymf7x3_3d,
78270 };
78271 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
78272 return 0;
78273 }
78274
78275 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
78276 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
78277 .build_3d = patch_yamaha_ymf7x3_3d,
78278 .build_post_spdif = patch_yamaha_ymf753_post_spdif
78279 };
78280 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
78281 return 0;
78282 }
78283
78284 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
78285 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
78286 .build_specific = patch_wolfson_wm9703_specific,
78287 };
78288
78289 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
78290 return 0;
78291 }
78292
78293 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
78294 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
78295 .build_specific = patch_wolfson_wm9704_specific,
78296 };
78297
78298 @@ -555,7 +555,7 @@ static int patch_wolfson_wm9705_specific
78299 return 0;
78300 }
78301
78302 -static struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
78303 +static const struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
78304 .build_specific = patch_wolfson_wm9705_specific,
78305 };
78306
78307 @@ -692,7 +692,7 @@ static int patch_wolfson_wm9711_specific
78308 return 0;
78309 }
78310
78311 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
78312 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
78313 .build_specific = patch_wolfson_wm9711_specific,
78314 };
78315
78316 @@ -886,7 +886,7 @@ static void patch_wolfson_wm9713_resume
78317 }
78318 #endif
78319
78320 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
78321 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
78322 .build_specific = patch_wolfson_wm9713_specific,
78323 .build_3d = patch_wolfson_wm9713_3d,
78324 #ifdef CONFIG_PM
78325 @@ -991,7 +991,7 @@ static int patch_sigmatel_stac97xx_speci
78326 return 0;
78327 }
78328
78329 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
78330 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
78331 .build_3d = patch_sigmatel_stac9700_3d,
78332 .build_specific = patch_sigmatel_stac97xx_specific
78333 };
78334 @@ -1038,7 +1038,7 @@ static int patch_sigmatel_stac9708_speci
78335 return patch_sigmatel_stac97xx_specific(ac97);
78336 }
78337
78338 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
78339 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
78340 .build_3d = patch_sigmatel_stac9708_3d,
78341 .build_specific = patch_sigmatel_stac9708_specific
78342 };
78343 @@ -1267,7 +1267,7 @@ static int patch_sigmatel_stac9758_speci
78344 return 0;
78345 }
78346
78347 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
78348 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
78349 .build_3d = patch_sigmatel_stac9700_3d,
78350 .build_specific = patch_sigmatel_stac9758_specific
78351 };
78352 @@ -1342,7 +1342,7 @@ static int patch_cirrus_build_spdif(stru
78353 return 0;
78354 }
78355
78356 -static struct snd_ac97_build_ops patch_cirrus_ops = {
78357 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
78358 .build_spdif = patch_cirrus_build_spdif
78359 };
78360
78361 @@ -1399,7 +1399,7 @@ static int patch_conexant_build_spdif(st
78362 return 0;
78363 }
78364
78365 -static struct snd_ac97_build_ops patch_conexant_ops = {
78366 +static const struct snd_ac97_build_ops patch_conexant_ops = {
78367 .build_spdif = patch_conexant_build_spdif
78368 };
78369
78370 @@ -1575,7 +1575,7 @@ static void patch_ad1881_chained(struct
78371 }
78372 }
78373
78374 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
78375 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
78376 #ifdef CONFIG_PM
78377 .resume = ad18xx_resume
78378 #endif
78379 @@ -1662,7 +1662,7 @@ static int patch_ad1885_specific(struct
78380 return 0;
78381 }
78382
78383 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
78384 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
78385 .build_specific = &patch_ad1885_specific,
78386 #ifdef CONFIG_PM
78387 .resume = ad18xx_resume
78388 @@ -1689,7 +1689,7 @@ static int patch_ad1886_specific(struct
78389 return 0;
78390 }
78391
78392 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
78393 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
78394 .build_specific = &patch_ad1886_specific,
78395 #ifdef CONFIG_PM
78396 .resume = ad18xx_resume
78397 @@ -1896,7 +1896,7 @@ static int patch_ad1981a_specific(struct
78398 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
78399 }
78400
78401 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
78402 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
78403 .build_post_spdif = patch_ad198x_post_spdif,
78404 .build_specific = patch_ad1981a_specific,
78405 #ifdef CONFIG_PM
78406 @@ -1952,7 +1952,7 @@ static int patch_ad1981b_specific(struct
78407 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
78408 }
78409
78410 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
78411 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
78412 .build_post_spdif = patch_ad198x_post_spdif,
78413 .build_specific = patch_ad1981b_specific,
78414 #ifdef CONFIG_PM
78415 @@ -2091,7 +2091,7 @@ static int patch_ad1888_specific(struct
78416 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
78417 }
78418
78419 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
78420 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
78421 .build_post_spdif = patch_ad198x_post_spdif,
78422 .build_specific = patch_ad1888_specific,
78423 #ifdef CONFIG_PM
78424 @@ -2140,7 +2140,7 @@ static int patch_ad1980_specific(struct
78425 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
78426 }
78427
78428 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
78429 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
78430 .build_post_spdif = patch_ad198x_post_spdif,
78431 .build_specific = patch_ad1980_specific,
78432 #ifdef CONFIG_PM
78433 @@ -2255,7 +2255,7 @@ static int patch_ad1985_specific(struct
78434 ARRAY_SIZE(snd_ac97_ad1985_controls));
78435 }
78436
78437 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
78438 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
78439 .build_post_spdif = patch_ad198x_post_spdif,
78440 .build_specific = patch_ad1985_specific,
78441 #ifdef CONFIG_PM
78442 @@ -2547,7 +2547,7 @@ static int patch_ad1986_specific(struct
78443 ARRAY_SIZE(snd_ac97_ad1985_controls));
78444 }
78445
78446 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
78447 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
78448 .build_post_spdif = patch_ad198x_post_spdif,
78449 .build_specific = patch_ad1986_specific,
78450 #ifdef CONFIG_PM
78451 @@ -2652,7 +2652,7 @@ static int patch_alc650_specific(struct
78452 return 0;
78453 }
78454
78455 -static struct snd_ac97_build_ops patch_alc650_ops = {
78456 +static const struct snd_ac97_build_ops patch_alc650_ops = {
78457 .build_specific = patch_alc650_specific,
78458 .update_jacks = alc650_update_jacks
78459 };
78460 @@ -2804,7 +2804,7 @@ static int patch_alc655_specific(struct
78461 return 0;
78462 }
78463
78464 -static struct snd_ac97_build_ops patch_alc655_ops = {
78465 +static const struct snd_ac97_build_ops patch_alc655_ops = {
78466 .build_specific = patch_alc655_specific,
78467 .update_jacks = alc655_update_jacks
78468 };
78469 @@ -2916,7 +2916,7 @@ static int patch_alc850_specific(struct
78470 return 0;
78471 }
78472
78473 -static struct snd_ac97_build_ops patch_alc850_ops = {
78474 +static const struct snd_ac97_build_ops patch_alc850_ops = {
78475 .build_specific = patch_alc850_specific,
78476 .update_jacks = alc850_update_jacks
78477 };
78478 @@ -2978,7 +2978,7 @@ static int patch_cm9738_specific(struct
78479 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
78480 }
78481
78482 -static struct snd_ac97_build_ops patch_cm9738_ops = {
78483 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
78484 .build_specific = patch_cm9738_specific,
78485 .update_jacks = cm9738_update_jacks
78486 };
78487 @@ -3069,7 +3069,7 @@ static int patch_cm9739_post_spdif(struc
78488 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
78489 }
78490
78491 -static struct snd_ac97_build_ops patch_cm9739_ops = {
78492 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
78493 .build_specific = patch_cm9739_specific,
78494 .build_post_spdif = patch_cm9739_post_spdif,
78495 .update_jacks = cm9739_update_jacks
78496 @@ -3243,7 +3243,7 @@ static int patch_cm9761_specific(struct
78497 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
78498 }
78499
78500 -static struct snd_ac97_build_ops patch_cm9761_ops = {
78501 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
78502 .build_specific = patch_cm9761_specific,
78503 .build_post_spdif = patch_cm9761_post_spdif,
78504 .update_jacks = cm9761_update_jacks
78505 @@ -3339,7 +3339,7 @@ static int patch_cm9780_specific(struct
78506 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
78507 }
78508
78509 -static struct snd_ac97_build_ops patch_cm9780_ops = {
78510 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
78511 .build_specific = patch_cm9780_specific,
78512 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
78513 };
78514 @@ -3459,7 +3459,7 @@ static int patch_vt1616_specific(struct
78515 return 0;
78516 }
78517
78518 -static struct snd_ac97_build_ops patch_vt1616_ops = {
78519 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
78520 .build_specific = patch_vt1616_specific
78521 };
78522
78523 @@ -3813,7 +3813,7 @@ static int patch_it2646_specific(struct
78524 return 0;
78525 }
78526
78527 -static struct snd_ac97_build_ops patch_it2646_ops = {
78528 +static const struct snd_ac97_build_ops patch_it2646_ops = {
78529 .build_specific = patch_it2646_specific,
78530 .update_jacks = it2646_update_jacks
78531 };
78532 @@ -3847,7 +3847,7 @@ static int patch_si3036_specific(struct
78533 return 0;
78534 }
78535
78536 -static struct snd_ac97_build_ops patch_si3036_ops = {
78537 +static const struct snd_ac97_build_ops patch_si3036_ops = {
78538 .build_specific = patch_si3036_specific,
78539 };
78540
78541 @@ -3914,7 +3914,7 @@ static int patch_ucb1400_specific(struct
78542 return 0;
78543 }
78544
78545 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
78546 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
78547 .build_specific = patch_ucb1400_specific,
78548 };
78549
78550 diff -urNp linux-2.6.32.46/sound/pci/hda/hda_codec.h linux-2.6.32.46/sound/pci/hda/hda_codec.h
78551 --- linux-2.6.32.46/sound/pci/hda/hda_codec.h 2011-03-27 14:31:47.000000000 -0400
78552 +++ linux-2.6.32.46/sound/pci/hda/hda_codec.h 2011-08-23 21:22:32.000000000 -0400
78553 @@ -580,7 +580,7 @@ struct hda_bus_ops {
78554 /* notify power-up/down from codec to controller */
78555 void (*pm_notify)(struct hda_bus *bus);
78556 #endif
78557 -};
78558 +} __no_const;
78559
78560 /* template to pass to the bus constructor */
78561 struct hda_bus_template {
78562 @@ -675,6 +675,7 @@ struct hda_codec_ops {
78563 int (*check_power_status)(struct hda_codec *codec, hda_nid_t nid);
78564 #endif
78565 };
78566 +typedef struct hda_codec_ops __no_const hda_codec_ops_no_const;
78567
78568 /* record for amp information cache */
78569 struct hda_cache_head {
78570 @@ -705,7 +706,7 @@ struct hda_pcm_ops {
78571 struct snd_pcm_substream *substream);
78572 int (*cleanup)(struct hda_pcm_stream *info, struct hda_codec *codec,
78573 struct snd_pcm_substream *substream);
78574 -};
78575 +} __no_const;
78576
78577 /* PCM information for each substream */
78578 struct hda_pcm_stream {
78579 @@ -760,7 +761,7 @@ struct hda_codec {
78580 const char *modelname; /* model name for preset */
78581
78582 /* set by patch */
78583 - struct hda_codec_ops patch_ops;
78584 + hda_codec_ops_no_const patch_ops;
78585
78586 /* PCM to create, set by patch_ops.build_pcms callback */
78587 unsigned int num_pcms;
78588 diff -urNp linux-2.6.32.46/sound/pci/hda/patch_atihdmi.c linux-2.6.32.46/sound/pci/hda/patch_atihdmi.c
78589 --- linux-2.6.32.46/sound/pci/hda/patch_atihdmi.c 2011-03-27 14:31:47.000000000 -0400
78590 +++ linux-2.6.32.46/sound/pci/hda/patch_atihdmi.c 2011-08-05 20:33:55.000000000 -0400
78591 @@ -177,7 +177,7 @@ static int patch_atihdmi(struct hda_code
78592 */
78593 spec->multiout.dig_out_nid = CVT_NID;
78594
78595 - codec->patch_ops = atihdmi_patch_ops;
78596 + memcpy((void *)&codec->patch_ops, &atihdmi_patch_ops, sizeof(atihdmi_patch_ops));
78597
78598 return 0;
78599 }
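Review bot: The copy `memcpy((void *)&codec->patch_ops, &atihdmi_patch_ops, sizeof(atihdmi_patch_ops));` takes its length from the source object and hides the destination behind a `void *` cast, so the compiler no longer checks that both sides are the same struct type. Bounding the copy by the destination, `memcpy(&codec->patch_ops, &atihdmi_patch_ops, sizeof(codec->patch_ops));`, keeps it safe if the types ever diverge. Since this patch declares the field as `hda_codec_ops_no_const` in hda_codec.h, the plain struct assignment may well compile again and would be preferable. The same pattern appears in the patch_intelhdmi.c, patch_nvhdmi.c and patch_sigmatel.c hunks; patch_atihdmi itself starts outside this hunk.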
78600 diff -urNp linux-2.6.32.46/sound/pci/hda/patch_intelhdmi.c linux-2.6.32.46/sound/pci/hda/patch_intelhdmi.c
78601 --- linux-2.6.32.46/sound/pci/hda/patch_intelhdmi.c 2011-03-27 14:31:47.000000000 -0400
78602 +++ linux-2.6.32.46/sound/pci/hda/patch_intelhdmi.c 2011-08-05 20:33:55.000000000 -0400
78603 @@ -511,10 +511,10 @@ static void hdmi_non_intrinsic_event(str
78604 cp_ready);
78605
78606 /* TODO */
78607 - if (cp_state)
78608 - ;
78609 - if (cp_ready)
78610 - ;
78611 + if (cp_state) {
78612 + }
78613 + if (cp_ready) {
78614 + }
78615 }
78616
78617
78618 @@ -656,7 +656,7 @@ static int do_patch_intel_hdmi(struct hd
78619 spec->multiout.dig_out_nid = cvt_nid;
78620
78621 codec->spec = spec;
78622 - codec->patch_ops = intel_hdmi_patch_ops;
78623 + memcpy((void *)&codec->patch_ops, &intel_hdmi_patch_ops, sizeof(intel_hdmi_patch_ops));
78624
78625 snd_hda_eld_proc_new(codec, &spec->sink_eld);
78626
78627 diff -urNp linux-2.6.32.46/sound/pci/hda/patch_nvhdmi.c linux-2.6.32.46/sound/pci/hda/patch_nvhdmi.c
78628 --- linux-2.6.32.46/sound/pci/hda/patch_nvhdmi.c 2011-03-27 14:31:47.000000000 -0400
78629 +++ linux-2.6.32.46/sound/pci/hda/patch_nvhdmi.c 2011-08-05 20:33:55.000000000 -0400
78630 @@ -367,7 +367,7 @@ static int patch_nvhdmi_8ch(struct hda_c
78631 spec->multiout.max_channels = 8;
78632 spec->multiout.dig_out_nid = Nv_Master_Convert_nid;
78633
78634 - codec->patch_ops = nvhdmi_patch_ops_8ch;
78635 + memcpy((void *)&codec->patch_ops, &nvhdmi_patch_ops_8ch, sizeof(nvhdmi_patch_ops_8ch));
78636
78637 return 0;
78638 }
78639 @@ -386,7 +386,7 @@ static int patch_nvhdmi_2ch(struct hda_c
78640 spec->multiout.max_channels = 2;
78641 spec->multiout.dig_out_nid = Nv_Master_Convert_nid;
78642
78643 - codec->patch_ops = nvhdmi_patch_ops_2ch;
78644 + memcpy((void *)&codec->patch_ops, &nvhdmi_patch_ops_2ch, sizeof(nvhdmi_patch_ops_2ch));
78645
78646 return 0;
78647 }
78648 diff -urNp linux-2.6.32.46/sound/pci/hda/patch_sigmatel.c linux-2.6.32.46/sound/pci/hda/patch_sigmatel.c
78649 --- linux-2.6.32.46/sound/pci/hda/patch_sigmatel.c 2011-06-25 12:55:35.000000000 -0400
78650 +++ linux-2.6.32.46/sound/pci/hda/patch_sigmatel.c 2011-08-23 21:22:32.000000000 -0400
78651 @@ -5220,7 +5220,7 @@ again:
78652 snd_hda_codec_write_cache(codec, nid, 0,
78653 AC_VERB_SET_CONNECT_SEL, num_dacs);
78654
78655 - codec->patch_ops = stac92xx_patch_ops;
78656 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
78657
78658 codec->proc_widget_hook = stac92hd_proc_hook;
78659
78660 @@ -5294,7 +5294,7 @@ static int patch_stac92hd71bxx(struct hd
78661 return -ENOMEM;
78662
78663 codec->spec = spec;
78664 - codec->patch_ops = stac92xx_patch_ops;
78665 + memcpy((void *)&codec->patch_ops, &stac92xx_patch_ops, sizeof(stac92xx_patch_ops));
78666 spec->num_pins = STAC92HD71BXX_NUM_PINS;
78667 switch (codec->vendor_id) {
78668 case 0x111d76b6:
78669 diff -urNp linux-2.6.32.46/sound/pci/ice1712/ice1712.h linux-2.6.32.46/sound/pci/ice1712/ice1712.h
78670 --- linux-2.6.32.46/sound/pci/ice1712/ice1712.h 2011-03-27 14:31:47.000000000 -0400
78671 +++ linux-2.6.32.46/sound/pci/ice1712/ice1712.h 2011-08-05 20:33:55.000000000 -0400
78672 @@ -269,7 +269,7 @@ struct snd_ak4xxx_private {
78673 unsigned int mask_flags; /* total mask bits */
78674 struct snd_akm4xxx_ops {
78675 void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
78676 - } ops;
78677 + } __no_const ops;
78678 };
78679
78680 struct snd_ice1712_spdif {
78681 @@ -285,7 +285,7 @@ struct snd_ice1712_spdif {
78682 int (*default_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
78683 void (*stream_get)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
78684 int (*stream_put)(struct snd_ice1712 *, struct snd_ctl_elem_value *ucontrol);
78685 - } ops;
78686 + } __no_const ops;
78687 };
78688
78689
78690 diff -urNp linux-2.6.32.46/sound/pci/intel8x0m.c linux-2.6.32.46/sound/pci/intel8x0m.c
78691 --- linux-2.6.32.46/sound/pci/intel8x0m.c 2011-03-27 14:31:47.000000000 -0400
78692 +++ linux-2.6.32.46/sound/pci/intel8x0m.c 2011-04-23 12:56:12.000000000 -0400
78693 @@ -1264,7 +1264,7 @@ static struct shortname_table {
78694 { 0x5455, "ALi M5455" },
78695 { 0x746d, "AMD AMD8111" },
78696 #endif
78697 - { 0 },
78698 + { 0, },
78699 };
78700
78701 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
78702 diff -urNp linux-2.6.32.46/sound/pci/ymfpci/ymfpci_main.c linux-2.6.32.46/sound/pci/ymfpci/ymfpci_main.c
78703 --- linux-2.6.32.46/sound/pci/ymfpci/ymfpci_main.c 2011-03-27 14:31:47.000000000 -0400
78704 +++ linux-2.6.32.46/sound/pci/ymfpci/ymfpci_main.c 2011-05-04 17:56:28.000000000 -0400
78705 @@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct sn
78706 if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
78707 break;
78708 }
78709 - if (atomic_read(&chip->interrupt_sleep_count)) {
78710 - atomic_set(&chip->interrupt_sleep_count, 0);
78711 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
78712 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
78713 wake_up(&chip->interrupt_sleep);
78714 }
78715 __end:
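Review bot: Nothing records why `interrupt_sleep_count` is moved to the `_unchecked` atomic helpers, here and in the three later ymfpci_main.c hunks. In the visible uses it is only incremented, tested and reset to 0, so it is presumably a sleeper counter rather than a reference count, and wrap-around would not free anything. That reasoning should sit next to the code, for example `/* sleeper counter, not a refcount: overflow checking is deliberately skipped */` at the first use. snd_ymfpci_hw_stop starts outside the hunk.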
78716 @@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct s
78717 continue;
78718 init_waitqueue_entry(&wait, current);
78719 add_wait_queue(&chip->interrupt_sleep, &wait);
78720 - atomic_inc(&chip->interrupt_sleep_count);
78721 + atomic_inc_unchecked(&chip->interrupt_sleep_count);
78722 schedule_timeout_uninterruptible(msecs_to_jiffies(50));
78723 remove_wait_queue(&chip->interrupt_sleep, &wait);
78724 }
78725 @@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(
78726 snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
78727 spin_unlock(&chip->reg_lock);
78728
78729 - if (atomic_read(&chip->interrupt_sleep_count)) {
78730 - atomic_set(&chip->interrupt_sleep_count, 0);
78731 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
78732 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
78733 wake_up(&chip->interrupt_sleep);
78734 }
78735 }
78736 @@ -2369,7 +2369,7 @@ int __devinit snd_ymfpci_create(struct s
78737 spin_lock_init(&chip->reg_lock);
78738 spin_lock_init(&chip->voice_lock);
78739 init_waitqueue_head(&chip->interrupt_sleep);
78740 - atomic_set(&chip->interrupt_sleep_count, 0);
78741 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
78742 chip->card = card;
78743 chip->pci = pci;
78744 chip->irq = -1;
78745 diff -urNp linux-2.6.32.46/sound/soc/soc-core.c linux-2.6.32.46/sound/soc/soc-core.c
78746 --- linux-2.6.32.46/sound/soc/soc-core.c 2011-03-27 14:31:47.000000000 -0400
78747 +++ linux-2.6.32.46/sound/soc/soc-core.c 2011-08-23 21:22:32.000000000 -0400
78748 @@ -609,7 +609,7 @@ static int soc_pcm_trigger(struct snd_pc
78749 }
78750
78751 /* ASoC PCM operations */
78752 -static struct snd_pcm_ops soc_pcm_ops = {
78753 +static snd_pcm_ops_no_const soc_pcm_ops = {
78754 .open = soc_pcm_open,
78755 .close = soc_codec_close,
78756 .hw_params = soc_pcm_hw_params,
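Review bot: Declaring `soc_pcm_ops` as `snd_pcm_ops_no_const` leaves this table of function pointers writable, and the hunk gives no reason for the exemption. Presumably some entries are assigned at runtime elsewhere in soc-core.c, but that is not visible here and should be confirmed. A comment above the definition such as `/* writable on purpose: entries are assigned at runtime, so this table cannot be constified */` would keep a later cleanup from either constifying it blindly or copying the exemption to tables that do not need it. The initializer continues past the end of the hunk.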
78757 diff -urNp linux-2.6.32.46/sound/usb/usbaudio.c linux-2.6.32.46/sound/usb/usbaudio.c
78758 --- linux-2.6.32.46/sound/usb/usbaudio.c 2011-03-27 14:31:47.000000000 -0400
78759 +++ linux-2.6.32.46/sound/usb/usbaudio.c 2011-08-05 20:33:55.000000000 -0400
78760 @@ -963,12 +963,12 @@ static int snd_usb_pcm_playback_trigger(
78761 switch (cmd) {
78762 case SNDRV_PCM_TRIGGER_START:
78763 case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
78764 - subs->ops.prepare = prepare_playback_urb;
78765 + *(void **)&subs->ops.prepare = prepare_playback_urb;
78766 return 0;
78767 case SNDRV_PCM_TRIGGER_STOP:
78768 return deactivate_urbs(subs, 0, 0);
78769 case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
78770 - subs->ops.prepare = prepare_nodata_playback_urb;
78771 + *(void **)&subs->ops.prepare = prepare_nodata_playback_urb;
78772 return 0;
78773 default:
78774 return -EINVAL;
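Review bot: The stores written as `*(void **)&subs->ops.prepare = prepare_playback_urb;` go through a `void **` cast, so the compiler no longer checks the handler against the prototype of the `prepare` field, and a handler with the wrong signature would be installed without a diagnostic. The same form is used in the snd_usb_pcm_capture_trigger, snd_usb_pcm_prepare and init_substream hunks that follow. Because these callbacks are swapped at runtime, the struct type of `subs->ops` looks like a candidate for the `__no_const` annotation this patch applies to `hda_pcm_ops`. That would let the original `subs->ops.prepare = prepare_playback_urb;` stand with type checking intact. snd_usb_pcm_playback_trigger starts outside the hunk.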
78775 @@ -985,15 +985,15 @@ static int snd_usb_pcm_capture_trigger(s
78776
78777 switch (cmd) {
78778 case SNDRV_PCM_TRIGGER_START:
78779 - subs->ops.retire = retire_capture_urb;
78780 + *(void **)&subs->ops.retire = retire_capture_urb;
78781 return start_urbs(subs, substream->runtime);
78782 case SNDRV_PCM_TRIGGER_STOP:
78783 return deactivate_urbs(subs, 0, 0);
78784 case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
78785 - subs->ops.retire = retire_paused_capture_urb;
78786 + *(void **)&subs->ops.retire = retire_paused_capture_urb;
78787 return 0;
78788 case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
78789 - subs->ops.retire = retire_capture_urb;
78790 + *(void **)&subs->ops.retire = retire_capture_urb;
78791 return 0;
78792 default:
78793 return -EINVAL;
78794 @@ -1542,7 +1542,7 @@ static int snd_usb_pcm_prepare(struct sn
78795 /* for playback, submit the URBs now; otherwise, the first hwptr_done
78796 * updates for all URBs would happen at the same time when starting */
78797 if (subs->direction == SNDRV_PCM_STREAM_PLAYBACK) {
78798 - subs->ops.prepare = prepare_nodata_playback_urb;
78799 + *(void **)&subs->ops.prepare = prepare_nodata_playback_urb;
78800 return start_urbs(subs, runtime);
78801 } else
78802 return 0;
78803 @@ -2228,14 +2228,14 @@ static void init_substream(struct snd_us
78804 subs->direction = stream;
78805 subs->dev = as->chip->dev;
78806 if (snd_usb_get_speed(subs->dev) == USB_SPEED_FULL) {
78807 - subs->ops = audio_urb_ops[stream];
78808 + memcpy((void *)&subs->ops, &audio_urb_ops[stream], sizeof(subs->ops));
78809 } else {
78810 - subs->ops = audio_urb_ops_high_speed[stream];
78811 + memcpy((void *)&subs->ops, &audio_urb_ops_high_speed[stream], sizeof(subs->ops));
78812 switch (as->chip->usb_id) {
78813 case USB_ID(0x041e, 0x3f02): /* E-Mu 0202 USB */
78814 case USB_ID(0x041e, 0x3f04): /* E-Mu 0404 USB */
78815 case USB_ID(0x041e, 0x3f0a): /* E-Mu Tracker Pre */
78816 - subs->ops.retire_sync = retire_playback_sync_urb_hs_emu;
78817 + *(void **)&subs->ops.retire_sync = retire_playback_sync_urb_hs_emu;
78818 break;
78819 }
78820 }
78821 diff -urNp linux-2.6.32.46/tools/gcc/constify_plugin.c linux-2.6.32.46/tools/gcc/constify_plugin.c
78822 --- linux-2.6.32.46/tools/gcc/constify_plugin.c 1969-12-31 19:00:00.000000000 -0500
78823 +++ linux-2.6.32.46/tools/gcc/constify_plugin.c 2011-08-29 22:01:55.000000000 -0400
78824 @@ -0,0 +1,289 @@
78825 +/*
78826 + * Copyright 2011 by Emese Revfy <re.emese@gmail.com>
78827 + * Licensed under the GPL v2, or (at your option) v3
78828 + *
78829 + * This gcc plugin constifies all structures which contain only function pointers and const fields.
78830 + *
78831 + * Usage:
78832 + * $ gcc -I`gcc -print-file-name=plugin`/include -fPIC -shared -O2 -o constify_plugin.so constify_plugin.c
78833 + * $ gcc -fplugin=constify_plugin.so test.c -O2
78834 + */
78835 +
78836 +#include "gcc-plugin.h"
78837 +#include "config.h"
78838 +#include "system.h"
78839 +#include "coretypes.h"
78840 +#include "tree.h"
78841 +#include "tree-pass.h"
78842 +#include "intl.h"
78843 +#include "plugin-version.h"
78844 +#include "tm.h"
78845 +#include "toplev.h"
78846 +#include "function.h"
78847 +#include "tree-flow.h"
78848 +#include "plugin.h"
78849 +#include "diagnostic.h"
78850 +//#include "c-tree.h"
78851 +
78852 +#define C_TYPE_FIELDS_READONLY(TYPE) TREE_LANG_FLAG_1(TYPE)
78853 +
78854 +int plugin_is_GPL_compatible;
78855 +
78856 +static struct plugin_info const_plugin_info = {
78857 + .version = "20110826",
78858 + .help = "no-constify\tturn off constification\n",
78859 +};
78860 +
78861 +static void constify_type(tree type);
78862 +static bool walk_struct(tree node);
78863 +
78864 +static tree deconstify_type(tree old_type)
78865 +{
78866 + tree new_type, field;
78867 +
78868 + new_type = build_qualified_type(old_type, TYPE_QUALS(old_type) & ~TYPE_QUAL_CONST);
78869 + TYPE_FIELDS(new_type) = copy_list(TYPE_FIELDS(new_type));
78870 + for (field = TYPE_FIELDS(new_type); field; field = TREE_CHAIN(field))
78871 + DECL_FIELD_CONTEXT(field) = new_type;
78872 + TYPE_READONLY(new_type) = 0;
78873 + C_TYPE_FIELDS_READONLY(new_type) = 0;
78874 + return new_type;
78875 +}
78876 +
78877 +static tree handle_no_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
78878 +{
78879 + tree type;
78880 +
78881 + *no_add_attrs = true;
78882 + if (TREE_CODE(*node) == FUNCTION_DECL) {
78883 + error("%qE attribute does not apply to functions", name);
78884 + return NULL_TREE;
78885 + }
78886 +
78887 + if (TREE_CODE(*node) == VAR_DECL) {
78888 + error("%qE attribute does not apply to variables", name);
78889 + return NULL_TREE;
78890 + }
78891 +
78892 + if (TYPE_P(*node)) {
78893 + if (TREE_CODE(*node) == RECORD_TYPE || TREE_CODE(*node) == UNION_TYPE)
78894 + *no_add_attrs = false;
78895 + else
78896 + error("%qE attribute applies to struct and union types only", name);
78897 + return NULL_TREE;
78898 + }
78899 +
78900 + type = TREE_TYPE(*node);
78901 +
78902 + if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE) {
78903 + error("%qE attribute applies to struct and union types only", name);
78904 + return NULL_TREE;
78905 + }
78906 +
78907 + if (lookup_attribute(IDENTIFIER_POINTER(name), TYPE_ATTRIBUTES(type))) {
78908 + error("%qE attribute is already applied to the type", name);
78909 + return NULL_TREE;
78910 + }
78911 +
78912 + if (TREE_CODE(*node) == TYPE_DECL && !TYPE_READONLY(type)) {
78913 + error("%qE attribute used on type that is not constified", name);
78914 + return NULL_TREE;
78915 + }
78916 +
78917 + if (TREE_CODE(*node) == TYPE_DECL) {
78918 + TREE_TYPE(*node) = deconstify_type(type);
78919 + TREE_READONLY(*node) = 0;
78920 + return NULL_TREE;
78921 + }
78922 +
78923 + return NULL_TREE;
78924 +}
78925 +
78926 +static tree handle_do_const_attribute(tree *node, tree name, tree args, int flags, bool *no_add_attrs)
78927 +{
78928 + *no_add_attrs = true;
78929 + if (!TYPE_P(*node)) {
78930 + error("%qE attribute applies to types only", name);
78931 + return NULL_TREE;
78932 + }
78933 +
78934 + if (TREE_CODE(*node) != RECORD_TYPE && TREE_CODE(*node) != UNION_TYPE) {
78935 + error("%qE attribute applies to struct and union types only", name);
78936 + return NULL_TREE;
78937 + }
78938 +
78939 + *no_add_attrs = false;
78940 + constify_type(*node);
78941 + return NULL_TREE;
78942 +}
78943 +
78944 +static struct attribute_spec no_const_attr = {
78945 + .name = "no_const",
78946 + .min_length = 0,
78947 + .max_length = 0,
78948 + .decl_required = false,
78949 + .type_required = false,
78950 + .function_type_required = false,
78951 + .handler = handle_no_const_attribute
78952 +};
78953 +
78954 +static struct attribute_spec do_const_attr = {
78955 + .name = "do_const",
78956 + .min_length = 0,
78957 + .max_length = 0,
78958 + .decl_required = false,
78959 + .type_required = false,
78960 + .function_type_required = false,
78961 + .handler = handle_do_const_attribute
78962 +};
78963 +
78964 +static void register_attributes(void *event_data, void *data)
78965 +{
78966 + register_attribute(&no_const_attr);
78967 + register_attribute(&do_const_attr);
78968 +}
78969 +
78970 +static void constify_type(tree type)
78971 +{
78972 + TYPE_READONLY(type) = 1;
78973 + C_TYPE_FIELDS_READONLY(type) = 1;
78974 +}
78975 +
78976 +static bool is_fptr(tree field)
78977 +{
78978 + tree ptr = TREE_TYPE(field);
78979 +
78980 + if (TREE_CODE(ptr) != POINTER_TYPE)
78981 + return false;
78982 +
78983 + return TREE_CODE(TREE_TYPE(ptr)) == FUNCTION_TYPE;
78984 +}
78985 +
78986 +static bool walk_struct(tree node)
78987 +{
78988 + tree field;
78989 +
78990 + if (lookup_attribute("no_const", TYPE_ATTRIBUTES(node)))
78991 + return false;
78992 +
78993 + if (TYPE_FIELDS(node) == NULL_TREE)
78994 + return false;
78995 +
78996 + for (field = TYPE_FIELDS(node); field; field = TREE_CHAIN(field)) {
78997 + tree type = TREE_TYPE(field);
78998 + enum tree_code code = TREE_CODE(type);
78999 + if (code == RECORD_TYPE || code == UNION_TYPE) {
79000 + if (!(walk_struct(type)))
79001 + return false;
79002 + } else if (!is_fptr(field) && !TREE_READONLY(field))
79003 + return false;
79004 + }
79005 + return true;
79006 +}
79007 +
79008 +static void finish_type(void *event_data, void *data)
79009 +{
79010 + tree type = (tree)event_data;
79011 +
79012 + if (type == NULL_TREE)
79013 + return;
79014 +
79015 + if (TYPE_READONLY(type))
79016 + return;
79017 +
79018 + if (walk_struct(type))
79019 + constify_type(type);
79020 +}
79021 +
79022 +static unsigned int check_local_variables(void);
79023 +
79024 +struct gimple_opt_pass pass_local_variable = {
79025 + {
79026 + .type = GIMPLE_PASS,
79027 + .name = "check_local_variables",
79028 + .gate = NULL,
79029 + .execute = check_local_variables,
79030 + .sub = NULL,
79031 + .next = NULL,
79032 + .static_pass_number = 0,
79033 + .tv_id = TV_NONE,
79034 + .properties_required = 0,
79035 + .properties_provided = 0,
79036 + .properties_destroyed = 0,
79037 + .todo_flags_start = 0,
79038 + .todo_flags_finish = 0
79039 + }
79040 +};
79041 +
79042 +static unsigned int check_local_variables(void)
79043 +{
79044 + tree var;
79045 + referenced_var_iterator rvi;
79046 +
79047 +#if __GNUC__ == 4 && __GNUC_MINOR__ == 5
79048 + FOR_EACH_REFERENCED_VAR(var, rvi) {
79049 +#else
79050 + FOR_EACH_REFERENCED_VAR(cfun, var, rvi) {
79051 +#endif
79052 + tree type = TREE_TYPE(var);
79053 +
79054 + if (!DECL_P(var) || TREE_STATIC(var) || DECL_EXTERNAL(var))
79055 + continue;
79056 +
79057 + if (TREE_CODE(type) != RECORD_TYPE && TREE_CODE(type) != UNION_TYPE)
79058 + continue;
79059 +
79060 + if (!TYPE_READONLY(type))
79061 + continue;
79062 +
79063 +// if (lookup_attribute("no_const", DECL_ATTRIBUTES(var)))
79064 +// continue;
79065 +
79066 +// if (lookup_attribute("no_const", TYPE_ATTRIBUTES(type)))
79067 +// continue;
79068 +
79069 + if (walk_struct(type)) {
79070 + error("constified variable %qE cannot be local", var);
79071 + return 1;
79072 + }
79073 + }
79074 + return 0;
79075 +}
79076 +
79077 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
79078 +{
79079 + const char * const plugin_name = plugin_info->base_name;
79080 + const int argc = plugin_info->argc;
79081 + const struct plugin_argument * const argv = plugin_info->argv;
79082 + int i;
79083 + bool constify = true;
79084 +
79085 + struct register_pass_info local_variable_pass_info = {
79086 + .pass = &pass_local_variable.pass,
79087 + .reference_pass_name = "*referenced_vars",
79088 + .ref_pass_instance_number = 0,
79089 + .pos_op = PASS_POS_INSERT_AFTER
79090 + };
79091 +
79092 + if (!plugin_default_version_check(version, &gcc_version)) {
79093 + error(G_("incompatible gcc/plugin versions"));
79094 + return 1;
79095 + }
79096 +
79097 + for (i = 0; i < argc; ++i) {
79098 + if (!(strcmp(argv[i].key, "no-constify"))) {
79099 + constify = false;
79100 + continue;
79101 + }
79102 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
79103 + }
79104 +
79105 + register_callback(plugin_name, PLUGIN_INFO, NULL, &const_plugin_info);
79106 + if (constify) {
79107 + register_callback(plugin_name, PLUGIN_FINISH_TYPE, finish_type, NULL);
79108 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &local_variable_pass_info);
79109 + }
79110 + register_callback(plugin_name, PLUGIN_ATTRIBUTES, register_attributes, NULL);
79111 +
79112 + return 0;
79113 +}
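Review bot: In `check_local_variables` the `return 1;` after `error("constified variable %qE cannot be local", var)` is not a failure code, because a pass's `execute` hook returns additional TODO flags for the pass manager and 1 is read as a flag bit. `error()` already fails the compilation, so `return 0;` states the intent; dropping the early return would also report every offending variable instead of only the first. In `plugin_init` the message `"unkown option '-fplugin-arg-%s-%s'"` should read `unknown`.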
79114 diff -urNp linux-2.6.32.46/tools/gcc/Makefile linux-2.6.32.46/tools/gcc/Makefile
79115 --- linux-2.6.32.46/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500
79116 +++ linux-2.6.32.46/tools/gcc/Makefile 2011-08-05 20:33:55.000000000 -0400
79117 @@ -0,0 +1,12 @@
79118 +#CC := gcc
79119 +#PLUGIN_SOURCE_FILES := pax_plugin.c
79120 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
79121 +GCCPLUGINS_DIR := $(shell $(HOSTCC) -print-file-name=plugin)
79122 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W
79123 +
79124 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
79125 +
79126 +hostlibs-y := stackleak_plugin.so constify_plugin.so
79127 +always := $(hostlibs-y)
79128 +stackleak_plugin-objs := stackleak_plugin.o
79129 +constify_plugin-objs := constify_plugin.o
79130 diff -urNp linux-2.6.32.46/tools/gcc/stackleak_plugin.c linux-2.6.32.46/tools/gcc/stackleak_plugin.c
79131 --- linux-2.6.32.46/tools/gcc/stackleak_plugin.c 1969-12-31 19:00:00.000000000 -0500
79132 +++ linux-2.6.32.46/tools/gcc/stackleak_plugin.c 2011-08-23 20:24:26.000000000 -0400
79133 @@ -0,0 +1,243 @@
79134 +/*
79135 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
79136 + * Licensed under the GPL v2
79137 + *
79138 + * Note: the choice of the license means that the compilation process is
79139 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
79140 + * but for the kernel it doesn't matter since it doesn't link against
79141 + * any of the gcc libraries
79142 + *
79143 + * gcc plugin to help implement various PaX features
79144 + *
79145 + * - track lowest stack pointer
79146 + *
79147 + * TODO:
79148 + * - initialize all local variables
79149 + *
79150 + * BUGS:
79151 + * - cloned functions are instrumented twice
79152 + */
79153 +#include "gcc-plugin.h"
79154 +#include "config.h"
79155 +#include "system.h"
79156 +#include "coretypes.h"
79157 +#include "tree.h"
79158 +#include "tree-pass.h"
79159 +#include "intl.h"
79160 +#include "plugin-version.h"
79161 +#include "tm.h"
79162 +#include "toplev.h"
79163 +#include "basic-block.h"
79164 +#include "gimple.h"
79165 +//#include "expr.h" where are you...
79166 +#include "diagnostic.h"
79167 +#include "rtl.h"
79168 +#include "emit-rtl.h"
79169 +#include "function.h"
79170 +
79171 +int plugin_is_GPL_compatible;
79172 +
79173 +static int track_frame_size = -1;
79174 +static const char track_function[] = "pax_track_stack";
79175 +static bool init_locals;
79176 +
79177 +static struct plugin_info stackleak_plugin_info = {
79178 + .version = "201106030000",
79179 + .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
79180 +// "initialize-locals\t\tforcibly initialize all stack frames\n"
79181 +};
79182 +
79183 +static bool gate_stackleak_track_stack(void);
79184 +static unsigned int execute_stackleak_tree_instrument(void);
79185 +static unsigned int execute_stackleak_final(void);
79186 +
79187 +static struct gimple_opt_pass stackleak_tree_instrument_pass = {
79188 + .pass = {
79189 + .type = GIMPLE_PASS,
79190 + .name = "stackleak_tree_instrument",
79191 + .gate = gate_stackleak_track_stack,
79192 + .execute = execute_stackleak_tree_instrument,
79193 + .sub = NULL,
79194 + .next = NULL,
79195 + .static_pass_number = 0,
79196 + .tv_id = TV_NONE,
79197 + .properties_required = PROP_gimple_leh | PROP_cfg,
79198 + .properties_provided = 0,
79199 + .properties_destroyed = 0,
79200 + .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
79201 + .todo_flags_finish = TODO_verify_stmts // | TODO_dump_func
79202 + }
79203 +};
79204 +
79205 +static struct rtl_opt_pass stackleak_final_rtl_opt_pass = {
79206 + .pass = {
79207 + .type = RTL_PASS,
79208 + .name = "stackleak_final",
79209 + .gate = gate_stackleak_track_stack,
79210 + .execute = execute_stackleak_final,
79211 + .sub = NULL,
79212 + .next = NULL,
79213 + .static_pass_number = 0,
79214 + .tv_id = TV_NONE,
79215 + .properties_required = 0,
79216 + .properties_provided = 0,
79217 + .properties_destroyed = 0,
79218 + .todo_flags_start = 0,
79219 + .todo_flags_finish = 0
79220 + }
79221 +};
79222 +
79223 +static bool gate_stackleak_track_stack(void)
79224 +{
79225 + return track_frame_size >= 0;
79226 +}
79227 +
79228 +static void stackleak_add_instrumentation(gimple_stmt_iterator *gsi, bool before)
79229 +{
79230 + gimple call;
79231 + tree decl, type;
79232 +
79233 + // insert call to void pax_track_stack(void)
79234 + type = build_function_type_list(void_type_node, NULL_TREE);
79235 + decl = build_fn_decl(track_function, type);
79236 + DECL_ASSEMBLER_NAME(decl); // for LTO
79237 + call = gimple_build_call(decl, 0);
79238 + if (before)
79239 + gsi_insert_before(gsi, call, GSI_CONTINUE_LINKING);
79240 + else
79241 + gsi_insert_after(gsi, call, GSI_CONTINUE_LINKING);
79242 +}
79243 +
79244 +static unsigned int execute_stackleak_tree_instrument(void)
79245 +{
79246 + basic_block bb;
79247 + gimple_stmt_iterator gsi;
79248 +
79249 + // 1. loop through BBs and GIMPLE statements
79250 + FOR_EACH_BB(bb) {
79251 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
79252 + // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
79253 + tree decl;
79254 + gimple stmt = gsi_stmt(gsi);
79255 +
79256 + if (!is_gimple_call(stmt))
79257 + continue;
79258 + decl = gimple_call_fndecl(stmt);
79259 + if (!decl)
79260 + continue;
79261 + if (TREE_CODE(decl) != FUNCTION_DECL)
79262 + continue;
79263 + if (!DECL_BUILT_IN(decl))
79264 + continue;
79265 + if (DECL_BUILT_IN_CLASS(decl) != BUILT_IN_NORMAL)
79266 + continue;
79267 + if (DECL_FUNCTION_CODE(decl) != BUILT_IN_ALLOCA)
79268 + continue;
79269 +
79270 + // 2. insert track call after each __builtin_alloca call
79271 + stackleak_add_instrumentation(&gsi, false);
79272 +// print_node(stderr, "pax", decl, 4);
79273 + }
79274 + }
79275 +
79276 + // 3. insert track call at the beginning
79277 + bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
79278 + gsi = gsi_start_bb(bb);
79279 + stackleak_add_instrumentation(&gsi, true);
79280 +
79281 + return 0;
79282 +}
79283 +
79284 +static unsigned int execute_stackleak_final(void)
79285 +{
79286 + rtx insn;
79287 +
79288 + if (cfun->calls_alloca)
79289 + return 0;
79290 +
79291 + // 1. find pax_track_stack calls
79292 + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
79293 + // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
79294 + rtx body;
79295 +
79296 + if (!CALL_P(insn))
79297 + continue;
79298 + body = PATTERN(insn);
79299 + if (GET_CODE(body) != CALL)
79300 + continue;
79301 + body = XEXP(body, 0);
79302 + if (GET_CODE(body) != MEM)
79303 + continue;
79304 + body = XEXP(body, 0);
79305 + if (GET_CODE(body) != SYMBOL_REF)
79306 + continue;
79307 + if (strcmp(XSTR(body, 0), track_function))
79308 + continue;
79309 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
79310 + // 2. delete call if function frame is not big enough
79311 + if (get_frame_size() >= track_frame_size)
79312 + continue;
79313 + delete_insn_and_edges(insn);
79314 + }
79315 +
79316 +// print_simple_rtl(stderr, get_insns());
79317 +// print_rtl(stderr, get_insns());
79318 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
79319 +
79320 + return 0;
79321 +}
79322 +
79323 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
79324 +{
79325 + const char * const plugin_name = plugin_info->base_name;
79326 + const int argc = plugin_info->argc;
79327 + const struct plugin_argument * const argv = plugin_info->argv;
79328 + int i;
79329 + struct register_pass_info stackleak_tree_instrument_pass_info = {
79330 + .pass = &stackleak_tree_instrument_pass.pass,
79331 +// .reference_pass_name = "tree_profile",
79332 + .reference_pass_name = "optimized",
79333 + .ref_pass_instance_number = 0,
79334 + .pos_op = PASS_POS_INSERT_AFTER
79335 + };
79336 + struct register_pass_info stackleak_final_pass_info = {
79337 + .pass = &stackleak_final_rtl_opt_pass.pass,
79338 + .reference_pass_name = "final",
79339 + .ref_pass_instance_number = 0,
79340 + .pos_op = PASS_POS_INSERT_BEFORE
79341 + };
79342 +
79343 + if (!plugin_default_version_check(version, &gcc_version)) {
79344 + error(G_("incompatible gcc/plugin versions"));
79345 + return 1;
79346 + }
79347 +
79348 + register_callback(plugin_name, PLUGIN_INFO, NULL, &stackleak_plugin_info);
79349 +
79350 + for (i = 0; i < argc; ++i) {
79351 + if (!strcmp(argv[i].key, "track-lowest-sp")) {
79352 + if (!argv[i].value) {
79353 + error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
79354 + continue;
79355 + }
79356 + track_frame_size = atoi(argv[i].value);
79357 + if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || track_frame_size < 0)
79358 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
79359 + continue;
79360 + }
79361 + if (!strcmp(argv[i].key, "initialize-locals")) {
79362 + if (argv[i].value) {
79363 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
79364 + continue;
79365 + }
79366 + init_locals = true;
79367 + continue;
79368 + }
79369 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
79370 + }
79371 +
79372 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_tree_instrument_pass_info);
79373 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &stackleak_final_pass_info);
79374 +
79375 + return 0;
79376 +}
79377 diff -urNp linux-2.6.32.46/usr/gen_init_cpio.c linux-2.6.32.46/usr/gen_init_cpio.c
79378 --- linux-2.6.32.46/usr/gen_init_cpio.c 2011-03-27 14:31:47.000000000 -0400
79379 +++ linux-2.6.32.46/usr/gen_init_cpio.c 2011-04-17 15:56:46.000000000 -0400
79380 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
79381 int retval;
79382 int rc = -1;
79383 int namesize;
79384 - int i;
79385 + unsigned int i;
79386
79387 mode |= S_IFREG;
79388
79389 @@ -383,9 +383,10 @@ static char *cpio_replace_env(char *new_
79390 *env_var = *expanded = '\0';
79391 strncat(env_var, start + 2, end - start - 2);
79392 strncat(expanded, new_location, start - new_location);
79393 - strncat(expanded, getenv(env_var), PATH_MAX);
79394 - strncat(expanded, end + 1, PATH_MAX);
79395 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
79396 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
79397 strncpy(new_location, expanded, PATH_MAX);
79398 + new_location[PATH_MAX] = 0;
79399 } else
79400 break;
79401 }
79402 diff -urNp linux-2.6.32.46/virt/kvm/kvm_main.c linux-2.6.32.46/virt/kvm/kvm_main.c
79403 --- linux-2.6.32.46/virt/kvm/kvm_main.c 2011-03-27 14:31:47.000000000 -0400
79404 +++ linux-2.6.32.46/virt/kvm/kvm_main.c 2011-08-05 20:33:55.000000000 -0400
79405 @@ -2494,7 +2494,7 @@ asmlinkage void kvm_handle_fault_on_rebo
79406 if (kvm_rebooting)
79407 /* spin while reset goes on */
79408 while (true)
79409 - ;
79410 + cpu_relax();
79411 /* Fault while not rebooting. We want the trace. */
79412 BUG();
79413 }
79414 @@ -2714,7 +2714,7 @@ static void kvm_sched_out(struct preempt
79415 kvm_arch_vcpu_put(vcpu);
79416 }
79417
79418 -int kvm_init(void *opaque, unsigned int vcpu_size,
79419 +int kvm_init(const void *opaque, unsigned int vcpu_size,
79420 struct module *module)
79421 {
79422 int r;
79423 @@ -2767,15 +2767,17 @@ int kvm_init(void *opaque, unsigned int
79424 /* A kmem cache lets us meet the alignment requirements of fx_save. */
79425 kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size,
79426 __alignof__(struct kvm_vcpu),
79427 - 0, NULL);
79428 + SLAB_USERCOPY, NULL);
79429 if (!kvm_vcpu_cache) {
79430 r = -ENOMEM;
79431 goto out_free_5;
79432 }
79433
79434 - kvm_chardev_ops.owner = module;
79435 - kvm_vm_fops.owner = module;
79436 - kvm_vcpu_fops.owner = module;
79437 + pax_open_kernel();
79438 + *(void **)&kvm_chardev_ops.owner = module;
79439 + *(void **)&kvm_vm_fops.owner = module;
79440 + *(void **)&kvm_vcpu_fops.owner = module;
79441 + pax_close_kernel();
79442
79443 r = misc_register(&kvm_dev);
79444 if (r) {
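Review bot: The lines added between `pax_open_kernel()` and `pax_close_kernel()` write the `owner` fields through a `*(void **)&` cast with no comment saying why, and the cast discards the field's pointer type so the compiler no longer checks the assignment. Presumably the ops structures are made read-only elsewhere in this patch; if so, say it at the site, e.g. `/* ops tables are read-only; owner is only known at init, so set it inside the open-kernel window */`, and cast to the field's own type, `*(struct module **)&kvm_chardev_ops.owner = module;` (likewise for `kvm_vm_fops` and `kvm_vcpu_fops`). `SLAB_USERCOPY` on `kvm_vcpu_cache` exempts every object in that cache from the usercopy restriction, so a comment naming which part of the vcpu actually crosses the user boundary would let a later reviewer judge whether the exemption can be narrowed. kvm_init continues outside the hunk.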